IEEE Security & Privacy

Issue 2, March-April 2007

Contents (25 items)
  • [Front cover]
    Publication Year: 2007, Page(s): c1
  • [Inside front cover]
    Publication Year: 2007, Page(s): c2
  • Table of contents
    Publication Year: 2007, Page(s): 1 - 2
  • Call for Papers
    Publication Year: 2007, Page(s): 3
  • Trusted Computing in Context
    Publication Year: 2007, Page(s): 4 - 5
    Cited by: Papers (1)
  • Masthead
    Publication Year: 2007, Page(s): 6
  • News Briefs
    Publication Year: 2007, Page(s): 7 - 10
  • Silver Bullet Speaks with Dorothy Denning
    Publication Year: 2007, Page(s): 11 - 14
  • A Surprise Party (on Your Computer)?
    Publication Year: 2007, Page(s): 15 - 16

    Iván Arce of Core Security Technologies looks at the current state of malware and introduces the articles he selected for this special issue.
  • Studying Bluetooth Malware Propagation: The BlueBag Project
    Publication Year: 2007, Page(s): 17 - 25
    Cited by: Papers (10)

    Bluetooth worms currently pose relatively little danger compared to Internet scanning worms. The BlueBag project demonstrates targeted attacks through Bluetooth malware using proof-of-concept code and mobile devices.
  • Alien vs. Quine
    Publication Year: 2007, Page(s): 26 - 31
    Cited by: Papers (1) | Patents (3)

    Is it possible to prove that a computer is malware-free without pulling out its hard disk? This article introduces a novel hardware inspection technique based on the injection of carefully crafted code and the analysis of its output and execution time. In theory, the easiest way to exterminate malware is to reformat the disk and then reinstall the operating system (OS) from a trusted distribution CD. This procedure assumes we can force computers to boot from trusted media, but most modern PCs have a flash BIOS, which means that the code component in charge of booting is recorded on a rewritable memory chip. Specific programs called flashers, or even malware such as the CIH (Chernobyl) virus, have the ability to update this chip. This article addresses that concern, namely, ascertaining that malware hasn't re-flashed the BIOS to derail disk-reformatting attempts or to simulate their successful completion.
  • Toward Automated Dynamic Malware Analysis Using CWSandbox
    Publication Year: 2007, Page(s): 32 - 39
    Cited by: Papers (65) | Patents (14)

    Malware is notoriously difficult to combat because it appears and spreads so quickly. In this article, we describe the design and implementation of CWSandbox, a malware analysis tool that fulfills our three design criteria of automation, effectiveness, and correctness for the Win32 family of operating systems.
  • Using Entropy Analysis to Find Encrypted and Packed Malware
    Publication Year: 2007, Page(s): 40 - 45
    Cited by: Papers (35)

    In statically analyzing large sample collections, packed and encrypted malware pose a significant challenge to automating the identification of malware attributes and functionality. Entropy analysis examines the statistical variation in malware executables, enabling analysts to quickly and efficiently identify packed and encrypted samples.
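    The triage idea behind this article, as an added example rather than the authors' own tool: compute Shannon entropy over fixed-size windows of a file and flag samples whose bytes are mostly near the 8-bits-per-byte ceiling, which is what compressed or encrypted payloads look like. The window size, the 7.0 bits/byte threshold and the "half the windows" cut-off are assumptions chosen for illustration, not figures from the article, and the two input samples are constructed stand-ins, not real executables.

```python
"""Sliding-window Shannon entropy as a packed/encrypted-sample triage heuristic."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 512, step: int = 256) -> List[Tuple[int, float]]:
    """Entropy of each full window as (offset, entropy) pairs.

    Only complete windows are scored: a short tail would read as low
    entropy simply because it has too few bytes to fill the alphabet.
    """
    if len(data) <= window:
        return [(0, shannon_entropy(data))]
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]


def triage(data: bytes, window: int = 512, step: int = 256,
           threshold: float = 7.0, min_fraction: float = 0.5) -> Dict[str, object]:
    """Flag a sample whose content is mostly high-entropy.

    `threshold` (bits/byte) and `min_fraction` are assumed cut-offs (not from
    the article): plain x86 code and text usually sit around 4 to 6.5
    bits/byte, while packed or encrypted bodies approach 8.
    """
    windows = windowed_entropy(data, window, step)
    high = [off for off, e in windows if e >= threshold]
    fraction = len(high) / len(windows)
    return {
        "overall": round(shannon_entropy(data), 3),
        "windows": len(windows),
        "high_entropy_fraction": round(fraction, 3),
        "first_high_offset": high[0] if high else None,   # where the packed region begins
        "packed_suspect": fraction >= min_fraction,
    }


def make_samples() -> Dict[str, bytes]:
    """Constructed stand-ins for executables (not real malware, not real PE files)."""
    rng = random.Random(0x5EED)
    # Repetitive assembly-like text models an unpacked code section.
    code_like = b"push ebp; mov ebp, esp; sub esp, 0x40; call _init; " * 64
    # Seeded PRNG bytes model a compressed/encrypted payload.
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    # A small, low-entropy loader stub in front of the payload.
    stub = b"MZ" + b"\x00" * 62 + b"STUB" + bytes(range(32)) * 8
    return {"plain": code_like, "packed": stub + payload}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(name, triage(blob))
```

    High entropy is evidence, not proof: embedded images, compressed resources and certificates also score near 8, so this is a way to route samples to an unpacker or a sandbox, not a verdict. A per-section variant (scoring each PE section separately and comparing raw size to virtual size) is the usual next step once a PE parser is available.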
  • Code Normalization for Self-Mutating Malware
    Publication Year: 2007, Page(s): 46 - 54
    Cited by: Papers (9) | Patents (3)

    Next-generation malware adopts self-mutation to circumvent current malware detection techniques. The authors propose a strategy based on code normalization that reduces different instances of the same malware to a common form, enabling accurate detection.
  • Trust Negotiation in Identity Management
    Publication Year: 2007, Page(s): 55 - 63
    Cited by: Papers (9)

    Most organizations require the verification of personal information before providing services, and the privacy of such information is of growing concern. The authors show how federated identity management systems can better protect users' information when integrated with trust negotiation. In today's increasingly competitive business environment, more and more leading organizations are building Web-based infrastructures to gain the strategic advantages of collaborative networking. However, to facilitate collaboration and fully exploit such infrastructures, organizations must identify each user in the collaborative network as well as the resources each user is authorized to access. User identification and access control must be carried out so as to maximize user convenience and privacy without increasing organizations' operational costs. A federation can serve as the basic context for determining suitable solutions to this issue. A federation is a set of organizations that establish trust relationships with respect to the identity information (the federated identity information) that is considered valid. A federated identity management system (IdM) provides a group of collaborating organizations with mechanisms for managing and gaining access to user identity information and other resources across organizational boundaries.
  • Common Body of Knowledge for Information Security
    Publication Year: 2007, Page(s): 64 - 67
    Cited by: Papers (2)

    The need for skilled information security professionals has led various academic, governmental, and industrial organizations to work to develop a common body of knowledge (CBK) for the security domain. A CBK is a framework and collection of information that provides a basis for understanding terms and concepts in a particular knowledge area. It defines the basic information that people who work in that area are expected to know. The International Information Systems Security Certification Consortium ((ISC)²; www.isc2.org) defines a CBK as a taxonomy of topics relevant to professionals around the world. Information security is a multidisciplinary endeavor. In practice, professionals need knowledge and experience from fields such as management, business administration, ethics, sociology, and political science. Yet, existing CBKs focus on specific information security subdomains and thus offer limited understanding and narrow perceptions of the overall domain. Our aim is to identify and define an InfoSec CBK to serve as a tool for developing an information security curriculum.
  • Secure Communication without Encryption?
    Publication Year: 2007, Page(s): 68 - 71
    Cited by: Papers (1)

    The potential computational speedup that quantum algorithms offer in certain problems threatens the security of current cryptographic techniques that rely on the infeasibility of factoring large numbers. But the same technology that currently threatens public-key infrastructure also provides a seeming alternative: a protocol for quantum key distribution (QKD), which provides a secure method for establishing a secret key between two participants. The two parties can then use this key to encrypt information, providing them with the ability to communicate securely.
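    The key-establishment step the abstract refers to, as an added classical simulation of the BB84 protocol (not code from the article): Alice encodes random bits in random bases, Bob measures in random bases, the two keep only positions where the bases agree (sifting), and then sacrifice part of the sifted key over the public channel to estimate the error rate. An intercept-resend eavesdropper is included to show why that estimate matters. Qubits are modelled as (bit, basis) pairs with a PRNG standing in for measurement randomness; the 11% abort threshold is the commonly quoted bound for BB84 with one-way post-processing, and the seed and sample fraction are assumptions.

```python
"""Toy BB84 run: sifting, error-rate estimate, and an intercept-resend eavesdropper."""
import random
from typing import Dict, List, Tuple

Qubit = Tuple[int, int]  # (bit value, preparation basis); basis 0 = rectilinear, 1 = diagonal


def measure(q: Qubit, basis: int, rng: random.Random) -> Qubit:
    """Measure a qubit in `basis`.

    A matching basis returns the encoded bit. A mismatched basis yields a
    uniformly random bit and leaves the state in the measuring basis, which is
    the disturbance that exposes an eavesdropper to the legitimate parties.
    """
    bit, prep_basis = q
    if basis == prep_basis:
        return (bit, basis)
    return (rng.getrandbits(1), basis)


def bb84(n_qubits: int, eavesdrop: bool = False,
         sample_fraction: float = 0.5, seed: int = 7) -> Dict[str, object]:
    """Run one BB84 exchange and return sifted-key size, QBER and the abort decision."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n_qubits)]
    alice_bases = [rng.getrandbits(1) for _ in range(n_qubits)]
    photons: List[Qubit] = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Intercept-resend: Eve measures each photon in a random basis and forwards
        # what she observed. Half the time her basis is wrong, and Bob then sees a
        # random bit on those positions, giving ~25% errors in the sifted key.
        photons = [measure(q, rng.getrandbits(1), rng) for q in photons]

    bob_bases = [rng.getrandbits(1) for _ in range(n_qubits)]
    bob_bits = [measure(q, b, rng)[0] for q, b in zip(photons, bob_bases)]

    # Sifting: bases (not bit values) are compared over the public channel and
    # only positions where Alice and Bob agree are kept (about half of them).
    sifted = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]

    # A random subset of the sifted key is disclosed to estimate the quantum bit
    # error rate (QBER); those bits are then discarded.
    disclosed = set(rng.sample(sifted, int(len(sifted) * sample_fraction)))
    errors = sum(1 for i in disclosed if alice_bits[i] != bob_bits[i])
    qber = errors / len(disclosed) if disclosed else 0.0

    kept = [i for i in sifted if i not in disclosed]
    alice_key = [alice_bits[i] for i in kept]
    bob_key = [bob_bits[i] for i in kept]
    return {
        "sifted": len(sifted),
        "key_bits": len(kept),
        "qber": qber,
        "keys_match": alice_key == bob_key,
        # ~11% is the usual abort threshold for BB84 with one-way error correction
        # and privacy amplification; a noiseless channel gives 0, full intercept-resend ~0.25.
        "abort": qber > 0.11,
    }


if __name__ == "__main__":
    print("clean  :", bb84(2000))
    print("tapped :", bb84(2000, eavesdrop=True))
```

    Two caveats a practitioner would raise: the public channel used for basis comparison and error estimation must be authenticated (otherwise a man-in-the-middle simply runs BB84 with each side separately), so QKD reduces the problem to authentication rather than removing classical cryptography altogether; and the remaining key is still shortened by error correction and privacy amplification before it is used to encrypt anything.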
  • Setting Boundaries at Borders: Reconciling Laptop Searches and Privacy
    Publication Year: 2007, Page(s): 72 - 75

    If you've traveled internationally on business, the odds are that you've taken your laptop with you. Like most business travelers, you need these ubiquitous devices to do work, make presentations, and communicate with coworkers, family, and friends via the Internet. In a previous department, we explored the notion that laptops deserve special consideration because of the increasingly blurred line between home and office, the entrusting of intimate, private information to storage on laptops, and the resulting need to rethink the rules surrounding reasonable expectations of privacy. This time, we examine the nexus between laptops, a government's search and seizure powers, and a traveler's transit through an international border checkpoint, where customs officials have enhanced powers to search travelers and their belongings.
  • When Cryptographers Turn Lead into Gold
    Publication Year: 2007, Page(s): 76 - 79

    At its core, a cryptographer's job is to "transmutate" trust: just as alchemists turn lead into gold, cryptographers transmutate trust in one or more assumptions into trust in other, simpler and better-defined assumptions, the ones on which the security of complex monolithic systems relies. Because we can enforce and verify the resulting assumptions' validity more easily, such transmutation makes those systems more secure at a higher level of assurance. Unlike alchemists, though, cryptographers have successfully constructed some of the building blocks (such as public-key encryption and digital signatures) that play a make-or-break role in many of today's security-critical infrastructures. In this installment of Crypto Corner, we'll look at how cryptographers transmutate trust, identify some of the reasons why they sometimes fail, and investigate how they could do a better job.
  • A Case (Study) For Usability in Secure Email Communication
    Publication Year: 2007, Page(s): 80 - 84
    Cited by: Papers (2) | Patents (1)

    As a network security researcher, the author finds it very disappointing that most users can't, or simply don't, secure their everyday Internet communications. For good reason, usability in security has received a fair deal of attention in the past few years. To push the issue further, the author decided to initiate his own informal case study on the usability and practical relevance of standard security mechanisms for email communication, focusing on available public-key cryptography techniques for digitally signing and encrypting email. His first step was to establish a public-private key pair to use with email. He chose Secure/Multipurpose Internet Mail Extensions (S/MIME), a standard for signing and encrypting email, because it's already supported by popular email clients such as Apple Mail, Outlook Express, and Mozilla's Thunderbird. Unlike S/MIME, Pretty Good Privacy (PGP) and the GNU Privacy Guard (GPG) proved unusable with nontechnical correspondents because they required them to install additional software. S/MIME, it seemed, was the better solution for these "everyday users", for whom the concepts of public-key infrastructure (PKI), PGP, certificates, keys, and so on remain elusive. Additionally, he had his public key certified by Thawte (www.thawte.com), an online certificate authority (CA).
  • South Korea's Way to the Future
    Publication Year: 2007, Page(s): 85 - 87

    South Korea leads the world in access to broadband services; as of early 2006, 83 percent of households had broadband, compared to roughly 45 percent in the US. Not coincidentally, the country also leads in the transition to digital music sales via digital rights management (DRM) software. In fact, the past decade has seen South Korea's music scene change dramatically. It once had 8,000 music stores; now, it has 400, partly because of the Asian financial crisis of the late 1990s, but mostly due to the change in music distribution patterns. South Korea is also the first country in which online music sales exceeded CD sales in value. According to The Korea Times, South Koreans spent 400 billion won buying music from traditional stores in 1999; by 2005, that number was down to 108 billion won, whereas online music purchases had reached 262 billion won. The exchange rate is roughly 1,000 won to every US dollar, so converting the word "billion" to "million" gives US readers an idea of what's going on in a country one-sixth the US's size and with 1/15th of its gross domestic product. A typical South Korean mobile phone is a camera as well as a music player, and some include video players, stored-value cards, and full keyboards. South Korea's ringtone market alone is larger than its CD market; ringtones brought in US$336 million in 2004, for example. Consumers can buy unlimited music downloads for $5 per month or broadband service for $20 per month, and they're about to have a new form of interoperability among music vendors.
  • A Metrics Framework to Drive Application Security Improvement
    Publication Year: 2007, Page(s): 88 - 91
    Cited by: Papers (3)

    Web applications' functionality and user base have evolved along with the threat landscape. Although controls such as network firewalls are essential, they're wholly insufficient for providing overall Web application security. They protect the underlying hosts and the communication path, but do little to help the application resist attacks against its software implementation or design. Enterprises must therefore focus on the security of the Web application itself. But in doing so, questions immediately arise: "What could go wrong with my software? How vulnerable are my existing applications to the most common problems? What changes to my software development life cycle might affect these vulnerabilities?" The Open Web Application Security Project (OWASP; www.owasp.org) Top Ten offers a starting point for figuring out what could go wrong. This installment of Building Security In presents metrics that can help quantify the impact that process changes in one life-cycle phase have on other phases. For the purposes of this short discussion, we've broken an application's life cycle into three main phases: design, deployment, and runtime. By organizing metrics according to life-cycle phase in addition to OWASP category, the derived quantitative results can point to defective processes and even suggest strategies for improvement.
  • Infrastructure Standards for Smart ID Card Deployment
    Publication Year: 2007, Page(s): 92 - 96
    Cited by: Papers (2)

    Smart card deployment is increasing thanks to the addition of security features and to improvements in computing power that let smart card chips support cryptographic algorithms with bigger footprints (for digitally signing and encrypting), developments of the past five or six years. Typical applications include subscriber identification module (SIM) cards (in telecommunications), micropayments (in financial transactions), commuter cards (in urban transportation systems), and identification (ID) cards. Although the share of cards used for identification applications (which we'll call smart ID cards) is relatively small within the overall smart card market, it's one of the fastest growing segments. Smart ID cards control physical access to secure facilities and logical access to IT systems (Web servers, database servers, and workstations) and applications. Authentication of the card and holder takes place using a set of credentials. An organization deploying such cards must have an infrastructure for generating, collecting, storing, provisioning, and maintaining credentials. The components involved in these credential life-cycle management activities constitute what we'll call the smart ID card system infrastructure, which supports smart ID card deployment. Not all components involved in this infrastructure have standardized interfaces. Moreover, no robust messaging standards exist for information exchange among the components. Yet some efforts are under way to partially address the standards gap in this area.
  • [Back inside cover]
    Publication Year: 2007, Page(s): c3
  • [Advertisement - Back cover]
    Publication Year: 2007, Page(s): c4

Aims & Scope

The primary objective of IEEE Security & Privacy is to stimulate and track advances in information assurance and security and to present these advances in a form that can be useful to a broad cross-section of the professional community, ranging from academic researchers to industry practitioners. It is intended to serve a broad readership.

Meet Our Editors

Editor-in-Chief
Shari Lawrence Pfleeger
shari.l.pfleeger@dartmouth.edu