Volume 8 Issue 2 • March-April 2010
[Front cover]
Publication Year: 2010, Page(s): c1
-
Digital Editions [advertisement]
Publication Year: 2010, Page(s): c2
-
Table of contents
Publication Year: 2010, Page(s):1 - 2
-
[Masthead]
Publication Year: 2010, Page(s): 4
-
Silver Bullet Talks with Gillian Hayes
Publication Year: 2010, Page(s):5 - 7
-
Guest Editors' Introduction: Mobile Device Security
Publication Year: 2010, Page(s):11 - 12
-
A mobile biometric system-on-token system for signing digital transactions
Publication Year: 2010, Page(s):13 - 19
Cited by: Papers (4)
The System-on-Token architecture for biometric systems gives users full control over their biometric data and lets them sign digital transactions using biometrics. The authors implemented and tested the architecture on a commercial mobile device, the Nokia N800.
-
Taming the Blue Beast: A Survey of Bluetooth Based Threats
Publication Year: 2010, Page(s):20 - 27
Cited by: Papers (18)
As Bluetooth finds its way into millions of devices worldwide, it also becomes a prime target for hackers. The author presents a taxonomy for threats against Bluetooth-enabled devices, describes several of these threats, and identifies steps for threat mitigation.
-
Making Smart Cards Truly Portable
Publication Year: 2010, Page(s):28 - 34
Cited by: Papers (1)
A new communication framework makes USB smart cards portable by using the preinstalled device drivers included in modern computer operating systems. This framework could provide the missing link that lets general consumers secure their online access via smart cards. From phishing schemes to pharming scams, online identity theft is a risk that Internet users face as attackers continue to trick peopl...
-
Google Android: A Comprehensive Security Assessment
Publication Year: 2010, Page(s):35 - 44
Cited by: Papers (146) | Patents (7)
This research provides a security assessment of the Android framework-Google's software stack for mobile devices. The authors identify high-risk threats to the framework and suggest several security solutions for mitigating them.
-
The Legal Ramifications of Call-Filtering Solutions
Publication Year: 2010, Page(s):45 - 50
Cited by: Papers (4)
Spam-over-IP telephony (SPIT) will likely have a significant impact on the usefulness of VoIP telephony solutions, but some solutions to the problem, such as filtering, could raise unanticipated legal issues. This paper contains both an overview and an assessment of the emerging legal issues in this domain and compares the legislation of two countries with very different legal systems: the US and G...
-
A Clinic for "Secure" Programming
Publication Year: 2010, Page(s):54 - 56
Cited by: Papers (1)
In this paper, the author mentions that despite the reliance on software in everything from televisions and cars to medical equipment, it often doesn't work correctly. Everyone has had problems with software like text editors that freeze, answering machines that won't answer. Others are far more serious, such as the program on a satellite that contains an error, causing the loss of expensive equip...
-
Hide and Seek in the Cloud
Publication Year: 2010, Page(s):57 - 58
Cited by: Papers (11)
Google's January 2010 news of apparent attacks from China on its Gmail service is one of many hints that we should think harder about cloud computing's merits. Touted by its advocates as the answer for many needs, the cloud triggered security concerns early. However, these concerns have been overwhelmed by the assurances offered with the hype. So let's pause to consider the alter ego of the cloud ...
-
The Limits of Notice and Choice
Publication Year: 2010, Page(s):59 - 62
Cited by: Papers (5)
The US Federal Trade Commission (FTC) has embarked on a series of three workshops on exploring privacy. The first, in December 2009 in Washington, DC, focused on market and regulatory issues; the second, in January in Berkeley, California, examined technological issues; and the third, scheduled for March in Washington again, will focus on possible solutions. But after hearing from more than 70 spe...
-
Crypto: Not Just for the Defensive Team
Publication Year: 2010, Page(s):63 - 66
Cited by: Papers (2)
Cryptography has long been a useful, important tool for defensive computer security. Increasingly, however, attackers are using cryptographic techniques for the same reason as the defenders: to protect code's confidentiality and integrity. But in this case, the code is malicious. This paper reviews uses of encryption by writers of malicious code, through some recent examples. Malicious-code writer...
-
Ethics in security vulnerability research
Publication Year: 2010, Page(s):67 - 72
Cited by: Papers (3)
Debate has arisen in the scholarly community, as well as among policymakers and business entities, regarding the role of vulnerability researchers and security practitioners as sentinels of information security adequacy. The exact definition of vulnerability research and who counts as a "vulnerability researcher" is a subject of debate in the academic and business communities. For purposes of this...
-
Always the Same, Never the Same
Publication Year: 2010, Page(s):73 - 75
Cited by: Papers (2)
In this paper, existing sophisticated techniques can provide a deep and effective analysis to discover whether files hide a computer virus or other malware. Examples of the most effective approaches are heuristic or exhaustive static code analysis and behavioral analysis in a sandbox environment. However, given the huge number of circulating malware and the high-performance impact associated with ...
-
Voice-over-IP Security: Research and Practice
Publication Year: 2010, Page(s):76 - 78
Cited by: Papers (24)
Consumers and enterprises alike are rapidly adopting voice-over-IP (VoIP) technologies, which offer higher flexibility and more features than traditional telephony infrastructures. They can also potentially lower costs through equipment consolidation and, for the consumer market, new business models. However, VoIP systems also represent high complexity in terms of architecture, protocols, and impl...
-
To Strengthen Security, Change Developers' Incentives
Publication Year: 2010, Page(s):79 - 82
Many of the most common software vulnerabilities, such as buffer overflows, cross-site scripting, and misapplications of cryptography, are wholly avoidable if software makers apply an appropriate level of training, testing, and care. Yet developers today have the "wrong" incentives, often leading them to underinvest in security or even to directly harm it. If we can understand these incentives and ...
-
10 Quick, Dirty, and Cheap Things to Improve Enterprise Security
Publication Year: 2010, Page(s):83 - 85
As software security has increasingly become an important part of information security programs, there have been some notable trends and successes of various tools, processes, and models. Because "building security in" is so different from how enterprise software has historically been developed, the changes might seem revolutionary. In the enterprise, revolutionary changes involve cost and complex...
-
Nothing ventured, nothing gained [Cybersecurity]
Publication Year: 2010, Page(s):86 - 87
Investors at all levels are pulling back from cybersecurity, which has serious consequences if and only if investment in cybersecurity matters. If it does, then trouble is brewing. If it does not, then radically different tactics are called for. Definitive numbers are scarce, but indicative numbers are self-evident.
-
Identity and Security
Publication Year: 2010, Page(s): 88
A strong identification system presupposes a strong notion of identity. The Internet, though, is multilayered; identity is different at each layer. My computer has three different MAC addresses and several IP addresses, including many IP addresses and logins for different instant message systems. If I switch computers, locations, or employers, several of these would change. Am I no longer myself? ...
Meet Our Editors
Editor-in-Chief
David M. Nicol
University of Illinois at Urbana-Champaign
dmnicol@illinois.edu