Security & Privacy, IEEE

Issue 6 • Date Nov.-Dec. 2005

  • [Front cover]

    Page(s): c1
    Freely Available from IEEE
  • Table of contents

    Page(s): 1 - 2
    Freely Available from IEEE
  • Green Computing

    Page(s): 3

    We need computing and networking environments that support many forms of accountability, but we also need to understand how to construct systems with interfaces simple enough to be usable, yet capable of supporting the kinds of security policies we employ intuitively every day.
  • Masthead

    Page(s): 4
    Freely Available from IEEE
  • Letters to the Editor

    Page(s): 5
  • Are RFIDs Coming to Get You?

    Page(s): 6
    Freely Available from IEEE
  • News Briefs

    Page(s): 7 - 8

    News items related to security, privacy, and policy.
  • Winning the Game of Risk: Neumann's Take on Sound Design

    Page(s): 9 - 12

    In this interview, Peter Neumann discusses the state of the information assurance discipline, the current market forces affecting software security, the risks to the US computing infrastructure, and promising future security technologies.
  • Signaling vulnerabilities in wiretapping systems

    Page(s): 13 - 25

    Many law enforcement wiretap systems are vulnerable to simple, unilateral countermeasures that exploit the unprotected in-band signals passed between the telephone network and the collection system. This article describes the problem as well as some remedies and workarounds.
  • Security, wiretapping, and the Internet

    Page(s): 26 - 33

    In a move that is dangerous to network security, the US Federal Bureau of Investigation is seeking to extend the Communications for Law Enforcement Act to voice over IP. Such an extension poses national security risks.
  • The denial-of-service dance

    Page(s): 34 - 40

    By understanding the types of attacks available to an adversary, we can develop more effective defenses against them. A taxonomy of denial-of-service attacks based on a dance-hall metaphor is a step toward gaining such an understanding. This article presents a metaphor for DoS, the dance hall, that helps us toward a comprehensive view of DoS attacks. In this article, "DoS" refers to the set of remote DoS attacks that depend on a network's presence. The article and the taxonomy it presents are the results of a short-term study aiming to explore avenues for defense.
  • Countering network worms through automatic patch generation

    Page(s): 41 - 49

    To counter zero-day worms that exploit software flaws such as buffer overflows, this end-point architecture uses source code transformations to automatically create and test software patches for vulnerable segments of targeted applications.
  • A framework for countering denial-of-information attacks

    Page(s): 50 - 56

    Denial-of-information (DoI) attacks degrade a given user's ability to seek, assimilate, and process information, and are becoming more prevalent due to the Internet's rapid growth. To counter such attacks, the authors' taxonomy provides structure to this area and proposes a model for describing the information space.
  • SecureWorld Expo 2005

    Page(s): 57 - 60

    A report on SecureWorld Expo 2005, held 21 to 22 September 2005 in Dearborn, Michigan. The SecureWorld Expo targets business and IT professionals with security concerns and provides them with an industry-wide agenda to help solve those concerns through a partnership with government agencies.
  • Developing and sustaining information assurance. The role of community colleges. Part 1

    Page(s): 61 - 63

    In 2001, articles in several technology journals underscored the shortage of qualified security professionals who understood information assurance (IA) concepts. At the time, only a handful of universities offered academic programs in IA, and those were at the master's and doctoral levels. Although a few colleges had classes that covered IA topics, no undergraduate-level programs existed. Continual training and education are necessary to manage the ever-evolving technologies of computer systems and network administration, which place increasingly heavy demands on public and private entities. New positions open frequently for qualified applicants in IA, sometimes forcing existing employees to step into the job of maintaining secure and available computer infrastructures to support their organizations. To help address the ongoing need for security training, several US community colleges have stepped up to develop academic programs over the past several years. This article presents the case for IA training at that level, setting the stage for further examination of the particular challenges that it entails.
  • Economically complex cyberattacks

    Page(s): 64 - 67

    Most people working in cyber security recognize that the interconnections and complexities of our economy can have a huge effect on the destructiveness of cyber attacks. They refer casually to "network effects," "spillover effects," or "knock-on effects." Yet there is little understanding of how such effects actually work, what conditions are necessary to create them, or how to quantify their consequences. People working in cyber security also generally acknowledge that combinations of cyber attacks could be much more destructive than individual attacks. Yet there is little understanding of exactly why this is the case or what the principles would be for combining attacks to produce maximum destruction. These two sets of problems are actually the same. It is by taking account of the interconnections and complexities in our economy that cyber-attackers could devise combinations of attacks to cause greater destruction. To understand how this would work, we need to look at three features of our economy that are responsible for much of its structural complexity: redundancies, interdependencies, and near monopolies. Then, as we examine these features, we need to see how each of them would prompt a different sort of attack strategy.
  • Network security basics

