Go your own way : reporting of fundraising in Australian charity financial statements

Australian charities are facing increased public scrutiny of their financial reports, which must now be submitted to the national regulator, the Australian Charities and Not-for-profits Commission. Some may wish to use reports to create so-called 'fundraising efficiency league tables'. This article seeks to provide a description of current best practice in fundraising financial reporting by examining annual reports that have been recognised with industry awards. We find a wide variation in how terms have been used, with no patterns discernible. Moreoever, reporting is influenced by regulatory requirements in the relevant jurisdiction, which differ substantially. It is unlikely that league tables will be meaningful if constructed from charities' current annual financial statements.

On the Security of Two RFID Mutual Authentication Protocols

In this paper, the security of two recent RFID mutual authentication protocols are investigated. The first protocol is a scheme proposed by Huang et al. [7] and the second one by Huang, Lin and Li [6]. We show that these two protocols have several weaknesses. In Huang et al.’s scheme, an adversary can determine the 32-bit secret password with a probability of 2−2 , and in Huang-Lin-Li scheme, a passive adversary can recognize a target tag with a success probability of 1−2−4 and an active adversary can determine all 32 bits of Access password with success probability of 2−4 . The computational complexity of these attacks is negligible.

The suffix-free-prefix-free hash function construction and its indifferentiability security analysis

In this paper, we observe that in the seminal work on indifferentiability analysis of iterated hash functions by Coron et al. and in subsequent works, the initial value (IV) of hash functions is fixed. In addition, these indifferentiability results do not depend on the Merkle–Damgård (MD) strengthening in the padding functionality of the hash functions. We propose a generic n -bit-iterated hash function framework based on an n -bit compression function called suffix-free-prefix-free (SFPF) that works for arbitrary IV s and does not possess MD strengthening. We formally prove that SFPF is indifferentiable from a random oracle (RO) when the compression function is viewed as a fixed input-length random oracle (FIL-RO). We show that some hash function constructions proposed in the literature fit in the SFPF framework while others that do not fit in this framework are not indifferentiable from a RO. We also show that the SFPF hash function framework with the provision of MD strengthening generalizes any n -bit-iterated hash function based on an n -bit compression function and with an n -bit chaining value that is proven indifferentiable from a RO.

Security Analysis of Randomize-Hash-then-Sign Digital Signatures

At CRYPTO 2006, Halevi and Krawczyk proposed two randomized hash function modes and analyzed the security of digital signature algorithms based on these constructions. They showed that the security of signature schemes based on the two randomized hash function modes relies on properties similar to the second preimage resistance rather than on the collision resistance property of the hash functions. One of the randomized hash function modes was named the RMX hash function mode and was recommended for practical purposes. The National Institute of Standards and Technology (NIST), USA standardized a variant of the RMX hash function mode and published this standard in the Special Publication (SP) 800-106. In this article, we first discuss a generic online birthday existential forgery attack of Dang and Perlner on the RMX-hash-then-sign schemes. We show that a variant of this attack can be applied to forge the other randomize-hash-then-sign schemes. We point out practical limitations of the generic forgery attack on the RMX-hash-then-sign schemes. We then show that these limitations can be overcome for the RMX-hash-then-sign schemes if it is easy to find fixed points for the underlying compression functions, such as for the Davies-Meyer construction used in the popular hash functions such as MD5 designed by Rivest and the SHA family of hash functions designed by the National Security Agency (NSA), USA and published by NIST in the Federal Information Processing Standards (FIPS). We show an online birthday forgery attack on this class of signatures by using a variant of Dean’s method of finding fixed point expandable messages for hash functions based on the Davies-Meyer construction. This forgery attack is also applicable to signature schemes based on the variant of RMX standardized by NIST in SP 800-106. We discuss some important applications of our attacks and discuss their applicability on signature schemes based on hash functions with ‘built-in’ randomization. Finally, we compare our attacks on randomize-hash-then-sign schemes with the generic forgery attacks on the standard hash-based message authentication code (HMAC).

