IEEE Security & Privacy’s readers are concerned with not only security and privacy but also safety and dependability. This issue focuses on all four aspects of the technology we use daily.
From the Editors
Games without Frontiers: Whither Information Security and Privacy?
Abstract: The past decade has clearly shown that even the best security solutions won’t eliminate threats once and for all, and that there will always be “unknown unknowns.” However, new large-scale technologies and threat types require novel, sophisticated solutions to meet our current and future security and privacy demands.
Silver Bullet Talks with Peiter (Mudge) Zatko
Gary McGraw, Cigital
Abstract: Gary McGraw interviews Peiter Zatko, known in the security community as Mudge, about the origins of the L0pht hacker collective, managing cybersecurity projects for DARPA, and much more.
Guest Editor’s Introduction
Shari Lawrence Pfleeger
Abstract: IEEE Security & Privacy’s readers are concerned with not only security and privacy but also safety and dependability. In this issue, we focus on all four aspects of the technology we use daily.
Mettle Fatigue: VW’s Single-Point-of-Failure Ethics
Roland L. Trope, Trope and Schramm LLP
Eugene K. Ressler, US Military Academy Emeritus Faculty
DOI: 10.1109/MSP.2016.6 [paywall]
Abstract: After a year of denials, Volkswagen admitted in August/September 2015 that multiple makes and models of its diesel vehicles contained defeat device software. The decisions leading to “Dieselgate” involved a corruption of engineering ethics that the profession ought to address.
Looking into Software Transparency
Charles P. Pfleeger
DOI: 10.1109/MSP.2016.5 [paywall]
Abstract: A recent Volkswagen emissions incident has raised calls for greater transparency of the software on which much of modern life depends. The argument posed is that if the emissions control system code had been available for public scrutiny, someone would have seen the relevant segment and blown the whistle. However, this reasoning is faulty.
Learning Internet-of-Things Security “Hands-On”
Constantinos Kolias, George Mason University
Angelos Stavrou, George Mason University
Jeffrey Voas, National Institute of Standards and Technology
Irena Bojanova, National Institute of Standards and Technology
Richard Kuhn, National Institute of Standards and Technology
DOI: 10.1109/MSP.2016.4 [paywall]
Abstract: What can you glean from using inexpensive, off-the-shelf parts to create Internet of Things (IoT) use cases? As it turns out, a lot. The fast productization of IoT technologies is leaving users vulnerable to security and privacy risks.
A Communications Jamming Taxonomy
Marc Lichtman, Virginia Tech
Jeffrey D. Poston, Virginia Tech
SaiDhiraj Amuru, Virginia Tech
Chowdhury Shahriar, Virginia Tech
T. Charles Clancy, Virginia Tech
R. Michael Buehrer, Virginia Tech
Jeffrey H. Reed, Virginia Tech
DOI: 10.1109/MSP.2016.13 [paywall]
Abstract: With the now widespread availability of software-defined radio technology for wireless networks, the distinction between jamming in the original electronic warfare sense and wireless cybersecurity attacks becomes hazy. A taxonomy delineates these concepts in the rapidly expanding field of wireless security, classifying communication jammers’ theoretical behaviors and characteristics.
Evaluating Protection Capability for Visual Privacy Information
Yuta Nakashima, Nara Institute of Science and Technology
Tomoaki Ikeno, Osaka University
Noboru Babaguchi, Osaka University
DOI: 10.1109/MSP.2016.3 [paywall]
Abstract: One way to prevent privacy intrusion is by blurring or blocking out facial images using image processing. However, this technique’s effectiveness depends on viewers’ familiarity with the subjects as well as on the subjects’ conspicuousness.
Fully Homomorphic Encryption: Computations with a Blindfold
Marc Beunardeau, École normale supérieure
Aisling Connolly, École normale supérieure
Rémi Géraud, École normale supérieure
David Naccache, École normale supérieure
DOI: 10.1109/MSP.2016.8 [paywall]
Abstract: To leverage the power of cloud computing, you can no longer encrypt data the traditional way. However, anyone (including the cloud service itself) can easily read unencrypted data. Fully homomorphic encryption reconciles this dilemma.
It All Depends
Binary Rejuvenation: Applications and Challenges
Angelos Oikonomopoulos, VU University Amsterdam
Cristiano Giuffrida, VU University Amsterdam
Sanjay Rawat, VU University Amsterdam
Herbert Bos, VU University Amsterdam
DOI: 10.1109/MSP.2016.20 [paywall]
Abstract: Software engineers have long performed source code rejuvenation, or rewriting of obsolete or outdated programming idioms to modern counterparts. Inspired by this practice, the authors propose binary rejuvenation by updating selected binary files.
Addressing Gender Gaps in Teens’ Cybersecurity Engagement and Self-Efficacy
Laura Amo, University at Buffalo
DOI: 10.1109/MSP.2016.12 [paywall]
Abstract: To increase women’s representation in technology careers, it’s important to spark and nurture their interest and confidence during middle and high school. A pilot study compares gender differences in cybersecurity self-efficacy and interest among teens at a five-day cybersecurity camp. Although males initially scored higher on the Cybersecurity Engagement and Self-Efficacy Scale, the females caught up by week’s end.
The DARPA Cyber Grand Challenge: A Competitor’s Perspective, Part 2
Jia Song, University of Idaho
Jim Alves-Foss, University of Idaho
DOI: 10.1109/MSP.2016.14 [paywall]
Abstract: DARPA initiated the Cyber Grand Challenge (CGC) in 2014 to encourage innovation in fully automated software vulnerability analysis and repair. In the June 2015 CGC Qualifying Event, the competitors’ automated systems were given one day to evaluate 131 challenges. The top seven teams, including the University of Idaho’s Center for Secure and Dependable Systems, will compete in the August 2016 CGC Final Event. This second of two CGC articles describes lessons learned about automated cybersecurity defensive systems.
Security & Privacy Economics
Action, Inaction, Trust, and Cybersecurity’s Common Property Problem
Karen Elliott, Newcastle University Business School
Fabio Massacci, University of Trento
Julian Williams, Durham University Business School
DOI: 10.1109/MSP.2016.2 [paywall]
Abstract: Cybersecurity tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing “nothing” is the optimal strategy when substantial fixed adjustment costs are present. Indeed, the authors’ anecdotal experience as chief information security officers indicates that uncertain costs that might be incurred by rapid adoption of security updates substantially delay the application of recommended security controls, so the industry does appear to understand this economic aspect quite well. From a policy perspective, the inherently discontinuous adjustment path taken by firms can cause difficulties in determining the most effective public policy remit and the effectiveness of any enacted policies ex post. This article summarizes this type of policy issue in relation to the contemporary cybersecurity agenda.
Cryptography Is Harder than It Looks
Bruce Schneier, Resilient Systems
Abstract: Security vulnerabilities, whether deliberate back door access mechanisms or accidental flaws, make us all less secure. Getting security right is harder than it looks, and our best chance is to make the cryptography as simple and public as possible.