<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><!-- generator="FeedCreator 1.7.2-ppt (info@mypapit.net)" --><rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
    <channel>
        <title>CERIAS Security Seminar Podcast</title>
        <description><![CDATA[CERIAS Security Seminar series video podcast]]></description>
        <link>http://www.cerias.purdue.edu/security_seminar/</link>
        <lastBuildDate>Mon, 23 Nov 2009 01:43:07 +0100</lastBuildDate>
        <generator>FeedCreator 1.7.2-ppt (info@mypapit.net)</generator>
        <image>
            <url>http://www.cerias.purdue.edu/images/logo_cerias.png</url>
            <title>CERIAS Logo</title>
            <link>http://www.cerias.purdue.edu/security_seminar/</link>
        </image>
        <media:thumbnail url="http://www.cerias.purdue.edu/images/itunes_seminar.jpg" /><media:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</media:keywords><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Education/Higher Education</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Education/Training</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Business</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Science &amp; Medicine/Social Sciences</media:category><itunes:owner><itunes:email>webmaster@cerias.purdue.edu</itunes:email><itunes:name>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:name></itunes:owner><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:explicit>no</itunes:explicit><itunes:image href="http://www.cerias.purdue.edu/images/itunes_seminar.jpg" /><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><itunes:subtitle>The weekly CERIAS security seminar has been held every semester since spring of 1992. We invite personnel at Purdue and visitors from outside to present on topics of particular interest to them in the areas of computer and network security, computer crime</itunes:subtitle><itunes:summary>The weekly CERIAS security seminar has been held every semester since spring of 1992. 
We invite personnel at Purdue and visitors from outside to present on topics of particular interest to them in the areas of computer and network security, computer crime investigation, information warfare, information ethics, public policy for computing and security, the computing "underground," and other related topics.</itunes:summary><itunes:category text="Technology" /><itunes:category text="Education"><itunes:category text="Higher Education" /></itunes:category><itunes:category text="Education"><itunes:category text="Training" /></itunes:category><itunes:category text="Business" /><itunes:category text="Science &amp; Medicine"><itunes:category text="Social Sciences" /></itunes:category><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://www.cerias.purdue.edu/feeds/seminars_podcast" type="application/rss+xml" /><feedburner:emailServiceId>CeriasSecuritySeminarPodcast</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare 
href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare href="http://www.live.com/?add=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://tkfiles.storage.msn.com/x1piYkpqHC_35nIp1gLE68-wvzLZO8iXl_JMledmJQXP-XTBOLfmQv4zhj4MhcWEJh_GtoBIiAl1Mjh-ndp9k47If7hTaFno0mxW9_i3p_5qQw">Subscribe with Live.com</feedburner:feedFlare><feedburner:feedFlare href="http://odeo.com/listen/subscribe?feed=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://odeo.com/img/badge-channel-black.gif">Subscribe with ODEO</feedburner:feedFlare><feedburner:feedFlare href="http://www.podnova.com/add.srf?url=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://www.podnova.com/img_chicklet_podnova.gif">Subscribe with Podnova</feedburner:feedFlare><feedburner:feedFlare href="http://www.podcastready.com/oneclick_bookmark.php?url=http%3A%2F%2Fwww.cerias.purdue.edu%2Ffeeds%2Fseminars_podcast" src="http://www.podcastready.com/images/podcastready_button.gif">Subscribe with Podcast Ready</feedburner:feedFlare><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
            <title>Juhee Kwon, "Information Security Management and IT Executives in a Top Management Team"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/uARWBZJKmbc/cerias_event.php</link>
            <description>As information assets have become a critical factor for enterprises to stay competitive, there is an increasing awareness of information security management. However, they are easily overlooked by those who focus only on the IT side, failing to see that human resources and policies are the most likely cause of information risks, which need to become real enterprise-wide and strategic issues. This paper examines the impacts of an IT executive’s structural status in Top Management Teams (TMTs) on information security risk management. E-Business has made it imperative for IT executives to adopt cross-functional roles due to the increased importance of securing and managing risks to information assets across the enterprise. Therefore, IT executive representation and status in a TMT is necessary to strategically and operationally conduct liaison activities between IT groups and other business units. However, there is little empirical research examining the effects of IT executives’ structural status on managing information security risks. We employ logistic regression to examine the data from 2003 to 2008 with information security breach reports and executive compensation data. We augment this data with IT internal controls information provided by external auditors. Our results demonstrate high IT executive engagement and fair compensation are associated with reduced levels of both IT internal controls weaknesses and reported information security breaches. Second, we find that pay dispersion in a TMT increases the probability of information security breaches, while IT executive turnover is not significantly associated with breaches. 
As a comprehensive analysis across the accounting, human resources, and information systems literature, this study gives firms new insights into how they set IT executive compensation strategies as well as delegate authority and responsibility for ensuring confidentiality, integrity, and availability of information assets.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/uARWBZJKmbc" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 21 Oct 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=sn06rtpvo0384486v8j4qdt3p8@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/TUDHH6RLgUg/secsem_20091021.mp4" fileSize="578493994" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>As information assets have become a critical factor for enterprises to stay competitive, there is an increasing awareness of information security management. However, they are easily overlooked by those who focus only on the IT side, failing to see that h</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>As information assets have become a critical factor for enterprises to stay competitive, there is an increasing awareness of information security management. However, they are easily overlooked by those who focus only on the IT side, failing to see that human resources and policies are the most likely cause of information risks, which need to become real enterprise-wide and strategic issues. This paper examines the impacts of an IT executive’s structural status in Top Management Teams (TMTs) on information security risk management. E-Business has made it imperative for IT executives to adopt cross-functional roles due to the increased importance of securing and managing risks to information assets across the enterprise. Therefore, IT executive representation and status in a TMT is necessary to strategically and operationally conduct liaison activities between IT groups and other business units. However, there is little empirical research examining the effects of IT executives’ structural status on managing information security risks. We employ logistic regression to examine the data from 2003 to 2008 with information security breach reports and executive compensation data. We augment this data with IT internal controls information provided by external auditors. 
Our results demonstrate high IT executive engagement and fair compensation are associated with reduced levels of both IT internal controls weaknesses and reported information security breaches. Second, we find that pay dispersion in a TMT increases the probability of information security breaches, while IT executive turnover is not significantly associated with breaches. As a comprehensive analysis across the accounting, human resources, and information systems literature, this study gives firms new insights into how they set IT executive compensation strategies as well as delegate authority and responsibility for ensuring confidentiality, integrity, and availability of information assets.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=sn06rtpvo0384486v8j4qdt3p8@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/TUDHH6RLgUg/secsem_20091021.mp4" length="578493994" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20091021.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Richard Power, "Starting Over After A Lost Decade, In Search of a Bold New Vision for Cyber Security"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/PjQWGtjZowA/cerias_event.php</link>
            <description>Starting Over After A Lost Decade, In Search of a Bold New Vision for Cyber Security: It is not enough to develop a comprehensive cyber security program that exists in isolation from the world beyond the cloud and the cables. We have to understand the political, economic and social environments that impact our ability to deliver security, as well as our own organizational cultures. We cannot wage a 21st Century struggle for hearts and minds with a 20th Century world-view anymore than we can wage a 21st Century struggle to secure information and systems with 20th Century technology. A bold new vision is needed, one that is holistic and evolves out of transformative metaphors that reframe our concepts about security.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/PjQWGtjZowA" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 30 Sep 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=dacmgpv09eadjn4urnfqc1pgso@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/a6rPa3kkmro/secsem_20090930.mp4" fileSize="742943778" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Starting Over After A Lost Decade, In Search of a Bold New Vision for Cyber Security: It is not enough to develop a comprehensive cyber security program that exists in isolation from the world beyond the cloud and the cables. We have to understand the pol</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Starting Over After A Lost Decade, In Search of a Bold New Vision for Cyber Security: It is not enough to develop a comprehensive cyber security program that exists in isolation from the world beyond the cloud and the cables. We have to understand the political, economic and social environments that impact our ability to deliver security, as well as our own organizational cultures. We cannot wage a 21st Century struggle for hearts and minds with a 20th Century world-view anymore than we can wage a 21st Century struggle to secure information and systems with 20th Century technology. A bold new vision is needed, one that is holistic and evolves out of transformative metaphors that reframe our concepts about security.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=dacmgpv09eadjn4urnfqc1pgso@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/a6rPa3kkmro/secsem_20090930.mp4" length="742943778" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090930.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Rick Aldrich, "The Importance of Law in Cybersecurity, Recent Developments and Trends in ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/8WkbAUx7w2k/cerias_event.php</link>
            <description>Information security professionals increasingly need to be familiar with developments in cyberlaw to ensure they comport their actions with the contours of the law.  Unfortunately, with technology changing far faster than the statutes, judges are increasingly being called upon to fill in the interstices.  In this interactive session, facts from actual cases will be presented in a “You Be the Judge” format to highlight important developments in recent cases and identify key trends in the case law.  What is the legal efficacy of a click-through consent banner and how does this impact information security professionals?  What constitutes an “interception” and what types of interceptions are legal and illegal?  What law dictates whether an employer can or cannot inspect its employee’s personal e-mail messages?  Do individuals have to divulge their encryption keys when requested to do so by border guards or law enforcement agents?  Are there jurisdictional borders in cyberspace?  Who has jurisdiction and how does the law apply in virtual worlds?  How do extradition laws apply to cybercrimes?  These and many other questions will be answered in this interactive seminar.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/8WkbAUx7w2k" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 23 Sep 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=f8s87fcs5pub9457f89tjm16u8@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/J5Kth62H1xk/secsem_20090923.mp4" fileSize="681861697" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Information security professionals increasingly need to be familiar with developments in cyberlaw to ensure they comport their actions with the contours of the law. Unfortunately, with technology changing far faster than the statutes, judges are increasin</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Information security professionals increasingly need to be familiar with developments in cyberlaw to ensure they comport their actions with the contours of the law. Unfortunately, with technology changing far faster than the statutes, judges are increasingly being called upon to fill in the interstices. In this interactive session, facts from actual cases will be presented in a “You Be the Judge” format to highlight important developments in recent cases and identify key trends in the case law. What is the legal efficacy of a click-through consent banner and how does this impact information security professionals? What constitutes an “interception” and what types of interceptions are legal and illegal? What law dictates whether an employer can or cannot inspect its employee’s personal e-mail messages? Do individuals have to divulge their encryption keys when requested to do so by border guards or law enforcement agents? Are there jurisdictional borders in cyberspace? Who has jurisdiction and how does the law apply in virtual worlds? How do extradition laws apply to cybercrimes? 
These and many other questions will be answered in this interactive seminar.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=f8s87fcs5pub9457f89tjm16u8@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/J5Kth62H1xk/secsem_20090923.mp4" length="681861697" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090923.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Jerry Saulman, "From Security Architecture to Implementation"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/OGKLkFo8qw8/cerias_event.php</link>
            <description>From security architecture to implementation details... what matters when a customer faces a project to implement a global J2EE application? This presentation will cover some of the more pertinent concepts and details involved from real world experiences in customer environments.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/OGKLkFo8qw8" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 16 Sep 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=pnanegq6pj4b77mimj7aq8km3s@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/qlkv0fdGIA8/secsem_20090916.mp4" fileSize="521237647" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>From security architecture to implementation details... what matters when a customer faces a project to implement a global J2EE application? This presentation will cover some of the more pertinent concepts and details involved from real world experiences </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>From security architecture to implementation details... what matters when a customer faces a project to implement a global J2EE application? This presentation will cover some of the more pertinent concepts and details involved from real world experiences in customer environments.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=pnanegq6pj4b77mimj7aq8km3s@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/qlkv0fdGIA8/secsem_20090916.mp4" length="521237647" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090916.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Peter Mork, "Database Assurance: Anomaly Detection for Relational Databases"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/a1zn_-NCvCE/cerias_event.php</link>
            <description>Behind countless complex applications lurk trusty relational databases that are responsible for managing the data that fuel these applications. For example, relational databases are used to support electronic medical health record systems, timecard reporting systems, and transportation systems. Ideally, the relational database system has been sufficiently hardened to prevent exfiltration or modification of data. Unfortunately, adversaries often have insider access to the networks and machines on which the database is running and can easily circumvent such security measures. Therefore, in this research project, we create profiles of known, legitimate behavior so that we can flag any anomalous behavior as potentially illegitimate.&lt;br /&gt;&lt;br /&gt;In this presentation, because SQL injection remains the #1 attack vector, I will first illustrate how SQL injection attacks can exfiltrate data from a database system.  I will then discuss various locations within the database engine that one might monitor activity, highlighting the benefits of placing a monitor between the query optimizer and query execution engine.  Next, I will describe how we use cross-feature analysis to generate profiles of legitimate behavior and how these profiles are used at run-time to identify anomalous activity.  Then, I will present experimental results both in terms of performance overhead and precision/recall.  I will conclude with a discussion of when our techniques are most applicable and how a clever adversary might nevertheless elude our monitor.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/a1zn_-NCvCE" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 09 Sep 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=kbfqk4kapr8jhnbhghve0ervtc@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/-WNhR0tO180/secsem_20090909.mp4" fileSize="607859366" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Behind countless complex applications lurk trusty relational databases that are responsible for managing the data that fuel these applications. For example, relational databases are used to support electronic medical health record systems, timecard report</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Behind countless complex applications lurk trusty relational databases that are responsible for managing the data that fuel these applications. For example, relational databases are used to support electronic medical health record systems, timecard reporting systems, and transportation systems. Ideally, the relational database system has been sufficiently hardened to prevent exfiltration or modification of data. Unfortunately, adversaries often have insider access to the networks and machines on which the database is running and can easily circumvent such security measures. Therefore, in this research project, we create profiles of known, legitimate behavior so that we can flag any anomalous behavior as potentially illegitimate. In this presentation, because SQL injection remains the #1 attack vector, I will first illustrate how SQL injection attacks can exfiltrate data from a database system. I will then discuss various locations within the database engine that one might monitor activity, highlighting the benefits of placing a monitor between the query optimizer and query execution engine. Next, I will describe how we use cross-feature analysis to generate profiles of legitimate behavior and how these profile are used at run-time to identify anomalous activity. Then, I will present experimental results both in terms of performance overhead and precision/recall. 
I will conclude with a discussion of when our techniques are most applicable and how a clever adversary might nevertheless elude our monitor.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=kbfqk4kapr8jhnbhghve0ervtc@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/-WNhR0tO180/secsem_20090909.mp4" length="607859366" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090909.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ragib Hasan, "Fake Picassos, Tampered History, and Digital Forgery: Protecting the ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/atU0ztTgDfg/cerias_event.php</link>
            <description>As increasing amounts of valuable information are produced and persist&lt;br /&gt;digitally, the ability to determine the origin of data becomes&lt;br /&gt;important. In science, medicine, commerce, and government, data&lt;br /&gt;provenance tracking is essential for rights protection, regulatory&lt;br /&gt;compliance, management of intelligence and medical data, and&lt;br /&gt;authentication of information as it flows through workplace tasks.&lt;br /&gt;While significant research has been conducted in this area, the&lt;br /&gt;associated security and privacy issues have not been explored, leaving&lt;br /&gt;provenance information vulnerable to illicit alteration as it passes&lt;br /&gt;through untrusted environments.&lt;br /&gt;&lt;br /&gt;In this talk, we show how to provide strong integrity and&lt;br /&gt;confidentiality assurances for data provenance information in an&lt;br /&gt;untrusted distributed environment. We describe our provenance-aware&lt;br /&gt;system prototype that implements provenance tracking of data writes at&lt;br /&gt;the application layer, which makes it extremely easy to deploy. We&lt;br /&gt;present empirical results that show that, for typical real-life&lt;br /&gt;workloads, the run-time overhead of our approach to recording&lt;br /&gt;provenance with confidentiality and integrity guarantees ranges from&lt;br /&gt;1% - 13%.&lt;br /&gt;&lt;br /&gt;For more details, please refer to http://dais.cs.uiuc.edu/provenance&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/atU0ztTgDfg" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 02 Sep 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=4vpag9q4f42cdd3mi03ujv7bo8@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/xH1_8Qesldg/secsem_20090902.mp4" fileSize="641496777" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, r</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through workplace tasks. While significant research has been conducted in this area, the associated security and privacy issues have not been explored, leaving provenance information vulnerable to illicit alteration as it passes through untrusted environments. In this talk, we show how to provide strong integrity and confidentiality assurances for data provenance information in an untrusted distributed environment. We describe our provenance-aware system prototype that implements provenance tracking of data writes at the application layer, which makes it extremely easy to deploy. We present empirical results that show that, for typical real-life workloads, the run-time overhead of our approach to recording provenance with confidentiality and integrity guarantees ranges from 1% - 13%. 
For more details, please refer to http://dais.cs.uiuc.edu/provenance </itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=4vpag9q4f42cdd3mi03ujv7bo8@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/xH1_8Qesldg/secsem_20090902.mp4" length="641496777" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090902.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ian Goldberg, "Sphinx: A Compact and Provably Secure Mix Format"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/7lGp_3N1Ihc/cerias_event.php</link>
            <description>Mix networks, originally proposed in 1981, provide a way for Internet&lt;br /&gt;users to send messages--such as email, blog posts, or tweets--without&lt;br /&gt;automatically revealing their identities or their locations.  In this&lt;br /&gt;talk, we will describe Sphinx, a cryptographic message format used to&lt;br /&gt;relay anonymized messages within a mix network.  It is the first scheme&lt;br /&gt;to support a full set of security features: compactness, efficiency,&lt;br /&gt;provable security, indistinguishable replies, hiding the path length and&lt;br /&gt;relay position, as well as providing unlinkability for each leg of the&lt;br /&gt;message's journey over the network.  We will compare Sphinx to other mix&lt;br /&gt;formats, and will also briefly outline Sphinx's security reduction&lt;br /&gt;proof.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/7lGp_3N1Ihc" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 26 Aug 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=q92p28mfq4d6dg1lpabn6vinn4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/WH3lj_5cOz8/secsem_20090826.mp4" fileSize="674689376" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Mix networks, originally proposed in 1981, provide a way for Internet users to send messages--such as email, blog posts, or tweets--without automatically revealing their identities or their locations. In this talk, we will describe Sphinx, a cryptographic</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Mix networks, originally proposed in 1981, provide a way for Internet users to send messages--such as email, blog posts, or tweets--without automatically revealing their identities or their locations. In this talk, we will describe Sphinx, a cryptographic message format used to relay anonymized messages within a mix network. It is the first scheme to support a full set of security features: compactness, efficiency, provable security, indistinguishable replies, hiding the path length and relay position, as well as providing unlinkability for each leg of the message's journey over the network. We will compare Sphinx to other mix formats, and will also briefly outline Sphinx's security reduction proof.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=q92p28mfq4d6dg1lpabn6vinn4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/WH3lj_5cOz8/secsem_20090826.mp4" length="674689376" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090826.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Joe Judge, "Software Assurance: Motivation, Background, and Acquisition Pursuits"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/HbYlZtt61jk/cerias_event.php</link>
            <description>This Software Assurance (SwA) talk is a slightly different spin on the SwA presentation and discussion. The need for measurable SwA, for the purposes of presenting an assurance "case", is explained from a practitioner's point of view. Current pursuits and practices are shared in the context of what is needed from the SwA industry.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/HbYlZtt61jk" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 22 Apr 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=305jse3d87ai1odksbsbg50e7k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/5R2fLl0AZwE/secsem_20090422.mp4" fileSize="704081376" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>This Software Assurance (SwA) is a slightly different spin on the SwA presentation and discussion. The need for measurable SwA, for the purposes of presenting and assurance "case" and explained with a practitioner's point of view. Current pursuits and pra</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>This Software Assurance (SwA) is a slightly different spin on the SwA presentation and discussion. The need for measurable SwA, for the purposes of presenting and assurance "case" and explained with a practitioner's point of view. Current pursuits and practices are shared with the context of what is needed from the SwA industry.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=305jse3d87ai1odksbsbg50e7k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/5R2fLl0AZwE/secsem_20090422.mp4" length="704081376" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090422.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>John D'Arcy, "USER AWARENESS OF SECURITY COUNTERMEASURES AND ITS IMPACT ON INFORMATION ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/th_Zw1wzVik/cerias_event.php</link>
            <description>Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50-75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This study presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions varies based on one’s level of morality. The results have implications for both the research and practice of IS security.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/th_Zw1wzVik" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 15 Apr 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=coab6rs9arbuuiv6av213vraik@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/SFGYV_U6jLg/secsem_20090415.mp4" fileSize="685748922" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50-75% of security incidents originate from within an organization. Becau</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50-75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This study presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions vary based on one’s level of morality. 
The results have implications for both the research and practice of IS security.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=coab6rs9arbuuiv6av213vraik@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/SFGYV_U6jLg/secsem_20090415.mp4" length="685748922" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090415.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Johann-Christoph Freytag, "Privacy – from accessing databases to location based ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/aTEcXJTXmKE/cerias_event.php</link>
            <description>Over the last years it has become apparent that privacy issues become more&lt;br /&gt;and more important when accessing data sources either on the Web or by&lt;br /&gt;database management systems. That is, the user does not only want to hide&lt;br /&gt;the query, but also the result of that query from others. In the past the&lt;br /&gt;problem of querying a database privately was solved by organizational rather&lt;br /&gt;than by technical means.&lt;br /&gt;&lt;br /&gt;In this talk we describe the problem of querying databases privately more&lt;br /&gt;formally and discuss existing solutions from the area of private information&lt;br /&gt;retrieval (PIR). The lack of efficiency and scalability motivated us to look&lt;br /&gt;for alternative approaches using a so-called “secure co-processor” (built by&lt;br /&gt;IBM). We introduce a set of algorithms that take advantage of the (physical)&lt;br /&gt;properties of the co-processor and show which algorithms are necessary to&lt;br /&gt;guarantee privacy for database queries. In the last part of my talk I&lt;br /&gt;briefly describe our vision of how to extend the current privacy approach to&lt;br /&gt;location-based services, in particular to moving objects such as vehicles&lt;br /&gt;(cars).&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/aTEcXJTXmKE" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 08 Apr 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=e8rciqt0ho99btdi0dr07vekms@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/dbiTWvrgMVo/secsem_20090408.mp4" fileSize="617195405" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Over the last years it has become apparent that privacy issues become more and more important when accessing data sources either on the Web or by database management systems. That is, the user does not only want to hide the query, but also the result of t</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Over the last years it has become apparent that privacy issues become more and more important when accessing data sources either on the Web or by database management systems. That is, the user does not only want to hide the query, but also the result of that query from others. In the past the problem of querying a database privately was solved by organizational rather than by technical means. In this talk we describe the problem of querying databases privately more formally and discuss existing solutions from the area of private information retrieval (PIR). The lack of efficiency and scalability motivated us look for alternative approaches using a so called “secure co-processor” (built by IBM). We introduce a set of algorithms that take advantage of the (physical) properties of the co-processor and show which algorithms are necessary to guarantee privacy for database queries. 
In the last part of my talk I briefly describe our vision how to extend the current privacy approach to location-based services, in particular to moving objects such as vehicles (cars).</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=e8rciqt0ho99btdi0dr07vekms@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/dbiTWvrgMVo/secsem_20090408.mp4" length="617195405" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090408.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Melissa Dark, "An Analysis of Data Breach Disclosure"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/ajrp3_eS4zY/cerias_event.php</link>
            <description>In the past six years, 44 states in the United States have embraced a new form of privacy and identity theft regulation – mandatory disclosure of data breach information.   Information disclosure regulation is a form of legislation considered effective for issues that span consumer protection and risk and where market mechanisms would/could work effectively to shape consumer and producer behavior and bring about allocative efficiency.  Informational regulation is a new approach in the data privacy milieu, but has a precedent in environmental and health policy.  While data breach information disclosure policies intend to have an impact on consumer and producer behavior, little is known about the costs and benefits of these policies and whether they are in fact enhancing social welfare in the area of identity theft and privacy.  This talk addresses this relatively nascent public policy phenomenon with a focus on future considerations for policy analysis in this area to determine if and how such policy may be affecting the state of information assurance and security in the USA.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/ajrp3_eS4zY" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 01 Apr 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=fellr9beb6v44grtru4e3rsdjo@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/Ou1bAJY2XXU/secsem_20090401.mp4" fileSize="689860984" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>In the past six years, 44 states in the United States have embraced a new form of privacy and identity theft regulation – mandatory disclosure of data breach information. Information disclosure regulation is a form of legislation considered effective fo</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>In the past six years, 44 states in the United States have embraced a new form of privacy and identity theft regulation – mandatory disclosure of data breach information. Information disclosure regulation is a form of legislation considered effective for issues that span consumer protection and risk and where market mechanisms would/could work effectively to shape consumer and producer behavior and bring about allocative efficiency. Informational regulation is a new approach in the data privacy milieu, but has a precedent in environmental and health policy. While data breach information disclosure policies intend to have an impact on consumer and producer behavior, little is known about the costs and benefits of these policies and whether they are in fact enhancing social welfare in the area of identity theft and privacy. 
