<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>trust &amp; security</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/" />
   <link rel="self" type="application/atom+xml" href="http://www.tssg.org/trustandsecurity/atom.xml" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97</id>
   <updated>2010-09-06T10:51:52Z</updated>
   <subtitle>Information on trust &amp; security research within the TSSG</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.34</generator>

<entry>
   <title>The Security of Smart Metering</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/08/the_security_of_smart_metering.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1537</id>
   
   <published>2010-08-20T15:26:42Z</published>
   <updated>2010-09-06T10:51:52Z</updated>
   
   <summary>Bruce Schneier has a recent article on the topic Security Vulnerabilities of Smart Electricity Meters, there&apos;s nothing particularly surprising about it, most readers of this blog will appreciate both the short-term and long-term security implications for such systems. The effect...</summary>
   <author>
      <name>Barry Mulcahy</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[Bruce Schneier has a recent article on the topic <a href="http://www.schneier.com/blog/archives/2010/07/security_vulner.html">Security Vulnerabilities of Smart Electricity Meters</a>, there's nothing particularly surprising about it, most readers of this blog will appreciate both the short-term and long-term security implications for such systems.

The effect on how the metering business itself operates will be quite large. How long has the electricity meter been installed in your premises ... many upgrades? Introducing a smart meter for any utility (the same technology is being rolled out for water meters) will introduce so many issues that software upgrades and physical replacement of old devices will be commonplace and very costly.

What security system (in particular embedded systems) from 10 or more years ago would be safe against attack today? The motivation (malicious through to economic) to break any widely deployed utility system is huge. The lifetime of these smart meters I suspect will be much shorter than the traditional 'dumb' models.

I think this is going to be a growth market for security long into the future.]]>
      
   </content>
</entry>
<entry>
   <title>Cloud security...an issue? a risk? or just lacking confidence?</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/08/cloud_securityan_issue_a_risk_1.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1523</id>
   
   <published>2010-08-10T08:39:48Z</published>
   <updated>2010-08-17T16:14:52Z</updated>
   
   <summary>Vehicles for organisations to manage risk with regard to cloud computing and present users with more knowledge and confidence? The LinkedIn group CSA Cloud Security Alliance have been investigating this and have developed an industry standard and certification aimed at...</summary>
   <author>
      <name>Zeta Dooly</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[Vehicles for organisations to manage risk with regard to cloud computing and present users with more knowledge and confidence?

The LinkedIn group CSA Cloud Security Alliance have been investigating this and have developed an industry standard and certification aimed at promoting Secure Cloud Computing for All. Their <a href="http://www.cloudsecurityalliance.org/pr20100728.html">press release</a> boasts a Certificate of Cloud Security Knowledge (CCSK) designed to ensure that a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.  This is good news for industry as often IT professionals make decisions based on best practice but not supported by sufficient evidence that their clients' data is protected and the company is following regulatory frameworks. Thus this additional step should armour the Infrastructure dept with sufficient evidence to promote cloud computing at the board of management. While I don't have experience of the newly released certification process I am impressed with the CSA's deliverables to date and with the additional <a href="http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment">ENISA whitepaper</a> forming part of their considerations I believe that it is a step in the right direction. Already the portfolio of companies signing up include eBay, Lockheed Martin and Sallie Mae, ING, Symantec, CA, Trend Micro and Zynga who have committed to adoption of the CCSK.
]]>
      
   </content>
</entry>
<entry>
   <title>The Dungarvan Conference 2010: Global Intelligence Forum</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/07/the_dungarvan_conference_2010.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1510</id>
   
   <published>2010-07-16T10:12:07Z</published>
   <updated>2010-07-16T10:22:31Z</updated>
   
   <summary>The Mercyhurst College Institute for Intelligence Studies (MCIIS) this week brought together leading practitioners from around the world in intelligence analysis for The Dungarvan Conference 2010: Global Intelligence Forum. For those who attended I&apos;m sure you found it as interesting...</summary>
   <author>
      <name>Barry Mulcahy</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[The Mercyhurst College Institute for Intelligence Studies (<a href="http://www.mciis.org/">MCIIS</a>) this week brought together leading practitioners from around the world in intelligence analysis for <a href="http://www.mercyhurst.edu/dungarvan-conference/">The Dungarvan Conference 2010: Global Intelligence Forum</a>. For those who attended I'm sure you found it as interesting as I did. The quality of speakers was exceptional, this combined with the range and diversity of fields represented made for an engaging experience.

It's interesting to see how diverse fields of study can potentially use similar analytic techniques. Case studies and examples were drawn from and/or applicable to: forensic pathology, archaeology, medicine, intelligence studies, etc. Many best practices exhibit common features such as the quality of information being more important than the quantity of information; the value of viewing problems from multiple perspectives; using different assumptions; and how these can promote analytic tension (which isn't always a bad thing).

