Fall 2005
September 2, 2005
Speaker: Lorrie Cranor
Associate Research Professor
Computer Science and Engineering & Public Policy
Carnegie Mellon University
Title
Towards Usable Web Privacy and Security
Abstract:
Internet users now rely on a whole arsenal of tools to protect their security and privacy. Experts recommend that computer users install personal firewalls, anti-virus software, spyware blockers, spam filters, cookie managers, and a variety of other tools to keep themselves safe. Users are told to pick hard-to-guess passwords, use a different password at every Web site, and not to write any of their passwords down. They are told to read privacy policies before providing personal information to Web sites, look for lock icons before typing in a credit card number, refrain from opening email attachments from people they don't know, and even to think twice about opening email attachments from people they do know. With so many do's and don'ts, it is not surprising that much of this advice is ignored. In this talk I will highlight usability problems that make it difficult for people to protect their privacy and security on the Web, and I will discuss a number of approaches to addressing these problems.
Biography
Dr. Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science at Carnegie Mellon University. She is a faculty member in the Institute for Software Research, International and in the Engineering and Public Policy department. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research. While at AT&T she also taught in the Stern School of Business at New York University. Dr. Cranor's research has focused on a variety of areas where technology and policy issues interact, including online privacy, electronic voting, and spam. She is chair of the Platform for Privacy Preferences Project (P3P) Specification Working Group at the World Wide Web Consortium and author of the book Web Privacy with P3P (O'Reilly 2002). In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine. Dr. Cranor received her doctorate degree in Engineering & Policy from Washington University in St. Louis in 1996. While in graduate school she helped found Crossroads, the ACM Student Magazine, and served as the publication's editor-in-chief for two years. Dr. Cranor was chair of the Tenth Conference on Computers Freedom and Privacy (CFP2000) and program committee chair for the 29th Research Conference on Communication, Information and Internet Policy (TPRC 2001). In the Spring of 2000 she served on the Federal Trade Commission Advisory Committee on Online Access and Security. She also serves on the editorial boards of the journals ACM Transactions on Internet Technology, The Information Society, and Journal of Privacy Technology. Dr. Cranor has been studying electronic voting systems since 1994 and in 2000 served on the executive committee of a National Science Foundation sponsored Internet voting taskforce. Dr. Cranor was also a member of the project team that developed the Publius censorship-resistant publishing system. 
In February 2001, the Publius team was honored by Index on Censorship magazine for the "Best Circumvention of Censorship." Dr. Cranor spends most of her free time with her husband, Chuck, her son, Shane, and her daughter Maya, but sometimes she finds time to play the tenor saxophone or design and create award-winning quilts.
September 16, 2005
Speaker: Nabil R. Adam
Department of Management Science and Information Systems
CIMIC, Rutgers, The State University of New Jersey
Title
Semantically Enhanced System for Enforcing Privacy Preferences of Mobile Consumers
Abstract:
A key challenge for Location-based services (LBSs) is to offer personalized contents while preserving the privacy of consumers. Consumers’ privacy preferences are typically expressed as policies where they state the rules under which access is granted or denied to their information. We propose a solution that includes an access control model for protecting customer profiles and location information. We also propose a mechanism that enforces the spatio-temporal policies. We extend our solution by employing semantic knowledge and reasoning techniques to be able to address other challenges such as enforcing privacy preferences that are based on incentives offered in promotions. Our solution uses the Ontology Web Language (OWL) to create an ontology that includes taxonomies for Location, Time, Merchants, Incentives, and Products. In our solution, we model both consumer preferences and merchant queries as Description Logic expressions and answer merchant queries by reasoning about consumer preferences that match the queries. We present the system architecture and show how this architecture is related to other e-commerce applications.