This talk addresses this relatively nascent public policy phenomenon with a focus on future considerations for policy analysis in this area to determine if and how such policy may be affecting the state of information assurance and security in the USA.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=fellr9beb6v44grtru4e3rsdjo@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/Ou1bAJY2XXU/secsem_20090401.mp4" length="689860984" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090401.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>, "Rick Clark, Ontario Systems"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/-ThI69vkHKA/cerias_event.php</link>
            <description>&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/-ThI69vkHKA" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 25 Mar 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=sq51cntjc68182avfn8ucd3pvk@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/aYZgU6k5M20/secsem_20090325.mp4" fileSize="610741647" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=sq51cntjc68182avfn8ucd3pvk@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/aYZgU6k5M20/secsem_20090325.mp4" length="610741647" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090325.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Arjan Durresi, "Security for the Next Internet over Heterogeneous Environments"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/xb88HJ7evG4/cerias_event.php</link>
            <description>The networking research community is working to design the Next Generation Internet, which will meet the needs of the twenty-first century. The first requirement for the Next Generation Internet is security. Furthermore, the Internet will include heterogeneous environment, such as cellular and sensor networks.  In this talk, I will present our research work related to above mentioned problems and focusing on a new security oriented Internet architecture and security solutions for heterogeneous environments.&lt;br /&gt;&lt;br /&gt;It should allow receivers to set policies for how and where they receive their information.  The Next Generation Internet should be designed for mobile objects. Naming, addressing architecture, and routing have to be such that these objects can move and decide how and where they want to receive their Internet traffic with full rights of privacy of their location, if desired.  In this talk, I will present our research work related to above mentioned problems and focusing on Internet architecture, mobile, wireless and security issues.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/xb88HJ7evG4" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 11 Mar 2009 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=g2hdabp6ghn2in9rbavjgp6k6k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/qR48N0-RRA8/secsem_20090311.mp4" fileSize="665827736" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The networking research community is working to design the Next Generation Internet, which will meet the needs of the twenty-first century. The first requirement for the Next Generation Internet is security. Furthermore, the Internet will include heteroge</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The networking research community is working to design the Next Generation Internet, which will meet the needs of the twenty-first century. The first requirement for the Next Generation Internet is security. Furthermore, the Internet will include heterogeneous environment, such as cellular and sensor networks. In this talk, I will present our research work related to above mentioned problems and focusing on a new security oriented Internet architecture and security solutions for heterogeneous environments. It should allow receivers to set policies for how and where they receive their information. The Next Generation Internet should be designed for mobile objects. Naming, addressing architecture, and routing have to be such that these objects can move and decide how and where they want to receive their Internet traffic with full rights of privacy of their location, if desired. 
In this talk, I will present our research work related to above mentioned problems and focusing on Internet architecture, mobile, wireless and security issues.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=g2hdabp6ghn2in9rbavjgp6k6k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/qR48N0-RRA8/secsem_20090311.mp4" length="665827736" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090311.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Jeremy Rasmussen, "The Best Defense is Information"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/DkX3X-hUuRM/cerias_event.php</link>
            <description>In the course of doing security vulnerability testing for government and commercial clients over the past 10 years, our Information Security Solutions team at Sypris Electronics has seen a lot of interesting things—perhaps none more so than a recent attack witnessed on a client’s network targeted by a buffer overflow on a popular application.  The attack launched a trojan horse, which then dropped in another piece of malware that stealthily connected out to several sites to receive command and control.  We will go down the rabbit hole with the attack (as much as I can publicly divulge), talk about our approach to the forensic investigation, and how the client was advised to implement countermeasures to provide an overall framework of security against future attacks.&lt;br /&gt;&lt;br /&gt;It is possible people may have known about this particular exploit for more than six months before it was publicly disclosed, and the vendor still has not published a patch for it.  Therefore, in this talk, we will also explore the concept of responsible disclosure, information sharing (minus attribution), and how all of this possibly fits into the Presidential Comprehensive National Cybersecurity Initiative (CNCI).&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/DkX3X-hUuRM" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 04 Mar 2009 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5r2pb4ieup4ve9c70c2rccep6o@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/NuSVfGO45xY/secsem_20090304.mp4" fileSize="586370816" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>In the course of doing security vulnerability testing for government and commercial clients over the past 10 years, our Information Security Solutions team at Sypris Electronics has seen a lot of interesting things—perhaps none more so than a recent att</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>In the course of doing security vulnerability testing for government and commercial clients over the past 10 years, our Information Security Solutions team at Sypris Electronics has seen a lot of interesting things—perhaps none more so than a recent attack witnessed on a client’s network targeted by a buffer overflow on a popular application. The attack launched a trojan horse, which then dropped in another piece of malware that stealthily connected out to several sites to receive command and control. We will go down the rabbit hole with the attack (as much as I can publicly divulge), talk about our approach to the forensic investigation, and how the client was advised to implement countermeasures to provide an overall framework of security against future attacks. It is possible people may have known about this particular exploit for more than six months before it was publicly disclosed, and the vendor still has not published a patch for it. 
Therefore, in this talk, we will also explore the concept of responsible disclosure, information sharing (minus attribution), and how all of this possibly fits into the Presidential Comprehensive National Cybersecurity Initiative (CNCI).</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5r2pb4ieup4ve9c70c2rccep6o@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/NuSVfGO45xY/secsem_20090304.mp4" length="586370816" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090304.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Mummoorthy Murugesan, "Providing Privacy through Plausibly Deniable Search"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/RojehwxuP3s/cerias_event.php</link>
            <description>Query-based web search is becoming an integral part of many people's daily activities.  Most do not realize that their search history can be used to identify them (and their interests). In July 2006, AOL released an anonymized search query log of some 600K randomly selected users. While valuable as a research tool, the anonymization was insufficient:  individuals could be identified from the contents of the queries alone. Government requests for such logs serve to increase the concern. To address this problem, we propose a client-centered approach of "plausibly deniable search". Each user query is substituted with a standard, closely-related query intended to fetch the desired results. In addition, a set of k-1 cover queries are issued; these have characteristics similar to the standard query but on unrelated topics. The system provides a property that any of these k queries will produce the same set of k queries, giving k possible topics the user could have been searching for. We use a Latent Semantic Indexing (LSI) based technique to generate queries, and evaluate on the DMOZ webpage collection to show the effectiveness of the proposed approach.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/RojehwxuP3s" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 25 Feb 2009 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=neqk86mje6sn8h5q10il4didn4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/RKqReicgiQ4/secsem_20090225.mp4" fileSize="260550528" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Query-based web search is becoming an integral part of many people's daily activities. Most do not realize that their search history can be used to identify them (and their interests). In July 2006, AOL released an anonymized search query log of some 600K</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Query-based web search is becoming an integral part of many people's daily activities. Most do not realize that their search history can be used to identify them (and their interests). In July 2006, AOL released an anonymized search query log of some 600K randomly selected users. While valuable as a research tool, the anonymization was insufficient: individuals could be identified from the contents of the queries alone. Government requests for such logs serve to increase the concern. To address this problem, we propose a client-centered approach of "plausibly deniable search". Each user query is substituted with a standard, closely-related query intended to fetch the desired results. In addition, a set of k-1 cover queries are issued; these have characteristics similar to the standard query but on unrelated topics. The system provides a property that any of these k queries will produce the same set of k queries, giving k possible topics the user could have been searching for. 
We use a Latent Semantic Indexing (LSI) based technique to generate queries, and evaluate on the DMOZ webpage collection to show the effectiveness of the proposed approach.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=neqk86mje6sn8h5q10il4didn4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/RKqReicgiQ4/secsem_20090225.mp4" length="260550528" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090225.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Charles Killian, "Mace: Systems and Language Support for Building Correct, ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/QxM8NI7H12I/cerias_event.php</link>
            <description>Building distributed systems is particularly difficult because of the&lt;br /&gt;asynchronous, heterogeneous, and failure-prone environment where these&lt;br /&gt;systems must run.  This asynchrony makes verifying the correctness of&lt;br /&gt;systems implementations even more challenging.  Tools for building&lt;br /&gt;distributed systems must strike a compromise between reducing programmer&lt;br /&gt;effort and increasing system efficiency.  Mace is a C++ language&lt;br /&gt;extension, compiler, runtime, and toolset, that translates a concise but&lt;br /&gt;expressive distributed system specification into a C++ implementation.&lt;br /&gt;Mace exploits a natural decomposition of distributed systems into a&lt;br /&gt;layered, event-driven state machine.  A key design principle of Mace is&lt;br /&gt;to separate each service algorithm from the implementation mechanics&lt;br /&gt;(serialization, dispatch, synchronization, etc.), debugging code (logging&lt;br /&gt;and property testing), and its utility services (lower-level services&lt;br /&gt;providing a specified interface).  Our experience indicates that&lt;br /&gt;precisely because Mace imposes limits on the design structure of&lt;br /&gt;distributed systems, it supports the implementation of a wide variety of&lt;br /&gt;high-level supporting tools, including model checking, simulation, live&lt;br /&gt;debugging, and visualization.  Mace is fully operational, has been in&lt;br /&gt;development for four years, and has been used to build a wide variety of&lt;br /&gt;Internet-ready distributed systems.  This talk will describe both the&lt;br /&gt;Mace programming language design and MaceMC, the first model checker&lt;br /&gt;that can find liveness violations in unmodified systems implementations.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/QxM8NI7H12I" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 18 Feb 2009 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=hs21c4c6ernu25oof63u6vvhog@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/h0enKHBBdas/secsem_20090218.mp4" fileSize="373888547" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Building distributed systems is particularly difficult because of the asynchronous, heterogeneous, and failure-prone environment where these systems must run. This asynchrony makes verifying the correctness of systems implementations even more challenging</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Building distributed systems is particularly difficult because of the asynchronous, heterogeneous, and failure-prone environment where these systems must run. This asynchrony makes verifying the correctness of systems implementations even more challenging. Tools for building distributed systems must strike a compromise between reducing programmer effort and increasing system efficiency. Mace is a C++ language extension, compiler, runtime, and toolset, that translates a concise but expressive distributed system specification into a C++ implementation. Mace exploits a natural decomposition of distributed systems into a layered, event-driven state machine. A key design principle of Mace is to separate each service algorithm from the implementation mechanics (serialization, dispatch, synchronization, etc.), debugging code (logging and property testing), and its utility services (lower-level services providing a specified interface). Our experience indicates that precisely because Mace imposes limits on the design structure of distributed systems, it supports the implementation of a wide variety of high-level supporting tools, including model checking, simulation, live debugging, and visualization. Mace is fully operational, has been in development for four years, and has been used to build a wide variety of Internet-ready distributed systems. 
This talk will describe both the Mace programming language design and MaceMC, the first model checker that can find liveness violations in unmodified systems implementations.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=hs21c4c6ernu25oof63u6vvhog@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/h0enKHBBdas/secsem_20090218.mp4" length="373888547" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090218.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Mehmet Sahinoglu, "Quantitative Risk Assessment of Software Security and Privacy, and Risk ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/sSwgJK1SHaM/cerias_event.php</link>
            <description>The need for information security is undeniable and self-evident. The pervasiveness of this critical topic requires primarily risk assessment and management through quantitative means. To conduct an assessment, repeated security probes, surveys, and input data measurements must be taken and verified toward the goal of risk mitigation with minimal cost. One can evaluate risk using a probabilistically accurate statistical estimation scheme in a quantitative security meter (SM) model that mimics the events of the breach of security. An empirical study using Java code is presented and its accuracy is verified by discrete-event or Monte Carlo simulations. The design improves as more data are collected and updated. Practical aspects of the SM are presented with a real-world example as related to a PC user and a risk-management scenario using the Game Theory approach for optimal cost mitigation results. &lt;br /&gt;&lt;br /&gt;Index Terms(10)— Quantitative Risk Assessment, Cost Mitigation, Countermeasure, Security, Privacy, Management, Simulation, Threat, Vulnerability, Game Theory&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/sSwgJK1SHaM" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 11 Feb 2009 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=rd9rstirre1jjq4edv2dmf2i4s@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/TxOuqVTzyR4/secsem_20090211.mp4" fileSize="915762670" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The need for information security is undeniable and self-evident. The pervasiveness of this critical topic requires primarily risk assessment and management through quantitative means. To conduct an assessment, repeated security probes, surveys, and input</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The need for information security is undeniable and self-evident. The pervasiveness of this critical topic requires primarily risk assessment and management through quantitative means. To conduct an assessment, repeated security probes, surveys, and input data measurements must be taken and verified toward the goal of risk mitigation with minimal cost. One can evaluate risk using a probabilistically accurate statistical estimation scheme in a quantitative security meter (SM) model that mimics the events of the breach of security. An empirical study using Java code is presented and its accuracy is verified by discrete-event or Monte Carlo simulations. The design improves as more data are collected and updated. Practical aspects of the SM are presented with a real-world example as related to a PC user and a risk-management scenario using the Game Theory approach for optimal cost mitigation results. 
Index Terms(10)— Quantitative Risk Assessment, Cost Mitigation, Countermeasure, Security, Privacy, Management, Simulation, Threat, Vulnerability, Game Theory</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=rd9rstirre1jjq4edv2dmf2i4s@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/TxOuqVTzyR4/secsem_20090211.mp4" length="915762670" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090211.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Cassio Goldschmidt, "The dark side of software engineering and how to defend against it"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/aikbAtpiEr4/cerias_event.php</link>
            <description>If you create an application that runs on one or more computers&lt;br /&gt;connected to a network such as the internet, your code will be attacked.&lt;br /&gt;&lt;br /&gt;Consequences of compromised systems often include loss of trust,&lt;br /&gt;reputation and revenue. Software will always have defects and&lt;br /&gt;vulnerabilities. Strikes against digital assets are unquestionably on&lt;br /&gt;the rise. We can, however, make it substantially harder to find and&lt;br /&gt;exploit vulnerabilities by identifying insecure coding practices and &lt;br /&gt;developing secure alternatives.&lt;br /&gt;&lt;br /&gt;During this practical session, we'll examine in detail the principles&lt;br /&gt;behind some of the worst attack patterns seen today in the software&lt;br /&gt;industry. Most importantly, we'll learn effective defense programming&lt;br /&gt;techniques every developer must employ when building software.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/aikbAtpiEr4" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 04 Feb 2009 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=u3rtuc73s843ln2ch85ijo7vvg@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/-6qOlBUm0LA/secsem_20090204.mp4" fileSize="348145116" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>If you create an application that runs on one or more computers connected to a network such as the internet, your code will be attacked. Consequences of compromised systems often include loss of trust, reputation and revenue. Software will always have def</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>If you create an application that runs on one or more computers connected to a network such as the internet, your code will be attacked. Consequences of compromised systems often include loss of trust, reputation and revenue. Software will always have defects and vulnerabilities. Strikes against digital assets are unquestionably on the rise. We can, however, make it substantially harder to find and exploit vulnerabilities by identifying insecure coding practices and developing secure alternatives. During this practical session, we'll examine in detail the principles behind some of the worst attack patterns seen today in the software industry. Most importantly, we'll learn effective defense programming techniques every developer must employ when building software.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=u3rtuc73s843ln2ch85ijo7vvg@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/-6qOlBUm0LA/secsem_20090204.mp4" length="348145116" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090204.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ryan Riley, "An Alternate Memory Architecture for Code Injection Prevention"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Uyk5yDvuqOk/cerias_event.php</link>
            <description>Code injection attacks, in their various forms, have been in existence and been an area of consistent research for a number of years. A code injection attack is a method whereby an attacker inserts malicious code into a running computing system and transfers execution to his malicious code. In this way he can gain control of a running process or operating system due to the fact that his injected code will run at the same privilege level as the entity being attacked. At the user-level, these attacks can be used to gain access to a system through an application bug. At the kernel-level, they are commonly used to install kernel rootkits and hide an attacker's presence on a machine.&lt;br /&gt;&lt;br /&gt;In this talk I will discuss code injection with regards to the memory architecture of modern computer systems. I will compare two common memory architectures, von Neumann and Harvard, with respect to their susceptibility to code injection attacks and the advantages and disadvantages of each in practice. Based on this, I will present a third memory architecture which is immune to code injection attacks and describe implementations of it that are able to stop code injection at the user and kernel levels. My experimental results show that this architecture is able to effectively and efficiently prevent code injection attacks against unmodified operating systems and applications running on standard x86 hardware.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Uyk5yDvuqOk" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 28 Jan 2009 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=8jhbl0vljvlcdsmn7ijg57115k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/_ao7sogrss8/secsem_20090128.mp4" fileSize="235470465" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Code injection attacks, in their various forms, have been in existence and been an area of consistent research for a number of years. A code injection attack is a method whereby an attacker inserts malicious code into a running computing system and transf</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Code injection attacks, in their various forms, have been in existence and been an area of consistent research for a number of years. A code injection attack is a method whereby an attacker inserts malicious code into a running computing system and transfers execution to his malicious code. In this way he can gain control of a running process or operating system due to the fact that his injected code will run at the same privilege level as the entity being attacked. At the user-level, these attacks can be used to gain access to a system through an application bug. At the kernel-level, they are commonly used to install kernel rootkits and hide an attacker's presence on a machine. In this talk I will discuss code injection with regards to the memory architecture of modern computer systems. I will compare two common memory architectures, von Neumann and Harvard, with respect to their susceptibility to code injection attacks and the advantages and disadvantages of each in practice. Based on this, I will present a third memory architecture which is immune to code injection attacks and describe implementations of it that are able to stop code injection at the user and kernel levels. 
My experimental results show that this architecture is able to effectively and efficiently prevent code injection attacks against unmodified operating systems and applications running on standard x86 hardware.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=8jhbl0vljvlcdsmn7ijg57115k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/_ao7sogrss8/secsem_20090128.mp4" length="235470465" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090128.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Paul Kidwell, "A Rules Based Statistical Algorithm for Keystroke Detection"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/fk9HcExm1o0/cerias_event.php</link>
            <description>A rules-based statistical algorithm (RBSA) identifies packets in any TCP connection that are client keystrokes of an ssh login. The input data of the algorithm are the packet arrival times and TCP/IP headers of the connection packets at a point along the path of the connection.&lt;br /&gt;&lt;br /&gt;The algorithm is applied to all connections seen by a network monitor; ssh port 22 connections are classified as client-keystrokes or scp file transfers, and ssh keystroke connections are discovered for all other&lt;br /&gt;ports. This forms a network login database that can be further analyzed for network security monitoring and forensics. One application is to an "inside" network in which the monitor sees all connections between&lt;br /&gt;the inside and outside.&lt;br /&gt;&lt;br /&gt;The model — which uses the packet sizes, flags, and interarrival times — first goes through the packets identifying epochs of different activities, and then goes back and uses more detailed information for&lt;br /&gt;the classification. Performance from three types of packet traces is excellent.&lt;br /&gt;&lt;br /&gt;Previous work has proceeded by forming connection summary statistics from the headers and timestamps, and classifying the connection as one with keystrokes or not using the statistics. The RBSA takes on a much&lt;br /&gt;more ambitious task of classifying each packet as a client keystroke packet or not, but in the end the classification of the connection has extremely low false positives and false negatives.&lt;br /&gt;&lt;br /&gt;One important property of the RBSA is that it does not employ packet payload, as is done in some connection-level surveillance methods, so it&lt;br /&gt;cannot be defeated by an attacker through payload encryption. 
A second important property is that the inside network can be a large enterprise,&lt;br /&gt;allowing monitoring and forensics across a very large number of hosts from a single device.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/fk9HcExm1o0" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 21 Jan 2009 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5ieb641b3v6ulls9nt8177e6hc@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/3SHa2dK1UHw/secsem_20090121.mp4" fileSize="376254100" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>A rules-based statistical algorithm (RBSA) identifies packets in any TCP connection that are client keystrokes of an ssh login. The input data of the algorithm are the packet arrival times and TCP/IP headers of the connection packets at a point along the </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>A rules-based statistical algorithm (RBSA) identifies packets in any TCP connection that are client keystrokes of an ssh login. The input data of the algorithm are the packet arrival times and TCP/IP headers of the connection packets at a point along the path of the connection. The algorithm is applied to all connections seen by a network monitor; ssh port 22 connections are classified as client-keystrokes or scp file transfers, and ssh keystroke connections are discovered for all other ports. This forms a network login database that can be further analyzed for network security monitoring and forensics. One application is to an "inside" network in which the monitor sees all connections between the inside and outside. The model — which uses the packet sizes, flags, and interarrival times — first goes through the packets identifying epochs of different activities, and then goes back and uses more detailed information for the classification. Performance from three types of packet traces is excellent. Previous work has proceeded by forming connection summary statistics from the headers and timestamps, and classifying the connection as one with keystrokes or not using the statistics. The RBSA takes on a much more ambitious task of classifying each packet as a client keystroke packet or not, but in the end the classification of the connection has extremely low false positives and false negatives. 
One important property of the RBSA is that it does not employ packet payload, as is done in some connection-level surveillance methods, so it cannot be defeated by an attacker through payload encryption. A second important property is that the inside network can be a large enterprise, allowing monitoring and forensics across a very large number of hosts from a single device.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5ieb641b3v6ulls9nt8177e6hc@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/3SHa2dK1UHw/secsem_20090121.mp4" length="376254100" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090121.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Chris Clifton, "Measuring Privacy: A Risk-Based Approach"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/t5mGSlRG3S4/cerias_event.php</link>
            <description>There have been significant research developments in technology to protect privacy. Unfortunately, few of these have made the transition to practice. A large part of the problem is the lack of an accepted way to measure privacy. Legal and regulatory terms do not translate well into technological solutions, and the plethora of technical approaches do not seem to resonate with privacy advocates.&lt;br /&gt;&lt;br /&gt;This talk will discuss issues and challenges, with examples of the reason why a clear standard is difficult. A risk-based approach will be presented that allows anonymization based on controlling the potential damage from disclosure. This approach will be compared with more traditional anonymization measures, showing the difficulty of measuring&lt;br /&gt;the potential for harm from those measures.&lt;br /&gt;&lt;br /&gt;This represents joint work with Mehmet Ercan Nergiz (Purdue University) and Maurizio Atzori (University of Pisa).&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/t5mGSlRG3S4" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 14 Jan 2009 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=13s2t575cd12r2h31ducg28840@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/Z3h1HSfJTJM/secsem_20090114.mp4" fileSize="247709134" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>There have been significant research developments in technology to protect privacy. Unfortunately, few of these have made the transition to practice. A large part of the problem is the lack of an accepted way to measure privacy. Legal and regulatory terms</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>There have been significant research developments in technology to protect privacy. Unfortunately, few of these have made the transition to practice. A large part of the problem is the lack of an accepted way to measure privacy. Legal and regulatory terms do not translate well into technological solutions, and the plethora of technical approaches do not seem to resonate with privacy advocates. This talk will discuss issues and challenges, with examples of the reason why a clear standard is difficult. A risk-based approach will be presented that allows anonymization based on controlling the potential damage from disclosure. This approach will be compared with more traditional anonymization measures, showing the difficulty of measuring the potential for harm from those measures. 
This represents joint work with Mehmet Ercan Nergiz (Purdue University) and Maurizio Atzori (University of Pisa).</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=13s2t575cd12r2h31ducg28840@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/Z3h1HSfJTJM/secsem_20090114.mp4" length="247709134" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20090114.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ibrahim Baggili, "Extending anonymity research to high-tech white collar crimes and IT ..."</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/O8ZvrLVzUTE/cerias_event.php</link>
            <description>Theories of deindividuation share common grounds, one of which is anonymity. For decades, it has been hypothesized that anonymity affects human behavior. With the rise of the popularity and development of personal computing, claims are made that individuals perceive themselves to be more anonymous in computer mediated environments. This perception may be a major factor contributing to the engagement of individuals in online antisocial behaviors and in cyber criminal activities like high-tech white collar crimes and Information Technology (IT) insider threat crimes. This talk presents an overview of the literature on anonymity and the deindividuation theory. A philosophical bind is then made between the various effects of anonymity, high-tech white collar crimes and IT insider threat crimes. These philosophical accounts may be used as a cornerstone for scientific research in the new cyber crime phenomenon.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/O8ZvrLVzUTE" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 10 Dec 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5in43snmb4qka60gt39dnn1bb8@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/hK3y7gJkbIo/secsem_20081210.mp4" fileSize="591749474" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Theories of deindividuation share common grounds, one of which is anonymity. For decades, it has been hypothesized that anonymity affects human behavior. With the rise of the popularity and development of personal computing, claims are made that individua</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Theories of deindividuation share common grounds, one of which is anonymity. For decades, it has been hypothesized that anonymity affects human behavior. With the rise of the popularity and development of personal computing, claims are made that individuals perceive themselves to be more anonymous in computer mediated environments. This perception may be a major factor contributing to the engagement of individuals in online antisocial behaviors and in cyber criminal activities like high-tech white collar crimes and Information Technology (IT) insider threat crimes. This talk presents an overview of the literature on anonymity and the deindividuation theory. A philosophical bind is then made between the various effects of anonymity, high-tech white collar crimes and IT insider threat crimes. 
These philosophical accounts may be used as a cornerstone for scientific research in the new cyber crime phenomenon.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5in43snmb4qka60gt39dnn1bb8@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/hK3y7gJkbIo/secsem_20081210.mp4" length="591749474" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081210.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Weidong Cui, "Automatic Signature Generation for Unknown Vulnerabilities"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/9JV6EwMkza8/cerias_event.php</link>
            <description>In this talk, I will present a new approach to automatically generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance.  Our approach is based on two systems we developed: Tupni and ShieldGen.&lt;br /&gt;&lt;br /&gt;Tupni takes one or more input instances and reverse engineers their format by analyzing how an application parses and processes them.  Its reverse-engineered format has a rich set of information, including record sequences, record types and input constraints.  We have implemented a prototype of Tupni and demonstrated that it can effectively reverse engineer ten common, real-world file and network message formats.&lt;br /&gt;&lt;br /&gt;ShieldGen can generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance and its format.  The key novelty of ShieldGen is that it leverages knowledge of the input format to generate new potential attack instances, uses a zero-day detector as an oracle to determine if an instance can still exploit the vulnerability, and then takes the feedback of the oracle to guide its search for the vulnerability signature.  We have implemented a prototype of ShieldGen and used it to generate high-quality vulnerability signatures for three real-world vulnerabilities.&lt;br /&gt;&lt;br /&gt;By feeding the input format generated by Tupni to ShieldGen, we can automatically generate a vulnerability signature even when the format of the attack instance is unknown.  We have integrated Tupni with ShieldGen and demonstrated that we can automatically generate the vulnerability signature for a real-world WMF vulnerability given a single malicious WMF file.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=9JV6EwMkza8:hhLdUVLu2DE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=9JV6EwMkza8:hhLdUVLu2DE:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=9JV6EwMkza8:hhLdUVLu2DE:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?i=9JV6EwMkza8:hhLdUVLu2DE:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=9JV6EwMkza8:hhLdUVLu2DE:dMcygGhlNJA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=dMcygGhlNJA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=9JV6EwMkza8:hhLdUVLu2DE:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=u0Zhe-nyOHo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=9JV6EwMkza8:hhLdUVLu2DE:W1ccf-mKbkM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=W1ccf-mKbkM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/9JV6EwMkza8" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 03 Dec 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=0uo86sntfeidp7qtrtdq4jesuk@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/L0WGl9Yh9Vg/secsem_20081203.mp4" fileSize="592200827" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>In this talk, I will present a new approach to automatically generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance. Our approach is based on two systems we developed: Tupni and ShieldGen. Tupni takes one or more</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>In this talk, I will present a new approach to automatically generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance. Our approach is based on two systems we developed: Tupni and ShieldGen. Tupni takes one or more input instances and reverse engineers their format by analyzing how an application parses and processes them. Its reverse-engineered format has a rich set of information, including record sequences, record types and input constraints. We have implemented a prototype of Tupni and demonstrated that it can effectively reverse engineer ten common, real-world file and network message formats. ShieldGen can generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance and its format. The key novelty of ShieldGen is that it leverages knowledge of the input format to generate new potential attack instances, uses a zero-day detector as an oracle to determine if an instance can still exploit the vulnerability, and then takes the feedback of the oracle to guide its search for the vulnerability signature. We have implemented a prototype of ShieldGen and used it to generate high-quality vulnerability signatures for three real-world vulnerabilities. By feeding the input format generated by Tupni to ShieldGen, we can automatically generate a vulnerability signature even when the format of the attack instance is unknown. 
