IEEE Security and Privacy Magazine

Published by Institute of Electrical and Electronics Engineers
Online ISSN: 1540-7993
Publications
Article
Experience-based access management (EBAM) is a life-cycle model for identity and access management. It incorporates models, techniques, and tools to reconcile differences between the ideal access model, as judged by professional and legal standards, and the enforced access control, specific to the operational system. EBAM's principal component is an expected-access model that represents differences between the ideal and enforced models on the basis of access logs and other operational information. A technique called access rules informed by probabilities (ARIP) can aid EBAM in the context of healthcare organizations.
 
Article
Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and the entire secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if one SSL/TLS implementation accepts a certificate while another rejects the same certificate, we use the discrepancy as an oracle for finding flaws in individual implementations. Differential testing with frankencerts uncovered 208 discrepancies between popular SSL/TLS implementations such as OpenSSL, NSS, CyaSSL, GnuTLS, PolarSSL, MatrixSSL, etc. Many of them are caused by serious security vulnerabilities. For example, any server with a valid X.509 version 1 certificate can act as a rogue certificate authority and issue fake certificates for any domain, enabling man-in-the-middle attacks against MatrixSSL and GnuTLS. Several implementations also accept certificate authorities created by unauthorized issuers, as well as certificates not intended for server authentication. We also found serious vulnerabilities in how users are warned about certificate validation errors. When presented with an expired, self-signed certificate, NSS, Safari, and Chrome (on Linux) report that the certificate has expired (a low-risk, often ignored error) but not that the connection is insecure against a man-in-the-middle attack. These results demonstrate that automated adversarial testing with frankencerts is a powerful methodology for discovering security flaws in SSL/TLS implementations.
 
Article
Interoperable medical devices (IMDs) face threats due to the increased attack surface presented by interoperability and the corresponding infrastructure. Introducing networking and coordination functionalities fundamentally alters medical systems' security properties. Understanding the threats is an important first step in eventually designing security solutions for such systems. Part 2 of this two-part article defines a failure model, or the specific ways in which IMD environments might fail when attacked. An attack-consequences model expresses the combination of failures experienced by IMD environments for each attack vector. This analysis leads to interesting conclusions about regulatory classes of medical devices in IMD environments subject to attacks. Part 1 can be found here: http://doi.ieeecomputersociety.org/10.1109/MSP.2012.128.
 
Article
Interoperable medical devices (IMDs) face threats due to the increased attack surface presented by interoperability and the corresponding infrastructure. Introducing networking and coordination functionalities fundamentally alters medical systems' security properties. Understanding the threats is an important first step in eventually designing security solutions for such systems. Part 1 of this two-part article provides an overview of the IMD environment and the attacks that can be mounted on it.
 
Article
Nature takes a variety of approaches regarding risk concentration. Stationary life tends to bend but not break, whereas mobile life tends toward risk concentration with stout border protection. Client and network devices tend to follow the latter model.
 
Article
It's a difficult mental exercise to simultaneously envision how a system could be forced to fail while you're busy designing how it's meant to work. At George Mason University, instructors give their students practice at this skill by requiring them to write attack scripts for all their assignments. Creating an attack script is a mental exercise for the student in which they align themselves with an attacker's perspective to formulate a structured plan of attack: a series of tasks and experiments that gain information about the internal state of the probed system. The purpose of this exercise is to help the student nurture a mindset in which they can appreciate how systems might be attacked in all their aspects, from design and implementation to runtime configuration.
 
Article
'Tis the season when we musically celebrate the 12 days of Christmas while quietly rejoicing that there are fewer days of Christmas than there are bottles of beer on the wall. 'Tis also the season for us to visit the Owned Price Index (OPI), our index of underground economy prices. The OPI mimics the PNI Christmas index - the price index of the 12 days of Christmas items. The PNI Christmas index, the market price of 12 drummers drumming down to a partridge in a pear tree, rose an impressive 10.1% in 2008 to a record US$86,609, outperforming most major market indices dramatically. Although we sheepishly concede that golden rings have outperformed Goldman Sachs, and swans a-swimming have outperformed Swanson Foods, it does serve to further distinguish between our true love and our financial advisor. In 2008, true love is Pareto dominant.
 