Biography
Nabil R. Adam is a Professor of Computers and Information Systems, the Founding Director of the Center for Information Management, Integration and Connectivity (CIMIC), Director of the Meadowlands Environmental Research Institute, and the Director of the Laboratory for Water Security at Rutgers University, Newark, New Jersey. Dr. Adam published numerous technical papers in such journals as IEEE Transactions on Software Engineering, IEEE Transactions on Knowledge and Data Engineering, ACM Computing Surveys, Communications of the ACM, Journal of Management Information Systems, and Int. Journal of Intelligent and Cooperative Information Systems. He coauthored/co-edited ten books including "Electronic Commerce: Technical, Business, and Legal Issues", Prentice Hall, 1998, a book on Databases Issues in GIS, Kluwer Academic Publisher, 1997 and one on Electronic Commerce (1996), published as part of the Springer Verlag Lecture Notes Series in Computer Science. He serves as the Editor-in-Chief of the International Journal on Digital Libraries and serves on the Editorial board of a number of journals including Journal of Management Information Systems and the Journal of Electronic Commerce and the Journal of Electronic Commerce Research and Applications. He also served as a guest editor for the Communications of the ACM, Operations Research, and Journal of Management Information Systems.
Dr. Adam’s research work has been supported by over $14 million from various federal and state agencies including the National Science Foundation (NSF), the National Security Agency (NSA), NOAA, US Environmental Protection Agency, the Defense Logistics Agency (DLA), the NJ Meadowlands Commission, and NASA.
He is the co-founder of the IEEE Technical Committee on Digital Libraries and served as the General Chair of the 1997 "IEEE International Conference on the Advances in Digital Libraries (IEEE ADL'97)", the Program Chair of the 1996 "Forum on Research and Technology Advances in Digital Libraries", the Program Co-chair of the 1995 "Forum on Research and Technology Advances in Digital Libraries", and the Program Chair of the 1994 "International Conference on Information and Knowledge Management". He was elected as a distinguished speaker in the IEEE Computer Society's Distinguished Visitors Program (DVP) for the period 1997-2000.
He was invited to lecture on Digital Libraries, E-Commerce and other related topics at several national and international institutions/forums, including: Hungarian US R&D Workshop - Information Society technology and Research Challenges, Sponsored by NSF and ELTE Ithaka, Budapest, Hosted by Hungarian Ministry for Information & Telecommunications and Ministry of Education, Hungary, 2004; The National Conference for Digital Government Research, May 2002 (Featured speaker); The National Research Council’s Workshop on Coping with Increasing Demands on Government Data Centers, 2002; The IEEE/ARL/NASA Workshop on Information Assurance, 2001; The International Symposium on Government and E-commerce Development, Ningbo, China, 2001 (Keynote speaker). Co-sponsored by the United Nations Department of Economic and Social Affairs, the Ningbo Municipality, the Chinese Academy of Science, the Chinese Academy of Engineering, the Ministry of Information Industry of China, and Zhejiang University of China; The Second European Conference on Research and Advanced Technology for Digital Libraries, Crete, Greece, 1998; The International Conference on the Digital Libraries and Information Services for the 21st Century, Seoul, Korea, 1996; Matsushita Information Technology Lab, Panasonic Technologies, Inc., Princeton, NJ, 1996; The Development and Practice of Law in the Age of the Internet, Washington College of Law Centennial Week Symposium, April 1996; The Bilkent University-sponsored Symposium on Environment, Space, and Communications, Bilkent, Ankara, Turkey, 1996; The Computer Science and Industrial Engineering departments, Ben-Gurion University in Beer-Sheva, Israel, 1996; 2nd International Workshop on Next Generation Info. Technologies & Systems, The Technion and Neaman Institute, Israel, 1995.
September 23, 2005
Speaker: Patrick Heim
Vice President Enterprise Security,
McKesson Corporation
Title
Managing Information Security at a Fortune 100 - a View from the Trenches
Abstract:
Information security is a complicated problem to which there are many different perspectives. Mr. Heim will share his experiences as an auditor, penetration tester, security consultant, security product manager, CTO of a software company, and finally in managing information security for McKesson Corporation - a Fortune 16 health care company. The objective will be to provide a real world perspective on the challenges of information security and how the same problem can be viewed differently depending on the perspective one takes. The challenge to information security professionals is to understand these perspectives and ensure that the solutions that are developed address their individual needs.
Biography
Mr. Heim is the Vice President Enterprise Security for McKesson Corporation. As the world's largest healthcare services company with more than $80 billion in annual sales, McKesson Corporation ranks as the 16th largest industrial company in the United States. McKesson provides pharmaceutical supply management and information technologies across the entire continuum of healthcare.