We have integrated Tupni with ShieldGen and demonstrated that we can automatically generate the vulnerability signature for a real-world WMF vulnerability given a single malicious WMF file.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=0uo86sntfeidp7qtrtdq4jesuk@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/L0WGl9Yh9Vg/secsem_20081203.mp4" length="592200827" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081203.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Sylvia Osborn, "The Role Graph Model and its Extensions"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/33DJYHyivbI/cerias_event.php</link>
            <description>The Role Graph Model was first introduced by Nyanchama and Osborn in 1994.  It has been extended over the years to include parameterized roles, an administrative model and a delegation model.  We will show how the semantics of our role graph operations differ from those of the ANSI standard.  Then we will discuss how to simulate DAC, and how the underlying basic model helped us to understand and expand the model to deal with delegation.  The present and future of RBAC will also be discussed.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=33DJYHyivbI:O_5ChIWMCBc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=33DJYHyivbI:O_5ChIWMCBc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=33DJYHyivbI:O_5ChIWMCBc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?i=33DJYHyivbI:O_5ChIWMCBc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=33DJYHyivbI:O_5ChIWMCBc:dMcygGhlNJA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=dMcygGhlNJA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=33DJYHyivbI:O_5ChIWMCBc:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=u0Zhe-nyOHo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=33DJYHyivbI:O_5ChIWMCBc:W1ccf-mKbkM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=W1ccf-mKbkM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/33DJYHyivbI" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 19 Nov 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=351ue19jfffl2jvl2nnbop6npk@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/kQxYHrGeVxM/secsem_20081119.mp4" fileSize="605337649" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The Role Graph Model was first introduced by Nyanchama and Osborn in 1994. It has been extended over the years to include parameterized roles, an administrative model and a delegation model. We will show how the semantics of our role graph operations diff</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The Role Graph Model was first introduced by Nyanchama and Osborn in 1994. It has been extended over the years to include parameterized roles, an administrative model and a delegation model. We will show how the semantics of our role graph operations differ from those of the ANSI standard. Then we will discuss how to simulate DAC, and how the underlying basic model helped us to understand and expand the model to deal with delegation. The present and future of RBAC will also be discussed.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=351ue19jfffl2jvl2nnbop6npk@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/kQxYHrGeVxM/secsem_20081119.mp4" length="605337649" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081119.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>John Oritz, "John Oritz, SRA International"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/eahOA08pAM8/cerias_event.php</link>
            <description>Steganography is a discipline of computer science whose aim is to conceal the existence of information. Steganography synergizes various technologies including data compression, digital signal processing, information theory, data networks, cryptography, coding theory, and the human audio and visual system. Strap on your seatbelt. I will present some key concepts of steganography, describe a number of basic and advanced spatial and transform domain techniques (with lots of pictures and sounds for the “attention-challenged”), and demonstrate these techniques using custom steganography software. The demonstrations include a Least Significant Bit (LSB) technique, High-Capacity Hiding in Jpegs, and time modulation in audio.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=eahOA08pAM8:B0zmuDTNvEw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=eahOA08pAM8:B0zmuDTNvEw:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=eahOA08pAM8:B0zmuDTNvEw:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?i=eahOA08pAM8:B0zmuDTNvEw:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=eahOA08pAM8:B0zmuDTNvEw:dMcygGhlNJA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=dMcygGhlNJA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=eahOA08pAM8:B0zmuDTNvEw:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=u0Zhe-nyOHo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=eahOA08pAM8:B0zmuDTNvEw:W1ccf-mKbkM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=W1ccf-mKbkM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/eahOA08pAM8" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 12 Nov 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=0hjkl0vvv4nrj80lttptqro9c0@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/688h4jJ3olg/secsem_20081112.mp4" fileSize="721009340" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Steganography is a discipline of computer science whose aim is to conceal the existence of information. Steganography synergizes various technologies including data compression, digital signal processing, information theory, data networks, cryptography, c</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Steganography is a discipline of computer science whose aim is to conceal the existence of information. Steganography synergizes various technologies including data compression, digital signal processing, information theory, data networks, cryptography, coding theory, and the human audio and visual system. Strap on your seatbelt. I will present some key concepts of steganography, describe a number of basic and advanced spatial and transform domain techniques (with lots of pictures and sounds for the “attention-challenged”), and demonstrate these techniques using custom steganography software. The demonstrations include a Least Significant Bit (LSB) technique, High-Capacity Hiding in Jpegs, and time modulation in audio.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=0hjkl0vvv4nrj80lttptqro9c0@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/688h4jJ3olg/secsem_20081112.mp4" length="721009340" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081112.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Scott Orton, "The "merge" of Anti-Tamper and Information Assurance - lessons ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/g-iRc33kdtY/cerias_event.php</link>
            <description>Scott Orton is the Anti-Tamper (AT) subject matter expert at Raytheon and was previously responsible for establishing the DOD AT executive agency.  Scott will discuss the trends in information security driving the merge of AT and IA.  He will also discuss valuable lessons learned from the AT community that have applicability in IA.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=g-iRc33kdtY:I2LkiEYo_Lg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=g-iRc33kdtY:I2LkiEYo_Lg:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=g-iRc33kdtY:I2LkiEYo_Lg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?i=g-iRc33kdtY:I2LkiEYo_Lg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=g-iRc33kdtY:I2LkiEYo_Lg:dMcygGhlNJA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=dMcygGhlNJA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=g-iRc33kdtY:I2LkiEYo_Lg:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=u0Zhe-nyOHo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=g-iRc33kdtY:I2LkiEYo_Lg:W1ccf-mKbkM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=W1ccf-mKbkM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/g-iRc33kdtY" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 05 Nov 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=jgu8q07357vnjk9kacgumiksss@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/uEiRDYJWofE/secsem_20081105.mp4" fileSize="731027305" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Scott Orton is the Anti-Tamper (AT) subject matter expert at Raytheon and was previously responsible for establishing the DOD AT executive agency. Scott will discuss the trends in information security driving the merge of AT and IA. He will also discuss v</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Scott Orton is the Anti-Tamper (AT) subject matter expert at Raytheon and was previously responsible for establishing the DOD AT executive agency. Scott will discuss the trends in information security driving the merge of AT and IA. He will also discuss valuable lessons learned from the AT community that have applicability in IA.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=jgu8q07357vnjk9kacgumiksss@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/uEiRDYJWofE/secsem_20081105.mp4" length="731027305" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081105.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Kenji Takahashi, "Trends in Identity Management"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/oGJXywckq04/cerias_event.php</link>
            <description>Currently many initiatives are being proposed for identity management, such as OpenID, SAML, CardSpace/Information Cards, and OAuth, as its importance is becoming apparent. Identity management is an integral part of service infrastructures to make identity available to services across organizations in a secure and privacy protected manner.  The identity data are crucial to successfully providing the privileged and personalized experiences for legitimate users of services.  Also it is important that the users should have strong control over their identity data to foster a socially responsible service industry.  &lt;br /&gt;&lt;br /&gt;This talk will give an overview of trends in identity management, and illustrate best practices and lessons learned in real settings using case studies.  The talk will also highlight standard harmonization (SAML/Liberty, OpenID, CardSpace/Information Cards, etc.) and explore the future research agenda (e.g., mobile applications).&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=oGJXywckq04:gDi02lRSG-A:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=oGJXywckq04:gDi02lRSG-A:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=oGJXywckq04:gDi02lRSG-A:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?i=oGJXywckq04:gDi02lRSG-A:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=oGJXywckq04:gDi02lRSG-A:dMcygGhlNJA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=dMcygGhlNJA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=oGJXywckq04:gDi02lRSG-A:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=u0Zhe-nyOHo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=oGJXywckq04:gDi02lRSG-A:W1ccf-mKbkM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=W1ccf-mKbkM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/oGJXywckq04" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 29 Oct 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ek50it0r7ifh6em5k2djj3vck0@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/SCb82H1NSP8/secsem_20081029.mp4" fileSize="642196515" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Currently many initiatives are being proposed for identity management, such as OpenID, SAML, CardSpace/Information Cards, and OAuth, as its importance is becoming apparent. Identity management is an integral part of service infrastructures to make iden</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Currently many initiatives are being proposed for identity management, such as OpenID, SAML, CardSpace/Information Cards, and OAuth, as its importance is becoming apparent. Identity management is an integral part of service infrastructures to make identity available to services across organizations in a secure and privacy protected manner. The identity data are crucial to successfully providing the privileged and personalized experiences for legitimate users of services. Also it is important that the users should have strong control over their identity data to foster a socially responsible service industry. This talk will give an overview of trends in identity management, and illustrate best practices and lessons learned in real settings using case studies. The talk will also highlight standard harmonization (SAML/Liberty, OpenID, CardSpace/Information Cards, etc.) 
and explore the future research agenda (e.g., mobile applications).</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ek50it0r7ifh6em5k2djj3vck0@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/SCb82H1NSP8/secsem_20081029.mp4" length="642196515" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081029.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Federica Paci, "Access Control and Resiliency for WS-BPEL"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/yd-68W9wmVk/cerias_event.php</link>
            <description>Business processes –the next generation workflows- have attracted considerable research interest in the last fifteen years. More recently, several XML-based languages have been proposed for specifying and orchestrating business processes, resulting in the WS-BPEL language. Even if WS-BPEL has been developed to specify automated business processes that orchestrate activities of multiple Web services, there are many applications and situations requiring that people be considered as additional participants that can influence the execution of a process. Significant omissions from WS-BPEL are the specification of activities that require interactions with humans to be completed, called human activities, and the specification of authorization information associating users with human activities in a WS-BPEL business process and authorization constraints, such as separation of duty, on the execution of human activities.  This talk investigates the problem of access control and resiliency for WS-BPEL processes.  Access control in the context of business process means checking whether a user claiming the execution of an activity is authorized and the execution does not violate authorization constraints. Resiliency means that even if some users become unavailable, the remaining users can still complete the execution of the process according to the stated authorizations and authorization constraints. We present RBAC-WS-BPEL, an RBAC model for WS-BPEL business processes that supports the specification of resiliency constraints, authorizations and authorization constraints on business process activities.  Resiliency constraints are evaluated when a WS-BPEL process is deployed, to check if there is a sufficient number of authorized users to perform the process so that authorization constraints are satisfied and the process terminates even if some users become unavailable.  
Authorizations and authorization constraints are evaluated whenever a user claims the execution of a business process’s activity to determine if the execution of the activity by the user does not violate any authorization constraints and does not prevent some other subsequent activities from completing.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=yd-68W9wmVk:ZEfa2IaMvuI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=yd-68W9wmVk:ZEfa2IaMvuI:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=yd-68W9wmVk:ZEfa2IaMvuI:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?i=yd-68W9wmVk:ZEfa2IaMvuI:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=yd-68W9wmVk:ZEfa2IaMvuI:dMcygGhlNJA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=dMcygGhlNJA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=yd-68W9wmVk:ZEfa2IaMvuI:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=u0Zhe-nyOHo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=yd-68W9wmVk:ZEfa2IaMvuI:W1ccf-mKbkM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=W1ccf-mKbkM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/yd-68W9wmVk" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 22 Oct 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=hhkm2j8pl6f7rkrp3rojllna8k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/TvnJUXjNd6M/secsem_20081022.mp4" fileSize="380292467" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Business processes –the next generation workflows- have attracted considerable research interest in the last fifteen years. More recently, several XML-based languages have been proposed for specifying and orchestrating business processes, resulting in t</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Business processes –the next generation workflows- have attracted considerable research interest in the last fifteen years. More recently, several XML-based languages have been proposed for specifying and orchestrating business processes, resulting in the WS-BPEL language. Even if WS-BPEL has been developed to specify automated business processes that orchestrate activities of multiple Web services, there are many applications and situations requiring that people be considered as additional participants that can influence the execution of a process. Significant omissions from WS-BPEL are the specification of activities that require interactions with humans to be completed, called human activities, and the specification of authorization information associating users with human activities in a WS-BPEL business process and authorization constraints, such as separation of duty, on the execution of human activities. This talk investigates the problem of access control and resiliency for WS-BPEL processes. Access control in the context of business process means checking whether a user claiming the execution of an activity is authorized and the execution does not violate authorization constraints. Resiliency means that even if some users become unavailable, the remaining users can still complete the execution of the process according to the stated authorizations and authorization constraints. 
We present RBAC-WS-BPEL, an RBAC model for WS-BPEL business processes that supports the specification of resiliency constraints, authorizations and authorization constraints on business process activities. Resiliency constraints are evaluated when a WS-BPEL process is deployed, to check if there is a sufficient number of authorized users to perform the process so that authorization constraints are satisfied and the process terminates even if some users become unavailable. Authorizations and authorization constraints are evaluated whenever a user claims the execution of a business process’s activity to determine if the execution of the activity by the user does not violate any authorization constraints and does not prevent some other subsequent activities from completing.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=hhkm2j8pl6f7rkrp3rojllna8k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/TvnJUXjNd6M/secsem_20081022.mp4" length="380292467" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081022.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Adam Dugger, "Signature Analysis Coupled With Slicing Analysis for the Validation of ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/kejdNShwjco/cerias_event.php</link>
            <description>What if you could determine exactly where, in any compiled binary, a security threat existed?&lt;br /&gt;&lt;br /&gt;Answering this question has been the fundamental goal of anti-virus software for many years past, with limited success.  Instead, what if you could determine not where security threats do exist, but where they could possibly exist?  This is certainly a step in the right direction for total software security -- one which puts us well on our way to being able to develop applications safe against hidden malicious code.  All of this is possible with the machine code analysis methodology known as Signature Analysis.&lt;br /&gt;&lt;br /&gt;However, consider the following question:  What if you could determine exactly where, in any compiled binary, a security threat might exist, and, further, precisely what this threat might affect later in the application’s execution?&lt;br /&gt;&lt;br /&gt;This information can be retrieved by combining the capabilities of Code Slicing Analysis with the previously mentioned Signature Analysis.  This paradigm not only assists in hardening against currently known threats, but it also identifies areas that are affected by those threats.&lt;br /&gt;&lt;br /&gt;These principles form the framework for a novel static technique for ensuring software integrity.  The goal of this seminar is to present these ideas and to discuss possible future applications.&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/kejdNShwjco" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 15 Oct 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5gbv2bhb8tbv12g4sfhapk26ic@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/8ysNBMXrD2E/secsem_20081015.mp4" fileSize="347336507" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>What if you could determine exactly where, in any compiled binary, a security threat existed? Answering this question has been the fundamental goal of anti-virus software for many years past, with limited success. Instead, what if you could determine not </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>What if you could determine exactly where, in any compiled binary, a security threat existed? Answering this question has been the fundamental goal of anti-virus software for many years past, with limited success. Instead, what if you could determine not where security threats do exist, but where they could possibly exist? This is certainly a step in the right direction for total software security -- one which puts us well on our way to being able to develop applications safe against hidden malicious code. All of this is possible with the machine code analysis methodology known as Signature Analysis. However, consider the following question: What if you could determine exactly where, in any compiled binary, a security threat might exist, and, further, precisely what this threat might affect later in the application’s execution? This information can be retrieved by combining the capabilities of Code Slicing Analysis with the previously mentioned Signature Analysis. This paradigm not only assists in hardening against currently known threats, but it also identifies areas that are affected by those threats. These principles form the framework for a novel static technique for ensuring software integrity. The goal of this seminar is to present these ideas and to discuss possible future applications. 
</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5gbv2bhb8tbv12g4sfhapk26ic@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/8ysNBMXrD2E/secsem_20081015.mp4" length="347336507" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081015.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Yuecel Karabulut, "Measuring the Attack Surfaces of Enterprise Software Systems"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/KlK2nQO8OBA/cerias_event.php</link>
            <description>Software vendors have traditionally focused on improving code quality for&lt;br /&gt;improving software security and quality. The code quality improvement effort aims toward reducing the number of design and coding errors in software. In principle, we can use formal correctness proof techniques to identify and remove all errors in software with respect to a given specification and hence remove all its vulnerabilities. In practice, however, building large and complex software devoid of errors, and hence security vulnerabilities, remains a very difficult task. Software vendors can minimize the risk associated with the exploitation of future vulnerabilities. One way to minimize the risk is by reducing the attack surfaces of their software. A smaller attack surface makes the exploitation of the vulnerabilities harder and lowers the damage of exploitation, and hence mitigates the security risk. We believe that a complete risk mitigation strategy requires a combination of code quality efforts and attack surface measurement. SAP and CMU collaborated to develop a new attack surface measurement method for measuring the attack surfaces of SAP software systems implemented in Java. We implemented a tool and demonstrated the feasibility of our approach by measuring the attack surface of an SAP software system. In this talk, we will present the attack surface measurement method and report on its application.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/KlK2nQO8OBA" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 08 Oct 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=4i2ph1uqod0agjhsto8fn2615c@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/yMPfyj_qo2U/secsem_20081008.mp4" fileSize="629845696" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Software vendors have traditionally focused on improving code quality for improving software security and quality. The code quality improvement effort aims toward reducing the number of design and coding errors in software. In principle, we can use formal</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Software vendors have traditionally focused on improving code quality for improving software security and quality. The code quality improvement effort aims toward reducing the number of design and coding errors in software. In principle, we can use formal correctness proof techniques to identify and remove all errors in software with respect to a given specification and hence remove all its vulnerabilities. In practice, however, building large and complex software devoid of errors, and hence security vulnerabilities, remains a very difficult task. Software vendors can minimize the risk associated with the exploitation of future vulnerabilities. One way to minimize the risk is by reducing the attack surfaces of their software. A smaller attack surface makes the exploitation of the vulnerabilities harder and lowers the damage of exploitation, and hence mitigates the security risk. We believe that a complete risk mitigation strategy requires a combination of code quality efforts and attack surface measurement. SAP and CMU collaborated to develop a new attack surface measurement method for measuring the attack surfaces of SAP software systems implemented in Java. We implemented a tool and demonstrated the feasibility of our approach by measuring the attack surface of an SAP software system. 
In this talk, we will present the attack surface measurement method and report on its application.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=4i2ph1uqod0agjhsto8fn2615c@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/yMPfyj_qo2U/secsem_20081008.mp4" length="629845696" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081008.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Dave Keppler, "Resilient Systems for Mission Assurance"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/qwjLir38clw/cerias_event.php</link>
            <description>The ability for information services to continue operating despite attacks is a core enabler of mission assurance goals. Existing security techniques lack this concept of resilience and are inadequate for protecting critical services and data against targeted attacks by sophisticated adversaries. Widely implemented signature and anomaly-based detection techniques fail to keep pace with the advancement of attacker sophistication.&lt;br /&gt;&lt;br /&gt;Our objective is to develop and prototype resilience techniques that make applications impervious to the damaging effects of attacks without relying on identifying and filtering specific attacks. We employ effects-based countermeasures to impart resilience to applications, creating an environment inhospitable to attack goals, and countering previously unknown attacks on service utility, in particular, code injection and data subversion.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/qwjLir38clw" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 01 Oct 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5icb9do64i73q80f0t6huo0ulg@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/u04oI6ksn6M/secsem_20081001.mp4" fileSize="458789194" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The ability for information services to continue operating despite attacks is a core enabler of mission assurance goals. Existing security techniques lack this concept of resilience and are inadequate for protecting critical services and data against targ</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The ability for information services to continue operating despite attacks is a core enabler of mission assurance goals. Existing security techniques lack this concept of resilience and are inadequate for protecting critical services and data against targeted attacks by sophisticated adversaries. Widely implemented signature and anomaly-based detection techniques fail to keep pace with the advancement of attacker sophistication. Our objective is to develop and prototype resilience techniques that make applications impervious to the damaging effects of attacks without relying on identifying and filtering specific attacks. 
We employ effects-based countermeasures to impart resilience to applications, creating an environment inhospitable to attack goals, and countering previously unknown attacks on service utility, in particular, code injection and data subversion.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5icb9do64i73q80f0t6huo0ulg@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/u04oI6ksn6M/secsem_20081001.mp4" length="458789194" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20081001.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ashish Kamra, "Responding to Anomalous Database Requests"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/tlei4z4odHc/cerias_event.php</link>
            <description>Organizations have recently shown increased interest in database activity monitoring and anomaly detection techniques to safeguard their internal databases. Once an anomaly is detected, a response from the database is needed to contain the effects of the anomaly. However, the problem of issuing an appropriate response to a detected database anomaly has received little attention so far. In this work, we propose a framework and a policy language for issuing a response to a database anomaly based on the characteristics of the anomaly. We also propose a novel approach to dynamically change the state of the access control system in order to contain the damage that may be caused by the anomalous request. We have implemented our mechanisms in the PostgreSQL DBMS and we discuss relevant implementation issues. We have also carried out an experimental evaluation to assess the performance overhead introduced by our response mechanism. The experimental results show that the techniques are very efficient.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/tlei4z4odHc" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 24 Sep 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=jg9im34rarf32p5a7o4boo4qr4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/sDkNv_2-AGI/secsem_20080924.mp4" fileSize="412188502" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Organizations have recently shown increased interest in database activity monitoring and anomaly detection techniques to safeguard their internal databases. Once an anomaly is detected, a response from the database is needed to contain the effects of the </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Organizations have recently shown increased interest in database activity monitoring and anomaly detection techniques to safeguard their internal databases. Once an anomaly is detected, a response from the database is needed to contain the effects of the anomaly. However, the problem of issuing an appropriate response to a detected database anomaly has received little attention so far. In this work, we propose a framework and a policy language for issuing a response to a database anomaly based on the characteristics of the anomaly. We also propose a novel approach to dynamically change the state of the access control system in order to contain the damage that may be caused by the anomalous request. We have implemented our mechanisms in the PostgreSQL DBMS and we discuss relevant implementation issues. We have also carried out an experimental evaluation to assess the performance overhead introduced by our response mechanism. 
The experimental results show that the techniques are very efficient.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=jg9im34rarf32p5a7o4boo4qr4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/sDkNv_2-AGI/secsem_20080924.mp4" length="412188502" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080924.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Shimon Modi, "Fingerprint Sensor Interoperability: Analysis of Error Rates for Fingerprint ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Vv5tlaf83ao/cerias_event.php</link>
            <description>The last decade has witnessed a huge increase in deployment of biometric systems, and while most of these systems have been single vendor, monolithic architectures, the issue of interoperability is bound to arise as distributed architectures are considered for large scale deployments. The distortions and variations introduced when acquiring fingerprint images propagate from the acquisition subsystem all the way to the matching subsystem. These variations ultimately affect performance rates of the overall fingerprint recognition system. Fingerprint images captured using the same sensor technology during enrollment and recognition phases will introduce similar distortions, thus making it easier to compensate for such distortions and reducing their effect on the performance of the overall fingerprint recognition system. However, an impact on performance is expected, but unpredictable, when different fingerprint sensor technologies are used during enrollment and recognition phases. The purpose of this study was to examine the effect of sensor dependent variations and distortions, characteristics of the sensor and characteristics of the finger skin on the interoperability matching error rates of minutiae based fingerprint recognition systems. Fingerprint images were collected from 9 different fingerprint sensors from 190 subjects for analysis of this research study. A statistical analysis framework for testing interoperability was formulated for this research, which included parametric and non-parametric tests. The statistical analysis framework tested similarity of minutiae count, similarity of image quality and similarity of performance between native and interoperable datasets. Interoperability performance analysis was conducted on each sensor dataset and also by grouping datasets based on the acquisition technology and interaction type of the acquisition sensor. 
The end objective of this study was to provide greater insight into the effect of a fingerprint dataset acquired from various sensors on performance measured in terms of error rates like false non match rates (FNMR) and false match rates (FMR).&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Vv5tlaf83ao" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 17 Sep 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=it58pkph77c0lrrbathkqhn5lo@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/mqcK8VwSFvU/secsem_20080917.mp4" fileSize="610699776" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The last decade has witnessed a huge increase in deployment of biometric systems, and while most of these systems have been single vendor, monolithic architectures, the issue of interoperability is bound to arise as distributed architectures are considered</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The last decade has witnessed a huge increase in deployment of biometric systems, and while most of these systems have been single vendor, monolithic architectures, the issue of interoperability is bound to arise as distributed architectures are considered for large scale deployments. The distortions and variations introduced when acquiring fingerprint images propagate from the acquisition subsystem all the way to the matching subsystem. These variations ultimately affect performance rates of the overall fingerprint recognition system. Fingerprint images captured using the same sensor technology during enrollment and recognition phases will introduce similar distortions, thus making it easier to compensate for such distortions and reducing their effect on the performance of the overall fingerprint recognition system. However, an impact on performance is expected, but unpredictable, when different fingerprint sensor technologies are used during enrollment and recognition phases. The purpose of this study was to examine the effect of sensor dependent variations and distortions, characteristics of the sensor and characteristics of the finger skin on the interoperability matching error rates of minutiae based fingerprint recognition systems. Fingerprint images were collected from 9 different fingerprint sensors from 190 subjects for analysis of this research study. 