Article
For efficiency, we should implement cryptographic subsystems with short keys, but reliably estimating minimal key lengths is a rather involved and complicated process, especially for systems with long life cycles and limited update capabilities. In symmetric cryptography, experts consider 56-bit DES (Data Encryption Standard) keys to be inadequate for most applications: new devices can efficiently derive a DES key from known plaintext-ciphertext pairs. Discussion in asymmetric cryptography circles currently focuses on 1,024-bit RSA key security. Interestingly, in this discussion, a major argument put forward for the insecurity of 1,024-bit RSA isn't due to paramount theoretical progress but to hypothetical hardware devices for factoring large numbers. Unlike quantum computers, these special-purpose designs try to work within the bounds of existing technology; in this article, we look at the ideas underlying some of these designs and their potential
 
Article
Role-based access control (RBAC) assigns permissions to roles rather than directly to users, which can provide simpler security administration and finer-grained access control policy. RBAC has provided a widely used model for security administration in large networks of applications and other IT resources. INCITS 359 contains an RBAC reference model, RIIS (RBAC Implementation and Interoperability Standard), as well as system and administrative functional specifications, which describe a framework of components, use-case scenarios, management interaction functions, data-exchange models, operational definitions, and interoperability. The RBAC data-exchange model provides the bridge for exchanging role information between security domains. RIIS defines technical interaction functions as specific mechanisms for exchanging operational and management data. The CS1.1 RBAC task group is soliciting industry use cases to cite in the area of system-to-system RBAC information exchange.
 
Article
The effect on the Internet of the blackout that took place at 4:11 PM Eastern Daylight Time (EDT) on August 14, 2003, is discussed. The normal Border Gateway Protocol (BGP) chatter jumped several notches as border routers across the globe relayed the news of unreachable networks. As the power-grid failure spread, more than 1 percent of the Internet became unreachable. In addition, as the blackout continued, routing tables shrank as hundreds, and then thousands, of networks went offline.
 
Article
As governments attempt to prevent, investigate, or prosecute crimes by persons who use the Internet to plan and carry out terrorist acts, the protection of private, personal information stored on computers becomes the subject of controversy. It is inevitable that the home computer becomes a target for surveillance, search, and seizure by government agents. As a result, courts will be asked to determine whether such agents have complied with applicable laws that condition such intrusions on meeting standards set by constitutions or laws that did not anticipate the home computer as a focal point for such controversies. Courts are more accustomed to addressing similar controversies in the context of a house and its material contents, rather than a computer and its digital files. It is likely that the judicial system will use analogies to the house when deciding controversies concerning the reasonable expectations of privacy in a home computer's contents. In apparent anticipation, the US Justice Department's policy on the search and seizure of computers in investigations uses such an analogy to justify its position that when several people share a computer, any one of them can grant the police permission to search and seize its contents.
 
Article
The authors look at the recent Metricon 2.0 conference and discuss its highlights. In particular, the conference focused on the importance of metrics, especially as they apply to security.
 
Article
This paper addresses Internet privacy. A 2008 survey revealed that US Internet users' top three privacy concerns haven't changed since 2002, but privacy-related events might have influenced their level of concern within certain categories. The authors describe their results as well as the differences in privacy concerns between US and international respondents. They also note that individuals have become more concerned about personalization in customized browsing experiences, monitored purchasing patterns, and targeted marketing and research.
 
Article
We can find considerable information security debris in the wake of 2003's attack trends and new security flaws. New and serious vulnerabilities were discovered, disclosed, and subsequently exploited in many ways, from simple, straightforward methods to more advanced and innovative exploitation techniques. This paper examines a handful of the more than 3,000 unique vulnerabilities and 115,000 security incidents reported in 2003 (according to CERT Coordination Center's report for quarters one through three) and attempts to predict information security woes for 2004. The author's analysis focuses on the distinguishing characteristics of the 2003 attack trends rather than on specific vulnerabilities or a precisely defined taxonomy of security bugs.
 
Article
The International Association for Cryptologic Research (IACR; www.iacr.org) held its 24th annual International Cryptography Conference 15--19 August 2004 in Santa Barbara, California. The conference consisted of short sessions, invited talks, and presentations of conference papers for interested attendees.
 
Article
The European Institute Center for Anti-Virus Research (EICAR; www.eicar.org) held its 14th annual conference and attracted about 100 researchers, vendors, users, and government representatives interested in discussing the field’s latest developments. This report presents a brief overview of what went on at the invited talks, paper presentations, and industry sessions.
 
Article
The first Symposium on Usable Privacy and Security (SOUPS 2005) brought together a variety of academic and industry researchers from the emerging field of human-computer interaction and security (HCISEC). The symposium helped to define the challenges that HCISEC researchers face and provided an overview of many of today's most important usable security-and-privacy problems.
 