Improved Security Analysis of Fugue-256 (Poster)

We present some improved analytical results as part of the ongoing work on the analysis of Fugue-256 hash function, a second round candidate in the NIST’s SHA3 competition. First we improve Aumasson and Phans’ integral distinguisher on the 5.5 rounds of the final transformation of Fugue-256 to 16.5 rounds. Next we improve the designers’ meet-in-the-middle preimage attack on Fugue-256 from 2480 time and memory to 2416. Finally, we comment on possible methods to obtain free-start distinguishers and free-start collisions for Fugue-256.

On Randomizing Hash Functions to Strengthen the Security of Digital Signatures

Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end tool to the hash-then-sign digital signature schemes such as DSS and RSA in order to free their reliance on the collision resistance property of the hash functions. They have shown that to forge a RMX-hash-then-sign signature scheme, one has to solve a cryptanalytical task which is related to finding second preimages for the hash function. In this article, we will show how to use Dean’s method of finding expandable messages for finding a second preimage in the Merkle-Damgård hash function to existentially forge a signature scheme based on a t-bit RMX-hash function which uses the Davies-Meyer compression functions (e.g., MD4, MD5, SHA family) in 2 t/2 chosen messages plus 2 t/2 + 1 off-line operations of the compression function and similar amount of memory. This forgery attack also works on the signature schemes that use Davies-Meyer schemes and a variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.

Security Analysis of salt||password Hashes

Protection of passwords used to authenticate computer systems and networks is one of the most important application of cryptographic hash functions. Due to the application of precomputed memory look up attacks such as birthday and dictionary attacks on the hash values of passwords to find passwords, it is usually recommended to apply hash function to the combination of both the salt and password, denoted salt||password, to prevent these attacks. In this paper, we present the first security analysis of salt||password hashing application. We show that when hash functions based on the compression functions with easily found fixed points are used to compute the salt||password hashes, these hashes are susceptible to precomputed offline birthday attacks. For example, this attack is applicable to the salt||password hashes computed using the standard hash functions such as MD5, SHA-1, SHA-256 and SHA-512 that are based on the popular Davies-Meyer compression function. This attack exposes a subtle property of this application that although the provision of salt prevents an attacker from finding passwords, salts prefixed to the passwords do not prevent an attacker from doing a precomputed birthday attack to forge an unknown password. In this forgery attack, we demonstrate the possibility of building multiple passwords for an unknown password for the same hash value and salt. Interestingly, password||salt (i.e. salts suffixed to the passwords) hashes computed using Davies-Meyer hash functions are not susceptible to this attack, showing the first security gap between the prefix-salt and suffix-salt methods of hashing passwords.

Ethical screening and financial performance : the case of Islamic equity funds

Whether ethical screening affects portfolio performance is an important question that is yet to be settled in the literature. This paper aims to shed further light on this question by examining the performance of a large global sample of Islamic equity funds (IEFs) from 1984 to 2010. We find that IEFs underperform conventional funds by an average of 40 basis points per month, consistent with the underperformance hypothesis. In line with popular media claims that Islamic funds are a safer investment, IEFs outperformed conventional funds during the recent banking crisis. However, we find no such outperformance for other crises or high volatility periods. Based on fund holdings-based data, we provide evidence of a negative curvilinear relation between fund performance and ethical screening intensity, consistent with a return trade-off to being more ethical.

Balancing the books : an assessment of financial stress associated with social work and human service student placements

This report presents the findings from a study of the financial impact of work-integrated learning commonly referred to as 'placement' among social work and human services students. Based on a survey of 214 respondants, 14 in-depth interviews and two focus groups, the findings indicate that two thirds of the surveyed group felt tired and anxious about their experience of balancing paid work and placement, with 2 in 5 reporting their learning experience was compromised as a result. The significant implications and potential solutions are also discussed.