    Page(s): 68 - 72

    Writing a basic article on network security is something like writing a brief introduction to flying a commercial airliner. Much must be omitted, and an optimistic goal is to enable the reader to appreciate the skills required. The first question to address is what we mean by "network security." Several possible fields of endeavor come to mind within this broad topic, and each is worthy of a lengthy article. To begin, virtually all the security policy issues apply to network as well as general computer security considerations. In fact, viewed from this perspective, network security is a subset of computer security. The art and science of cryptography and its role in providing confidentiality, integrity, and authentication represents another distinct focus even though it's an integral feature of network security policy. The topic also includes design and configuration issues for both network-perimeter and computer system security. The practical networking aspects of security include computer intrusion detection, traffic analysis, and network monitoring. This article focuses on these aspects because they principally entail a networking perspective.
  • Pretending that systems are secure

    Page(s): 73 - 76

    To a large extent, computing systems are useful only to the degree in which they're embedded in the processes that constitute human society. This embedding makes effective system security extremely important, but achieving it requires a strong look at the human side of the picture: the computers themselves are only part of the system. IEEE Security & Privacy has covered these topics in the past, but usually from the perspective of computing, not society. Can we make it easier for human users to correctly trust what their computers are telling them? Can we make it easier for human programmers to write code that achieves desired functional and performance goals, but with fewer vulnerabilities? Motivated by a series of events over this past year, we'll look at the societal aspects in this installment: the formal education process through which we train students, young and old, to be effective cyber-citizens; and the media coverage and editorializing process through which we express (or perhaps imprint) ethical judgment.
  • Acting responsibly with geospatial data

    Page(s): 77 - 80

    Geospatial data is simply a "language of the landscape"; it can, for the occurrence of every event, "provide position-based knowledge." It consists of "information that identifies the geographic location, and characteristics of natural or constructed features and boundaries on the earth. This information may be derived from, among other things, remote sensing, mapping, and surveying technologies. Statistical data may be included in this definition at the discretion of the collecting agency." To the extent that such data is time-sensitive and focused on operational deployments, movements, and schedules, it can originate from widely available portable technologies. Statistics and other data are increasingly important because they permit the creation of profiles with myriad uses. Organizations must recognize that geospatial data can be created to contain highly sensitive data and that responsible handling of such data will not detract from a firm's commercial opportunities; in fact, it could help it avert severe reputation damage. Originating organizations will find that as the data they handle become increasingly sensitive, the procedures for deciding whether to withhold or change such data before their release must be well established and periodically revised to ensure that organizations handle such data responsibly.
  • Seven pernicious kingdoms: a taxonomy of software security errors

    Page(s): 81 - 84

    Taxonomies can help software developers and security practitioners understand the common coding mistakes that affect security. The goal is to help developers avoid making these mistakes and more readily identify security problems whenever possible. Because developers today are by and large unaware of the security problems they can (unknowingly) introduce into code, a taxonomy of coding errors should provide a real tangible benefit to the software security community. Although the taxonomy proposed here is incomplete and imperfect, it provides an important first step. It focuses on collecting common errors and explaining them in a way that makes sense to programmers. This new taxonomy is made up of two distinct kinds of sets, which we're stealing from biology: a phylum (a type of coding error, such as illegal pointer value) and a kingdom (a collection of phyla that shares a common theme, such as input validation and representation). Both kingdoms and phyla naturally emerge from a soup of coding rules relevant to enterprise software, and it's for this reason that this taxonomy is likely to be incomplete and might lack certain coding errors. In some cases, it's easier and more effective to talk about a category of errors than to talk about any particular attack. Although categories are certainly related to attacks, they aren't the same as attack patterns.
  • Security standards for the RFID market

    Page(s): 85 - 89

    As the RFID market expands, we'll see the continued proliferation of RFID tags built for highly specialized vertical markets, which means greater variety and the consequent need to ensure interoperability. A great deal of research and development is currently under way in the RFID security field to mitigate both known and postulated risks. Manufacturers, business managers, and RFID systems engineers continue to weigh the trade-offs between chip size, cost, functionality, interoperability, security, and privacy against the bottom-line impact on business processes. Security features supporting data confidentiality, tag-to-reader authentication, optimized RF protocols, high-assurance readers, and secure system engineering principles should become available. Security and privacy in RFID tags aren't just technical issues; important policy questions arise as RFID tags join to create large sensor networks and bring us closer to "ubiquitous computing." With public attention focused on the RFID landscape, security and privacy have moved to the forefront in RFID standards work, and the results are worth watching.
  • 2005 Annual Index

    Page(s): 90 - 95
  • The Zotob Storm

    Page(s): 96

    Using the Zotob worm outbreak as an example, Schneier discusses patches and security processes for preventing more worm outbreaks. Given that it's impossible to know what's coming beforehand, how you respond to an actual worm largely determines your defense's effectiveness.

Aims & Scope

The primary objective of IEEE Security & Privacy is to stimulate and track advances in information assurance and security and to present these advances in a form that is useful to a broad cross-section of the professional community, ranging from academic researchers to industry practitioners. It is intended to serve a broad readership.

Meet Our Editors

Editor-in-Chief
Shari Lawrence Pfleeger
shari.l.pfleeger@dartmouth.edu