Article
A report on SecureWorld Expo 2005, held 21 to 22 September 2005 in Dearborn, Michigan. The SecureWorld Expo targets business and IT professionals with security concerns and provides them with an industry-wide agenda to help solve those concerns through a partnership with government agencies.
 
Article
Information assurance experts at the Technology Forecasts 2005 give insights into how the threat's evolving nature, the current information technology environment, and various market forces are combining to yield new security challenges and likely new technology paths for the future. The integration of computation into the environment, rather than having computers as distinct objects, opens up a whole new class of information assurance problems. The advent of quantum computing, if it happens, could have a profound effect on the information assurance landscape. The widespread use of computers to monitor and control safety-critical processes.
 
Article
Reading Andrew Jaquith's Security Metrics: Replacing Fear, Uncertainty, and Doubt will inspire you to start identifying and measuring meaningful computer security performance factors and begin the process of transforming our shaman-like discipline into a science.
 
Article
A report of the second annual Symposium on Usable Privacy and Security (SOUPS 2006) held at Carnegie Mellon University (CMU) 12-14 July 2006.
 
Article
Several distinguished information assurance experts have provided insights into how the evolving nature of threats, the current information technology environment, and various market forces are combining to yield new security challenges and new technology paths for the future. Terry V. Benzel has expressed that the future will see the commoditization of ubiquitous computing. Computing will move from a stand-alone conscious activity to a fully integrated aspect of daily life. Technically, it will move from workstations and laptops connected to networks and servers to embedded computational nodes and widespread sensor-based systems. Jeremy Epstein believes that the future availability of low-cost hardware will make new information assurance technologies feasible. With feasible networks of dedicated processors in a single computer or device, computing will see partitioning of applications with well-defined boundaries that will help to gain information assurance.
 
Article
In Windows Server 2008 and Windows Vista, the System Access Control List (SACL) has been extended to carry integrity-level information and is in the process of being converted into something like a mandatory access control (MAC) label. The article describes the basis for Microsoft's steps toward MAC-like functionality in Windows Server 2008 and Windows Vista, in which a no-read-down policy has been introduced. The integrity label is used to establish the low label that marks the Internet Explorer process used in low-rights Internet Explorer. An object has only one owner and one primary group, but the DACL and SACL can have many sub-components declaring the appropriate access, restrictions, and system settings for various principals. Security issues are now mitigated by the Owner Access Restriction ACL, which is introduced with Windows Vista and Server 2008. The capabilities of Microsoft's ACL model in modern Windows systems allow fine-grained control of object permissions.
 
Article
Cloud computing presents an opportunity to offload computing to third party resources, but this business model isn't without security risks. Customers must determine if running their computing on a base system managed by a third party is better than running on their own systems. They must be convinced that running in the same data center as their competitors or adversaries is safe, and they are still responsible for complex security configuration. Despite these concerns, cloud vendors can also leverage the cloud architecture to improve security by building verifiable base systems, designing integrity-protected cloud services, and limiting security configuration complexity. Thus, while the cloud architecture provides security challenges, there are also opportunities to ease the security configuration burden on customers.
 
Article
The Distributed Wireless Security Auditor (DWSA), which has been designed to secure 802.11b wireless local area networks (WLANs), is discussed. The application works toward finding unauthorized wireless access points in large-scale wireless environments while providing an autonomic and unobtrusive layer of network protection. The Linux- and Windows-based implementations provide continuous wireless assessments by harnessing the power of trusted wireless clients as distributed anomaly sensors throughout a company's network infrastructure. Using periodic security reports, a back-end server detects rogue and misconfigured access points and subsequently locates them via 3D trilateration.
 
Article
The IEEE 802.16 security standard for constructing wireless metropolitan area networks, which reuses a security scheme designed for wired media, is analyzed. The standard suffers from a number of flaws that make it vulnerable to security attacks. It applies the same security protocols regardless of the physical layer type. The standard also does not define the authentication method used, nor the EAP methods needed to support wireless networking security. Solving these problems requires extensive back-end development, and algorithmic developments to address them are ongoing.
 
Article
Computation must exist in the physical world. Security designs that require secrets must hide and use them in the real world. Unfortunately, the real world offers more paths to secret storage and more observable computational artifacts than these security designs anticipate. Careful integration of physical defenses and security architecture can sometimes succeed against the adversary class designers consider. However, in the long term, we hope for either a quantum leap in physically defensible technology, or a significant reduction in the properties that designs force us to assume about our computers.
 