Mr. Heim's responsibilities include defining and enforcing enterprise-wide information security policy and providing information security leadership across the enterprise. Patrick is also responsible for security architecture, engineering, administration, enforcement, and incident response.
Prior to McKesson, Mr. Heim was the CTO of eNetSecure, and was also employed as the Director of Professional Services at nCircle. Patrick also acted as a Senior Manager in Ernst & Young's security consulting and audit practice in the Pacific Northwest region.
At McKesson he has had the opportunity to build an enterprise-wide IT security function and lay down a solid security foundation for the corporation.
Mr. Heim has examined the problem of information security from the angles of a system administrator, auditor, security consultant, security product vendor, and manager of information security. Each of these experiences has provided him with valuable insight and a different perspective into the same problem.
September 30, 2005
Speaker: George Cybenko
Dorothy and Walter Gramm Professor of Engineering
Dartmouth College
Title
Process Detection in Network Security and Autonomic Computing
Abstract:
Multiple process detection is the problem of identifying instances of several dynamical processes and estimating their states from a sequence of unlabeled, noisy and ambiguous observations of the processes. This talk will demonstrate that several important challenges in secure computing and autonomic systems can be naturally formulated as multiple process detection problems. Those problems include detection of multi-stage, multi-host computer attacks and self-aware computing systems. This talk will also provide an introduction to the growing body of theory and applications of process detection, including applications to other areas. A software implementation of a general-purpose process detection system, called a Process Query System (PQS), will be presented as well. See www.pqsnet.net for papers and more information about Process Query Systems.
Biography
George Cybenko is the Dorothy and Walter Gramm Professor of Engineering at Dartmouth. Cybenko's current research interests are distributed information and control systems, with a special focus on process detection in cybersecurity, sensor network tracking and infrastructure protection applications. He is the founding Editor-in-Chief of IEEE Security and Privacy and an investigator on projects funded by DHS, DARPA and ARDA. Cybenko received a BSc in mathematics from the University of Toronto and a Ph.D. in applied mathematics from Princeton. He is a fellow of the IEEE.
October 7, 2005
Speaker: José Carlos Brustoloni
Assistant Professor
Department of Computer Science
University of Pittsburgh
Title
Using Secure Coprocessors to Protect Access to Enterprise Networks
Abstract:
Enterprise firewalls can be easily circumvented, e.g. by attack agents aboard infected mobile computers or telecommuters' computers, or by attackers exploiting rogue access points or modems. Techniques that prevent connection to enterprise networks of nodes whose configuration does not conform to enterprise policies could greatly reduce such vulnerabilities. Network Admission Control (NAC) and Network Access Protection (NAP) are recent industrial initiatives to achieve such policy enforcement. However, as currently specified, NAC and NAP assume that users are not malicious. We propose novel techniques using secure coprocessors to protect access to enterprise networks. Experiments demonstrate that the proposed techniques are effective against malicious users and have acceptable overhead.
Biography
José Carlos Brustoloni obtained his Ph.D. degree in Computer Science from Carnegie Mellon University, after getting an M.S. degree in Electrical Engineering from University of São Paulo, Brazil, and a B.E. degree in Electronics Engineering from Instituto Tecnológico de Aeronáutica, Brazil. José joined the University of Pittsburgh's faculty in August of 2002. Previously, he was a researcher at Bell Laboratories, Lucent Technologies. His research interests include computer networks, operating systems, security, quality of service, and embedded systems.
October 21, 2005
Speaker: Andrew Myers
Associate Professor, Department of Computer Science
Cornell University
Title
Toward distributed systems secure by construction
Abstract:
Building secure distributed systems typically involves the use of a variety of different mechanisms, such as encryption, digital signatures, access control, and replication. Once the system is built, it is difficult to know that system-level security objectives have been achieved.
In this talk I will present a new way to enforce security policies for data confidentiality and integrity in a distributed environment. Programs annotated with security policies are statically checked and then transformed by the compiler to run securely on a distributed system with untrusted hosts. The code and data of the computation are partitioned and replicated across the available hosts in accordance with the security policies, and the compiler automatically generates secure run-time protocols for communication among the replicated code partitions. We have shown that programs such as games and auctions can be automatically transformed to run securely and with reasonable efficiency.