A statistical analysis framework for testing interoperability was formulated for this research, which included parametric and non-parametric tests. The statistical analysis framework tested similarity of minutiae count, similarity of image quality and similarity of performance between native and interoperable datasets. Interoperability performance analysis was conducted on each sensor dataset and also by grouping datasets based on the acquisition technology and interaction type of the acquisition sensor. The end objective of this study was to provide greater insight into the effect of a fingerprint dataset acquired from various sensors on performance measured in terms of error rates like false non match rates (FNMR) and false match rates (FMR).</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=it58pkph77c0lrrbathkqhn5lo@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/mqcK8VwSFvU/secsem_20080917.mp4" length="610699776" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080917.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Dennis Moreau, "Virtualization: Resource Coupling and Security across the Stack"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/b-1i1Ye2WLU/cerias_event.php</link>
            <description>Virtualization technology can deliver better IT asset utilization, more agile IT asset allocation, more efficient use of resources, while supporting a potentially more secure IT infrastructure. Virtualization accomplishes these benefits by leveraging mechanisms which provide a) asset isolation, b) resource sharing and c) provisioning dynamics.&lt;br /&gt;This session will address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments. Comprehensive security and risk situation awareness of more dynamic, more interdependent, and more insulated assets, will allow enterprises to take fuller advantage of the promised benefits of virtualization.&lt;br /&gt;This session will also briefly address extension of these considerations to the cloud and utility computing infrastructures.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/b-1i1Ye2WLU" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 10 Sep 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=msm30u10kp4vh3cf340iqjug2k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/XCTsdC-Gw7M/secsem_20080910.mp4" fileSize="581208849" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Virtualization technology can deliver better IT asset utilization, more agile IT asset allocation, more efficient use of resources, while supporting a potentially more secure IT infrastructure. Virtualization accomplishes these benefits by leveraging mech</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Virtualization technology can deliver better IT asset utilization, more agile IT asset allocation, more efficient use of resources, while supporting a potentially more secure IT infrastructure. Virtualization accomplishes these benefits by leveraging mechanisms which provide a) asset isolation, b) resource sharing and c) provisioning dynamics. This session will address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments. Comprehensive security and risk situation awareness of more dynamic, more interdependent, and more insulated assets, will allow enterprises to take fuller advantage of the promised benefits of virtualization. 
This session will also briefly address extension of these considerations to the cloud and utility computing infrastructures.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=msm30u10kp4vh3cf340iqjug2k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/XCTsdC-Gw7M/secsem_20080910.mp4" length="581208849" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080910.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Gabriel Ghinita, "Private Queries in Location Based Services:  Anonymizers are not ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/yX4Y-jSRknU/cerias_event.php</link>
            <description>Mobile devices equipped with positioning capabilities (e.g., GPS) can ask location-dependent queries to Location Based Services (LBS). To protect privacy, the user location must not be disclosed. Existing solutions utilize a trusted anonymizer between the users and the LBS. This approach has several drawbacks: (i) All users must trust the third party anonymizer, which is a single point of attack. (ii) A large number of cooperating, trustworthy users is needed. (iii) Privacy is guaranteed only for a single snapshot of user locations; users are not protected against correlation attacks (e.g., history of user movement).&lt;br /&gt;&lt;br /&gt;We propose a novel framework to support private location-dependent queries, based on the theoretical work on Private Information Retrieval (PIR). Our framework does not require a trusted third party, since privacy is achieved via cryptographic techniques. Compared to existing work, our approach achieves stronger privacy for snapshots of user locations; moreover, it is the first to provide provable privacy guarantees against correlation attacks. We use our framework to implement approximate and exact algorithms for nearest-neighbor search. We optimize query execution by employing data mining techniques, which identify redundant computations. Contrary to common belief, the experimental results suggest that PIR approaches incur reasonable overhead and are applicable in practice.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/yX4Y-jSRknU" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 03 Sep 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=d78t4gic9hft9kpef0m0q3iojc@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/Kp7E-15RLho/secsem_20080903.mp4" fileSize="557478011" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Mobile devices equipped with positioning capabilities (e.g., GPS) can ask location-dependent queries to Location Based Services (LBS). To protect privacy, the user location must not be disclosed. Existing solutions utilize a trusted anonymizer between the</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Mobile devices equipped with positioning capabilities (e.g., GPS) can ask location-dependent queries to Location Based Services (LBS). To protect privacy, the user location must not be disclosed. Existing solutions utilize a trusted anonymizer between the users and the LBS. This approach has several drawbacks: (i) All users must trust the third party anonymizer, which is a single point of attack. (ii) A large number of cooperating, trustworthy users is needed. (iii) Privacy is guaranteed only for a single snapshot of user locations; users are not protected against correlation attacks (e.g., history of user movement). We propose a novel framework to support private location-dependent queries, based on the theoretical work on Private Information Retrieval (PIR). Our framework does not require a trusted third party, since privacy is achieved via cryptographic techniques. Compared to existing work, our approach achieves stronger privacy for snapshots of user locations; moreover, it is the first to provide provable privacy guarantees against correlation attacks. We use our framework to implement approximate and exact algorithms for nearest-neighbor search. We optimize query execution by employing data mining techniques, which identify redundant computations. 
Contrary to common belief, the experimental results suggest that PIR approaches incur reasonable overhead and are applicable in practice.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=d78t4gic9hft9kpef0m0q3iojc@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/Kp7E-15RLho/secsem_20080903.mp4" length="557478011" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080903.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Minaxi Gupta, "Exploitable Redirects on the Web: Identification, Prevalence, and Defense"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/QvSfKVpqfxE/cerias_event.php</link>
            <description>Web sites on the Internet often use redirection.  Unfortunately, without additional security, many of the redirection links can be manipulated and abused to mask phishing attacks.  In this work, we prescribe a set of heuristics to identify redirects that can be exploited.  Using these heuristics, we examine the prevalence of exploitable redirects present in today's Web.  Finally, we propose techniques for Web servers to secure their redirects and for clients to protect themselves from being misled by manipulated redirects.&lt;br /&gt;&lt;br /&gt;This work was presented at the USENIX Workshop On Offensive Technologies (WOOT) in July, 2008.  Subsequently, several online press venues have covered it, including The Washington Post, SC Magazine, and Herald Times.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/QvSfKVpqfxE" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 27 Aug 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=1kmo0di15vbsvp5j87vd8ojmkk@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/XLwo9ReAQ20/secsem_20080827.mp4" fileSize="684965478" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Web sites on the Internet often use redirection. Unfortunately, without additional security, many of the redirection links can be manipulated and abused to mask phishing attacks. In this work, we prescribe a set of heuristics to identify redirects that ca</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Web sites on the Internet often use redirection. Unfortunately, without additional security, many of the redirection links can be manipulated and abused to mask phishing attacks. In this work, we prescribe a set of heuristics to identify redirects that can be exploited. Using these heuristics, we examine the prevalence of exploitable redirects present in today's Web. Finally, we propose techniques for Web servers to secure their redirects and for clients to protect themselves from being misled by manipulated redirects. This work was presented at the USENIX Workshop On Offensive Technologies (WOOT) in July, 2008. Subsequently, several online press venues have covered it, including The Washington Post, SC Magazine, and Herald Times.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=1kmo0di15vbsvp5j87vd8ojmkk@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/XLwo9ReAQ20/secsem_20080827.mp4" length="684965478" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080827.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Jacob West, "Static source code analysis"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/hZ_ghVRmtR8/cerias_event.php</link>
            <description>Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.&lt;br /&gt;&lt;br /&gt;Highlights include:&lt;br /&gt;&lt;br /&gt;    * The most common security short-cuts and why they lead to security failures&lt;br /&gt;    * Why programmers are in the best position to get security right&lt;br /&gt;    * Where to look for security problems&lt;br /&gt;    * How static analysis helps&lt;br /&gt;    * The critical attributes and algorithms that make or break a static analysis tool&lt;br /&gt;&lt;br /&gt;We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/hZ_ghVRmtR8" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 16 Apr 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=tbk895g0ob5tfbi3056e30q164@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/41MVwYp2-VQ/secsem_20080416.mp4" fileSize="523079345" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. Highlights include: * The most common security short-cuts and why they lead to security failures * Why programmers are in the best position to get security right * Where to look for security problems * How static analysis helps * The critical attributes and algorithms that make or break a static analysis tool We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. 
Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=tbk895g0ob5tfbi3056e30q164@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/41MVwYp2-VQ/secsem_20080416.mp4" length="523079345" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080416.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Jack Jones, "Shifting focus:  Aligning security with risk management"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/cL0RXrTrJDs/cerias_event.php</link>
            <description>With few exceptions, executive management doesn't care about security.  They care about risk.  In this session, Jack will discuss the differences and share his experiences in taking the information security program at a Fortune 100 financial services company from a security focus to one of risk management. This presentation will cover why the change took place, how it took place (what worked and what didn't), and the practical benefits that resulted.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/cL0RXrTrJDs" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 09 Apr 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=7j9nqk3f9ul97q6ijqg0r0j908@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/UczJOpoN2m4/secsem_20080409.mp4" fileSize="455863815" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>With few exceptions, executive management doesn't care about security. They care about risk. In this session, Jack will discuss the differences and share his experiences in taking the information security program at a Fortune 100 financial services comp</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>With few exceptions, executive management doesn't care about security. They care about risk. In this session, Jack will discuss the differences and share his experiences in taking the information security program at a Fortune 100 financial services company from a security focus to one of risk management. This presentation will cover why the change took place, how it took place (what worked and what didn't), and the practical benefits that resulted.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=7j9nqk3f9ul97q6ijqg0r0j908@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/UczJOpoN2m4/secsem_20080409.mp4" length="455863815" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080409.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Hao Chen, "Exploiting Opportunistic Scheduling in Cellular Data Networks"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/GDOsOW4R2Pg/cerias_event.php</link>
            <description>Third Generation (3G) cellular networks utilize time-varying and&lt;br /&gt;location-dependent channel conditions to provide broadband services. They employ opportunistic scheduling to efficiently utilize spectrum under fairness or QoS constraints. Opportunistic scheduling algorithms rely on collaboration among all mobile users to achieve their design objectives.  However, we demonstrate that rogue cellular devices can exploit vulnerabilities in opportunistic scheduling algorithms, such as Proportional Fair (PF), to usurp the majority of time slots in 3G networks.  Our simulations show that only five rogue devices per 50-user cell can use up to 90% of the time slots, and can cause 2 seconds of end-to-end inter-packet transmission delay on VoIP applications for every user in the same cell, rendering VoIP applications useless.  To defend against these attacks, we explore several detection and prevention schemes, including modifications to the PF scheduler and a secure handoff procedure.&lt;br /&gt;&lt;br /&gt;This is joint work with Denys Ma, Radmilo Racic, and Xin Liu.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/GDOsOW4R2Pg" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 02 Apr 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=r899bv4q4pi1djm7jdtedj2q18@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/HmIB4YG7UNQ/secsem_20080402.mp4" fileSize="504619210" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Third Generation (3G) cellular networks utilize time-varying and location-dependent channel conditions to provide broadband services. They employ opportunistic scheduling to efficiently utilize spectrum under fairness or QoS constraints. Opportunistic sch</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Third Generation (3G) cellular networks utilize time-varying and location-dependent channel conditions to provide broadband services. They employ opportunistic scheduling to efficiently utilize spectrum under fairness or QoS constraints. Opportunistic scheduling algorithms rely on collaboration among all mobile users to achieve their design objectives. However, we demonstrate that rogue cellular devices can exploit vulnerabilities in opportunistic scheduling algorithms, such as Proportional Fair (PF), to usurp the majority of time slots in 3G networks. Our simulations show that only five rogue devices per 50-user cell can use up to 90% of the time slots, and can cause 2 seconds of end-to-end inter-packet transmission delay on VoIP applications for every user in the same cell, rendering VoIP applications useless. To defend against these attacks, we explore several detection and prevention schemes, including modifications to the PF scheduler and a secure handoff procedure. 
This is joint work with Denys Ma, Radmilo Racic, and Xin Liu.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=r899bv4q4pi1djm7jdtedj2q18@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/HmIB4YG7UNQ/secsem_20080402.mp4" length="504619210" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080402.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Sencun Zhu, "Towards Event Source Location Privacy in Wireless Sensor Networks"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/MuwR7Fm5vXk/cerias_event.php</link>
            <description>For sensor networks deployed to monitor and report real events, event source location privacy is an attractive and critical security property, which unfortunately is also very difficult and expensive to achieve. This is not only because adversaries may attack against sensor source privacy through traffic analysis, but also because sensor networks are very limited in resources. &lt;br /&gt;&lt;br /&gt;In this talk, we will discuss the techniques we have developed for enhancing source location privacy in sensor networks under a global adversarial model. Specifically, we will propose the notion of statistically strong source anonymity, where carefully chosen dummy traffic will be introduced to hide the real event sources. In addition, several privacy-preserving mechanisms will be employed to drop dummy messages on their roads to the base station to prevent explosion of network traffic.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/MuwR7Fm5vXk" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 26 Mar 2008 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=dcsddpserlsh0v04bdca60bsc4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/nUZzCalMt6M/secsem_20080326.mp4" fileSize="508444431" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>For sensor networks deployed to monitor and report real events, event source location privacy is an attractive and critical security property, which unfortunately is also very difficult and expensive to achieve. This is not only because adversaries may at</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>For sensor networks deployed to monitor and report real events, event source location privacy is an attractive and critical security property, which unfortunately is also very difficult and expensive to achieve. This is not only because adversaries may attack against sensor source privacy through traffic analysis, but also because sensor networks are very limited in resources. In this talk, we will discuss the techniques we have developed for enhancing source location privacy in sensor networks under a global adversarial model. Specifically, we will propose the notion of statistically strong source anonymity, where carefully chosen dummy traffic will be introduced to hide the real event sources. 
In addition, several privacy-preserving mechanisms will be employed to drop dummy messages on their way to the base station to prevent explosion of network traffic.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=dcsddpserlsh0v04bdca60bsc4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/nUZzCalMt6M/secsem_20080326.mp4" length="508444431" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080326.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Daniel Hoffman, "Hacking the Mobile Workforce"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/4g-DOaA16bg/cerias_event.php</link>
            <description>Companies spend millions of dollars implementing security technologies to protect their corporate networks. Laptop computers and other mobile devices lose this protection once they leave the confines of the corporate office. This presentation will define mobility-related threats, show live hacks and define best security practices to address these risks, with a particular focus on Network Access Control and NAP technologies.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/4g-DOaA16bg" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 05 Mar 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=tfll6ve32g3chb97ld68fkeugs@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/xnJyRLC-5lw/secsem_20080305.mp4" fileSize="508208975" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Companies spend millions of dollars implementing security technologies to protect their corporate networks. Laptop computers and other mobile devices lose this protection once they leave the confines of the corporate office. This presentation will define </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Companies spend millions of dollars implementing security technologies to protect their corporate networks. Laptop computers and other mobile devices lose this protection once they leave the confines of the corporate office. This presentation will define mobility-related threats, show live hacks and define best security practices to address these risks, with a particular focus on Network Access Control and NAP technologies.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=tfll6ve32g3chb97ld68fkeugs@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/xnJyRLC-5lw/secsem_20080305.mp4" length="508208975" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080305.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Buzz Walsh, "Managing Security Polarities"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/3hbCMl5tOIE/cerias_event.php</link>
            <description>There is inherent tension between network performance and security.  With the rapidly evolving drive for military and economic data being accessible via Service Oriented Architectures, the import of securing such data is increasing and the consequences for a security breach often are detailed in our daily media.  Complex security architectures are maturing, but broad questions remain about how to certify or accredit the transactions occurring in Net-Centric Enterprise Services.  This presentation does not propose a solution and is intended to motivate discussion, collaboration and directed research.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/3hbCMl5tOIE" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 27 Feb 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ah988b0appr9qtehl4rq1pd228@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/6I__vGwd1q0/secsem_20080227.mp4" fileSize="508509103" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>There is inherent tension between network performance and security. With the rapidly evolving drive for military and economic data being accessible via Service Oriented Architectures, the import of securing such data is increasing and the consequences for</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>There is inherent tension between network performance and security. With the rapidly evolving drive for military and economic data being accessible via Service Oriented Architectures, the import of securing such data is increasing and the consequences for a security breach often are detailed in our daily media. Complex security architectures are maturing, but broad questions remain about how to certify or accredit the transactions occurring in Net-Centric Enterprise Services. This presentation does not propose a solution and is intended to motivate discussion, collaboration and directed research.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ah988b0appr9qtehl4rq1pd228@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/6I__vGwd1q0/secsem_20080227.mp4" length="508509103" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080227.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ta-Wei "David" Wang, "Reading the Disclosures with New Eyes: Bridging the Gap ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/exIuUpj6Duc/cerias_event.php</link>
            <description>This paper investigates the relationship between information security related disclosures in financial reports and the impacts of information security incidents through cross-sectional and cluster analysis.  First, by drawing upon the theories of disclosures in the accounting literature, we examine the effect of the number of disclosures on stock price reactions to information security incidents from 1997 to 2006.  Our findings suggest that first-time disclosed information security risk factors in financial reports can mitigate the impact of information security incidents on business value. Second, a cluster analysis is performed on the disclosures in financial reports before and after the incidents.  The results demonstrate that companies react to information security incidents by disclosing additional and more specific risk factors in subsequent financial reports.  A prediction model is also built to classify disclosures as belonging to a firm reported as breached or non-breached.  The model can correctly classify a disclosure with approximately 75% accuracy, which helps investors and auditors assess information provided by the firm.  This paper not only contributes to the literature in information security and accounting but also sheds light on how managers can evaluate their information security policies and convey information security practices more effectively to the investors.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/exIuUpj6Duc" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 20 Feb 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=9atmnk61p6817nbuhci4dglm9c@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/6ytCiRDfatM/secsem_20080220.mp4" fileSize="509104429" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>This paper investigates the relationship between information security related disclosures in financial reports and the impacts of information security incidents through cross-sectional and cluster analysis. First, by drawing upon the theories of disclosur</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>This paper investigates the relationship between information security related disclosures in financial reports and the impacts of information security incidents through cross-sectional and cluster analysis. First, by drawing upon the theories of disclosures in the accounting literature, we examine the effect of the number of disclosures on stock price reactions to information security incidents from 1997 to 2006. Our findings suggest that first-time disclosed information security risk factors in financial reports can mitigate the impact of information security incidents on business value. Second, a cluster analysis is performed on the disclosures in financial reports before and after the incidents. The results demonstrate that companies react to information security incidents by disclosing additional and more specific risk factors in subsequent financial reports. A prediction model is also built to classify disclosures as belonging to a firm reported as breached or non-breached. The model can correctly classify a disclosure with approximately 75% accuracy, which helps investors and auditors assess information provided by the firm. 
This paper not only contributes to the literature in information security and accounting but also sheds light on how managers can evaluate their information security policies and convey information security practices more effectively to the investors.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=9atmnk61p6817nbuhci4dglm9c@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/6ytCiRDfatM/secsem_20080220.mp4" length="509104429" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080220.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Myron Cramer, "Beyond the Enclave: Evolving Concepts in Security Architectures"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/2eSfXXLC4qQ/cerias_event.php</link>
            <description>This presentation discusses evolving concepts in security architectures. Current security architectures are based on the enclave architecture model. This model organizes and separates networked information systems into trusted, untrusted, and shared areas. Security components are located within these areas to provide the required security services based upon system requirements. While this model has many advantages in a basic client server business model, it has limitations with the evolving need to share information. This talk discusses the enclave security architecture and how it is implemented within enterprise networks. It also discusses information sharing needs that are difficult to meet within the constructs of the enclave as well as some of the security limitations of the enclave model. Potential solutions include incorporating new architectural concepts and new technologies to provide a greater variety of robust enterprise implementation options.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/2eSfXXLC4qQ" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 13 Feb 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=6oua8r3n4k30f13l2c0em39lrc@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/2j2uBuSucgE/secsem_20080213.mp4" fileSize="508786173" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>This presentation discusses evolving concepts in security architectures. Current security architectures are based on the enclave architecture model. This model organizes and separates networked information systems into trusted, untrusted, and shared areas</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>This presentation discusses evolving concepts in security architectures. Current security architectures are based on the enclave architecture model. This model organizes and separates networked information systems into trusted, untrusted, and shared areas. Security components are located within these areas to provide the required security services based upon system requirements. While this model has many advantages in a basic client server business model, it has limitations with the evolving need to share information. This talk discusses the enclave security architecture and how it is implemented within enterprise networks. It also discusses information sharing needs that are difficult to meet within the constructs of the enclave as well as some of the security limitations of the enclave model. 
Potential solutions include incorporating new architectural concepts and new technologies to provide a greater variety of robust enterprise implementation options.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=6oua8r3n4k30f13l2c0em39lrc@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/2j2uBuSucgE/secsem_20080213.mp4" length="508786173" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080213.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Anand Singh, "What are CSO's thinking about? Top information security initiatives for 2008 ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/LNVcynoPfwM/cerias_event.php</link>
            <description>2006 and 2007 were seminal years which saw emergence of several information security threats and significant data breaches. The media focus on various incidents has made consumers much more aware of information security and hence, any significant security breach results in a significant loss of brand image.&lt;br /&gt;&lt;br /&gt;As a result, corporate boards are demanding more information security controls as a part of their risk management oversight. This has forced a rethink among the C-suite executives and has increased the importance of information security in their eyes. The CSO's are seeing an elevation in prestige and importance and are becoming empowered to contribute to the organizational strategy by defining information security as a part of organizational governance and risk management framework.&lt;br /&gt;&lt;br /&gt;The objectives of this talk are twofold. First, the focus will be on practical aspects of information security in most organizations. I will describe how Information Security is becoming a more central function and how the organizational roles and responsibilities are transforming as a result. Second, I will talk about the top information security initiatives for 2008 and what is driving those including examples and explanations of what transpired in several security breaches. Some of those initiatives are governance, wireless security, hardening of network infrastructure and data loss prevention. Throughout this talk, where applicable, I will also identify information security challenges that have not proven tractable in the hope that it will help inspire research ideas.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/LNVcynoPfwM" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 30 Jan 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ft0rhcapkbmtsod1lmsmlsam7o@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/9zXMxPPk3xM/secsem_20080130.mp4" fileSize="508182288" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>2006 and 2007 were seminal years which saw emergence of several information security threats and significant data breaches. The media focus on various incidents have made consumers much more aware of information security and hence, any significant securit</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>2006 and 2007 were seminal years which saw emergence of several information security threats and significant data breaches. The media focus on various incidents has made consumers much more aware of information security and hence, any significant security breach results in a significant loss of brand image. As a result, corporate boards are demanding more information security controls as a part of their risk management oversight. This has forced a rethink among the C-suite executives and has increased the importance of information security in their eyes. The CSO's are seeing an elevation in prestige and importance and are becoming empowered to contribute to the organizational strategy by defining information security as a part of organizational governance and risk management framework. The objectives of this talk are twofold. First, the focus will be on practical aspects of information security in most organizations. I will describe how Information Security is becoming a more central function and how the organizational roles and responsibilities are transforming as a result. Second, I will talk about the top information security initiatives for 2008 and what is driving those including examples and explanations of what transpired in several security breaches. Some of those initiatives are governance, wireless security, hardening of network infrastructure and data loss prevention. 
Throughout this talk, where applicable, I will also identify information security challenges that have not proven tractable in the hope that it will help inspire research ideas.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ft0rhcapkbmtsod1lmsmlsam7o@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/9zXMxPPk3xM/secsem_20080130.mp4" length="508182288" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080130.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Edward W. Felten, "Electronic Voting: Danger and Opportunity"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/kNSMnKK8DWc/cerias_event.php</link>
            <description>Electronic voting machines have made our elections less reliable and less secure, but recent developments offer hope of a better system in the future.   Current research offers the hope of a future voting system that is more reliable and more secure than ever before, at reasonable cost, by combining high-tech and low-tech methods so that each can compensate for the weaknesses of the other.  This talk will sketch what this future might look like, and will highlight some of the research that may make it possible.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/kNSMnKK8DWc" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 23 Jan 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=kaep6smholc5r9lqj9r5chd7ts@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/3EwQZk5TIVM/secsem_20080123.mp4" fileSize="633825590" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Electronic voting machines have made our elections less reliable and less secure, but recent developments offer hope of a better system in the future. Current research offers the hope of a future voting system that is more reliable and more secure than ev</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Electronic voting machines have made our elections less reliable and less secure, but recent developments offer hope of a better system in the future. Current research offers the hope of a future voting system that is more reliable and more secure than ever before, at reasonable cost, by combining high-tech and low-tech methods so that each can compensate for the weaknesses of the other. This talk will sketch what this future might look like, and will highlight some of the research that may make it possible.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=kaep6smholc5r9lqj9r5chd7ts@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/3EwQZk5TIVM/secsem_20080123.mp4" length="633825590" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080123.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Paul Syverson &amp; Roger Dingledine, "Tor: Anonymous communications for government ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/qVd3M0u_Im4/cerias_event.php</link>
            <description>What do the Department of Defense and the Electronic Frontier Foundation have in common? They have both funded the development of Tor (torproject.org), a free-software anonymizing network that helps people around the world use the Internet in safety. Tor's 1500 volunteer servers carry traffic for several hundred thousand users including ordinary citizens who want protection from identity theft and prying corporations, corporations who want to look at a competitor's website in private, law enforcement and government intelligence agencies who need to do operations on the Internet without being noticed, and aid workers in the Middle East who need to contact their home servers without fear of physical harm.&lt;br /&gt;&lt;br /&gt;We'll give an overview of the Tor architecture, and talk about why you'd want to use it, what security it provides, and policy and legal issues. Then we can open it up for discussion about open research questions, wider social implications, and other topics the audience wants to consider.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/qVd3M0u_Im4" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 16 Jan 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=auu9pb3usjfm8sf0a9b5cq9h9k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/lQ9BUa8Y4Vw/secsem_20080116.mp4" fileSize="383863335" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>What do the Department of Defense and the Electronic Frontier Foundation have in common? They have both funded the development of Tor (torproject.org), a free-software anonymizing network that helps people around the world use the Internet in safety. Tor'</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>What do the Department of Defense and the Electronic Frontier Foundation have in common? They have both funded the development of Tor (torproject.org), a free-software anonymizing network that helps people around the world use the Internet in safety. Tor's 1500 volunteer servers carry traffic for several hundred thousand users including ordinary citizens who want protection from identity theft and prying corporations, corporations who want to look at a competitor's website in private, law enforcement and government intelligence agencies who need to do operations on the Internet without being noticed, and aid workers in the Middle East who need to contact their home servers without fear of physical harm. We'll give an overview of the Tor architecture, and talk about why you'd want to use it, what security it provides, and policy and legal issues. 