Article
Modeling of system quality attributes, including security, is often done with low-fidelity software models and disjointed architectural specifications by various engineers using their own specialized notations. These models are typically not maintained or documented throughout the life cycle and make it difficult to obtain a system view. However, a single-source architecture model of the system that is annotated with analysis-specific information allows changes to the architecture to be reflected in the various analysis models with little effort. We describe how model-based development using the Architecture Analysis and Design Language (AADL) and compatible analysis tools provides the platform for multi-dimensional, multi-fidelity analysis and verification. Special emphasis is given to analysis approaches based on the Bell-LaPadula, Biba, and MILS security models, which enable a system designer to exercise various architectural design options for confidentiality and data integrity prior to system realization.
 
Article
Software development is all about making software do something: when software vendors sell their products, they talk about what the products do to make customers' lives easier, such as encapsulating business processes or something similarly positive. Following this trend, most systems for designing software also tend to describe positive features. The authors provide a nonacademic introduction to the software security best practice of misuse and abuse cases, showing you how to put the basic science to work.
 
Article
Web users face considerable fraud, malfeasance, and economic harm that system operators could prevent or mitigate. Although the legal system can respond, regulations have mixed results. The author examines the applicable legal rules that constrain online fraud and the economic underpinnings to identify whether those rules assign responsibility to the parties best positioned to take action.
 
Article
The US National Security Agency's Centers of Academic Excellence (CAEs) in Information Assurance Education program is in its seventh year, and 59 educational institutions have received the coveted "CAE" designation. The program was originally designed to jump-start education of an information security workforce by providing incentives to academic institutions to form information assurance programs and to students by providing scholarships. It has since been augmented by scholarship programs from the US National Science Foundation and the US Department of Defense. Several hundred graduates from these scholarship programs are already in the federal workforce. Indeed, information security and assurance has quickly become an important topic in computer science departments worldwide, with increasing numbers of information security specialists earning associate, undergraduate, master's, and doctoral degrees in the subject.
 
Article
We ask how one should invest one's time and money in a lifelong learning program, and if hiring personnel, what training and expertise should be looked for. In this article, we discuss general professional certifications and compare and contrast them with a bachelor's degree to help decide which is most appropriate.
 
Article
In studying how to protect the United States' critical infrastructure, a presidential commission divided it into several sectors: information and communications, banking and finance, energy, physical distribution, and vital human services. Given that all sectors are strongly interconnected, the vulnerability of one represents dangers for the others. For example, a failure in the communications infrastructure would quickly have consequences in the finance and physical distribution sectors, which rely on it for coordination. Disruption of finance and transportation would quickly spill over into the energy and human services sectors. The communications and information infrastructures' self-evident long-term dependence on energy and finance completes the cycle.
 
Article
While advances in, and diverse applications of, technology are revolutionizing our way of life, they also expose us to numerous new threats. We must understand how these highly complicated and interconnected systems work, as well as how to employ and protect them. With these concerns in mind, USMA recently added a specific academic goal of ensuring that graduates can understand and apply information technology concepts to acquiring, managing, communicating, and defending information, solving problems, and adapting to technological changes. In addition to this specific goal, the academy has integrated applications of technology into all its academic disciplines. Our ubiquitous computing environment is an integral part of developing cadets' proficiency in the use of information technology.
 
 
Article
In 2004, the American National Standards Institute approved the Role-Based Access Control standard to fulfill "a need among government and industry purchasers of information technology products for a consistent and uniform definition of role based access control (RBAC) features". Such uniform definitions give IT product vendors and customers a common and unambiguous terminology for RBAC features, which can lead to wider adoption of RBAC and increased productivity. However, the current ANSI RBAC Standard has several limitations, design flaws, and technical errors that, if unaddressed, could lead to confusion among IT product vendors and customers and to RBAC implementations with different semantics, thus defeating the standard's purpose.
 
Article
Network smart-card technology, which includes built-in networking capabilities, is proving to be effective in addressing the problems of authentication security and flexibility for Web services. The network smart card communicates with the host PC and remote machines using standard networking infrastructure. This allows it to use standard data transport security layers, turning the smart card into a capable computing node on the network. A credential-provisioning agent that runs on the card and is accessible through a Web browser, together with the personal identity broker, allows users to build a personal single-sign-on (SSO) Web service system, which can deliver standard SSO-like features without any business relationship between the corresponding Web service providers. The card can also manage the authorization/authentication factors that differentiate single-sign-on from simple sign-on systems.
 
