By Topic

Security & Privacy, IEEE

Issue 1 • Date Jan.-Feb. 2007

Filter Results

Displaying Results 1 - 24 of 24
  • [Front cover]

    Page(s): c1
    Save to Project icon | Request Permissions | PDF file iconPDF (972 KB)  
    Freely Available from IEEE
  • [Inside front cover]

    Page(s): c2
    Save to Project icon | Request Permissions | PDF file iconPDF (1576 KB)  
    Freely Available from IEEE
  • Table of contents

    Page(s): 1 - 2
    Save to Project icon | Request Permissions | PDF file iconPDF (813 KB)  
    Freely Available from IEEE
  • New Challenges for the New Year

    Page(s): 3 - 4
    Save to Project icon | Request Permissions | PDF file iconPDF (147 KB)  
    Freely Available from IEEE
  • Masthead

    Page(s): 5
    Save to Project icon | Request Permissions | PDF file iconPDF (45 KB)  
    Freely Available from IEEE
  • Special Thanks to S&P's Reviewers

    Page(s): 6 - 7
    Save to Project icon | Request Permissions | PDF file iconPDF (53 KB)  
    Freely Available from IEEE
  • Software Security: State of the Art

    Page(s): 8
    Save to Project icon | Request Permissions | PDF file iconPDF (41 KB)  
    Freely Available from IEEE
  • Silver Bullet Speaks with John Stewart [Interview]

    Page(s): 9 - 11
    Save to Project icon | Request Permissions | PDF file iconPDF (78 KB)  
    Freely Available from IEEE
  • News Briefs

    Page(s): 12 - 15
    Save to Project icon | Request Permissions | PDF file iconPDF (49 KB)  
    Freely Available from IEEE
  • Providing Certified Mail Services on the Internet

    Page(s): 16 - 22
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (494 KB)  

    Even though email is an increasingly important application, the Internet doesn't yet provide a reliable messaging infrastructure. Thus, an email message's sender can never be certain - and doesn't receive any evidence -that his or her message was actually delivered to and received by its intended recipients. Furthermore, a recipient can always deny having received a particular message, and the sender can't do much to prove the opposite. This lack of evidence for message delivery and reception is actually a missing piece in the infrastructure required for the more widespread and professional use of email. Against this background, several value-added services come to mind such as non-repudiation services and the digital analog of certified mail. In this article, the author addresses the problem of how to provide certified mail services on the Internet, focusing on the two-party scenario View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Dependability in Wireless Networks: Can We Rely on WiFi?

    Page(s): 23 - 29
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (192 KB)  

    WiFi - short for "wireless fidelity" - is the commercial name for the 802.11 products that have flooded the corporate wireless local area network (WLAN) market and are becoming rapidly ingrained in our daily lives via public hotspots and digital home networks. Authentication and confidentiality are crucial issues for corporate WiFi use, but privacy and availability tend to dominate pervasive usage. However, because a technology's dependability requirements are proportional to its pervasiveness, newer applications mandate a deeper understanding of how much we can rely on WiFi and its security promises. In this article, we present an overview of WiFi vulnerabilities and investigate their proximate and ultimate origins. The intended goal is to provide a foundation to discuss WiFi dependability and its impact on current and future usage scenarios. Although a wireless network's overall security depends on the network stack to the application layer, this article focuses on specific vulnerabilities at the physical (PHY) and data (MAC) layers of 802.11 networks View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Considering Operational Security Risk during System Development

    Page(s): 30 - 35
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (211 KB)  

    Software products today are riddled with defects, some of which leave systems vulnerable to cyber-attacks. Although high-quality development processes can limit vulnerabilities, these processes alone aren't sufficient for operational security. The operational security of software-intensive systems is closely linked to the practices and techniques used during system design and development. In this article, we discuss OCTAVE within the context of analyzing an organization's potential operational security risks for a software-intensive system development project prior to actual deployment View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Is Information Security Under Control?: Investigating Quality in Information Security Management

    Page(s): 36 - 44
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (416 KB)  

    Over the past decade, organizations have sought to become more efficient and productive by adopting information and communication technologies. Organizations are consequently more aware of information security risks and the need to take appropriate action. Previous studies of organizations' use of information security controls have focused on the presence or absence of controls, rather than their quality. We designed and conducted a survey as an initial step toward meeting this challenge. To do this, we benchmarked how organizations manage information security by implementating various controls. Although security surveys are nothing new, our method aims to uncover specific details of control implementation and focus on implementation quality. With a more precise understanding of current practices, information security management can begin to properly pursue effective strategies to improve quality and lower risk View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • HIPAA's Effect on Web Site Privacy Policies

    Page(s): 45 - 52
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (306 KB)  

    Healthcare institutions typically post their privacy practices online as privacy policy documents. We conducted a longitudinal study that examines the effects of HIPAA's enactment on a collection of privacy policy documents for a fixed set of organizations over a four-year period. We present our analysis of 24 healthcare privacy policy documents from nine healthcare Web sites, analyzed using goal mining, a content-analysis method that supports extraction of useful information about institutions' privacy practices from documents. We compare our results to our pre-HIPAA study of these same institutions' online privacy practices and evaluate their evolution in the presence of privacy laws View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Achieving Learning Objectives through E-Voting Case Studies

    Page(s): 53 - 56
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (524 KB)  

    The rapidly increasing use of electronic voting machines in US elections provides a wonderful opportunity to teach students about computer security. In this article, we present an informal e-voting case study to achieve five learning outcomes for students in a typical college (or even high school) classroom. Our intent is to motivate a set of lessons specifically involving e-voting, as well as illustrate the usefulness of mapping outcomes to simplified case studies: (i) understanding how to write a "security specification", (ii) learning about different forms of security policies, (iii) understanding confidentiality, privacy, and information flow, (iv) recognizing the importance of considering usability from a security perspective, and (v) identifying assurances role in establishing confidence in results View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Toward Application-Aware Security and Reliability

