DHS: A roadmap for cybersecurity research

DHS has released a report entitled “A Roadmap for Cybersecurity Research” in which they outline what they consider to be the major research challenges in cybersecurity. Both “Privacy-Aware Security” and “Usable Security” made the list. Each research direction has several pages’ worth of discussion about the topic and the current interesting research challenges in that area. Both Lorrie Cranor’s book, “Security and Usability: Designing Secure Systems That People Can Use”, and SOUPS are cited under resources in the Usable Security section.

– Kami

ITRC data theft report

The Identity Theft Resource Center (ITRC) released their Data Breaches report for 2009. They analyzed 498 breaches which resulted in approximately 222 million compromised records.

The main highlights are:

  • paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
  • business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far
  • malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

. . . .

The ITRC Breach Report also monitors how breaches occur. ITRC Breach Report – By Attribute. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009. This was a change from all previous years, where human error was higher than malicious attacks. One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information. For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Some additional interesting facts from the report:

  • In 2009 insider thefts account for 16.9% of breaches. In 2007 insider thefts accounted for 6.1% of breaches.
  • Insider thefts may have accounted for 16.9% of breaches, but they only accounted for 0.1% of compromised records. The majority of those records came from Business and Government/Military sectors.
  • Paper (physical pieces of paper) breaches accounted for 26% of all breaches in 2009. However, paper breaches only accounted for just under 200,000 compromised records vs. 222 million electronic records compromised.

Behavioral Advertising

Behavioral advertising is used by groups, such as online advertisers, to track users as they move around the internet. This method allows third parties to infer and learn significant amounts of information about users and their browsing habits. Members of my research lab, CUPS, have studied how users perceive the issues surrounding behavioral advertising.

Researchers in the Computer Science Department at Worcester Polytechnic Institute are interested in educating users about what information their browser shares with the web pages it visits. They set up a web page called What They Know where users can go to see what information they are broadcasting. Visitors can also see the trends from past visitors.

Update: EFF has a site you can visit which shows the identifiable information your browser broadcasts to every site you visit.

Update: What They Know has published a report of their findings.

Yahoo! Key Scientific Challenges Program

Yahoo! is running their Key Scientific Challenges Program again this year. Their website has lists of ideas for projects that they consider to be major scientific challenges.

Under Security challenges they list this challenge which I found interesting:

Scalable and Integrated access control for users
Users share data with a variety of applications within and outside Yahoo. Each of these applications has their own Terms of Service forcing users to specify separate access control rules for each application. This frustrates users and users feel like they have relinquished all control of where their data ends up. The challenge here is to design an integrated access control language and mechanism that can be used across applications from different organizations. At the very least, this would allow users to identify which information they have disclosed and to whom across different applications. Another challenge is to design a scalable “access control broker” that brokers access to user information to applications that satisfies user defined permissions.

They also have a section for privacy challenges where I found this:

Tracking user locations privately
Mobile phones these days are capable of being tracked with very high resolution. Many applications provide fine grained location services, like finding your friends, nearby attractions, coupons, ads, and even location aware dating. However, there is a huge privacy risk for the individuals who opt-in. Moreover, current access control mechanisms are either opt-in (in which case you usually don’t have too much control of who can access your data and who can’t) or opt-out (in which case you miss out on the location services). Problems in this space are:

  • Can individuals be tracked in such a way that the individual cannot be uniquely identified from the logs?
  • Can an application which tracks an individual share this information with a third party vendor/application, while preserving the individual’s privacy?
  • What is the right access control language for location tracking?

Social networking data taxonomy

On his blog Schneier proposed a taxonomy of social networking data.  I’ve copied the taxonomy below.

1. Service data. Service data is the data you need to give to a social networking site in order to use it. It might include your legal name, your age, and your credit card number.

2. Disclosed data. This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.

3. Entrusted data. This is what you post on other people’s pages. It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data — someone else does.

4. Incidental data. Incidental data is data the other people post about you. Again, it’s basically the same stuff as disclosed data, but the difference is that 1) you don’t have control over it, and 2) you didn’t create it in the first place.

5. Behavioral data. This is data that the site collects about your habits by recording what you do and who you do it with.

Schneier’s taxonomy is interesting as it focuses on data transfer and ownership. In the United States data ownership is a continuously debated issue. When I give my medical records to my doctor, does my doctor now own those records such that he can give them to anyone he chooses as long as he complies with HIPAA? When I give my data to Facebook, who now owns that data? When I allow a third party Facebook application to access my data, who now has control of that data?

In his taxonomy Schneier seems to be implying that we should group social networking data based on the context under which it was collected and who controls it. I like this idea. I think this taxonomy well models how people perceive the flow of ownership of data. If I put data in my space then I should control it. If I give you data then you control it. If you ask me for data through a form then you control it.

Walmart servers hacked

Wired has a story about a hacker breaking into Walmart’s point of sales computer. Amazingly, Walmart claims that the attacker didn’t get any customers’ personal information or credit cards. While I’m a bit dubious of their ability to know this, I did find the description of how the attacker got in to be interesting.

Investigators found that the tool had been installed remotely by someone using a generic network administrator account. The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company.
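The two gaps in that account, a VPN login that outlived its owner and a generic administrator account, are things a routine audit can catch. The sketch below is an added example, not part of the original post or the Wired story; the roster, account names and log format are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample data; none of it comes from the article.
HR_ROSTER = {  # account -> (employment status, last working day or None)
    "jdoe": ("terminated", "2024-03-31"),
    "asmith": ("active", None),
}
VPN_ACCOUNTS = ["jdoe", "asmith", "netadmin"]  # "netadmin" is a shared account
VPN_LOG = """\
2024-06-02T23:14:09 user=jdoe src=203.0.113.7 action=connect
2024-06-02T23:20:41 user=netadmin src=203.0.113.7 action=connect
2024-06-03T08:01:55 user=asmith src=198.51.100.4 action=connect
"""

def audit_accounts(accounts, roster):
    """Return {account: reason} for accounts that should be closed or reviewed."""
    findings = {}
    for acct in accounts:
        if acct not in roster:
            findings[acct] = "no named owner (generic/shared account)"
        elif roster[acct][0] != "active":
            findings[acct] = "owner left on " + roster[acct][1]
    return findings

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = dict(p.split("=", 1) for p in pairs)
        event["time"] = datetime.fromisoformat(ts)
        events.append(event)
    return events

def suspicious_logins(events, roster):
    """Flag connects by unowned accounts or after the owner's last day."""
    hits = []
    for e in events:
        if e.get("action") != "connect":
            continue
        owner = roster.get(e["user"])
        if owner is None:
            hits.append((e["user"], e["src"], "unowned account"))
        elif owner[1] and e["time"].date() > date.fromisoformat(owner[1]):
            hits.append((e["user"], e["src"], "login after departure"))
    return hits

if __name__ == "__main__":
    print(audit_accounts(VPN_ACCOUNTS, HR_ROSTER))
    for hit in suspicious_logins(parse_log(VPN_LOG), HR_ROSTER):
        print(hit)
```

Run against a real HR export and VPN concentrator log, the first function gives the list of accounts to close and the second shows whether any of them have already been used.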

Psychology and Security resources

Ross Anderson put together a web page which contains many resources in the intersection of psychology and security. The site includes papers, books, conferences and people.

Drawing trees in Processing

I’ve been looking at different ways to draw trees (the kind found in forests) using the Processing language. Below are some of the good examples I found online.

Tree example

Simple examples of a tree in Processing.

http://processing.org/learning/topics/tree.html

http://www.openprocessing.org/visuals/?visualID=2925

Blossom

This sketch lets the user plant trees which then quickly grow and randomly branch. When the tree is tall enough it also blossoms with flowers.

http://mavdisk.mnsu.edu/kallhw/blossom/blossom.html

ExploreTree

This is a representation of the tree of life. The tree is written in Processing and allows a user to explore different species and how they are related to each other. The tree lets you follow different branches to learn more about a species. It also provides links to Wikipedia to learn more.

http://www.exploretree.org/

OpenProcessing Tree Generation

A collection of different tree generation Processing sketches.

http://www.openprocessing.org/collections/?collectionID=19

3D tree at OpenProcessing

AES Explained

I just found an excellent stick figure comic on AES and how it works.  The comic is very accessible for both people who just want a simple explanation and people who want heavy details. It starts at a high level with the history and gets progressively more complex.

TAing for Web Commerce, Security and Privacy

This term I’m TAing Web Commerce, Security and Privacy for Norman Sadeh. The course is targeted at both technical students in computer science and electrical engineering as well as Tepper business students. The mix in backgrounds is purposeful. Issues of web commerce are not just technical issues; they are issues of politics and business.

It will be interesting to see how the class progresses over the school year.