Article
Effective security requires looking at an entire system, as this department has noted in many previous installments. Looking at only one piece leads to security trouble—and this dangerous reductionism extends to looking at only what traction representing these complex policies in formal computer terms, the infosec research community approached the challenge as any good scientist does: first, we start with a simplified model. We assume that the world is less complex, convince ourselves that we can solve the problem in this simplified world, and then move
 
Article
"For original paper see Ninghui Li et al., vol. 5, no. 6, p.41, (2007)". Some notion of roles for access control predates the research papers cited by the authors by at least a decade. Our work was designed to formalize RBAC and add features (such as hierarchies and constraints) to make it more useful to software developers and administrators. Extensive discussion of these and subsequent papers over many years led to the consensus standard for RBAC.
 
Article
Digital rights management (DRM), as both technology and law, threatens the entire system of discourse on which progress is built. It is based on a reductionist model, in which creativity and innovation are isolated actions supplied according to the economic returns promised to those who are successful. Yet science, innovation, and creativity are dynamic systems that require open discourse and readily available information to flourish. The core flaw in DRM laws and technology is the model of author as sole creator, rather than as a part of a system. The article enumerates the dramatic threats to the system of creation and innovation that the author believes exist in DRM law and technology.
 
Article
The Access Policy Tool (APT) verifies an access policy implementation against a specification of global policy that encodes best-practice recommendations. The APT specifies a network's global access policy and verifies that an implementation adheres to the global access policy exactly. The APT can analyze networks with heterogeneous mixtures of firewall brands and models and deals with sophisticated firewall features such as authentication. Users can browse the firewall rules, run the verifier, and display the results using the APT's graphical interface. They can use this to describe a network, import the network using an XML schema, or run a program that infers the network topology from the firewall rule sets. The APT automatically highlights the devices involved in the rules in the graphical display. The APT can perform an exhaustive analysis that identifies every possible flow that violates global policy in some way.
 
Article
Since wireless access points have reached commodity pricing, the appeal of deploying them in an unauthorized fashion has grown. Unlike traditional attacks, which originate outside the network, the insertion of rogue access points (RAPs) is most often due to insiders. This seemingly simple misfeasance can have significant consequences; it creates a back door to the network, completely negating the significant investment in securing the network. Several RAP detection approaches exist, but none are foolproof. Industry, government, and academia need to be aware of this problem and promote state-of-the-art detection methods.
 
Article
A privacy-aware role-based access control (P-RBAC) model that extends RBAC to express complex privacy-related policies, including such features as conditions and obligations, is discussed. P-RBAC is easy to deploy in systems already adopting RBAC, thus allowing seamless integration of access control and privacy policies. Conditional P-RBAC introduces permission assignment sets and complex Boolean expressions. It can express more complex conditions than those supported by core P-RBAC's condition language. Hierarchical P-RBAC introduces the notions of role hierarchy, object hierarchy, and purpose hierarchy. P-RBAC can represent privacy law rules with obligations, illustrated using a rule from COPPA. P-RBAC features a method that handles obligations with subject binding instead of action binding.
 
Article
Today's Internet has proven to be such a valuable resource, so useful in enabling creative new forms of communication and commerce, that it has become a critical infrastructure underlying much of our economy and society. Unfortunately, today's Internet and the machines it connects have also become easy targets for economically and politically motivated attacks that exploit vulnerabilities in computer software and network protocols that were designed without security as a primary consideration. EIC Carl Landwehr explores what it will take to get the Internet to the next level.
 
Article
The rapidly increasing use of electronic voting machines in US elections provides a wonderful opportunity to teach students about computer security. In this article, we present an informal e-voting case study to achieve five learning outcomes for students in a typical college (or even high school) classroom. Our intent is to motivate a set of lessons specifically involving e-voting, as well as illustrate the usefulness of mapping outcomes to simplified case studies: (i) understanding how to write a "security specification", (ii) learning about different forms of security policies, (iii) understanding confidentiality, privacy, and information flow, (iv) recognizing the importance of considering usability from a security perspective, and (v) identifying assurance's role in establishing confidence in results.
 
Article
The border between Canada and the US is often hailed as the longest undefended border in the world. This is true for the physical border, dotted with sporadic land crossings, and even more so for the digital border, where thousands of strands of fiber span the frontier without any regulation or formality. Since the attacks of September 11, 2001, US authorities have spent untold millions of dollars guarding their frontiers to regulate what gets into the country. On the other side of the border, many Canadian jurisdictions have turned their thoughts to regulating what information flows southward, into the US. This isn't out of concern about terrorism but rather about the US response to terrorism.
 