    Page(s): 57 - 62
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1117 KB)  

    Two trends - the increasing complexity of computer systems and their deployment in mission- and life-critical applications - are driving the need to provide applications with security and reliability support. Compounding the situation, the Internet's ubiquity has made systems much more vulnerable to malicious attacks that can have far-reaching implications on our daily lives. Clearly, the traditional one-size-fits-all approach to security and reliability is no longer sufficient or acceptable from the user perspective. In this article, we introduce the concept of application-aware checking as an alternative. By extracting application via recent breakthroughs in compiler analysis and enforcing the characteristics at runtime with the hardware modules embedded in the reliability and security engine (RSE), it's possible to achieve security and reliability with low overheads and false-positive rates View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Special-Purpose Hardware in Cryptanalysis: The Case of 1,024-Bit RSA

    Page(s): 63 - 66
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (724 KB)  

    For efficiency, we should implement cryptographic subsystems with short keys, but reliably estimating minimal key lengths is a rather involved and complicated process - especially for systems with long life cycles and limited update capabilities. In symmetric cryptography, experts consider 56-bit IDES (Data Encryption Standard) keys to be inadequate for most applications: new devices can efficiently derive a DES key from known plaintext-ciphertext pairs. Discussion in asymmetric cryptography circles currently focuses on 1,024-bit RSA key security. Interestingly, in this discussion, a major argument put forward for the insecurity of 1,024-bit RSA isn't due to paramount theoretical progress but to hypothetical hardware devices for factoring large numbers. Unlike quantum computers, these special-purpose designs try to work within the bounds of existing technology; in this article, we look at the ideas underlying some of these designs and their potential View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • How Not to Be Seen

    Page(s): 67 - 69
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (78 KB)  

    The concept of stealth - as it pertains to computers - shares a great deal with its real-world counterpart. In this article, we take a look at stealth from both a historical and a technological perspective. This is a hugely important topic, for if an unwanted computer program can't be seen, it can't be eliminated. In addition, software developers - especially security software developers - must have a solid understanding of what can be trusted in an environment - and what can't. When it comes to deception, stealth is the state of the art View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • The Evolutionary Microcosm of Stock Spam

    Page(s): 70 - 75
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (541 KB)  

    Spam is a form of advertisement. Through the years, spammers have tried to entice us to purchase a wide variety of gray market products, including pharmaceuticals without prescriptions, pornography without taste, master's degrees with substandard credentials, and mortgages with subprime rates. The messages have become so standardized that both spammers and spam fighters treat the mail sender, the pitch, and the contact information separately, applying different mutation and detection methods to each field. The underlying assumption on both sides of the conflict has been that spam would advertise both a product and a place to purchase that product, allowing spam sponsors to make money View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Providing Web Service Security in a Federated Environment

    Page(s): 73 - 75
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (89 KB)  

    One of the Internet's biggest successes has been the automation of the travel-reservation system. Travelocity, Expedia, and Orbitz have all thrived in a fickle economic sector. The key to their success is Web services, which are exploding across government and industry. A business federation is very similar to a political federation, which is a union of self-governing states united by a central government. Each individual member maintains its individual sovereignty rights while participating as a federation member. Travel sites, therefore, are federations of companies that provide services, yet maintain a separate identity outside the group. Membership in a business federation, however, usually involves much less diplomacy and political discord than a political federation. Business federations must provide security for their day-to-day operations. A comprehensive Web services architecture that incorporates security standards enforces federation security policies and enables critical data exchanges. As such, we must explore ways to create an automated means for each organization to securely pass critical information using a service-oriented approach View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Who's Watching You Now?

    Page(s): 76 - 79
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (524 KB)  

    Location-based applications and services are emerging at a pace that's likely to accelerate over the next few years. Such services offer everything from consumer convenience to life-saving security. All these scenarios involve the transmission of location information over an IP network, and all raise significant issues about that information's privacy, security, and control. The IETF's Geographic Location/Privacy working group (Geopriv WG) has created a set of standards for sending location information coupled with privacy rules over the Internet. The standards call for the creation of location objects (LOs), which contain a location along with a limited set of rules that can point to an external set of more complex rules, if necessary. In development over the past few years, Geopriv is approaching an initial completion stage and appears likely to be implemented in several key technologies View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • DRM, Complexity, and Correctness

    Page(s): 80
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (77 KB)  

    Steve Bellovin looks at the complex code behind Microsoft Vista and its DRM mechanisms. Increased amounts of code add to insecurity, but the real danger with DRM is with increased interaction among different pieces of code. A lot of new mechanisms have been introduced; more seriously, a lot of new communications paths and dependencies have been introduced. Worst of all, these paths and mechanisms are solving a new problem, one with which the profession has very little experience. Did Microsoft get it right? View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • [Back inside cover]

    Page(s): c3
    Save to Project icon | Request Permissions | PDF file iconPDF (2340 KB)  
    Freely Available from IEEE
  • [Advertisement - Back cover]

    Page(s): c4
    Save to Project icon | Request Permissions | PDF file iconPDF (1045 KB)  
    Freely Available from IEEE

Aims & Scope

The primary objective of IEEE Security & Privacy is to stimulate and track advances in information assurance and security and present these advances in a form that can be useful to a broad cross-section of the professional community-ranging from academic researchers to industry practitioners. It is intended to serve a broad readership.

Full Aims & Scope

Meet Our Editors

Editor-in-Chief
Shari Lawrence Pfleeger
shari.l.pfleeger@dartmouth.edu