Archive for July, 2009

Elisa Bertino new chair of ACM SIG on Security, Audit and Control (SIGSAC)

Saturday, July 11th, 2009

Elisa BertinoAISL CO-PI Elisa Bertino has been elected chair of the ACM Special Interest Group on Security, Audit and Control (SIGSAC) for a one year term bebinning.

She is professor at the Department of Computer Science, Purdue University and Research Director of CERIAS. Her main research interests cover many areas in the fields of information security and database systems. Her research combines both theoretical and practical aspects, addressing as well applications on a number of domains, such as medicine and humanities.

SIGSAC’s mission is to develop the information security profession by sponsoring high quality research conferences and workshops. SIGSAC conferences addresses all aspects of information and system security, encompassing security technologies, secure systems, security applications and security policies. Security technologies include access control, assurance, authentication, cryptography, intrusion detection, penetration techniques, risk analysis and secure protocols. Security systems include security in operating systems, database systems, networks and distributed systems and middleware. Representative security applications areas are information systems, workflow systems, electronic commerce, electronic cash, copyright and intellectual property protection, telecommunications systems and healthcare. Security policies encompass confidentiality, integrity, availability, privacy, and survivability policies, including trade-off and conflicts amongst these.

NY AG Cuomo to sue tagged.com social networking site for privacy invasion

Friday, July 10th, 2009

New York state attorney general Andrew Cuomo announced he intends to sue social networking company Tagged.com “for deceptive e-mail marketing practices and invasion of privacy”.

“Between April and June this year, Tagged sent tens of millions of misleading emails to unsuspecting recipients stating that Tagged members had posted private photos online for their friends to view. In reality, no such photos existed and the email was not from their friends. When recipients of these fraudulent emails tried to access the photos, they were forced to become a new member of Tagged. The company would then illegally gain access to their personal email contacts to send more fraudulent invitations.
     “This company stole the address books and identities of millions of people,” said Attorney General Cuomo. “Consumers had their privacy invaded and were forced into the embarrassing position of having to apologize to all their email contacts for Tagged’s unethical – and illegal – behavior. This very virulent form of spam is the online equivalent of breaking into a home, stealing address books, and sending phony mail to all of an individual’s personal contacts. We would never accept this behavior in the real world, and we cannot accept it online.”

See stories in the NYT and Independent.

Ravi Sandhu is new Editor in Chief of IEEE Transactions on Dependable and Secure Computing

Friday, July 10th, 2009

Ravi SandhuCongratulations to AISL CO-PI Ravi Sandhu, who was appointed Editor in Chief of IEEE Transactions on Dependable and Secure Computing (TDSC). His term will start on January 1, 2010. TDSC is a quarterly journal for archival research results on the foundations, methodologies, and mechanisms supporting the design of systems and networks that are dependable and secure without compromising performance.

Ravi Sandhu is Founding Executive Director of the Institute for Cyber Security at the University of Texas at San Antonio, where he holds the Lutcher Brown Endowed Chair in Cyber Security and courtesy appointments in Computer Science, Electrical and Computer Engineering and Information Systems. He previously served on the Information Security faculty at George Mason University (1989-2007) and the Computer Science faculty at Ohio State University (1982-1989). Ravi received B.Tech. and M.Tech. degrees in EE from IIT Bombay and Delhi respectively, and M.S. and Ph.D. degrees in CS from Rutgers University. He is a Fellow of ACM (2001), IEEE (2002), and AAAS (2008), recipient of the IEEE Computer Society Technical Achievement Award (2004), the ACM SIGSAC Outstanding Contribution Award (2008), and two Best Paper awards from NIST/NSA (1992, 1998).

Bhavani Thuraisingham gives SSIRI09 keynote on Security Engineering

Monday, July 6th, 2009

Bhavani Thuraisingham will give a keynote talk this week at the The Third IEEE International Conference on Secure Software Integration and Reliability Improvement (SSIRI09) in Shanghai, China. Her talk on Security Engineering: Developments and Directions will discuss the developments in security engineering from requirements, to policy to model to design to verification to testing as well as developing CONOPS and conducting certification and accreditation. She will also cover system evaluation, usability and metrics related issues enumerate changes that have to be made to security engineering to support the next generation of secure systems for mission critical applications. Her presentation slides are available online.

Anatomy of a cyber crime

Saturday, July 4th, 2009

Brian Krebs’ most recent Security Fix post in the Washington Post, PC Invader Costs Ky. County $415,000, goes into some detail on how cyber criminals stole $415K from a county in Kentucky.

“Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks.”

The particulars, both technical and social, were fascinating and helped me to better understand how these things happen.

NSA: lead for Government IDS, DHS involvement added

Friday, July 3rd, 2009

The Washington Post has a long article on the latest Obama administration plan to protect government agencies from cyber attacks, Cybersecurity Plan to Involve NSA, Telecoms — DHS Officials Debating The Privacy Implications.

“The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site, according to three current and former government officials.

President Obama said in May that government efforts to protect computer systems from attack would not involve “monitoring private-sector networks or Internet traffic,” and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems.

But the program has provoked debate within DHS, the officials said, because of uncertainty about whether private data can be shielded from unauthorized scrutiny, how much of a role NSA should play and whether the agency’s involvement in warrantless wiretapping during George W. Bush’s presidency would draw controversy. Each time a private citizen visited a “dot-gov” Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network.”

This is reported to be a continuation of the Einstein 3 program begun under the Bush administration. One difference is the new role for DHS in providing some oversight and guidance.

“Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the plan called for telecommunications companies to route the Internet traffic of civilian agencies through a monitoring box that would search for and block computer codes designed to penetrate or otherwise compromise networks.”

There’s a lot more in the article that is worth reading.

FaceBook default privacy policies changing

Wednesday, July 1st, 2009

FaceBook is changing how it manages privacy starting today. After reading last week’s post on the FaceBook blog, More Ways to Share in the Publisher, and a followup note on ReadWriteWeb, A Closer Look at Facebook’s New Privacy Options, I thought I understood: Facebook was sharing more but only for people who have made their profiles public. From the official FaceBook post:

“We’ve received some questions in the comments about default privacy settings for this beta. Nothing has changed with your default privacy settings. The beta is only open to people who already chose to set their profile and status privacy to “Everyone.” For those people, the default for sharing from the Publisher will be the same. If you have your default privacy set to anything else—such as “Friends and Networks” or “Friends Only”—you are not part of this beta.”

But today the New York Times has an article, The Day Facebook Changed: Messages to Become Public by Default that clearly says more is coming (emphasis added):

“By default, all your messages on Facebook will soon be naked visible to the world. The company is starting by rolling out the feature to people who had already set their profiles as public, but it will come to everyone soon. You’ll be able each time you publish a message to change that message’s privacy setting and from that drop down there’s a link to change your default setting.

But most people will not change the setting. Facebook messages are about to be publicly visible. A whole lot of people are going to hate it. When ex-lovers, bosses, moms, stalkers, cops, creeps and others find out what people have been posting on Facebook – the reprimand that “well, you could have changed your default setting” is not going to sit well with people.”

But it will come to everyone soon! That’s a big change if true. I hope that there is come clarification soon from FaceBook. I, for one, am left confused.

In face, as the ReadWrite post notes, the FaceBook privacy policy interface is confusing and not easy to use.

“Unfortunately, it’s very difficult to manage the new privacy settings as they are currently constituted. Several members of our staff struggled to make changes to message-specific and default privacy settings really stick. The feature is confusing if not outright broken. A lot of messages intended for limited distribution are going to be sent out wider than the author intended. That’s not good.”

This is an important thing to get right.