Then we can open it up for discussion about open research questions, wider social implications, and other topics the audience wants to consider.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=auu9pb3usjfm8sf0a9b5cq9h9k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/lQ9BUa8Y4Vw/secsem_20080116.mp4" length="383863335" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080116.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Eric Cole, "Security in a Changing World"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/6BjZULlFsaU/cerias_event.php</link>
            <description>While the world is constantly changing, the core principles of security have not changed that much, yet organizations are still being compromised.  This talk will look at some of the problems in cyber space and some unique solutions for securing information.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/6BjZULlFsaU" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 09 Jan 2008 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=9iprvrrk71johuia52fhpj17rs@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/KRhXzUFnsPM/secsem_20080109.mp4" fileSize="597395545" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>While the world is constantly changing, the core principles of security have not changed that much, yet organizations are still being compromised. This talk will look at some of the problems in cyber space and some unique solutions for securing informatio</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>While the world is constantly changing, the core principles of security have not changed that much, yet organizations are still being compromised. This talk will look at some of the problems in cyber space and some unique solutions for securing information.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=9iprvrrk71johuia52fhpj17rs@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/KRhXzUFnsPM/secsem_20080109.mp4" length="597395545" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20080109.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Venkat Venkatakrishnan, "CANDID: Preventing SQL Injection Attacks using Dynamic Candidate ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/6gurlpYWJzs/cerias_event.php</link>
            <description>SQL injection attacks are one of the topmost threats for applications&lt;br /&gt;written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this talk, I will present a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks.&lt;br /&gt;&lt;br /&gt;A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID that retrofits Web applications written in Java to defend them against SQL injection attacks. We report experimental results that show that our approach performs remarkably well in practice.&lt;br /&gt;&lt;br /&gt;(Joint work with Sruthi Bandhakavi, Prithvi Bisht and P. Madhusudan)&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/6gurlpYWJzs" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 28 Nov 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=884b3u7blsnnp180o82vbr6s9k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/tUZkU6NiBCM/secsem_20071128.mp4" fileSize="115260660" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this talk, I w</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this talk, I will present a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID that retrofits Web applications written in Java to defend them against SQL injection attacks. We report experimental results that show that our approach performs remarkably well in practice. (Joint work with Sruthi Bandhakavi, Prithvi Bisht and P. 
Madhusudan)</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=884b3u7blsnnp180o82vbr6s9k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/tUZkU6NiBCM/secsem_20071128.mp4" length="115260660" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20071128.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Steve Myers, Indiana University, "Wireless Router Insecurity: The Next Crimeware Epidemic"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/8TjQpy9QMLw/cerias_event.php</link>
            <description>The widespread adoption of home routers by the general public has added a new target for malware and crimeware authors. A router's ability to manipulate essentially all network traffic coming in to and out of a home, means that malware installed on these devices has the ability to launch powerful Man-In-The-Middle (MITM) attacks, a form of attack that has previously been largely ignored. Making matters worse, many homes have deployed wireless routers which are insecure if the attacker has geographic proximity to the router and can connect to it over its wireless channel. However, some have downplayed this risk by suggesting that attackers will be unwilling to spend the time and resources necessary, nor risk exposure to attack a large number of routers in this fashion. In this talk, we will consider the ability of malware to propagate from wireless router to wireless router over the wireless channel, infecting large urban areas where such routers are deployed relatively densely. We develop an SIR epidemiological model, and use it to simulate the spread of malware over major metropolitan centers in the US. Using hobbyist collected wardriving data from Wigle.net and our model, we show the potential for the infection of tens of thousands of routers in short periods of time is quite feasible. We consider simple prescriptive suggestions to minimize the likelihood that such attacks are ever performed. Next, we show a simple yet worrisome attacks that can easily and silently be performed from infected routers. We call this attack 'Trawler Phishing'. The attack generalizes a well understood failure of many web-sites to properly implement SSL, and allows attackers to harvest credentials from victims over a period of time, without the need to use spamming techniques or mimicked, but illegitimate web-sites, as in traditional phishing attacks, bypassing the most effective phishing prevention technologies. 
Further, it allows attackers to easily form data-portfolios on many victims, making collected data substantially more valuable. We consider prescriptive suggestions and countermeasures for this attack.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The work on epidemiological modeling is joint work with Hao Hu, Vittoria Colizza and Alex Vespignani. The work on trawler phishing is joint work with Sid Stamm.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/8TjQpy9QMLw" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 14 Nov 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=r7l0pt2c326kghpkp9es0hi8hg@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/CsN46yv-fSA/secsem_20071114.mp4" fileSize="611157510" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The widespread adoption of home routers by the general public has added a new target for malware and crimeware authors. A router's ability to manipulate essentially all network traffic coming in to and out of a home, means that malware installed on these </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The widespread adoption of home routers by the general public has added a new target for malware and crimeware authors. A router's ability to manipulate essentially all network traffic coming in to and out of a home, means that malware installed on these devices has the ability to launch powerful Man-In-The-Middle (MITM) attacks, a form of attack that has previously been largely ignored. Making matters worse, many homes have deployed wireless routers which are insecure if the attacker has geographic proximity to the router and can connect to it over its wireless channel. However, some have downplayed this risk by suggesting that attackers will be unwilling to spend the time and resources necessary, nor risk exposure to attack a large number of routers in this fashion. In this talk, we will consider the ability of malware to propagate from wireless router to wireless router over the wireless channel, infecting large urban areas where such routers are deployed relatively densely. We develop an SIR epidemiological model, and use it to simulate the spread of malware over major metropolitan centers in the US. Using hobbyist collected wardriving data from Wigle.net and our model, we show the potential for the infection of tens of thousands of routers in short periods of time is quite feasible. We consider simple prescriptive suggestions to minimize the likelihood that such attacks are ever performed. 
Next, we show a simple yet worrisome attack that can easily and silently be performed from infected routers. We call this attack 'Trawler Phishing'. The attack generalizes a well understood failure of many web-sites to properly implement SSL, and allows attackers to harvest credentials from victims over a period of time, without the need to use spamming techniques or mimicked, but illegitimate web-sites, as in traditional phishing attacks, bypassing the most effective phishing prevention technologies. Further, it allows attackers to easily form data-portfolios on many victims, making collected data substantially more valuable. We consider prescriptive suggestions and countermeasures for this attack. The work on epidemiological modeling is joint work with Hao Hu, Vittoria Colizza and Alex Vespignani. The work on trawler phishing is joint work with Sid Stamm.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=r7l0pt2c326kghpkp9es0hi8hg@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/CsN46yv-fSA/secsem_20071114.mp4" length="611157510" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20071114.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Richard Thieme, "Security, Soft Boundaries, and oh-so-subtle Strategies:How to Play Chess ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/YbRpw8Z6ajQ/cerias_event.php</link>
            <description>Non-state and state intelligence are converging in a context of fluid boundaries. It is increasingly difficult to know who is inside and who is not. Creating a trusted network does not resolve the most critical security problems because those problems begin at the interface of the network and the human user. The identity and intention of that human user is critical, but that is often what is most difficult to discern.&lt;br /&gt;&lt;br /&gt;This emergent world of ambiguous boundaries and multiple identities challenges our models and descriptions of the playing field. Even with a program, we can't always tell the players, because both players and program are morphing.&lt;br /&gt;&lt;br /&gt;And it's worse than that: the ethical guidelines of the past, rooted in religious systems thousands of years old, are going through the looking-glass, too, along with the structures of spirituality and religion. Identity-shift applies to God and Self as well as the social and cultural structures in which they are embedded.&lt;br /&gt;&lt;br /&gt;This speech confronts the transformation of the structures in which we live, identifies some consequences of identity-shift, and distinguishes the business of security from the myths of the security business. It points to new ways to organize our lives that complement rather than replace traditional methods of defending electronic and human networks.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/YbRpw8Z6ajQ" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 07 Nov 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=k3vsbkfn3mbhibjl15pct7072g@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/lqXS0ok3oA8/secsem_20071107.mp4" fileSize="372343465" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Non-state and state intelligence are converging in a context of fluid boundaries. It is increasingly difficult to know who is inside and who is not. Creating a trusted network does not resolve the most critical security problems because those problems beg</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Non-state and state intelligence are converging in a context of fluid boundaries. It is increasingly difficult to know who is inside and who is not. Creating a trusted network does not resolve the most critical security problems because those problems begin at the interface of the network and the human user. The identity and intention of that human user is critical, but that is often what is most difficult to discern. This emergent world of ambiguous boundaries and multiple identities challenges our models and descriptions of the playing field. Even with a program, we can't always tell the players, because both players and program are morphing. And it's worse than that: the ethical guidelines of the past, rooted in religious systems thousand of years old, are going through the looking-glass, too, along with the structures of spirituality and religion. Identity-shift applies to God and Self as well as the social and cultural structures in which they are embedded. This speech confronts the transformation of the structures in which we live, identifies some consequences of identity-shift, and distinguishes the business of security from the myths of the security business. 
It points to new ways to organize our lives that complement rather than replace traditional methods of defending electronic and human networks.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=k3vsbkfn3mbhibjl15pct7072g@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/lqXS0ok3oA8/secsem_20071107.mp4" length="372343465" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20071107.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Abhilasha Bhargav-Spantzel, "Protocols and Systems for Privacy Preserving Protection of ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/TyH7pSS1YGA/cerias_event.php</link>
            <description>In order to support emerging online activities within the digital information infrastructure, such as commerce, healthcare, entertainment and scientific collaboration, it is increasingly important to verify and protect the digital identity of the individuals involved. Identity management systems manage the digital identity life cycle of individuals that includes issuance, usage and revocation of digital identifiers.&lt;br /&gt;&lt;br /&gt;Identity management systems have improved the management of identity information and user convenience; however they do not provide specific solutions to address protection of identity from threats such as identity theft and privacy violation. One major shortcoming of current approaches is the lack of strong verification techniques for management and protection of digital identifiers. Moreover current identity management systems consider neither biometric nor history-based identifiers. Both biometric and history-based identifiers are increasingly becoming an integral part of an individual's identity. Such types of identity data also need to be used with other digital identifiers and protected against misuse.&lt;br /&gt;&lt;br /&gt;In this presentation I introduce a number of techniques that address the above problems. The approach is based on the concept of privacy preserving multi-factor identity verification. The main technique consists of verifying multiple identifier claims of an individual, without revealing extraneous identity information. A distinguishing feature of our approach is that we employ identity protection and verification techniques at all stages of the identity life cycle. In addition we develop techniques to use biometrics in a secure and privacy preserving manner. We also enhance our approach with the use of history-based identifiers.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/TyH7pSS1YGA" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 31 Oct 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=q4sv9ap1ch6ofouhc24pcb7nmc@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/CkWVDlPfmMo/secsem_20071031.mp4" fileSize="584084000" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>In order to support emerging online activities within the digital information infrastructure, such as commerce, healthcare, entertainment and scientific collaboration, it is increasingly important to verify and protect the digital identity of the individu</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>In order to support emerging online activities within the digital information infrastructure, such as commerce, healthcare, entertainment and scientific collaboration, it is increasingly important to verify and protect the digital identity of the individuals involved. Identity management systems manage the digital identity life cycle of individuals that includes issuance, usage and revocation of digital identifiers. Identity management systems have improved the management of identity information and user convenience; however they do not provide specific solutions to address protection of identity from threats such as identity theft and privacy violation. One major shortcoming of current approaches is the lack of strong verification techniques for management and protection of digital identifiers. Moreover current identity management systems consider neither biometric nor history-based identifiers. Both biometric and history-based identifiers are increasingly becoming an integral part of an individual's identity. Such types of identity data also need to be used with other digital identifiers and protected against misuse. In this presentation I introduce a number of techniques that address the above problems. The approach is based on the concept of privacy preserving multi-factor identity verification. 
The main technique consists of verifying multiple identifier claims of an individual, without revealing extraneous identity information. A distinguishing feature of our approach is that we employ identity protection and verification techniques at all stages of the identity life cycle. In addition we develop techniques to use biometrics in a secure and privacy preserving manner. We also enhance our approach with the use of history-based identifiers.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=q4sv9ap1ch6ofouhc24pcb7nmc@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/CkWVDlPfmMo/secsem_20071031.mp4" length="584084000" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20071031.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>George Heron, "Secure Virtualization"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/B4AUFH154go/cerias_event.php</link>
            <description>The potential for security to be tightly integrated into virtual machine technology is an exciting prospect. Not only does virtualization offer IT departments the opportunity to reduce costs, but it also offers increased agility. Now that application vendors are coming to understand the benefits of virtual machine technology, the technical world has also started to take note of supplementary services, such as security products and functions, which can also reside in these virtualized environments. Heron will discuss the future of security in virtualized environments and how IT professionals can take a Security Risk Management (SRM) approach to securing their virtual machines.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/B4AUFH154go" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 24 Oct 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=7ao47b220qb4d5nurs9krmduek@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/SCR4TO8b0S0/secsem_20071024.mp4" fileSize="617950350" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The potential for security to be tightly integrated into virtual machine technology is an exciting prospect. Not only does virtualization offer IT departments the opportunity to reduce costs, but it also offers increased agility. Now that application vend</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The potential for security to be tightly integrated into virtual machine technology is an exciting prospect. Not only does virtualization offer IT departments the opportunity to reduce costs, but it also offers increased agility. Now that application vendors are coming to understand the benefits of virtual machine technology, the technical world has also started to take note of supplementary services, such as security products and functions, which can also reside in these virtualized environments. Heron will discuss the future of security in virtualized environments and how IT professionals can take a Security Risk Management (SRM) approach to securing their virtual machines.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=7ao47b220qb4d5nurs9krmduek@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/SCR4TO8b0S0/secsem_20071024.mp4" length="617950350" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20071024.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Srdjan Capkun, "From Securing Navigation Systems to Securing Wireless Communication"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/V5v4mTztjvo/cerias_event.php</link>
            <description>Recent rapid development of wireless networks of sensors, actuators and identifiers dictates the digitalization of our physical world and the creation of the "internet of things". In this new internet, each wireless device will sense and provide contextual information, of which the locations of devices and objects are a crucial component.  In this talk, we present recent research results in secure computation and verification of locations of wireless devices: we show that current localization systems are highly vulnerable to attacks and we demonstrate that our solutions can prevent these attacks.  We further illustrate how location-awareness can help in solving some of the fundamental security challenges of wireless networks, e.g., enabling authenticated and confidential communication without pre-shared keys or credentials.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/V5v4mTztjvo" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 17 Oct 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=2a3jv87srsbpj06oo4o13l0sp4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/cJ3t6IYYU8I/secsem_20071017.mp4" fileSize="602898685" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Recent rapid development of wireless networks of sensors, actuators and identifiers dictates the digitalization of our physical world and the creation of the "internet of things". In this new internet, each wireless device will sense and provide contextua</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Recent rapid development of wireless networks of sensors, actuators and identifiers dictates the digitalization of our physical world and the creation of the "internet of things". In this new internet, each wireless device will sense and provide contextual information, of which the locations of devices and objects are a crucial component. In this talk, we present recent research results in secure computation and verification of locations of wireless devices: we show that current localization systems are highly vulnerable to attacks and we demonstrate that our solutions can prevent these attacks. 
We further illustrate how location-awareness can help in solving some of the fundamental security challenges of wireless networks, e.g., enabling authenticated and confidential communication without pre-shared keys or credentials.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=2a3jv87srsbpj06oo4o13l0sp4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/cJ3t6IYYU8I/secsem_20071017.mp4" length="602898685" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20071017.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Neil Daswani, "What Every Engineer Needs To Know About Security And Where To Learn It"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Aib0d8fjHM8/cerias_event.php</link>
            <description>This talk discusses how engineers can go about learning what they need&lt;br /&gt;to know to prevent the most significant emerging data security vulnerabilities, and the impact these vulnerabilities are having on electronic commerce.  I'll review how attacks such as XSRF (Cross-Site-Request-Forgery) and SQL Injection work, and how to defend against them.  I'll present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security.  Finally, I'll discuss the current state of security education, and provide pointers to certification programs, books, and organizations where engineers can learn more.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Aib0d8fjHM8" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 10 Oct 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=itl5g177a9scvkko2el66j2kms@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/k5blCenKFMA/secsem_20071010.mp4" fileSize="617167162" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>This talk discusses how engineers can go about learning what they need to know to prevent the most significant emerging data security vulnerabilities, and the impact these vulnerabilities are having on electronic commerce. I'll review how attacks such as </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>This talk discusses how engineers can go about learning what they need to know to prevent the most significant emerging data security vulnerabilities, and the impact these vulnerabilities are having on electronic commerce. I'll review how attacks such as XSRF (Cross-Site-Request-Forgery) and SQL Injection work, and how to defend against them. I'll present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security. Finally, I'll discuss the current state of security education, and provide pointers to certification programs, books, and organizations where engineers can learn more.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=itl5g177a9scvkko2el66j2kms@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/k5blCenKFMA/secsem_20071010.mp4" length="617167162" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20071010.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>David Ehinger, "The Effect of Rootkits on the Corporate Environment"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/NS5kJf4HLWU/cerias_event.php</link>
            <description>&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/NS5kJf4HLWU" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 26 Sep 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ji4nv9e06bju6jkrq7nndvpdc0@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/6nU7qlywYHI/secsem_20070926.mp4" fileSize="475245859" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ji4nv9e06bju6jkrq7nndvpdc0@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/6nU7qlywYHI/secsem_20070926.mp4" length="475245859" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070926.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Jill Frisby, "Protecting Data Privacy: A Practical Guide to Managing Risk"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/qGPZEmWhCys/cerias_event.php</link>
            <description>Protecting valuable information assets, including personal data about employees, students, customers, and medical patients, is an enterprise-wide responsibility. Like all components of good corporate governance, it begins with senior leadership establishing a culture of awareness about the importance of safeguarding these assets, and extends through coordinated actions among all business units, divisions, and departments. When creating data privacy programs, organizations should align them with their strategic enterprise risk management objectives and follow a top-down approach to achieve the greatest benefit.&lt;br /&gt;&lt;br /&gt;This presentation will focus on a practical approach to data privacy, that seeks to understand the business needs for data and align a data privacy protection program to those needs.  Effective programs prevent companies from ending up in the news, disclosing a data loss, by enabling its employees to stay vigilant for situations where data may be at risk. Topics to be discussed include:&lt;br /&gt;&lt;br /&gt;* The Goals of an Effective Data Privacy Program&lt;br /&gt;* Current Data Privacy Landscape&lt;br /&gt;* Common Privacy Program Pitfalls&lt;br /&gt;* Key Components of a Successful Data Privacy Program&lt;br /&gt;* The Top Down Data Privacy Risk Assessment&lt;br /&gt;* Data Privacy Roles and Responsibilities&lt;br /&gt;* High Level Roadmap and Ideas to Consider for Future Strategy&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/qGPZEmWhCys" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 19 Sep 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=15j7ctv4flmi232fgitoh7eano@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/DtbI7mjYC5E/secsem_20070919.mp4" fileSize="426020919" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Protecting valuable information assets, including personal data about employees, students, customers, and medical patients, is an enterprise-wide responsibility. Like all components of good corporate governance, it begins with senior leadership establishi</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Protecting valuable information assets, including personal data about employees, students, customers, and medical patients, is an enterprise-wide responsibility. Like all components of good corporate governance, it begins with senior leadership establishing a culture of awareness about the importance of safeguarding these assets, and extends through coordinated actions among all business units, divisions, and departments. When creating data privacy programs, organizations should align them with their strategic enterprise risk management objectives and follow a top-down approach to achieve the greatest benefit. This presentation will focus on a practical approach to data privacy, that seeks to understand the business needs for data and align a data privacy protection program to those needs. Effective programs prevent companies from ending up in the news, disclosing a data loss, by enabling its employees to stay vigilant for situations where data may be at risk. 
Topics to be discussed include: * The Goals of an Effective Data Privacy Program * Current Data Privacy Landscape * Common Privacy Program Pitfalls * Key Components of a Successful Data Privacy Program * The Top Down Data Privacy Risk Assessment * Data Privacy Roles and Responsibilities * High Level Roadmap and Ideas to Consider for Future Strategy</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=15j7ctv4flmi232fgitoh7eano@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/DtbI7mjYC5E/secsem_20070919.mp4" length="426020919" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070919.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ron Buskey, "Security issues within embedded software development"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/ZG7Yj-KtzXQ/cerias_event.php</link>
            <description>Software development processes and tools used for small communication devices have changed significantly over the years.  Some of these practices and processes have resulted in improvements in quality and time to market for their target products, but in some cases have unintended results for the security and trustedness of those same products.  This talk will look at several of these practices and approaches that can drive improvements in quality and productivity metrics for embedded communication software development teams yet create vulnerabilities and/or weaken the security architecture for those products.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/ZG7Yj-KtzXQ" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 12 Sep 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=7i8maqo169mfvmott9kg6v7bcg@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/K4j2oteU5vg/secsem_20070912.mp4" fileSize="565463394" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Software development processes and tools used for small communication devices have changed significantly over the years. Some of these practices and processes have resulted in improvements in quality and time to market for their target products, but in so</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Software development processes and tools used for small communication devices have changed significantly over the years. Some of these practices and processes have resulted in improvements in quality and time to market for their target products, but in some cases have unintended results for the security and trustedness of those same products. This talk will look at several of these practices and approaches that can drive improvements in quality and productivity metrics for embedded communication software development teams yet create vulnerabilities and/or weaken the security architecture for those products.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=7i8maqo169mfvmott9kg6v7bcg@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/K4j2oteU5vg/secsem_20070912.mp4" length="565463394" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070912.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Yvo Desmedt, "Applying Recreational Mathematics to Secure Multiparty Computation"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/mB05bQLieoA/cerias_event.php</link>
            <description>The problem of a mouse traveling through a maze is well known. The maze can be represented using a planar graph. We present a variant of the maze.  We consider a grid vertex colored planar graph in which an adversary can choose up to t colors and remove all vertices that have these colors and their adjacent edges. We call the grid in which these vertices and adjacent edges are removed a reduced grid. The problem is that a mouse must be able to move in the reduced grid from the first row to the last row, and from the first column to the last column, and this for all possible reductions. We present three types of solutions to construct such grids. The efficiency of these solutions is discussed.&lt;br /&gt;&lt;br /&gt;The problem finds its origin in the problem of secure multiparty&lt;br /&gt;computation. Imagine going to a medical doctor in Iraq who needs to prescribe some medication, which might be contraindicated.  The typical solution is to disclose all medical records to the doctor.  If secure multiparty computation would be used, the medical doctor in Iraq only learns from the distributed&lt;br /&gt;medical databases whether the medication is, or is not, contraindicated. We consider the problem of parties each having a secret belonging to a non-abelian group. The parties want to compute the product of these secrets without leaking anything that does not follow trivially from the product.  Our&lt;br /&gt;solution is black box, i.e., independent of the non-abelian group.  This has applications to threshold block ciphers and post-quantum cryptography.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/mB05bQLieoA" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 05 Sep 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=53urboui31bnnv0l97g4rh7bq0@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/ykSCuon4eU8/secsem_20070905.mp4" fileSize="582893379" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The problem of a mouse traveling through a maze is well known. The maze can be represented using a planar graph. We present a variant of the maze. We consider a grid vertex colored planar graph in which an adversary can choose up to t colors and remove all</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The problem of a mouse traveling through a maze is well known. The maze can be represented using a planar graph. We present a variant of the maze. We consider a grid vertex colored planar graph in which an adversary can choose up to t colors and remove all vertices that have these colors and their adjacent edges. We call the grid in which these vertices and adjacent edges are removed a reduced grid. The problem is that a mouse must be able to move in the reduced grid from the first row to the last row, and from the first column to the last column, and this for all possible reductions. We present three types of solutions to construct such grids. The efficiency of these solutions is discussed. The problem finds its origin in the problem of secure multiparty computation. Imagine going to a medical doctor in Iraq who needs to prescribe some medication, which might be contraindicated. The typical solution is to disclose all medical records to the doctor. If secure multiparty computation would be used, the medical doctor in Iraq only learns from the distributed medical databases whether the medication is, or is not, contraindicated. We consider the problem of parties each having a secret belonging to a non-abelian group. The parties want to compute the product of these secrets without leaking anything that does not follow trivially from the product. 
Our solution is black box, i.e., independent of the non-abelian group. This has applications to threshold block ciphers and post-quantum cryptography.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=53urboui31bnnv0l97g4rh7bq0@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/ykSCuon4eU8/secsem_20070905.mp4" length="582893379" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070905.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Klemens Boehm, "Towards Effective and Efficient Behavior-based Trust Models"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/9TYXPRwS-tA/cerias_event.php</link>
            <description>Trust models have been touted to facilitate cooperation among unknown entities. In our current work, we are interested in behavior-based  trust models, i.e., models that derive the trustworthiness of an entity  from its behavior in previous interactions. Existing proposals in this field  typically feature one specific trust model. Further, various publications  exist which have proposed different centrality measures to rank individuals, i.e., compute their reputation based on feedback, and have demonstrated  their effectiveness in certain (rather specific) situations. This presentation in turn proposes a framework for behavior-based trust models for open environments with the following distinctive characteristic. Based on a relational representation of behavior-specific knowledge, we propose a trust-policy algebra allowing for the specification of a wide range  of trust policies. Since the evaluation of the standing of an entity requires centrality indices, we propose a first-class operator of our algebra for their computation. The presentation concludes with an objective  comparison of the effectiveness of the various centrality measures in reputation systems.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/9TYXPRwS-tA" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 29 Aug 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=9ne2j3opg9u1mv2g65vr8bc358@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/VV_41QQm5DM/secsem_20070829.mp4" fileSize="607454985" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Trust models have been touted to facilitate cooperation among unknown entities. In our current work, we are interested in behavior-based trust models, i.e., models that derive the trustworthiness of an entity from its behavior in previous interactions. Ex</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Trust models have been touted to facilitate cooperation among unknown entities. In our current work, we are interested in behavior-based trust models, i.e., models that derive the trustworthiness of an entity from its behavior in previous interactions. Existing proposals in this field typically feature one specific trust model. Further, various publications exist which have proposed different centrality measures to rank individuals, i.e., compute their reputation based on feedback, and have demonstrated their effectiveness in certain (rather specific) situations. This presentation in turn proposes a framework for behavior-based trust models for open environments with the following distinctive characteristic. Based on a relational representation of behavior-specific knowledge, we propose a trust-policy algebra allowing for the specification of a wide range of trust policies. Since the evaluation of the standing of an entity requires centrality indices, we propose a first-class operator of our algebra for their computation. 
