A Zero-Day Cloud Timing Channel Attack

IEEE has published Dr. Robert Flowers' paper titled "A Zero-Day Cloud Timing Channel Attack."

The Intrusion Detection and Prevention System (IDPS) services of a North American cloud service provider were ineffective against a simulated network timing channel attack. During the tests, three conspiring white-hat agents exchanged a total of 33,024 network packets. As the proxy-based attack executed, the vendor's intrusion detection service did not generate a warning, nor did its intrusion prevention service drop packets. Throughout the experiment, 4,096 bytes of randomized data (simulating covert traffic) were exchanged over a 2.06 hour period (4.4 bits per second); however, the vendor's Artificial Intelligence (AI) enabled threat detection service did not issue an alert. A Wilcoxon rank-sum test on the before-and-after throughput confirmed that none of the vendor's countermeasures triggered or intervened to a statistically significant degree (threat intel: p=0.703, IDPS: p=0.998, threat intel + IDPS: p=0.118). These results indicate that those accountable for data-oriented Service Organization Control (SOC) 2/3 reports (e.g., auditors, cybersecurity executives) should carefully examine the assurances offered by cloud service providers with regard to their network steganography defenses.
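The abstract above rests on one check: compare covert-channel throughput with a countermeasure off and on, and ask whether the difference is statistically significant under a Wilcoxon rank-sum (Mann-Whitney U) test. The example below is added here and is not code from the paper; it implements that test in plain Python (tie-corrected normal approximation, no continuity correction) and runs it over constructed throughput samples in bits per second. The sample values and the 0.05 significance threshold are assumptions chosen for illustration, not measurements from the experiment.

```python
import math
from typing import List, Sequence, Tuple

# Constructed samples (not from the paper): covert-channel throughput in bits per
# second measured across repeated runs. "baseline" has no countermeasure active.
BASELINE_BPS = [4.41, 4.52, 4.33, 4.64, 4.45, 4.27, 4.58, 4.71, 4.36, 4.49]
# A countermeasure that leaves the channel untouched: values interleave with baseline.
INEFFECTIVE_BPS = [4.38, 4.55, 4.30, 4.62, 4.47, 4.24, 4.60, 4.68, 4.40, 4.51]
# A countermeasure that throttles the channel: every run is far below baseline.
EFFECTIVE_BPS = [1.12, 0.95, 1.31, 1.07, 0.88, 1.24, 1.15, 0.99, 1.19, 1.03]


def _average_ranks(values: Sequence[float]) -> Tuple[List[float], List[int]]:
    """Return 1-based ranks (ties get the average rank) and the size of each tie group."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    tie_groups: List[int] = []
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        # Positions i..j hold ranks i+1..j+1; share their mean.
        avg = (i + j + 2) / 2
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        tie_groups.append(j - i + 1)
        i = j + 1
    return ranks, tie_groups


def rank_sum_test(sample_a: Sequence[float], sample_b: Sequence[float]) -> Tuple[float, float, float]:
    """Two-sided Wilcoxon rank-sum / Mann-Whitney U test.

    Returns (U, z, p) using the normal approximation with a tie correction in the
    variance. Suitable for the sample sizes a throughput experiment produces.
    """
    n1, n2 = len(sample_a), len(sample_b)
    n = n1 + n2
    ranks, ties = _average_ranks(list(sample_a) + list(sample_b))
    r1 = sum(ranks[:n1])                      # rank sum of sample A
    u1 = r1 - n1 * (n1 + 1) / 2
    u2 = n1 * n2 - u1
    u = min(u1, u2)
    mean_u = n1 * n2 / 2
    tie_term = sum(t ** 3 - t for t in ties)  # zero when there are no ties
    var_u = n1 * n2 / 12 * ((n + 1) - tie_term / (n * (n - 1)))
    if var_u == 0:                            # all values identical: nothing to test
        return u, 0.0, 1.0
    z = (u - mean_u) / math.sqrt(var_u)
    p = math.erfc(abs(z) / math.sqrt(2))      # two-sided tail of the standard normal
    return u, z, p


def countermeasure_intervened(baseline: Sequence[float], treated: Sequence[float], alpha: float = 0.05) -> bool:
    """True when throughput changed to a statistically significant degree at level alpha."""
    _, _, p = rank_sum_test(baseline, treated)
    return p < alpha


if __name__ == "__main__":
    for label, treated in (("ineffective", INEFFECTIVE_BPS), ("effective", EFFECTIVE_BPS)):
        u, z, p = rank_sum_test(BASELINE_BPS, treated)
        verdict = "intervened" if countermeasure_intervened(BASELINE_BPS, treated) else "no significant effect"
        print(f"{label:12s} U={u:5.1f} z={z:6.2f} p={p:.4f} -> {verdict}")
```

A p-value near 1 (as for the interleaving sample) is the shape of the paper's result: the countermeasure was active, but throughput before and after is indistinguishable. Only the throttled sample drives p below the threshold. For small samples an exact U distribution would be preferable to the normal approximation; the approximation is used here to keep the example dependency-free.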

Read full paper here:


Faculty Paper Published by IEEE

The latest research by Adjunct Professor Robert Flowers, Sc.D., has been published in IEEE Access (Volume 10).


Cybersecurity executives, engineers, and decision-makers should not presume that effective network steganographic countermeasures come at the cost of performance. A performance assessment of network steganographic countermeasures during an experimental data exfiltration attack revealed a negligible influence on latency. Despite the advanced nature of the attack, preventative controls did not degrade packet round-trip times to a statistically significant degree. During the experiment, synthetic credit card numbers were exfiltrated at a rate equivalent to US $74,702 per second. The measured round-trip time between a covert transmitting host and a covert receiving host was nearly identical regardless of whether the interventions were active or inactive. This de minimis effect suggests that similar preventative controls in an enterprise environment would not adversely affect large volumes of business network traffic in the presence of an actual attack.

Paper: Performance Impact of Header-Based Network Steganographic Countermeasures (IEEE Xplore)


Scott Christiansen describes how machine learning can be used to identify security bugs

Scott Christiansen, BU Cybersecurity Adjunct Faculty and Senior Security Program Manager at Microsoft, co-authored a recent paper, Identifying Security Bug Reports Based Solely on Report Titles and Noisy Data, and a featured blog post, Secure the software development lifecycle with machine learning, exploring methods of using machine learning to improve the identification and classification of security bugs. Discussed on both VentureBeat and The Verge, these techniques are gaining the attention of software and service developers.


Special topics course offers students opportunity to solve national defense problems

Bellevue University will offer SYS699, Hacking for Defense, during Spring Term 2020. This cross-discipline course is open to all graduate students nearing the end of their program. Students will receive real-world problems from US government agencies looking for innovative solutions.

Interested students should contact their advising coach or program director. The Bellevue Leader recently published an article with interviews with several of the faculty involved with the course.


The Turning of a Year

HAPPY 2012 to All!

The end of one year and the start of another is a good time to both reflect and plan. We should look back a little at what happened in the past year and use that to look ahead into the new one. To paraphrase the famous quote by George Santayana, "Those who don't learn from the past are doomed to repeat it."

In many ways, 2011 was a booming year for the cybersecurity industry. Many organizations realized the need for better security practices and tools. Unfortunately, this was due to the multiple breaches. According to the Privacy Rights Clearinghouse (PRC), there were 535 breaches during 2011, involving 30.4 million records containing sensitive information. Jim Lewis, a co-blogger on this site, posted a short list of major events from 2011 in his post Major cyber security events of 2011.

My list is similar, but takes a different perspective:

  • Sony PlayStation Network (SPN) – Sony disclosed in April an external intrusion in which the thieves stole millions of online IDs and passwords and gained access to account holders' credit cards. A concise history of the Sony hacks can be found here.
  • Epsilon, an email service provider for other companies, reported the largest security breach ever, with at least 60 million names and email addresses compromised.
  • The group Anonymous seemed to have their way on any system. While they didn't cause massive breaches, they did show how most organizations (like the BART subway system) are vulnerable to attack. It forces the question: is anyone safe?
  • Sutter Physicians Services, HealthNet, & TriCare/SAIC. I've combined these breaches of medical systems, although they each have their own story and lessons to be learned. They show how lax policies maintained over many years are now leading to breaches of sensitive medical information. Despite the HIPAA security rules, our personal medical information continues to be vulnerable. For some, it's cheaper to risk paying fines than it is to secure the data.

As we move into 2012, we need to reflect on these breaches and their root causes. Here are some of my thoughts on their lessons learned:

  • Approximately 30% of users reuse passwords across Internet sites. If a thief discovers one password (as at SPN), it can be used at many other sites. We need to educate our users to use different passwords, especially for sites containing their sensitive information. Better yet, we need to encourage the use of tokens or other forms of multi-factor authentication.
  • It may seem innocuous when our names and email addresses are disclosed, but that can open us up to spear phishing attacks, in which a criminal directs fraudulent email at us to try to deceive us into disclosing more personal information. The end result is identity theft. There are two things to remember: (1) protect your name and email address, and (2) be on the lookout for any type of phishing attack. If you're unsure about a text, tweet, or email, contact the sender offline (by telephone if possible) to confirm the message.
  • Policies and laws are in place, but they are not consistently followed. There are often no repercussions for failure to follow the policies and procedures that protect our personal information. Compliance and governance would solve this issue for many organizations and could help prevent future breaches.

In 2012, we'll continue to see the move to anytime, anyplace computing as more people move to smartphones and tablets for their basic business. Data will continue to be pervasive as more people trust cloud services. It provides great convenience, but at what cost? Diligence will continue to be the key for both individuals and organizations. If you can develop and keep a security mindset, it may save you many headaches in 2012 and the years to come.

What do you think will happen in 2012?

Have a happy, safe, and secure 2012.