Security & Privacy, IEEE

Issue 4 • Date July-Aug. 2004

  • [Front cover]

    Publication Year: 2004 , Page(s): c1
    Freely Available from IEEE
  • Table of contents

    Publication Year: 2004 , Page(s): 2
    Freely Available from IEEE
  • From the Editors: A Witty Lesson

    Publication Year: 2004 , Page(s): 5

    Associate Editor in Chief Marc Donner examines the Witty Worm and what its existence might mean for the future of the software development infrastructure.
  • Masthead

    Publication Year: 2004 , Page(s): 6
    Freely Available from IEEE
  • Letters to the Editor

    Publication Year: 2004 , Page(s): 7 - 8
    Freely Available from IEEE
  • Book Reviews

    Publication Year: 2004 , Page(s): 10
    Freely Available from IEEE
  • The delicate balance: security and privacy

    Publication Year: 2004 , Page(s): 12 - 13

    The article examines the USA Patriot Act; a new push by law enforcement to wiretap voice-over-IP (VoIP) communications; and the need to prevent abuses of technology at the international level. Although the Patriot Act might be good for overall security, it raises serious privacy concerns. It is very one-sided in favoring law enforcement's ability to get information about people, without giving them the opportunity to attempt to protect that information. The act permits using wiretaps without requiring authorities to specify who is being tapped or where the tapping occurs. The Patriot Act likewise opens the door to potential technology abuses, such as providing funding for government database improvements, while offering no protections in terms of how those databases will be used. The article also examines the worldwide state of security by looking at concerns about the dumping and testing of surveillance technologies in countries where civil rights and civil liberties are not an issue.
  • Guest Editors' Introduction: Why Attacking Systems Is a Good Idea

    Publication Year: 2004 , Page(s): 17 - 19
    Cited by:  Papers (2)

    The articles in this issue represent the broad range of ideas that come to mind when scientists and engineers think about attacking systems. Some approach the problem by describing technically sophisticated attacks, attack patterns, and toolkits. Others fret about the politics of security and attacks, worrying that outlawing certain kinds of software will backfire. Some describe methodologies for breaking systems (on purpose) in order to evaluate them. Others describe in gory detail the kinds of tools the adversary regularly wields. All of these approaches are useful.
  • Beyond stack smashing: recent advances in exploiting buffer overruns

    Publication Year: 2004 , Page(s): 20 - 27
    Cited by:  Papers (31)  |  Patents (4)

    Security vulnerabilities related to buffer overruns account for the largest share of CERT advisories, as well as high-profile worms - from the original Internet Worm in 1987 through Blaster's appearance in 2003. When malicious crackers discover a vulnerability, they devise exploits that take advantage of the vulnerability to attack a system. The article describes three powerful general-purpose families of exploits for buffer overruns: arc injection, pointer subterfuge, and heap smashing. These new techniques go beyond the traditional "stack smashing" attack and invalidate traditional assumptions about buffer overruns.
  • Cybercrime Treaty could chill research

    Publication Year: 2004 , Page(s): 28 - 32

    Supporters of the international Cybercrime Treaty claim it will help prevent viruses and worms such as Code Red and the SQL Slammer worm. Detractors worry that it will not only suppress freedom of speech, but will also discourage research into the control of such malicious computer programs.
  • The appropriate use of force-on-force cyberexercises

    Publication Year: 2004 , Page(s): 33 - 37

    Over time, network threats change, so a computer network defense system must be periodically tested to assess its true ability. Within the computer network arena, organizations are using cyberexercises to test reactions to security attacks and penetrations. Cyberexercises take a variety of forms; one of the most popular pits an attacking red team against network, system, and security administrators. Red teams are a popular way to test an organization's security posture, but proceeding too quickly with this kind of exercise can be counterproductive. Examining network security from a comprehensive organizational viewpoint raises several interesting questions: When are red teams and technical exercises appropriate? What aspects of network security do these types of exercises test? What alternative cyberexercises might be more suitable?
  • Taking a lesson from stealthy rootkits

    Publication Year: 2004 , Page(s): 38 - 45
    Cited by:  Papers (3)

    Attackers use rootkits and obfuscation techniques to hide while covertly extracting information from commercial applications. The authors describe how developers can use similar obfuscation approaches to build more agile, less vulnerable software. Obfuscation deliberately transforms software into an identically functioning, but purposefully unreadable form, implemented in a high-level programming language, at the machine-instruction level, or, to some extent, in the compiled binary. Obfuscation's only requirement is that its generated code be functionally equivalent to its parent.
  • The spread of the Witty worm

    Publication Year: 2004 , Page(s): 46 - 50
    Cited by:  Papers (68)

    On Friday, 19 March 2004, at approximately 8:45 p.m. Pacific Standard Time (PST), an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including its RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm took advantage of a security flaw in these firewall applications that eEye Digital Security discovered earlier in March. Once the Witty worm - so called because its payload contained the phrase, "(^.^) insert witty message here (^.^)" - infects a computer, it deletes a randomly chosen section of the hard drive, which, over time, renders the machine unusable. We share a global view of the worm's spread, with particular attention to its features.
  • Back to school [security education]