The presentation concludes with an objective comparison of the effectiveness of the various centrality measures in reputation systems.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=9ne2j3opg9u1mv2g65vr8bc358@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/VV_41QQm5DM/secsem_20070829.mp4" length="607454985" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070829.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Bill Horne, "Role Discovery"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Q0loIz40140/cerias_event.php</link>
            <description>The first step in migrating to a role based access control (RBAC) system, is role development, in which teams of people meticulously define sets of roles that meet the needs of an organization's security and business requirements.  Because it is so labor intensive, role development is the most expensive step in migrating to RBAC.  In this talk, I will describe an approach called role discovery to help assist with the role development process.  We attack the problem by finding simplifications of a bipartite graph that models the existing access control rules. Biclique covers of this graph are a fundamental tool in our approach. I will describe some of the theoretical background of this problem as well as some experimental results testing the approach on several real-world datasets.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Q0loIz40140" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 22 Aug 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=qfu3metok4oamokopf576u8rho@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/jIEaLBI1Eu0/secsem_20070822.mp4" fileSize="609829438" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The first step in migrating to a role based access control (RBAC) system, is role development, in which teams of people meticulously define sets of roles that meet the needs of an organization's security and business requirements. Because it is so labor i</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The first step in migrating to a role based access control (RBAC) system, is role development, in which teams of people meticulously define sets of roles that meet the needs of an organization's security and business requirements. Because it is so labor intensive, role development is the most expensive step in migrating to RBAC. In this talk, I will describe an approach called role discovery to help assist with the role development process. We attack the problem by finding simplifications of a bipartite graph that models the existing access control rules. Biclique covers of this graph are a fundamental tool in our approach. I will describe some of the theoretical background of this problem as well as some experimental results testing the approach on several real-world datasets.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=qfu3metok4oamokopf576u8rho@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/jIEaLBI1Eu0/secsem_20070822.mp4" length="609829438" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070822.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Umut Topkara, "Passwords Decay, Words Endure: Towards Secure and Re-usable Multiple ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/xC7DiZK0zlg/cerias_event.php</link>
            <description>Human aspects of information security were identified at the early stages in the history of time shared computing. The recent surge in attacks that exploit security vulnerabilities involving human factors have also put them under the spotlight of various research fields including human-computer interaction, information security and cognitive science. The human centered vulnerabilities involve an interplay of a broad range of actors from Information Technology specialists (who might mis-configure the security hardware and software or enforce impractical security policies) to end users (who might have a poor understanding of good security practices or not know the possible impact of weak security).&lt;br /&gt;&lt;br /&gt;This talk will focus on human aspects of authentication mechanisms. I will present two methods that we have developed to reinforce the security of existing systems by improving their usability.&lt;br /&gt;&lt;br /&gt;Previous studies have repeatedly shown that users find it taxing to remember truly random passwords. Many users choose easy to guess --therefore not secure-- passwords, since they require the least effort to recall. Experienced users adopt "mnemonic phrases" to generate and easily recall more secure passwords. However, regularity in the human languages may render such passwords vulnerable against a brute force attack. In the first part of the talk, I will present a method that we developed to automatically generate mnemonic phrases which can yield secure passwords in an effort to increase the usability of text password authentication.&lt;br /&gt;&lt;br /&gt;Many computer users need to remember a multiplicity of usernames and passwords for different systems, and the users tend to reuse passwords across these systems which may have different security guarantees. In such cases remembering a different mnemonic phrase for each password does not scale and quickly becomes a challenging task. 
In the second part of the talk, I will present a scheme that helps the users remember a multiplicity of truly random passwords. The new scheme is applicable to an existing password authentication system without any modification, as it does not require any form of involvement from the service provider (e.g., bank, brokerage). Nor does it require the user to have any computing device at hand (not even a calculator). The scheme is such that changes to passwords do not necessitate a change in what the user remembers. Hence, passwords can be frequently changed without any additional burden on the memory of the user, thereby increasing the system's security.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/xC7DiZK0zlg" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 25 Apr 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=90bk3a0fjt1mbdrlgat19cv6m8@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/vg4yflRUATE/secsem_20070425.mp4" fileSize="229172914" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Human aspects of information security were identified at the early stages in the history of time shared computing. The recent surge in attacks that exploit security vulnerabilities involving human factors have also put them under the spotlight of various </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Human aspects of information security were identified at the early stages in the history of time shared computing. The recent surge in attacks that exploit security vulnerabilities involving human factors have also put them under the spotlight of various research fields including human-computer interaction, information security and cognitive science. The human centered vulnerabilities involve an interplay of a broad range of actors from Information Technology specialists (who might mis-configure the security hardware and software or enforce impractical security policies) to end users (who might have a poor understanding of good security practices or not know the possible impact of weak security). This talk will focus on human aspects of authentication mechanisms. I will present two methods that we have developed to reinforce the security of existing systems by improving their usability. Previous studies have repeatedly shown that users find it taxing to remember truly random passwords. Many users choose easy to guess --therefore not secure-- passwords, since they require the least effort to recall. Experienced users adopt "mnemonic phrases" to generate and easily recall more secure passwords. However, regularity in the human languages may render such passwords vulnerable against a brute force attack. 
In the first part of the talk, I will present a method that we developed to automatically generate mnemonic phrases which can yield secure passwords in an effort to increase the usability of text password authentication. Many computer users need to remember a multiplicity of usernames and passwords for different systems, and the users tend to reuse passwords across these systems which may have different security guarantees. In such cases remembering a different mnemonic phrase for each password does not scale and quickly becomes a challenging task. In the second part of the talk, I will present a scheme that helps the users remember a multiplicity of truly random passwords. The new scheme is applicable to an existing password authentication system without any modification, as it does not require any form of involvement from the service provider (e.g., bank, brokerage). Nor does it require the user to have any computing device at hand (not even a calculator). The scheme is such that changes to passwords do not necessitate a change in what the user remembers. Hence, passwords can be frequently changed without any additional burden on the memory of the user, thereby increasing the system's security.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=90bk3a0fjt1mbdrlgat19cv6m8@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/vg4yflRUATE/secsem_20070425.mp4" length="229172914" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070425.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Mercan Topkara, "Hiding the Message Behind the Words: Advances in Natural Language ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/M0EBK68bvJs/cerias_event.php</link>
            <description>The Internet has become one of the main sources of knowledge&lt;br /&gt;acquisition, harboring resources such as online newspapers, web&lt;br /&gt;portals for scientific documents, personal blogs, encyclopedias, and&lt;br /&gt;advertisements. It has become a part of our daily life to search and&lt;br /&gt;access this immense amount of online information, and more recently we&lt;br /&gt;have also started to contribute to this pool of information our own&lt;br /&gt;creativity in the form of text, images and video. Unfortunately, it is&lt;br /&gt;still an open question as to how we, as authors, can control the way&lt;br /&gt;that the information we create is distributed or re-used.&lt;br /&gt;&lt;br /&gt;Rights management problems are serious for text since it is much easy&lt;br /&gt;for other people to download and manipulate copyrighted text from&lt;br /&gt;Internet and later re-use it free from control.  There is a need for a&lt;br /&gt;rights protection system that ``travels with the content''. Digital&lt;br /&gt;watermarking is an information hiding mechanism that embeds the&lt;br /&gt;copyright information in the document. Besides traveling with the&lt;br /&gt;content of the documents, digital watermarks are also imperceptible&lt;br /&gt;(i.e., seamless) to the user, which makes the process of removing them&lt;br /&gt;from the document challenging.&lt;br /&gt;&lt;br /&gt;Using linguistic features for information hiding into natural language text is an exciting and new idea. This talk begins with a short survey&lt;br /&gt;of existing technologies in natural language watermarking, and then&lt;br /&gt;focuses on a recently developed natural language watermarking system&lt;br /&gt;that is practical, easy-to-use and provides resilience to attacks through&lt;br /&gt;the use of ambiguity in natural language.  
The talk is aimed at a general&lt;br /&gt;audience, and will be self-contained, covering the necessary background&lt;br /&gt;information.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/M0EBK68bvJs" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 18 Apr 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=68imc5ukvh61chc2eltjbs2rn8@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/8yyKtTYApi4/secsem_20070418.mp4" fileSize="198645519" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The Internet has become one of the main sources of knowledge acquisition, harboring resources such as online newspapers, web portals for scientific documents, personal blogs, encyclopedias, and advertisements. It has become a part of our daily life to sea</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The Internet has become one of the main sources of knowledge acquisition, harboring resources such as online newspapers, web portals for scientific documents, personal blogs, encyclopedias, and advertisements. It has become a part of our daily life to search and access this immense amount of online information, and more recently we have also started to contribute to this pool of information our own creativity in the form of text, images and video. Unfortunately, it is still an open question as to how we, as authors, can control the way that the information we create is distributed or re-used. Rights management problems are serious for text since it is much easy for other people to download and manipulate copyrighted text from Internet and later re-use it free from control. There is a need for a rights protection system that ``travels with the content''. Digital watermarking is an information hiding mechanism that embeds the copyright information in the document. Besides traveling with the content of the documents, digital watermarks are also imperceptible (i.e., seamless) to the user, which makes the process of removing them from the document challenging. Using linguistic features for information hiding into natural language text is an exciting and new idea. 
This talk begins with a short survey of existing technologies in natural language watermarking, and then focuses on a recently developed natural language watermarking system that is practical, easy-to-use and provides resilience to attacks through the use of ambiguity in natural language. The talk is aimed for a general audience, and will be self-contained covering the necessary background information.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=68imc5ukvh61chc2eltjbs2rn8@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/8yyKtTYApi4/secsem_20070418.mp4" length="198645519" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070418.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Dr. Charles P. Pfleeger, "Dumb Ideas in Computer Security"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/bKYFYrxytPg/cerias_event.php</link>
            <description>Every profession goes through mistakes and unwise steps, especially in its early years. It is through trial and error that leaders and innovators of the profession are able to advance knowledge. Computer security is no exception. Both insiders' and outsiders' choices have held back and even harmed the state of computing. Of course, hindsight is usually more accurate than foresight.&lt;br /&gt;&lt;br /&gt;This talk picks a handful of ideas that in retrospect have turned out dumb, ideas such as compound complexity, single-state hardware, downloaded code, and incomplete mediation. For each idea we will see from where the idea came, why it is unwise, and why we should have known better. From these examples, we will see how better choices can be made in the future.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/bKYFYrxytPg" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 11 Apr 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5eroas9mnj26vfqpl4fi47hk38@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/mudqnChMcRI/secsem_20070411.mp4" fileSize="230852553" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Every profession goes through mistakes and unwise steps, especially in its early years. It is through trial and error that leaders and innovators of the profession are able to advance knowledge. Computer security is no exception. Both insiders' and outsid</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Every profession goes through mistakes and unwise steps, especially in its early years. It is through trial and error that leaders and innovators of the profession are able to advance knowledge. Computer security is no exception. Both insiders' and outsiders' choices have held back and even harmed the state of computing. Of course, hindsight is usually more accurate than foresight. This talk picks a handful of ideas that in retrospect have turned out dumb, ideas such as compound complexity, single-state hardware, downloaded code, and incomplete mediation. For each idea we will see from where the idea came, why it is unwise, and why we should have known better. From these examples, we will see how better choices can be made in the future.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=5eroas9mnj26vfqpl4fi47hk38@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/mudqnChMcRI/secsem_20070411.mp4" length="230852553" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070411.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Dr. Albert M. K. Cheng, "Automatic Debugging and Verification of RTL-Specified Real-Time ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/eWG4cS-k_oQ/cerias_event.php</link>
            <description>Abstract 1:&lt;br /&gt;&lt;br /&gt;Real-time logic (RTL) is useful for the verification of a safety assertion with respect to the specification of a real-time system. Since the satisfiability problem for RTL is undecidable, the systematic debugging of a real-time system appears impossible. With RTL, each propositional formula corresponds to a verification condition. The number of truth assignments of a propositional formula can help us determine the specific constraints which should be added or modified to derive the expected solutions. This talk describes this debugging approach and how it can be embedded into autonomous systems. We have implemented a tool called ADRTL for automatic debugging of RTL specifications. The confidence of our approach is high as we have effectively evaluated ADRTL on several existing industrial applications, including the NASA X-38 Crew Return Vehicle avionics.&lt;br /&gt;&lt;br /&gt;Abstract 2:&lt;br /&gt;&lt;br /&gt;Embedded systems are becoming ubiquitous and are increasingly interconnected or networked, making them more vulnerable to security attacks. A large class of these systems such as SCADA and PCS has real-time and safety constraints. Therefore, in addition to satisfying these requirements, achieving system security emerges as a critical challenge to ensure that users can trust these embedded systems to perform correct operations. One objective in a secure system is to identify attacks by detecting anomalous system behaviors. This part of the talk describes the challenges in the design and implementation of such an intrusion detection system (IDS), addressing (1) accuracy: the IDS identifies no or as few false positives as the resource (time, space, power, etc.) 
and/or policy constraints allow, and no or as few false negatives as the resource and/or policy constraints allow; (2) efficiency/timeliness: the IDS does not violate the host embedded system's application deadlines and has a reasonable space overhead; (3) scalability: the IDS can scale to work with large embedded systems; and (4) power-awareness: the IDS does not significantly reduce the operational period of battery-powered embedded systems. We conclude with an outline of one of several promising embedded IDS approaches under investigation. This approach is based on automatic rule-base generation and semantic analysis.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/eWG4cS-k_oQ" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 28 Mar 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=frb0j38379qav73br6gj75pid4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/EbNGj8wmcXE/secsem_20070328.mp4" fileSize="230764361" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Abstract 1: Real-time logic (RTL) is useful for the verification of a safety assertion with respect to the specification of a real-time system. Since the satisfiability problem for RTL is undecidable, the systematic debugging of a real-time system appears</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Abstract 1: Real-time logic (RTL) is useful for the verification of a safety assertion with respect to the specification of a real-time system. Since the satisfiability problem for RTL is undecidable, the systematic debugging of a real-time system appears impossible. With RTL, each propositional formula corresponds to a verification condition. The number of truth assignments of a propositional formula can help us determine the specific constraints which should be added or modified to derive the expected solutions. This talk describes this debugging approach and how it can be embedded into autonomous systems. We have implemented a tool called ADRTL for automatic debugging of RTL specifications. The confidence of our approach is high as we have effectively evaluated ADRTL on several existing industrial applications, including the NASA X-38 Crew Return Vehicle avionics. Abstract 2: Embedded systems are becoming ubiquitous and are increasingly interconnected or networked, making them more vulnerable to security attacks. A large class of these systems such as SCADA and PCS has real-time and safety constraints. Therefore, in addition to satisfying these requirements, achieving system security emerges as a critical challenge to ensure that users can trust these embedded systems to perform correct operations. One objective in a secure system is to identify attacks by detecting anomalous system behaviors. 
This part of the talk describes the challenges in the design and implementation of such intrusion detection system (IDS), addressing (1) accuracy: the IDS identifies no or as few false positives as the resource (time, space, power, etc.) and/or policy constraints allow, and no or as few false negatives as the resource and/or policy constraints allow; (2) efficiency/timeliness: the IDS does not violate the host embedded system's application deadlines and has a reasonable space overhead; (3) scalability: the IDS can scale to work with large embedded systems; and (4) power-awareness: the IDS does not significantly reduce the operational period of battery-powered embedded systems. We conclude with an outline of one of several promising embedded IDS approaches under investigation. This approach is based on automatic rule-base generation and semantic analysis.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=frb0j38379qav73br6gj75pid4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/EbNGj8wmcXE/secsem_20070328.mp4" length="230764361" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20070328.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Dan Geer, "A quant looks at the future"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/exrimCtrbEo/cerias_event.php</link>
            <description>If there is a difference between information and bits we had better find it soon. The bit-count is bounding upward, no one dares throw anything away, and once "search" supplants "organize" there is no going back. Information may or may not want to be free, but it wants to be in motion, so much so that ISPs see their future in movie rentals and the speed of light determines how far away your trade submission servers can be from the Exchange and still do micro-arbitrage. Like a gas, information has to be collected, purified, and compressed to be of value, so any leak, impurity, or loss of containment is a loss of value, per se. The street price of drugs has a more stable floor than the street price of stolen data, the percentage of attack tools that are privately held is rising, and the workfactor for information defense is the integral of the workfactor for information offense, yet we do not have the quantitative tools to value our information. That is possibly the key -- quantitative information risk management that is on par with quantitative financial risk management.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/exrimCtrbEo" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 21 Mar 2007 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=dv5ber7s1fr9danr93qr8mugng@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/RNaxCrYRWPU/secsem_20070321.mp4" fileSize="228095528" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>If there is a difference between information and bits we had better find it soon. The bit-count is bounding upward, no one dares throw anything away, and once "search" supplants "organize" there is no going back. Information may or may not want to be free</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>If there is a difference between information and bits we had better find it soon. The bit-count is bounding upward, no one dares throw anything away, and once "search" supplants "organize" there is no going back. Information may or may not want to be free, but it wants to be in motion, so much so that ISPs see their future in movie rentals and the speed of light determines how far away your trade submission servers can be from the Exchange and still do micro-arbitrage. Like a gas, information has to be collected, purified, and compressed to be of value, so any leak, impurity, or loss of containment is a loss of value, per se. The street price of drugs has a more stable floor than the street price of stolen data, the percentage of attack tools that are privately held is rising, and the workfactor for information defense is the integral of the workfactor for information offense, yet we do not have the quantitative tools to value our information. 
That is possibly the key -- quantitative information risk management that is on par with quantitative financial risk management.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=dv5ber7s1fr9danr93qr8mugng@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/RNaxCrYRWPU/secsem_20070321.mp4" length="228095528" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20070321.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Eugene Schultz, "Intrusion Detection Event Correlation: Approaches, Benefits and Pitfalls"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/UsbLTYHwgfA/cerias_event.php</link>
            <description>Over the years intrusion detection technology has improved to the point that it is highly useful to both the commercial and non-commercial sector. This technology is, however, by no means anything close to perfect. Even the best intrusion detection systems miss a fairly large proportion of attacks that occur; they also tend to yield unacceptably high false alarm rates. Correlating the output of multiple systems and devices is a promising solution for the limitations in today's intrusion detection systems. There have been numerous advances in intrusion detection event correlation, yet this technology lags behind intrusion detection technology. How events are correlated makes a big difference concerning the value of event correlation. This talk will cover the various approaches to event correlation as well as their advantages and disadvantages.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/UsbLTYHwgfA" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 07 Mar 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=nl687vofiv4dpg97anuomnfmmc@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/nHhVIsc_r2g/secsem_20070307.mp4" fileSize="230429965" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Over the years intrusion detection technology has improved to the point that it is highly useful to both the commercial and non-commercial sector. This technology is, however, by no means anything close to perfect. Even the best intrusion detection system</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Over the years intrusion detection technology has improved to the point that it is highly useful to both the commercial and non-commercial sector. This technology is, however, by no means anything close to perfect. Even the best intrusion detection systems miss a fairly large proportion of attacks that occur; they also tend to yield unacceptably high false alarm rates. Correlating the output of multiple systems and devices is a promising solution for the limitations in today's intrusion detection systems. There have been numerous advances in intrusion detection event correlation, yet this technology lags behind intrusion detection technology. How events are correlated makes a big difference concerning the value of event correlation. 
This talk will cover the various approaches to event correlation as well as their advantages and disadvantages.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=nl687vofiv4dpg97anuomnfmmc@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/nHhVIsc_r2g/secsem_20070307.mp4" length="230429965" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070307.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Bhavani Thuraisingham, "Assured Information Sharing between Trustworthy, Semi-trustworthy ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/ExQio0P4Lno/cerias_event.php</link>
            <description>Data mining is the process of posing queries and extracting patterns, often previously unknown, from large quantities of data using pattern matching or other reasoning techniques. Data mining has many applications in security including for national security as well as for cyber security. The threats to national security include attacking buildings, destroying critical infrastructures such as power grids and telecommunication systems. Data mining techniques are being investigated to find out who the suspicious people are and who is capable of carrying out terrorist activities. Cyber security is involved with protecting the computer and network systems against corruption due to Trojan horses, worms and viruses. Data mining is also being applied to provide solutions such as intrusion detection and auditing. &lt;br /&gt;The first part of the presentation will discuss my joint research with Prof. Latifur Khan and our students at the University of Texas at Dallas on data mining for cyber security applications. For example, anomaly detection techniques could be used to detect unusual patterns and behaviors. Link analysis may be used to trace the viruses to the perpetrators. Classification may be used to group various cyber attacks and then use the profiles to detect an attack when it occurs. Prediction may be used to determine potential future attacks depending in a way on information learnt about terrorists through email and phone conversations. Data mining is also being applied for intrusion detection and auditing.   Other applications include data mining for malicious code detection such as worm detection and managing firewall policies.&lt;br /&gt;This second part of the presentation will discuss the various types of threats to national security and describe data mining techniques for handling such threats. Threats include non real-time threats and real-time threats. 
We need to understand the types of threats and also gather good data to carry out mining and obtain useful results. The challenge is to reduce false positives and false negatives. &lt;br /&gt;The third part of the presentation will discuss some of the research challenges. We need some form of real-time data mining, that is, the results have to be generated in real-time; we also need to build models in real-time for real-time intrusion detection. Data mining is also being applied for credit card fraud detection and biometrics related applications. While some progress has been made on topics such as stream data mining, there is still a lot of work to be done here. Another challenge is to mine multimedia data including surveillance video. Finally, we need to maintain the privacy of individuals. Much research has been carried out on privacy preserving data mining. &lt;br /&gt;In summary, the presentation will provide an overview of data mining, the various types of threats and then discuss the applications of data mining for malicious code detection and cyber security. Then we will discuss the consequences to privacy.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/ExQio0P4Lno" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 28 Feb 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ckjq5ef1oaga6g2kquu42f7350@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/-8FEx_NthUw/secsem_20070228.mp4" fileSize="229401569" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Data mining is the process of posing queries and extracting patterns, often previously unknown, from large quantities of data using pattern matching or other reasoning techniques. Data mining has many applications in security, including for national securi</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Data mining is the process of posing queries and extracting patterns, often previously unknown, from large quantities of data using pattern matching or other reasoning techniques. Data mining has many applications in security, including for national security as well as for cyber security. The threats to national security include attacking buildings, destroying critical infrastructures such as power grids and telecommunication systems. Data mining techniques are being investigated to find out who the suspicious people are and who is capable of carrying out terrorist activities. Cyber security is involved with protecting the computer and network systems against corruption due to Trojan horses, worms and viruses. Data mining is also being applied to provide solutions such as intrusion detection and auditing. The first part of the presentation will discuss my joint research with Prof. Latifur Khan and our students at the University of Texas at Dallas on data mining for cyber security applications. For example, anomaly detection techniques could be used to detect unusual patterns and behaviors. Link analysis may be used to trace the viruses to the perpetrators. Classification may be used to group various cyber attacks and then use the profiles to detect an attack when it occurs. 
Prediction may be used to determine potential future attacks depending in a way on information learnt about terrorists through email and phone conversations. Data mining is also being applied for intrusion detection and auditing. Other applications include data mining for malicious code detection such as worm detection and managing firewall policies. The second part of the presentation will discuss the various types of threats to national security and describe data mining techniques for handling such threats. Threats include non-real-time threats and real-time threats. We need to understand the types of threats and also gather good data to carry out mining and obtain useful results. The challenge is to reduce false positives and false negatives. The third part of the presentation will discuss some of the research challenges. We need some form of real-time data mining; that is, the results have to be generated in real time, and we also need to build models in real time for real-time intrusion detection. Data mining is also being applied for credit card fraud detection and biometrics-related applications. While some progress has been made on topics such as stream data mining, there is still a lot of work to be done here. Another challenge is to mine multimedia data including surveillance video. Finally, we need to maintain the privacy of individuals. Much research has been carried out on privacy-preserving data mining. In summary, the presentation will provide an overview of data mining, the various types of threats and then discuss the applications of data mining for malicious code detection and cyber security. 