Is biggest best? A comparative analysis of the financial viability of the Brisbane City Council

Structural reform through forced mergers has been a dominant feature of Australian local government for decades. Advocates of compulsory consolidation contend that larger municipalities perform better across a wide range of attributes, including financial sustainability. While empirical scholars of local government have invested considerable effort into investigating these claims, no-one has yet examined the performance of Brisbane City Council against other local authorities, despite the fact that it is by far the largest council in Australia. This paper seeks to remedy this neglect by comparing Brisbane with Sydney City Council, an average of six south east Queensland councils and an average of ten metropolitan New South Wales councils against four measures of financial performance over the period 2008 to 2011.

Hierarchical deterministic Bitcoin wallets that tolerate key leakage (short paper)

A Bitcoin wallet is a set of private keys known to a user and which allow that user to spend any Bitcoin associated with those keys. In a hierarchical deterministic (HD) wallet, child private keys are generated pseudorandomly from a master private key, and the corresponding child public keys can be generated by anyone with knowledge of the master public key. These wallets have several interesting applications including Internet retail, trustless audit, and a treasurer allocating funds among departments. A specification of HD wallets has even been accepted as Bitcoin standard BIP32. Unfortunately, in all existing HD wallets---including BIP32 wallets---an attacker can easily recover the master private key given the master public key and any child private key. This vulnerability precludes use cases such as a combined treasurer-auditor, and some in the Bitcoin community have suspected that this vulnerability cannot be avoided. We propose a new HD wallet that is not subject to this vulnerability. Our HD wallet can tolerate the leakage of up to m private keys with a master public key size of O(m). We prove that breaking our HD wallet is at least as hard as the so-called "one more" discrete logarithm problem.

Safety envelope for security

We present an approach for detecting sensor spoofing attacks on a cyber-physical system. Our approach consists of two steps. In the first step, we construct a safety envelope of the system. Under nominal conditions (that is, when there are no attacks), the system always stays inside its safety envelope. In the second step, we build an attack detector: a monitor that executes synchronously with the system and raises an alarm whenever the system state falls outside the safety envelope. We synthesize safety envelopes using a modified machine learning procedure applied on data collected from the system when it is not under attack. We present experimental results that show effectiveness of our approach, and also validate the several novel features that we introduced in our learning procedure.

Household food insecurity, diet, and weight status in a disadvantaged district of Ho Chi Minh City, Vietnam: A cross-sectional study

Background Food security exists when all people, at all times, have physical, economic and socially acceptable access to safe, sufficient, and adequately nutritious food in order to meet their dietary needs for an active and healthy life. For high income countries and those experiencing the nutrition transition, food security is not only about the quantity of available food but also the nutritional quality as related to over- and under-nutrition. Vietnam is currently undergoing this nutrition transition, and as a result the relationship between food insecurity, socio-demographic factors and weight status is complex. The primary objective of this study was to therefore measure the prevalence of household food insecurity in a disadvantaged urban district in Ho Chi Minh City (HCMC) in Vietnam using a more comprehensive tool. This study also aims to examine the relationships between food insecurity and socio-demographic factors, weight status, and food intakes. Methods A cross-sectional study was conducted using multi-stage sampling. Adults who were mainly responsible for cooking were interviewed in 250 households. Data was collected on socioeconomic and demographic factors using previously validated tools. Food security was assessed using the Latin American and Caribbean Household Food Security Scale (ELCSA) tool and households were categorized as food secure or mildly, moderately or severely food insecure. Questions regarding food intake were based on routinely used and validated questions in HCMC, weight status was self-reported. Results Cronbach’s alpha coefficient was 0.87, showing the ELCSA had a good internal reliability. Approximately 34.4% of households were food insecure. Food insecurity was inversely related to total household income (OR = 0.09, 95% CI = 0.04 - 0.22) and fruit intakes (OR = 2.2, 95% CI 1.31 - 4.22). There was no association between weight and food security status. Conclusions Despite rapid industrialization and modernization, food insecurity remains an important public health issue in large urban areas of HCMC, suggesting that strategies to address food insecurity should be implemented in urban settings, and not just rural locations. Fruit consumption among food insecure households may be compromised because of financial difficulties, which may lead to poorer health outcomes particularly related to non-communicable disease prevention and management.