Biography
Andrew Myers is an Associate Professor at Cornell University. He received a Ph.D. in Computer Science from MIT in 1999. His research interests include computer security, programming languages, and distributed object systems. His recent work has focused on using language-based information flow to specify and build trustworthy computing systems.
November 4, 2005
Speaker: Ling Liu
Associate Professor, College of Computing
Georgia Institute of Technology
Title
Countering Targeted File Attacks using LocationGuard
Abstract:
Serverless distributed computing has received significant attention from both the industry and the research community. Among the most popular applications are the wide area network file systems, exemplified by CFS, Farsite and OceanStore. These file systems store files on a large collection of untrusted nodes that form an overlay network. They use cryptographic techniques to secure files from malicious nodes. Unfortunately, cryptographic techniques cannot protect a file holder from a Denial-of-Service (DoS) or a host compromise attack. Hence, most of these distributed file systems are vulnerable to targeted file attacks, wherein an adversary attempts to attack a small (chosen) set of files by attacking the nodes that host them.
In this talk, I will describe LocationGuard - a location hiding technique for securing overlay file storage systems from targeted file attacks. LocationGuard has three essential components: (i) location key that serves as the key to the location of a file, (ii) lookup guard, a secure algorithm to locate a file in the overlay network such that neither the key nor the location is revealed to an adversary, and (iii) a set of location inference guards against various inference attacks such as lookup frequency, IP-address, file replica, and file size inference attacks. We show that the combination of location key, lookup guard, and location inference guards makes it very hard for an adversary to infer the location of a target file by either actively or passively observing the overlay network. LocationGuard can be used to mitigate Denial-of-Service (DoS) and host compromise attacks by constructing an efficient file access control mechanism, while adding almost zero performance overhead and very minimal storage overhead to the overlay file system.
Biography
Ling Liu is currently an associate professor at the College of Computing at Georgia Tech. She directs the research programs in Distributed Data Intensive Systems, examining research issues and technical challenges in building scalable and secure distributed data intensive systems. Her current research interests include performance, security, and privacy issues in peer to peer and grid computing, mobile location based services, sensor network systems, and distributed enterprise computing technology. Her recent research in security has been focused on developing safeguards for securing wide area distributed data intensive systems, including event guards, content guards, location guards, and trust guards. She has published over 150 international journal and conference articles. She currently serves as co-chair of several IEEE conferences, including the co-PC chair of IEEE 2006 International Conference on Data Engineering (ICDE 06), the vice chair of the Internet Computing track of the IEEE 2006 International Conference on Distributed Computing (ICDCS 06), and is on the editorial board of several international journals, including an associate editor of IEEE Transactions on Knowledge and Data Engineering (TKDE), International Journal of Very Large Databases (VLDBJ), and International Journal of Web Service Research. Most of Dr. Liu's current research has been sponsored by NSF, DoE, DARPA, IBM, and HP.
November 18, 2005
Speaker: Csilla Farkas
Department of Computer Science and Engineering
University of South Carolina
Title
Security in Web Applications
Abstract:
Web-based application security requires that both the supporting technologies and the applications are secure. Until recently, Web data security research focused mainly on developing security models for semi-structured data, like XML. These efforts addressed XML syntax, ignoring data and application specific semantics conveyed by the XML documents. While the existing models are suitable for custom tailored applications, like data exchange between participants, the lack of semantics makes them insufficient to provide high assurance security for future Web-based applications.
This talk gives an overview of current efforts to provide data and application security in the context of the WWW and identifies unexplored research areas. Two main research directions to extend the XML model with semantics are discussed. The first approach extends the XML model with traditional database concepts, like keys and database constraints. The second approach aims to associate XML documents with semantic languages supporting Web-based applications. The security needs of Web metadata, like RDF, RDFS, and OWL, and the risk of inference and data aggregation problems supported by these languages are also studied.
Biography
Csilla Farkas is an Assistant Professor in the Department of Computer Science and Engineering and Director of the Center for Information Assurance Engineering at the University of South Carolina. Farkas’ research interests include information security, data inference problem, economic and legal analysis of cyber crime, and security and privacy on the Semantic Web. She is a recipient of the National Science Foundation Career award. The topic of her award is “Semantic Web: Interoperation vs. Security – A New Paradigm of Confidentiality Threats.” She actively participates in international scientific communities as program committee member and reviewer.