Then we will discuss the consequences to privacy.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ckjq5ef1oaga6g2kquu42f7350@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/-8FEx_NthUw/secsem_20070228.mp4" length="229401569" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070228.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Howard Schmidt, "Cyber Security and the "NEW" world enterprise"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/1lfxLp1ipaI/cerias_event.php</link>
            <description>As cyber security has evolved in the new world of distributed&lt;br /&gt;computing&lt;br /&gt;there have been dramatic changes to the nature of our security needs. Mr.&lt;br /&gt;Schmidt will talk about issues that affect large enterprises, small and&lt;br /&gt;medium business and end users. He will talk about common threats, and the&lt;br /&gt;possibility of frameworks which would protect ourselves, our civil rights&lt;br /&gt;and our privacy while ensuring improved security.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/1lfxLp1ipaI" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 21 Feb 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ssjglqfhcd68kgnvmucl5t6vik@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/vHplFTfy68I/secsem_20070221.mp4" fileSize="230525913" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>As cyber security has evolved in the new world of distributed computing there have been dramatic changes to the nature of our security needs. Mr. Schmidt will talk about issues that affect large enterprises, small and medium business and end users. He wil</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>As cyber security has evolved in the new world of distributed computing there have been dramatic changes to the nature of our security needs. Mr. Schmidt will talk about issues that affect large enterprises, small and medium business and end users. He will talk about common threats, and the possibility of frameworks which would protect ourselves, our civil rights and our privacy while ensuring improved security.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ssjglqfhcd68kgnvmucl5t6vik@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/vHplFTfy68I/secsem_20070221.mp4" length="230525913" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070221.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Stuart Shapiro, "Scenario-Driven Construction of Enterprise Information Policy"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Ap3Fxb-FAoI/cerias_event.php</link>
            <description>Information policy at the enterprise level is invariably an exercise in gaps and inconsistencies. The range of concerns—including security—is  broad, the environment tends to be heterogeneous and dispersed, the contextual scope is significant, and the stakeholders are numerous. MITRE ran headlong into this problem as it set about conceiving and implementing a new enterprise IT architecture, with questions increasingly raised regarding what policies the new architecture had to be capable of supporting. The MITRE Information Policy Framework (MIPF) is the mechanism MITRE developed to answer these questions. The MIPF supports systematic, structured analysis and formulation of information policy in five areas: security, privacy, management, stewardship, and sharing. This presentation will discuss the structure and use of the MIPF, with an emphasis on security requirements.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Ap3Fxb-FAoI" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 07 Feb 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=595vv0376aphoavih78s2ietgg@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/ejt3ZRj-2K0/secsem_20070207.mp4" fileSize="230079856" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Information policy at the enterprise level is invariably an exercise in gaps and inconsistencies. The range of concerns—including security—is broad, the environment tends to be heterogeneous and dispersed, the contextual scope is significant, and the </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Information policy at the enterprise level is invariably an exercise in gaps and inconsistencies. The range of concerns—including security—is broad, the environment tends to be heterogeneous and dispersed, the contextual scope is significant, and the stakeholders are numerous. MITRE ran headlong into this problem as it set about conceiving and implementing a new enterprise IT architecture, with questions increasingly raised regarding what policies the new architecture had to be capable of supporting. The MITRE Information Policy Framework (MIPF) is the mechanism MITRE developed to answer these questions. The MIPF supports systematic, structured analysis and formulation of information policy in five areas: security, privacy, management, stewardship, and sharing. 
This presentation will discuss the structure and use of the MIPF, with an emphasis on security requirements.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=595vv0376aphoavih78s2ietgg@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/ejt3ZRj-2K0/secsem_20070207.mp4" length="230079856" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070207.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Chris Clifton, "Mathematically Defining Privacy"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Pm_TDT4nhMM/cerias_event.php</link>
            <description>Computer systems ease the sharing and use of information,&lt;br /&gt;but accessibility of information leads to privacy concerns.&lt;br /&gt;Technology is being developed to address this issue - enabling&lt;br /&gt;use of information while controlling the disclosure.  But is&lt;br /&gt;this enough to protect privacy?  How do we even know if it is&lt;br /&gt;enough?  This talk will survey recent developments in privacy&lt;br /&gt;and anonymity technology, emphasizing the variety of privacy&lt;br /&gt;definitions, their benefits, and their weaknesses.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Pm_TDT4nhMM" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 31 Jan 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=mktvhu65dtcr1s6m8a1k482aao@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/_UDqanTp96M/secsem_20070131.mp4" fileSize="229532981" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Computer systems ease the sharing and use of information, but accessibility of information leads to privacy concerns. Technology is being developed to address this issue - enabling use of information while controlling the disclosure. But is this enough to</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Computer systems ease the sharing and use of information, but accessibility of information leads to privacy concerns. Technology is being developed to address this issue - enabling use of information while controlling the disclosure. But is this enough to protect privacy? How do we even know if it is enough? This talk will survey recent developments in privacy and anonymity technology, emphasizing the variety of privacy definitions, their benefits, and their weaknesses.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=mktvhu65dtcr1s6m8a1k482aao@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/_UDqanTp96M/secsem_20070131.mp4" length="229532981" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070131.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Wojciech Szpankowski, "WHAT IS INFORMATION?"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Bvpjg7WOs5Q/cerias_event.php</link>
            <description>Information permeates every corner of our lives and shapes our&lt;br /&gt;universe.  Understanding and harnessing information holds the potential for&lt;br /&gt;significant advances. The breadth and depth of underlying concepts of&lt;br /&gt;the science of information transcend traditional disciplinary boundaries&lt;br /&gt;of scientific and commercial endeavors. Information can be manifested&lt;br /&gt;in various forms: business information is measured in dollars; &lt;br /&gt;chemical information  is contained in shapes of molecules; &lt;br /&gt;biological information stored and processed in our cells prolongs life. &lt;br /&gt;So what is information? In this talk we first attempt to identify the &lt;br /&gt;most important features of information and define it in the broadest &lt;br /&gt;possible sense. We subsequently turn to the notion and theory of information &lt;br /&gt;introduced by Claude Shannon in 1948 that served as the backbone for &lt;br /&gt;digital communication.  We go on to bridge Shannon information with &lt;br /&gt;Boltzmann's entropy, Maxwell's demon, Landauer's principle and &lt;br /&gt;Bennett's irreversible computations.  We point out, however, &lt;br /&gt;that while Shannon created a successful and beautiful theory&lt;br /&gt;of information for communication, a wide spread application of information&lt;br /&gt;theory to economics, biology, life science and complex networks seems to be&lt;br /&gt;still awaiting us. We shall discuss some examples that recently crop up in&lt;br /&gt;biology, chemistry, computer science, and quantum physics.  We conclude&lt;br /&gt;with a list of challenges for future research.&lt;br /&gt;We hope to put forward some educated questions, rather than answers, &lt;br /&gt;to the issues and tools that lay before researchers interested in information.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Bvpjg7WOs5Q" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 24 Jan 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=jtftms4thfi3h3mq0i89eiqaa4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/wFvDRiKiBd4/secsem_20070124.mp4" fileSize="230249696" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Information permeates every corner of our lives and shapes our universe. Understanding and harnessing information holds the potential for significant advances. The breadth and depth of underlying concepts of the science of information transcend traditiona</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Information permeates every corner of our lives and shapes our universe. Understanding and harnessing information holds the potential for significant advances. The breadth and depth of underlying concepts of the science of information transcend traditional disciplinary boundaries of scientific and commercial endeavors. Information can be manifested in various forms: business information is measured in dollars; chemical information is contained in shapes of molecules; biological information stored and processed in our cells prolongs life. So what is information? In this talk we first attempt to identify the most important features of information and define it in the broadest possible sense. We subsequently turn to the notion and theory of information introduced by Claude Shannon in 1948 that served as the backbone for digital communication. We go on to bridge Shannon information with Boltzmann's entropy, Maxwell's demon, Landauer's principle and Bennett's irreversible computations. We point out, however, that while Shannon created a successful and beautiful theory of information for communication, a wide spread application of information theory to economics, biology, life science and complex networks seems to be still awaiting us. We shall discuss some examples that recently crop up in biology, chemistry, computer science, and quantum physics. 
We conclude with a list of challenges for future research. We hope to put forward some educated questions, rather than answers, to the issues and tools that lay before researchers interested in information.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=jtftms4thfi3h3mq0i89eiqaa4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/wFvDRiKiBd4/secsem_20070124.mp4" length="230249696" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070124.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Vipin Swarup, "Research Challenges in Assured Information Sharing"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/81b6u7OS3HU/cerias_event.php</link>
            <description>Assured information sharing has been a "grand challenge" problem of&lt;br /&gt;information security for several decades.  Currently, there is broad&lt;br /&gt;consensus that the state-of-practice of information sharing is&lt;br /&gt;inadequate.  One primary problem is that people on the field (e.g.,&lt;br /&gt;soldiers, firefighters) have mission-critical need for sensitive&lt;br /&gt;information but are often among the least trusted principals in their&lt;br /&gt;organizations and hence do not receive the information.  Another&lt;br /&gt;problem is that data producers claim ownership of the data they&lt;br /&gt;produce and place sharing constraints on that data despite the&lt;br /&gt;competing interests of multiple parties over that data.  In this talk,&lt;br /&gt;we highlight these and other problems and discuss a wide range of&lt;br /&gt;technical solutions that are needed.  We elaborate on the need to&lt;br /&gt;balance the risks of sharing data with the risks of not sharing data&lt;br /&gt;and present several proposed approaches for doing so.  We also&lt;br /&gt;describe how obligation policies play an important role in addressing&lt;br /&gt;some information sharing issues.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/81b6u7OS3HU" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 17 Jan 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=h3hbl66m51a40bt94lotchlc60@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/7Euv3yPeAdA/secsem_20070117.mp4" fileSize="231481341" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Assured information sharing has been a "grand challenge" problem of information security for several decades. Currently, there is broad consensus that the state-of-practice of information sharing is inadequate. One primary problem is that people on the fi</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Assured information sharing has been a "grand challenge" problem of information security for several decades. Currently, there is broad consensus that the state-of-practice of information sharing is inadequate. One primary problem is that people on the field (e.g., soldiers, firefighters) have mission-critical need for sensitive information but are often among the least trusted principals in their organizations and hence do not receive the information. Another problem is that data producers claim ownership of the data they produce and place sharing constraints on that data despite the competing interests of multiple parties over that data. In this talk, we highlight these and other problems and discuss a wide range of technical solutions that are needed. We elaborate on the need to balance the risks of sharing data with the risks of not sharing data and present several proposed approaches for doing so. 
We also describe how obligation policies play an important role in addressing some information sharing issues.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=h3hbl66m51a40bt94lotchlc60@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/7Euv3yPeAdA/secsem_20070117.mp4" length="231481341" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070117.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Virginia Rezmierski, "Computer-Related Incidents: Factors Related to Cause and ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Do-Fp8IOLq0/cerias_event.php</link>
            <description>Computer-related incidents that have the potential to destabilize, violate, or damage the resources, services, policies, or data of the community or individual members of the community are happening in increasing numbers. Despite the news, we know that they are happening not just in academia, which has been painted as insecure and wide-open, but in corporate and not-for-profit environments as well. We have inclinations about what is causing these incidents, but now we also have facts. While we look for technical fixes to the problems, the real factors that are related to the cause of these incidents may not be technical at all, but rather human. This presentation will discuss the "Computer Incident Factor Analysis and Categorization Project", CIFAC, which was carried on at the University of Michigan under funding from the National Science Foundation. Dr. Rezmierski will present the project findings and will discuss what they mean for colleges, universities, corporations, not-for-profit organizations and individuals. The presentation will include discussion of actual incidents, the statistical methodology and findings, and the recommendations put forward by the research team.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Do-Fp8IOLq0" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 10 Jan 2007 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=41i0n3e86r87bn5m79hm0m8l5k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/Odv24WGJrJ0/secsem_20070110.mp4" fileSize="230412937" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Computer-related incidents that have the potential to destabilize, violate, or damage, the resources, services, policies, or data of the community or individual members of the community are happening in increasing numbers. Despite the news, we know that t</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Computer-related incidents that have the potential to destabilize, violate, or damage, the resources, services, policies, or data of the community or individual members of the community are happening in increasing numbers. Despite the news, we know that they are happening not just in academia which has been painted as insecure and wide-open, but in corporate and not-for-profit environments as well. We have inclinations about what is causing these incidents, but now we also have facts. While we look for technical fixes to the problems, the real factors that are related to the cause of these incidents may not be technical at all, but rather human. This presentation will discuss the "Computer Incident Factor Analysis and Categorization Project", CIFAC, which was carried on at the University of Michigan under funding from the National Science Foundation. Dr. Rezmierski will present the project findings and will discuss what they mean for colleges, universities, corporations, not-for-profit organizations and individuals. 
The presentation will include discussion of actual incidents, the statistical methodology and findings, and the recommendations put forward by the researcher team.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=41i0n3e86r87bn5m79hm0m8l5k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/Odv24WGJrJ0/secsem_20070110.mp4" length="230412937" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20070110.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Marc Rogers, "The Psychology of Computer Deviance: How it can assist in digital evidence ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/hE_k4Ob_k_I/cerias_event.php</link>
            <description>The talk will look at the phenomenon of deviant computer behavior and how understanding the individuals who engage in this behavior can benefit digital evidence investigations. A brief overview of the current research on computer deviance will be presented. An investigative process model will also be introduced that will assist in the investigation and analysis of computer crimes.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/hE_k4Ob_k_I" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 06 Dec 2006 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=asjslmmhrrga76vu0ot8t76a3g@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/U_chf5paLWc/secsem_20061206.mp4" fileSize="256934906" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The talk will look at the phenomenon of deviant computer behavior and how understanding the individuals who engage in this behavior can benefit digital evidence investigations. A brief overview of the current research on computer deviance will be presente</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The talk will look at the phenomenon of deviant computer behavior and how understanding the individuals who engage in this behavior can benefit digital evidence investigations. A brief overview of the current research on computer deviance will be presented. An investigative process model will also be introduced that will assist in the investigation and analysis of computer crimes.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=asjslmmhrrga76vu0ot8t76a3g@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/U_chf5paLWc/secsem_20061206.mp4" length="256934906" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/assets/video/secsem/secsem_20061206.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Dongyan Xu, "OS-Level Taint Analysis for Malware Investigation and Defense"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/OkS8LCSYi9U/cerias_event.php</link>
            <description>The Internet is facing threats from increasingly stealthy and&lt;br /&gt;sophisticated malware. Recent reports have suggested that new&lt;br /&gt;computer worms and malware deliberately avoid fast massive&lt;br /&gt;propagation. Instead, they lurk in infected machines and inflict&lt;br /&gt;contaminations over time, such as rootkit and backdoor&lt;br /&gt;installation, botnet creation, and data/identity theft. In defense&lt;br /&gt;against Internet malware, the following tasks are critical: (1)&lt;br /&gt;raising timely alerts to trigger a malware investigation, (2)&lt;br /&gt;determining the break-in point of malware, i.e. the vulnerable&lt;br /&gt;software via which the malware initially infiltrates the victim,&lt;br /&gt;and (3) identifying all contaminations inflicted by the malware&lt;br /&gt;during its residence in the victim. In this talk, I will present&lt;br /&gt;Process Coloring, an information flow-preserving, provenance-aware&lt;br /&gt;approach to malware investigation. In particular, I will&lt;br /&gt;demonstrate that through the preservation and tainting of malware&lt;br /&gt;break-in provenance along OS-level information flows, malware&lt;br /&gt;investigators will be able to improve the efficiency and&lt;br /&gt;effectiveness of existing log-based intrusion investigation tools.&lt;br /&gt;Furthermore, process coloring brings the new capability of runtime&lt;br /&gt;malware alert, which cannot be achieved by existing log-based&lt;br /&gt;tools. I will also present results of our experiments with a&lt;br /&gt;number of real-world Internet worms as well as a highly&lt;br /&gt;tamper-resistant implementation of process coloring using&lt;br /&gt;virtualization-based techniques.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/OkS8LCSYi9U" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 29 Nov 2006 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=n1j5uh5ggaie1155vp1mtiomjs@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/kweGwaFY80w/secsem_20061129.mp4" fileSize="230146672" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The Internet is facing threats from increasingly stealthy and sophisticated malware. Recent reports have suggested that new computer worms and malware deliberately avoid fast massive propagation. Instead, they lurk in infected machines and inflict contami</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The Internet is facing threats from increasingly stealthy and sophisticated malware. Recent reports have suggested that new computer worms and malware deliberately avoid fast massive propagation. Instead, they lurk in infected machines and inflict contaminations over time, such as rootkit and backdoor installation, botnet creation, and data/identity theft. In defense against Internet malware, the following tasks are critical: (1) raising timely alerts to trigger a malware investigation, (2) determining the break-in point of malware, i.e. the vulnerable software via which the malware initially infiltrates the victim, and (3) identifying all contaminations inflicted by the malware during its residence in the victim. In this talk, I will present Process Coloring, an information flow-preserving, provenance-aware approach to malware investigation. In particular, I will demonstrate that through the preservation and tainting of malware break-in provenance along OS-level information flows, malware investigators will be able to improve the efficiency and effectiveness of existing log-based intrusion investigation tools. Furthermore, process coloring brings the new capability of runtime malware alert, which cannot be achieved by existing log-based tools. 
I will also present results of our experiments with a number of real-world Internet worms as well as a highly tamper-resistant implementation of process coloring using virtualization-based techniques.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=n1j5uh5ggaie1155vp1mtiomjs@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/kweGwaFY80w/secsem_20061129.mp4" length="230146672" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20061129.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Richard Power, "One Step Forward, Two Steps Back, or Two Steps Forward, One Step Back: A ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/B6eZd4pbghs/cerias_event.php</link>
            <description>This presentation explores the evolution of cyber crime and cyber security as global issues over the past decade. It examines the growth of cyber bank robbery, cyber extortion, identity theft, economic espionage, denial of service, cyber vandalism, cyber stalking and other criminal endeavors. It also sheds a harsh light on corporate and government response to these problems: technologies, organization, professional issues, awareness and education, etc. The presentation includes a compelling timeline, explores fascinating case studies and also provides real-world cyber security recommendations for governments, businesses and families.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/B6eZd4pbghs" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 15 Nov 2006 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=kb3h5uug53rr5dlr9np2pa4j9s@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/MI-PO0XlH6M/secsem_20061114.mp4" fileSize="230534296" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>This presentation explores the evolution of cyber crime and cyber security as global issues over the past decade. It examines the growth of cyber bank robbery, cyber extortion, identity theft, economic espionage, denial of service, cyber vandalism, cyber </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>This presentation explores the evolution of cyber crime and cyber security as global issues over the past decade. It examines the growth of cyber bank robbery, cyber extortion, identity theft, economic espionage, denial of service, cyber vandalism, cyber stalking and other criminal endeavors. It also sheds a harsh light on corporate and government response to these problems: technologies, organization, professional issues, awareness and education, etc. The presentation includes a compelling timeline, explores fascinating case studies and also provides real-world cyber security recommendations for governments, businesses and families.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=kb3h5uug53rr5dlr9np2pa4j9s@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/MI-PO0XlH6M/secsem_20061114.mp4" length="230534296" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20061114.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>David Zage, "Mitigating Attacks Against Measurement-Based Adaptation Mechanisms in ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/3U7snL4YuTc/cerias_event.php</link>
            <description>Many multicast overlay networks maintain application-specific performance goals such as bandwidth, latency, jitter and loss rate by dynamically changing the overlay structure using measurement-based adaptation mechanisms. This results in an unstructured overlay where no neighbor selection constraints are imposed. Although such networks provide resilience to benign failures, they are susceptible to attacks conducted by adversaries that compromise overlay nodes. Previous defense solutions proposed to address attacks against overlay networks rely on strong organizational constraints and are not effective for unstructured overlays. In this work, we identify, demonstrate and mitigate insider attacks against measurement-based adaptation mechanisms in unstructured multicast overlay networks. The attacks target the overlay network construction, maintenance, and availability and allow malicious nodes to control significant traffic in the network, facilitating selective forwarding, traffic analysis, and overlay partitioning. We propose techniques to decrease the number of incorrect or unnecessary adaptations by using outlier detection. We demonstrate the attacks and mitigation techniques in the context of a mature, operationally deployed overlay multicast system, ESM, through real-life deployments and emulations conducted on the PlanetLab and DETER testbeds, respectively.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/3U7snL4YuTc" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 08 Nov 2006 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=l91n2on6f086vv41gmuvt4j10k@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/DrI_F9dTDBg/secsem_20061108.mp4" fileSize="231934562" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Many multicast overlay networks maintain application-specific performance goals such as bandwidth, latency, jitter and loss rate by dynamically changing the overlay structure using measurement- based adaptation mechanisms. This results in an unstructured </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Many multicast overlay networks maintain application-specific performance goals such as bandwidth, latency, jitter and loss rate by dynamically changing the overlay structure using measurement- based adaptation mechanisms. This results in an unstructured overlay where no neighbor selection constraints are imposed. Although such networks provide resilience to benign failures, they are susceptible to attacks conducted by adversaries that compromise overlay nodes. Previous defense solutions proposed to address attacks against overlay networks rely on strong organizational constraints and are not effective for unstructured overlays. In this work, we identify, demonstrate and mitigate insider attacks against measurement-based adaptation mechanisms in unstructured multicast overlay networks. The attacks target the overlay network construction, maintenance, and availability and allow malicious nodes to control significant traffic in the network, facilitating selective forwarding, traffic analysis, and overlay partitioning. We propose techniques to decrease the number of incorrect or unnecessary adaptations by using outlier detection. 
We demonstrate the attacks and mitigation techniques in the context of a mature, operationally deployed overlay multicast system, ESM, through real- life deployments and emulations conducted on the PlanetLab and DETER testbeds, respectively.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=l91n2on6f086vv41gmuvt4j10k@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/DrI_F9dTDBg/secsem_20061108.mp4" length="231934562" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20061108.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Paula DeWitte, "Developing an Operational Framework for Integrated System Security"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/E-iXvuqNbP4/cerias_event.php</link>
            <description>Systems are composed of multiple complex levels including the physical infrastructure, personnel or “humans-in-the-loop”, administration policies and procedures, computers, networks, and the communication protocols for connectivity that tie the system into a workable unit.  Each aspect is in itself a complex system.  When we consider system security, we tend to focus on the electronic components—the connectivity, computers, and network—over the non-electronic.  Although we rigorously implement security in the various system components, the security is rarely integrated across the boundaries of the entire system spectrum.  We tend to implement security on the distinct levels of the system without considering the impact or interaction with other system levels.  For example, we may fully implement encryption, passwords, and firewalls and feel that our electronic systems are secure, while the weakest link may be staff members who fall victim to social engineering techniques and unknowingly reveal sufficient information to allow a perpetrator to circumvent our best security.  Or we may have fortified computer systems and well trained personnel, but neglect the fact that we are being monitored through the building’s walls, floors, and windows.  &lt;br /&gt;&lt;br /&gt;Without true understanding of the nature of the interactions of the system, we cannot fully understand how vulnerabilities in one level of the system such as the physical infrastructure can be exploited to allow attacks on another level such as the computer networks.  By taking advantage of these vulnerabilities, perpetrators are able to circumvent even the most effective computer and network security, breach that security, and achieve their goals.  We only need to consider the current challenges of insider threats or threats from coordinated attacks on the physical infrastructure and the computer networks to appreciate the need for better integrated system security.  
&lt;br /&gt;&lt;br /&gt;Our goal is to provide analytical tools for the real world, focusing on the decision makers who implement security policies across the system spectrum.  Further, to be effective, these analytical tools must be implemented within an organizing framework that provides both an integrated view of security as well as the insight and understanding necessary to make effective security decisions.  This necessitates the development of step-by-step processes for analyzing and implementing security decisions.  While this may seem to be a soft and less complete technical solution, it is actually implementing technology at the highest level because of the integration required to address each aspect of the system as well as the multi-disciplinary approach blending computer science, engineering, psychology, linguistics, and management in developing such analytic tools.  &lt;br /&gt;&lt;br /&gt;This presentation will discuss work in progress in developing these analytical tools as well as the overarching framework for implementing integrated system security.  Our intention is to understand “what can be” or “what could happen”.  With this insight, decision makers can more effectively provide prevention, protection, or remediation strategies.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/E-iXvuqNbP4" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 01 Nov 2006 21:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=uqsudl42ek9ctsjb34q91u1hgk@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/1-cEUrqYnkI/secsem_20061101.mp4" fileSize="230506177" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Systems are composed of multiple complex levels including the physical infrastructure, personnel or “humans-in-the-loop”, administration policies and procedures, computers, networks, and the communication protocols for connectivity that tie the system</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Systems are composed of multiple complex levels including the physical infrastructure, personnel or “humans-in-the-loop”, administration policies and procedures, computers, networks, and the communication protocols for connectivity that tie the system into a workable unit. Each aspect is in itself a complex system. When we consider system security, we tend to focus on the electronic components—the connectivity, computers, and network—over the non-electronic. Although we rigorously implement security in the various system components, the security is rarely integrated across the boundaries of the entire system spectrum. We tend to implement security on the distinct levels of the system without considering the impact or interaction with other system levels. For example, we may fully implement encryption, passwords, and firewalls and feel that our electronic systems are secure, while the weakest link may be staff members who fall victim to social engineering techniques and unknowingly reveal sufficient information to allow a perpetrator to circumvent our best security. Or we may have fortified computer systems and well trained personnel, but neglect the fact that we are being monitored through the building’s walls, floors, and windows. 
Without true understanding of the nature of the interactions of the system, we cannot fully understand how vulnerabilities in one level of the system such as the physical infrastructure can be exploited to allow attacks on another level such as the computer networks. By taking advantage of these vulnerabilities, perpetrators are able to circumvent even the most effective computer and network security, breach that security, and achieve their goals. We only need to consider the current challenges of insider threats or threats from coordinated attacks on the physical infrastructure and the computer networks to appreciate the need for better integrated system security. Our goal is to provide analytical tools for the real world, focusing on the decision makers who implement security policies across the system spectrum. Further, to be effective, these analytical tools must be implemented within an organizing framework that provides both an integrated view of security as well as the insight and understanding necessary to make effective security decisions. This necessitates the development of step-by-step processes for analyzing and implementing security decisions. While this may seem to be a soft and less complete technical solution, it is actually implementing technology at the highest level because of the integration required to address each aspect of the system as well as the multi-disciplinary approach blending computer science, engineering, psychology, linguistics, and management in developing such analytic tools. This presentation will discuss work in progress in developing these analytical tools as well as the overarching framework for implementing integrated system security. Our intention is to understand “what can be” or “what could happen”. 
With this insight, they can more effectively provide prevention, protection, or remediation strategies.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=uqsudl42ek9ctsjb34q91u1hgk@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/1-cEUrqYnkI/secsem_20061101.mp4" length="230506177" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20061101.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Qihua Wang, "Beyond Separation of Duty: An Algebra for Specifying High-level Security ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/FCVrcsC0Feo/cerias_event.php</link>
            <description>A high-level security policy states an overall requirement for a sensitive task. One example of a high-level security policy is a separation of duty policy, which requires a sensitive task to be performed by a team of at least k users. It states a high-level requirement about the task without the need to refer to individual steps in the task. While extremely important and widely used, separation of duty policies state only quantity requirements and do not capture qualification requirements on users involved in the task. This talk will introduce a novel algebra that enables the specification of high-level policies that combine qualification requirements with quantity requirements motivated by separation of duty considerations. A high-level policy associates a task with a term in the algebra and requires that all sets of users that perform the task satisfy the term. The syntax and semantics of the algebra, as well as the algebraic properties of its operators will be presented. The talk will also discuss results for computational problems related to the&lt;br /&gt;algebra and compare the algebra with regular expressions.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/FCVrcsC0Feo" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 25 Oct 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=28j17udt8l77569ssdmgn2lse8@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/EKQNLMLaALU/secsem_20061025.mp4" fileSize="448558079" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>A high-level security policy states an overall requirement for a sensitive task. One example of a high-level security policy is a separation of duty policy, which requires a sensitive task to be performed by a team of at least k users. It states a high-le</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>A high-level security policy states an overall requirement for a sensitive task. One example of a high-level security policy is a separation of duty policy, which requires a sensitive task to be performed by a team of at least k users. It states a high-level requirement about the task without the need to refer to individual steps in the task. While extremely important and widely used, separation of duty policies state only quantity requirements and do not capture qualification requirements on users involved in the task. This talk will introduce a novel algebra that enables the specification of high-level policies that combine qualification requirements with quantity requirements motivated by separation of duty considerations. A high-level policy associates a task with a term in the algebra and requires that all sets of users that perform the task satisfy the term. The syntax and semantics of the algebra, as well as the algebraic properties of its operators will be presented. 
