Security & Privacy, IEEE

Issue 5 • Date Sept.-Oct. 2008
  • [Front cover]

    Page(s): c1
    Freely Available from IEEE
  • LISA 2008 Conference

    Page(s): c2
    Freely Available from IEEE
  • Table of contents

    Page(s): 1 - 2
    Freely Available from IEEE
  • Cybersecurity and Artificial Intelligence: From Fixing the Plumbing to Smart Water

    Page(s): 3 - 4
    Freely Available from IEEE
  • The Shape of Crimeware to Come (review of Crimeware: Understanding New Attacks and Defenses by M. Jacobsson and Z. Ramzan) [Book reviews]

    Page(s): 5
    Freely Available from IEEE
  • IEEE Security & Privacy masthead

    Page(s): 6
    Freely Available from IEEE
  • Silver Bullet Talks with Bill Cheswick [Interview]

    Page(s): 7 - 11
    Silver Bullet speaks with Bill Cheswick.
  • News Briefs

    Page(s): 12 - 13
    Freely Available from IEEE
  • Call for Papers

    Page(s): 14
    Freely Available from IEEE
  • Virtualization and Security: Back to the Future

    Page(s): 15
    The guest editors of the special issue on virtualization introduce the topic.
  • I/O for Virtual Machine Monitors: Security and Performance Issues

    Page(s): 16 - 23
    Modern I/O architectures are quite complex, so keeping a virtual machine monitor (VMM), or hypervisor, small is difficult. Many current hypervisors move the large, complex, and sometimes proprietary device drivers out of the VMM into one or more partitions, leading to inherent problems in complexity, security, and performance.
  • Virtualization and Hardware-Based Security

    Page(s): 24 - 31
    Hypervisors allow virtualization at the hardware level. These technologies have security-related strengths as well as weaknesses. The authors examine emerging hardware and software virtualization technologies in the context of modern computing environments and requirements.
  • Virtual Machine Introspection: Observation or Interference?

    Page(s): 32 - 37
    As virtualization becomes increasingly mainstream, virtual machine introspection techniques and tools are evolving to monitor VM behavior. A survey of existing approaches highlights key requirements, which are addressed by a new tool suite for the Xen VM monitoring system.
  • Performance Metrics for Information Security Risk Management

    Page(s): 38 - 44
    Qualitative methods are available for risk management, but better practice would use quantitative risk management based on expected losses and related metrics. Measuring the success of information security investments is best accomplished by measuring reductions in expected loss.
  • CSDP [advertisement]

    Page(s): 45
    Freely Available from IEEE
  • Data Retention and Privacy in Electronic Communications

    Page(s): 46 - 52
    The retention of communication data by network providers, often mandated by legislation, raises social and technical security concerns. A generic model combining technical, procedural, and legal controls can help secure retained data and minimize privacy threats against users.
  • IEEE Computer Society Career Center [advertisement]

    Page(s): 53
    Freely Available from IEEE
  • Information Assurance Education: A Work In Progress

    Page(s): 54 - 57
    The recognition that we need improved computer security education has increased over the past several years. Recent cyberattacks in Georgia and Estonia exemplify the new threats faced by economies that rely on the Internet. Thus, more people see the need to protect cyberspace, which translates into improving computer security in all aspects of computer use, as crucial for everyone, not merely for those who work with technology. In this column, we reflect on emerging opportunities and challenges in instruction as well as the need for increasing the partnerships among industry, government, and academia to foster mutual understanding of challenges and joint participation in solutions.
  • Cross-Border Data Flows and Increased Enforcement

    Page(s): 58 - 61
    The term "privacy" is subject to many definitions and descriptions. Privacy is the subjective condition people experience when they have the power to control information about themselves and when they exercise that power consistent with their interests and values. The EU Data Protection Directive takes a somewhat different tack and defines personal data as data relating to an identified or identifiable individual, and then allocates a series of rights to the individual regarding the data, particularly regarding notice, consent, and other principles intended to grant an individual reasonable control over the data.
  • Identity-Based Encryption and Beyond

    Page(s): 62 - 64
    In June 2008, the US National Institute for Standards and Technology (NIST) held a workshop entitled "Applications of Pairing Based Cryptography: Identity-Based Encryption and Beyond" in Gaithersburg, Maryland. In a series of 14 talks and two panel discussions, the presenters at this workshop discussed several aspects of identity-based encryption (IBE) and related pairing-based public-key schemes, including the history of the technology, applications for which it is well suited, and potential future developments. Copies of the presentations are now available on the workshop's Web site (www.nist.gov/ibe/). Close to 100 people from a wide range of security vendors, government agencies and academic institutions attended the event; this installment of Crypto Corner takes a closer look at all the events.
  • Revealing Packed Malware

    Page(s): 65 - 69
    To evade malicious content detection, malware authors use packers, binary tools that instigate code obfuscation. By using executable packers, modern malware can completely bypass personal firewalls and antivirus (AV) scanners. Reverse engineering (RE) has become an important approach to analyzing a program's logic flow and internal data structures, such as system call functions. Security researchers and AV products must be able to unpack and inspect the payloads hidden within the packed programs using RE tools.
  • Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise

    Page(s): 70 - 73
    A patch to the OpenSSL package maintained by Debian GNU/Linux (an operating system composed of free and open source software that can be used as a desktop or server OS) submitted in 2006 weakened its pseudo-random number generator (PRNG), a critical component for secure key generation. Putting both servers and users at risk, this vulnerability affected OpenSSH, Apache (mod_ssl), the onion router (TOR), OpenVPN, and other applications. In this article, the author examines this issue and its consequences. OpenSSL is an open source library implementing the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols. Several widely deployed applications on many OSs rely on it for secure communications, particularly Linux and BSD-based systems. Where in use, it's a critical part of the OS's security subsystem.
  • A Life or Death InfoSec Subversion

    Page(s): 74 - 76
    Details about failures of complex and well-implemented information-based attacks on systems are extremely difficult to obtain. However, here the authors examine a real-life analogue: an information attack on a highly complex security system, that of the Colombian guerrilla group FARC. This operation included a man-in-the-middle attack, targeted denial of service (DoS), and authentication subversion. The attack on FARC's communications structure is interesting not only because of its electronic and analog components, but also because it was a life or death matter. The authors examine the hostages' liberation from an information security perspective, compiling data from several Colombian newspapers and magazines and using the most accepted version of the events.
  • Hardening the Target

    Page(s): 77 - 81
    As enterprises increasingly depend on digitized data and seek commercial opportunities from accelerated digital access and transmission, senior management and boards of directors haven't sufficiently updated their enterprises' security protections on digitally stored information. Consequently, new and increasingly frequent attacks have occurred against their digital information assets. Enterprises must "harden the target" to protect against attacks against these assets.
  • Developing and Retaining a Security Testing Mindset

    Page(s): 82 - 85
    Developing a security testing mindset is a hard task. Moreover, as hard as it is to develop it, it's just as hard to retain it and effectively apply it during testing. The authors discuss what it takes to conduct successful software security testing, primarily by describing how to develop a security testing mindset, retain it, and effectively apply it. In particular, they explore the different roles and processes an organization needs to maintain a high level of security assurance.

Aims & Scope

The primary objective of IEEE Security & Privacy is to stimulate and track advances in information assurance and security and present these advances in a form that can be useful to a broad cross-section of the professional community, ranging from academic researchers to industry practitioners. It is intended to serve a broad readership.

Meet Our Editors

Editor-in-Chief
Shari Lawrence Pfleeger
shari.l.pfleeger@dartmouth.edu