    Publication Year: 2004 , Page(s): 54 - 56
    Cited by:  Papers (2)

    As summer draws to an end, faculty and students turn their attention to academic planning. This used to be a very tough task - faculty developed most of their materials from scratch. Now, rather than a handful of items to draw on when planning a security and privacy course, there is a plethora of sample syllabi, textbooks, and other supportive materials. The question is: where are they? For all the busy academics out there readying their courses, and the students who are about to join you, we have written the article, with help from the Centers of Excellence in Information Assurance Education, in the hope that it will make your preparations a trifle less hectic.
  • Quantum cryptography

    Publication Year: 2004 , Page(s): 57 - 61
    Cited by:  Papers (7)

    Though most people think they are science fiction, quantum cryptography systems are now operational, with prototypes protecting Internet traffic across metropolitan areas. These systems are so novel that we can consider quantum cryptography, or more properly, quantum key distribution (QKD), as the third and final insight to transform cryptography in the 20th century.
  • Deploying and using public key technology: lessons learned in real life

    Publication Year: 2004 , Page(s): 67 - 71
    Cited by:  Papers (3)

    When you think of Johnson & Johnson, images of baby powder and other elements of parenting probably come to mind. The company produces all of these things, along with a wide variety of healthcare products, including pharmaceuticals and medical devices, but it actually consists of more than 200 separately operating companies. Tying together this diverse business environment is a security foundation built on public-key infrastructure (PKI) technology, coupled with an enterprise-wide identity directory. In this article, we describe that infrastructure, Johnson & Johnson's experience in deploying it, and how the company uses (and plans to use) digital certificates. Most important, we outline some real-world lessons the company learned when deploying PKI.
  • Honeypot forensics part 1: analyzing the network

    Publication Year: 2004 , Page(s): 72 - 78
    Cited by:  Papers (7)

    A major goal of honeypot research is to improve our knowledge of blackhats from two perspectives: technical and ethnological. For the former we want new ways to discover rootkits, Trojans, and potential zero-day exploits. For the latter, we want a better understanding of the areas of interest and hidden links between blackhat teams. One way to achieve these goals is to increase the verbosity of our honeypot logs and traces so that we learn every single action the intruder made. The most common tools for doing this are Sebek for system events and Snort for network activity. Unfortunately, there is no easy way to correlate information from these sources, which complicates honeypot forensics. Although computer forensics focuses on analyzing a system once we suspect it has been compromised, we expect honeypots to be compromised. Thus, honeypot forensics focuses on understanding the blackhat's techniques and tools, before and after its intrusion on the honeypot. The article looks at: network activity analysis; building the network timeline; and tools and techniques.
  • Risk analysis in software design

    Publication Year: 2004 , Page(s): 79 - 84
    Cited by:  Papers (13)  |  Patents (5)

    Risk analysis is, at best, a good general-purpose yardstick by which we can judge our security design's effectiveness. Because roughly 50 percent of security problems are the result of design flaws, performing a risk analysis at the design level is an important part of a solid software security program. Taking the trouble to apply risk-analysis methods at the design level for any application often yields valuable, business-relevant results. The risk analysis process is continuous and applies to many different levels, at once identifying system-level vulnerabilities, assigning probability and impact, and determining reasonable mitigation strategies. The paper looks at how, by considering the resulting ranked risks, business stakeholders can determine how to manage particular risks and what the most cost-effective controls might be.
  • Is privacy really constraining security or is this a red herring?

    Publication Year: 2004 , Page(s): 86 - 87

    On the surface, the argument at the heart of the "security vs. privacy" debate is seductively simple: "to prevent terrorism we must empower police to monitor all online activities." However, this claim suffers two fatal logical flaws: it presumes that the proposed fix will solve the problem, and it ignores the proposal's potential for creating even more serious problems than the one it professes to fix. The article considers these aspects.
  • Customers, passwords, and Web sites

    Publication Year: 2004

    Criminals follow money. Today, more and more money is on the Internet: millions of people manage their bank, PayPal, or other accounts - and even their stock portfolios - on line. It's a tempting target - if criminals can access one of these accounts, they can steal a lot of money. And almost all these accounts are protected only by passwords. The solutions are not easy. The never-ending stream of Windows vulnerabilities limits the effectiveness of any customer-based software solution - digital certificates, plug-ins, and so on - and the ease with which malicious software can run on Windows limits other solutions' effectiveness. Point solutions might force attackers to change tactics, but won't solve the underlying insecurities. Computer security is an arms race, and money creates very motivated attackers. Unsolved, this type of security problem will change the way people interact with the Internet. It'll prove that the naysayers were right all along - the Internet isn't safe for electronic commerce.

Aims & Scope

The primary objective of IEEE Security & Privacy is to stimulate and track advances in information assurance and security and present these advances in a form that can be useful to a broad cross-section of the professional community, ranging from academic researchers to industry practitioners. It is intended to serve a broad readership.

Meet Our Editors

Editor-in-Chief
Shari Lawrence Pfleeger
shari.l.pfleeger@dartmouth.edu