The talk will also discuss results for computational problems related to the algebra and compare the algebra with regular expressions.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=28j17udt8l77569ssdmgn2lse8@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/EKQNLMLaALU/secsem_20061025.mp4" length="448558079" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20061025.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Nitin Khanna, "Forensics Characterization of Printers and Image Capture devices"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/bHq4LeAt58Q/cerias_event.php</link>
            <description>The falling cost and wide availability of electronic devices have led to their&lt;br /&gt;widespread use by individuals, corporations, and governments. These devices,&lt;br /&gt;such as computers, cell phones, digital cameras, and printers, all contain&lt;br /&gt;various sensors which generate data that are stored or transmitted&lt;br /&gt;to another device. One example of this is a security system containing a&lt;br /&gt;network of video cameras, temperature sensors, alarms, computers, and other&lt;br /&gt;devices. In such a network, it is important to be able to trust the data from&lt;br /&gt;each of these sensors. Forensic techniques can be used to uniquely identify&lt;br /&gt;each device using the data it produces. This is different from simply securing&lt;br /&gt;the data being sent across the network because we are also authenticating the&lt;br /&gt;sensor that is creating the data.&lt;br /&gt;&lt;br /&gt;Forensic characterization of a device allows identification of the type of&lt;br /&gt;device, make, model, configuration, and other characteristics based solely on&lt;br /&gt;observation of the data that the device produces. These characteristics&lt;br /&gt;that uniquely identify a device are called device signatures. As an example,&lt;br /&gt;the noise characteristics in a digital image can be used as a signature of the&lt;br /&gt;camera that produced it. Similarly, the ‘‘noise’’ characteristics of a print&lt;br /&gt;engine can be used as a signature of the printer that generated a document.&lt;br /&gt;&lt;br /&gt;This talk will present current research and techniques for forensic&lt;br /&gt;characterization of printers and image capture devices such as digital&lt;br /&gt;cameras and scanners.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/bHq4LeAt58Q" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 18 Oct 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=4u5ms9c74oal2rj7mjvb0oivs0@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/9wahxc2i8FM/secsem_20061018.mp4" fileSize="231544011" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The falling cost and wide availability of electronic devices have led to their widespread use by individuals, corporations, and governments. These devices, such as computers, cell phones, digital cameras, and printers, all contain various sensors which ge</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The falling cost and wide availability of electronic devices have led to their widespread use by individuals, corporations, and governments. These devices, such as computers, cell phones, digital cameras, and printers, all contain various sensors which generate data that are stored or transmitted to another device. One example of this is a security system containing a network of video cameras, temperature sensors, alarms, computers, and other devices. In such a network, it is important to be able to trust the data from each of these sensors. Forensic techniques can be used to uniquely identify each device using the data it produces. This is different from simply securing the data being sent across the network because we are also authenticating the sensor that is creating the data. Forensic characterization of a device allows identification of the type of device, make, model, configuration, and other characteristics based solely on observation of the data that the device produces. These characteristics that uniquely identify a device are called device signatures. As an example, the noise characteristics in a digital image can be used as a signature of the camera that produced it. Similarly, the ‘‘noise’’ characteristics of a print engine can be used as a signature of the printer that generated a document. 
This talk will present current research and techniques for forensic characterization of printers and image capture devices such as digital cameras and scanners.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=4u5ms9c74oal2rj7mjvb0oivs0@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/9wahxc2i8FM/secsem_20061018.mp4" length="231544011" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20061018.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Nora Rifon, "Network Security Begins at Home: Changing Consumer Behavior for i-Safety"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/MYOHKJeFspo/cerias_event.php</link>
            <description>Virus and worm attacks that spread through holes in popular consumer&lt;br /&gt;software emphasize the role the online public must play in preserving the&lt;br /&gt;safety and integrity of the Internet.  To protect the network commons, more&lt;br /&gt;users must engage in safe online behavior by such actions as controlling&lt;br /&gt;their private information, updating software security patches, downloading&lt;br /&gt;protective software, and filtering their email. While network security&lt;br /&gt;remains an abstract notion to the general public, online consumers can&lt;br /&gt;understand the issue in terms of their personal privacy behavior, actions&lt;br /&gt;that result in the undesired disclosure of information and unwanted&lt;br /&gt;intrusions on their personal cyberspace. In her talk, Professor Rifon will&lt;br /&gt;discuss a social-psychological approach to understanding Internet user&lt;br /&gt;privacy and security safety related behaviors.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/MYOHKJeFspo" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 11 Oct 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=45ptvuj8ps1d7uuei275gn2ft4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/MUUuB4zAFpA/secsem_20061011.mp4" fileSize="229345419" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Virus and worm attacks that spread through holes in popular consumer software emphasize the role the online public must play in preserving the safety and integrity of the Internet. To protect the network commons, more users must engage in safe online beha</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Virus and worm attacks that spread through holes in popular consumer software emphasize the role the online public must play in preserving the safety and integrity of the Internet. To protect the network commons, more users must engage in safe online behavior by such actions as controlling their private information, updating software security patches, downloading protective software, and filtering their email. While network security remains an abstract notion to the general public, online consumers can understand the issue in terms of their personal privacy behavior, actions that result in the undesired disclosure of information and unwanted intrusions on their personal cyberspace. 
In her talk, Professor Rifon will discuss a social-psychological approach to understanding Internet user privacy and security safety related behaviors.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=45ptvuj8ps1d7uuei275gn2ft4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/MUUuB4zAFpA/secsem_20061011.mp4" length="229345419" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20061011.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Danfeng Yao, "Verification of Integrity for Outsourced Content Publishing and Database ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/btPqa0gM_9I/cerias_event.php</link>
            <description>In outsourced content publishing, the data owner gives the content to a service provider who answers requests from users. Similarly, in outsourced databases, the data owner delegates a service provider to answer queries.  Outsourcing enables fast and fault-tolerant delivery of information. However, since service providers in outsourced systems may not be trusted by users, the user needs to verify the integrity of&lt;br /&gt;information obtained.&lt;br /&gt;&lt;br /&gt;First, I present a cryptographic solution for the verification of pseudonymized documents. A document can be pseudonymized by the service provider on the fly, based on the data owner's policies and the user's access permissions. Our pseudonym protocol is simple and efficient, and only requires the data owner to prepare and sign the document once.&lt;br /&gt;Second, I present a solution for integrity verification of database aggregate queries, such as sum and max. We design proofs of correctness and completeness of aggregate results.  What makes the problem challenging is that individual data entries may be sensitive (such as in medical databases), and should not be revealed to the user. We give&lt;br /&gt;cryptographic protocols to support verification of query results in a privacy-preserving fashion.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/btPqa0gM_9I" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 04 Oct 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ucmksd7dv4hctpr78fnn3eljj0@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/PAyrFmOeX6A/secsem_20061004.mp4" fileSize="296573481" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>In outsourced content publishing, the data owner gives the content to a service provider who answers requests from users. Similarly, in outsourced databases, the data owner delegates a service provider to answer queries. Outsourcing enables fast and fault</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>In outsourced content publishing, the data owner gives the content to a service provider who answers requests from users. Similarly, in outsourced databases, the data owner delegates a service provider to answer queries. Outsourcing enables fast and fault-tolerant delivery of information. However, since service providers in outsourced systems may not be trusted by users, the user needs to verify the integrity of information obtained. First, I present a cryptographic solution for the verification of pseudonymized documents. A document can be pseudonymized by the service provider on the fly, based on the data owner's policies and the user's access permissions. Our pseudonym protocol is simple and efficient, and only requires the data owner to prepare and sign the document once. Second, I present a solution for integrity verification of database aggregate queries, such as sum and max. We design proofs of correctness and completeness of aggregate results. What makes the problem challenging is that individual data entries may be sensitive (such as in medical databases), and should not be revealed to the user. 
We give cryptographic protocols to support verification of query results in a privacy-preserving fashion.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ucmksd7dv4hctpr78fnn3eljj0@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/PAyrFmOeX6A/secsem_20061004.mp4" length="296573481" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20061004.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ravi Sandhu, "The Secure Information Sharing Problem and Solution Approaches"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Xp5rz1zIoAM/cerias_event.php</link>
            <description>The secure information sharing problem is one of the oldest and most fundamental and elusive problems in information security. Mission objectives dictate that information must be shared and made available to authorized recipients, and yet information must be protected from leakage and subversion by malicious insiders and malicious software. The doctrine of "share but protect" indicates the inherent conflict in achieving effective secure information sharing. In this talk we demonstrate the complexity and richness of the secure information sharing problem space. We then identify some "sweet spots" that appear promising in their practical benefit and feasibility of solutions. We describe the PEI models approach to decompose security problems into the three layers of policy models (topmost), enforcement models (middle), and implementation models (bottom). We discuss how this approach can be applied to the secure information sharing problem. Finally we indicate how modern trusted computing technology can be used to solve important variations of this problem.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Xp5rz1zIoAM" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 27 Sep 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ci092d1j1vs7r0bfulapr7jdi0@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/5P_5sz0bJSs/secsem_20060927.mp4" fileSize="229559618" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The secure information sharing problem is one of the oldest and most fundamental and elusive problems in information security. Mission objectives dictate that Information must be shared and made available to authorized recipients, and yet information must</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The secure information sharing problem is one of the oldest and most fundamental and elusive problems in information security. Mission objectives dictate that Information must be shared and made available to authorized recipients, and yet information must be protected from leakage and subversion by malicious insiders and malicious software. The doctrine of "share but protect" indicates the inherent conflict in achieving effective secure information sharing. In this talk we demonstrate the complexity and richness of the secure information sharing problem space. We then identify some "sweet spots" that appear promising in their practical benefit and feasibility of solutions. We describe the PEI models approach to decompose security problems into the three layers of policy models (topmost), enforcement models (middle), and implementation models (bottom). We discuss how this approach can be applied to the secure information sharing problem. 
Finally we indicate how modern trusted computing technology can be used to solve important variations of this problem.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ci092d1j1vs7r0bfulapr7jdi0@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/5P_5sz0bJSs/secsem_20060927.mp4" length="229559618" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20060927.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Gene Kim, "Prioritizing Processes and Controls for Effective and Measurable Security"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/jFyPan6nrZw/cerias_event.php</link>
            <description>Are your security &amp; IT controls really effective? Do you know how your security &amp; IT operations compare to high performers? &lt;br /&gt;&lt;br /&gt;In this presentation, Gene Kim will share the work he has been doing over the last six years with the IT Process Institute (ITPI), Software Engineering Institute, and Institute of Internal Auditors, codifying the observed practices of high-performing IT organizations. These high performers have a culture of change management, a culture of causality and a perpetual desire to detect variance before it causes a catastrophic event.&lt;br /&gt;&lt;br /&gt;Specifically, Gene will discuss the ITPI IT Controls Benchmarking Survey of practice, a recently completed research project which has quantified the value, effectiveness, efficiency and security of controls. This landmark research has uncovered an alternative approach to being an effective security executive, based on measuring security by its ability to maintain its existing commitments; integrate controls into daily IT operations (prevent); put automated controls in place to detect variance before loss events (detect); reduce the percent of security incidents that result in loss events (detect); and successfully investigate and conclude security investigations.&lt;br /&gt;&lt;br /&gt;Attendees will learn about the key research findings:&lt;br /&gt;* That high performers have 5-8x higher operational and security&lt;br /&gt;effectiveness and efficiency measures&lt;br /&gt;* The 20% of IT controls that have 80% of the measurable benefits, and&lt;br /&gt;how to implement and the prescriptive steps to take in order to achieve&lt;br /&gt;defined security results&lt;br /&gt;* The certain processes and controls that have shown catalytic and&lt;br /&gt;sustaining properties, meaning that the value they add demonstrably&lt;br /&gt;exceeds the cost to implement, and report out on them.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/jFyPan6nrZw" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 20 Sep 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ve3d844b8277lei2sgb9io1d8c@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/B4yCaXps408/secsem_20060920.mp4" fileSize="232197506" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Are your security &amp; IT controls really effective? Do you know how your security &amp; IT operations compare to high performers? In this presentation, Gene Kim will share the work he has been doing over the last six years with the IT Process Institute (ITPI), </itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Are your security &amp; IT controls really effective? Do you know how your security &amp; IT operations compare to high performers? In this presentation, Gene Kim will share the work he has been doing over the last six years with the IT Process Institute (ITPI), Software Engineering Institute, and Institute of Internal Auditors, codifying the observed practices of high-performing IT organizations. These high performers have a culture of change management, a culture of causality and a perpetual desire to detect variance before it causes a catastrophic event. Specifically, Gene will discuss the ITPI IT Controls Benchmarking Survey of practice, a recently completed research project which has quantified the value, effectiveness, efficiency and security of controls. This landmark research has uncovered an alternative approach to being an effective security executive, based on measuring security by its ability to maintain its existing commitments; integrate controls into daily IT operations (prevent); put automated controls in place to detect variance before loss events (detect); reduce the percent of security incidents that result in loss events (detect); and successfully investigate and conclude security investigations. 
Attendees will learn about the key research findings: * That high performers have 5-8x higher operational and security effectiveness and efficiency measures * The 20% of IT controls that have 80% of the measurable benefits, and how to implement and the prescriptive steps to take in order to achieve defined security results * The certain processes and controls that have shown catalytic and sustaining properties, meaning that the value they add demonstrably exceeds the cost to implement, and report out on them.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ve3d844b8277lei2sgb9io1d8c@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/B4yCaXps408/secsem_20060920.mp4" length="232197506" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20060920.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Hyogon Kim, "Real-Time Visualization of Network Attacks on High-Speed Links"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/Y3ZSXJYxqsI/cerias_event.php</link>
            <description>In this talk, we will see that malicious traffic flows such as  denial-of-service attacks and various scanning activities can be  visualized in an intuitive manner. A simple but novel idea of  plotting a packet using its source IP address, destination IP  address, and the destination port in a 3-dimensional space  graphically reveals ongoing attacks. Leveraging this property,  combined with the fact that only three header fields per each  packet need to be examined, a fast attack detection and  classification algorithm can be devised.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/Y3ZSXJYxqsI" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 13 Sep 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=livi7vbcs7c8afq82dupj2f2es@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/6h8SX9ST7k0/secsem_20060913.mp4" fileSize="230393583" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>In this talk, we will see that malicious traffic flows such as denial-of-service attacks and various scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting a packet using its source IP address, destination IP add</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>In this talk, we will see that malicious traffic flows such as denial-of-service attacks and various scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting a packet using its source IP address, destination IP address, and the destination port in a 3-dimensional space graphically reveals ongoing attacks. Leveraging this property, combined with the fact that only three header fields per each packet need to be examined, a fast attack detection and classification algorithm can be devised.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=livi7vbcs7c8afq82dupj2f2es@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/6h8SX9ST7k0/secsem_20060913.mp4" length="230393583" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20060913.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ed Finkler, "A Multi-layered Approach to Web Application Defense"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/0wiZI339IMs/cerias_event.php</link>
            <description>Defending against attacks on a web application is by nature a complex process, one that must address everything from coding practices to user management to network architecture.  This talk will describe a number of techniques that, used in concert, will make your web app a much tougher cookie to crack.  Primary focus will be on open-source "XAMP" setups, but the concepts should be applicable to most other systems.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/0wiZI339IMs" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 06 Sep 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ckj7oi7032fadssu82gv6kiqm4@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/4VKFpQnLXD0/secsem_20060906.mp4" fileSize="178348045" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Defending against attacks on a web application is by nature a complex process, one that must address everything from coding practices to user management to network architecture. This talk will describe a number of techniques that, used in concert, will m</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Defending against attacks on a web application is by nature a complex process, one that must address everything from coding practices to user management to network architecture. This talk will describe a number of techniques that, used in concert, will make your web app a much tougher cookie to crack. Primary focus will be on open-source "XAMP" setups, but the concepts should be applicable to most other systems.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ckj7oi7032fadssu82gv6kiqm4@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/4VKFpQnLXD0/secsem_20060906.mp4" length="178348045" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20060906.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Sid Stamm, "Invasive Browser Sniffing and Countermeasures"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/nAEa8rMZ5f8/cerias_event.php</link>
            <description>We describe the detrimental effects of browser cache/ history sniffing in the context of phishing attacks, and detail an  approach that neutralizes the threat by means of URL personalization;  we report on an implementation performing such personalization  on  the fly, and analyze the costs of and security properties of our  proposed solution.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/nAEa8rMZ5f8" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 30 Aug 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=6u4u7g22ig3n9d07ktga8k27ts@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/TuMFrntlKC8/secsem_20060830.mp4" fileSize="245326764" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>We describe the detrimental effects of browser cache/ history sniffing in the context of phishing attacks, and detail an approach that neutralizes the threat by means of URL personalization; we report on an implementation performing such personalization o</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>We describe the detrimental effects of browser cache/ history sniffing in the context of phishing attacks, and detail an approach that neutralizes the threat by means of URL personalization; we report on an implementation performing such personalization on the fly, and analyze the costs of and security properties of our proposed solution.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=6u4u7g22ig3n9d07ktga8k27ts@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/TuMFrntlKC8/secsem_20060830.mp4" length="245326764" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20060830.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Ehab Al-Shaer, Ph.D., "Toward Autonomic Security Policy Management"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/a592mNK-C80/cerias_event.php</link>
            <description>The assurance of network security is dependent not only on the protocols but also on policies that determine the functional behavior of network security devices. Network security devices such as Firewalls, IPSec gateways, IDS/IPS operate based on locally configured access control policies. However, the complexity of managing security policies, particularly in enterprise networks, poses many challenges for deploying effective security. For example, security policies are usually configured in isolation from each other, even though they are not necessarily independent as they interact with each other to form the global security policy. As a result of such ad-hoc management, policy inconsistencies and network vulnerability are created.  In addition security policy might grow in size causing a significant performance overhead in security devices.  A major performance gain can be achieved if policies can be dynamically optimized to adapt to traffic properties (called traffic-aware policy optimization). This talk will explain these challenges and present the recent research results in the area of automated verification, and optimization of network security policies.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/a592mNK-C80" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 23 Aug 2006 20:30:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ngj1q6m5qhar1r4li8jo6l6gg0@google.com</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/7jJyNecuNjI/secsem_20060823.mp4" fileSize="206644979" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The assurance of network security is dependent not only on the protocols but also on policies that determine the functional behavior of network security devices. Network security devices such as Firewalls, IPSec gateways, IDS/IPS operate based on locally c</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>The assurance of network security is dependent not only on the protocols but also on policies that determine the functional behavior of network security devices. Network security devices such as Firewalls, IPSec gateways, IDS/IPS operate based on locally configured access control policies. However, the complexity of managing security policies, particularly in enterprise networks, poses many challenges for deploying effective security. For example, security policies are usually configured in isolation from each other, even though they are not necessarily independent as they interact with each other to form the global security policy. As a result of such ad-hoc management, policy inconsistencies and network vulnerability are created. In addition security policy might grow in size causing a significant performance overhead in security devices. A major performance gain can be achieved if policies can be dynamically optimized to adapt to traffic properties (called traffic-aware policy optimization). 
This talk will explain these challenges and present the recent research results in the area of automated verification, and optimization of network security policies.</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=ngj1q6m5qhar1r4li8jo6l6gg0@google.com</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/7jJyNecuNjI/secsem_20060823.mp4" length="206644979" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20060823.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>Virgil D. Gligor, "On the Evolution of Adversary Models for Security Protocols - from the ...</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/BUq0BFaxwzo/cerias_event.php</link>
            <description>Invariably, new technologies introduce new vulnerabilities which, in principle, 
enable new attacks by increasingly potent adversaries. Yet new systems are more 
adept at handling well-known attacks by old adversaries than anticipating 
new ones. Our adversary models seem to be perpetually out of date: often they 
do not capture adversary attacks enabled by new vulnerabilities and sometimes 
address attacks rendered impractical by new technologies. 

In this talk, I provide a brief overview of adversary models beginning with 
those required by program and data sharing technologies, continuing with those 
required by computer communication and networking technologies, and ending with 
those required by mobile ad-hoc and sensor network technologies. I argue that 
mobile ad-hoc and sensor networks require new adversary models (e.g., different 
from those of Dolev-Yao and Byzantine adversaries). I illustrate this with 
adversaries that attack perfectly sensible and otherwise correct protocols of 
mobile ad-hoc and sensor networks. These attacks cannot be countered with 
traditional security protocols as they require emergent security properties.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BUq0BFaxwzo:nyZISm2nnwU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BUq0BFaxwzo:nyZISm2nnwU:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BUq0BFaxwzo:nyZISm2nnwU:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?i=BUq0BFaxwzo:nyZISm2nnwU:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BUq0BFaxwzo:nyZISm2nnwU:dMcygGhlNJA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=dMcygGhlNJA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BUq0BFaxwzo:nyZISm2nnwU:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=u0Zhe-nyOHo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BUq0BFaxwzo:nyZISm2nnwU:W1ccf-mKbkM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=W1ccf-mKbkM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/BUq0BFaxwzo" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 26 Apr 2006 01:00:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=68088-tD9Ahl97cT3c-1222-YjY6J9WYowX65s54</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/lwvpbjuDySE/secsem_20060426.mp4" fileSize="184252598" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Invariably, new technologies introduce new vulnerabilities which, in principle, enable new attacks by increasingly potent adversaries. Yet new systems are more adept at handling well-known attacks by old adversaries than anticipating new ones. Our adversa</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purdue.edu&gt;</itunes:author><itunes:summary>Invariably, new technologies introduce new vulnerabilities which, in principle, enable new attacks by increasingly potent adversaries. Yet new systems are more adept at handling well-known attacks by old adversaries than anticipating new ones. Our adversary models seem to be perpetually out of date: often they do not capture adversary attacks enabled by new vulnerabilities and sometimes address attacks rendered impractical by new technologies. In this talk, I provide a brief overview of adversary models beginning with those required by program and data sharing technologies, continuing with those required by computer communication and networking technologies, and ending with those required by mobile ad-hoc and sensor network technologies. I argue that mobile ad-hoc and sensor networks require new adversary models (e.g., different from those of Dolev-Yao and Byzantine adversaries). I illustrate this with adversaries that attack perfectly sensible and otherwise correct protocols of mobile ad-hoc and sensor networks. These attacks cannot be countered with traditional security protocols as they require emergent security properties. 
</itunes:summary><itunes:keywords>infosec,security,video,seminar,cerias,purdue,information,SFS,research,education,IT,technology,privacy,policy</itunes:keywords><feedburner:origLink>http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=68088-tD9Ahl97cT3c-1222-YjY6J9WYowX65s54</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/lwvpbjuDySE/secsem_20060426.mp4" length="184252598" type="video/mp4" /><feedburner:origEnclosureLink>http://www.cerias.purdue.edu/video/secsem/secsem_20060426.mp4</feedburner:origEnclosureLink></item>
        <item>
            <title>John Black, "Recent Attacks on MD5"</title>
            <link>http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~3/BsNlKYFQLSw/cerias_event.php</link>
            <description>Cryptology is typically defined as cryptography (the construction of
cryptographic algorithms) and cryptanalysis (attacks on these algorithms).
Both are important, but the latter is more fun. 

Cryptographic hash functions are one of the core building blocks within both 
security protocols and other application domains.  In the last few decades
a wealth of these functions have been developed, but the two in most
widespread usage are MD5 and SHA1.  Recently, there has been a great
deal of activity regarding the cryptanalysis of MD5.

We survey the recent attacks on the MD5 hash function from the modest
progress in the mid 90s to the startling recent results instigated by
Xiaoyun Wang.  We will look at the details of these attacks, some recent
improvements, two applications, and discuss the current outlook on
cryptographic hashing.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BsNlKYFQLSw:rjfUubj6Fz8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BsNlKYFQLSw:rjfUubj6Fz8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BsNlKYFQLSw:rjfUubj6Fz8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?i=BsNlKYFQLSw:rjfUubj6Fz8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BsNlKYFQLSw:rjfUubj6Fz8:dMcygGhlNJA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=dMcygGhlNJA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BsNlKYFQLSw:rjfUubj6Fz8:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=u0Zhe-nyOHo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?a=BsNlKYFQLSw:rjfUubj6Fz8:W1ccf-mKbkM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/CeriasSecuritySeminarPodcast?d=W1ccf-mKbkM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/CeriasSecuritySeminarPodcast/~4/BsNlKYFQLSw" height="1" width="1"/&gt;</description>
            <author>webmaster@cerias.purdue.edu (CERIAS &lt;webmaster@cerias.purdue.edu&gt;)</author>
            <pubDate>Wed, 19 Apr 2006 01:00:00 +0100</pubDate>
            <guid isPermaLink="false">http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=19927-eIdKM5hqul73-1213-MHH9qTQgeDMc39TU</guid>
            
        <media:content url="http://feedproxy.google.com/~r/CeriasSecuritySeminarPodcast/~5/BGpd4qmxlEQ/secsem_20060419.mp4" fileSize="144181038" type="video/mp4" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Cryptology is typically defined as cryptography (the construction of cryptographic algorithms) and cryptanalysis (attacks on these algorithms). Both are important, but the latter is more fun. Cryptographic hash functions are one of the core building block</itunes:subtitle><itunes:author>CERIAS &lt;webmaster@cerias.purd