However, the fields from which analytic techniques are drawn should be compared and contrasted with the perspective field of study to ensure that there is more than a superficial similarity between the fields. An example of this divergence is that intelligence corroboration is often more important than repeatability. This 'idea confirmation path' is in contrast to the traditional scientific method of repeating experiments. One of the take-home messages was to use the right analytic technique for the right job, with more than 500 different techniques listed in some text books, it's important to choose the right one. How to make this choice is an open problem and often domain specific.

Some of the described best practices have ICT equivalents such as inventing an idealised system intruder (highly skilled and motivated with substantial resources) and red-team penetration tests which are, in effect, promoting analytic tension. For me, the use of best practice in an alternative field was highlighted in the final part of the conference where attendees participated in applying two analytical techniques in a practical exercise "Who Poisoned Karinna Moskalenko?". The techniques used were 1) a key assumptions check and 2) the pre-mortem assessment. Both of these analytic techniques are, in my opinion, ideally suited for application to intrusion detection and hardening of ICT systems. Successful use might just save ICT security specialists from having to perform a post-mortem analysis and a presentation on how a business critical system failed.

There were numerous other valuable messages that emerged from the conference such as the importance of knowing your audience and their abilities in order to best communicate your results to them. I look forward to applying the lessons learned and to attending this event again next year.

As a follow-up <a href="http://www.irishtimes.com/newspaper/ireland/2010/0713/1224274589808.html">here is an article</a> from the Irish Times:

"The Institute for Intelligence Studies at Mercyhurst, in the Pennsylvanian city of Erie, is understood to be in advanced talks with Waterford Institute of Technology and the local authorities."

So it looks like this event may well continue to be hosted in Waterford, and that we can look forward to deepening ties with Mercyhurst.
]]>
      
   </content>
</entry>
<entry>
   <title>U.S. Plans Cyber Shield for CI</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/07/us_plans_cyber_shield_for_ci.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1502</id>
   
   <published>2010-07-09T16:36:26Z</published>
   <updated>2010-07-09T16:42:48Z</updated>
   
   <summary>An interesting article from the WSJ about the NSA monitoring Critical infrastructures (CI). It highlights the value of collaborative approaches to identifying threats in distributed systems. From the article: &apos;The federal government is launching an expansive program dubbed &quot;Perfect Citizen&quot;...</summary>
   <author>
      <name>Barry Mulcahy</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[An interesting article from the WSJ about the <a href="http://online.wsj.com/article/SB10001424052748704545004575352983850463108.html?mod=WSJ_hpp_MIDDLETopStories">NSA monitoring Critical infrastructures</a> (CI). It highlights the value of collaborative approaches to identifying threats in distributed systems.

From the article:
'The federal government is launching an expansive program dubbed "Perfect Citizen" to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants'

A follow-up article can be found on <a href="http://www.wired.com/threatlevel/2010/07/nsa-2/">Wired</a>.

We're doing some similar work in the CoMiFin project to protect Financial CI. The system facilitates information exchange between participants with distributed event processing for identifying emerging threats. Among other things WIT-TSSG is responsible for a Trust Management component that provides mechanisms to dynamically compute the reputation of participants.

For more see: <a href="http://www.comifin.eu/">http://www.comifin.eu/</a>
]]>
      
   </content>
</entry>
<entry>
   <title>Hat-trick of articles on privacy in social-network environs</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/06/hattrick_of_articles_on_privac_1.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1482</id>
   
   <published>2010-06-03T10:02:42Z</published>
   <updated>2010-06-03T10:15:18Z</updated>
   
   <summary>One of the security team here in the TSSG brought the following three articles to everyone&apos;s attention: One: The Fundamental Limits of Privacy For Social Networks ...privacy in social recommender systems; based on a paper from Microsoft researchers who were...</summary>
   <author>
      <name>Kieran Sullivan</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[One of the security team here in the TSSG brought the following three articles to everyone's attention:

One: <a href="http://www.technologyreview.com/blog/arxiv/25146/">The Fundamental Limits of Privacy For Social Networks</a>

...privacy in social recommender systems; based on a paper from Microsoft researchers who were able to break Amazon's recommender system. 

Two: <a href="http://www.technologyreview.com/web/22781/?a=f">Social Networks Keep Privacy in the Closet</a>

...discusses the concept of privacy in different social networks.

Three: <a href="http://www.allbusiness.com/government/government-bodies-offices-us-federal-government/12572885-1.html">Privacy requires security, not abstinence: protecting an inalienable right in the age of Facebook</a>

...<em>The title says it all</em>...

Thanks to Ahmed for the above links.]]>
      
   </content>
</entry>
<entry>
   <title>INCO-TRUST Workshop in New York City</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/05/incotrust_workshop_in_new_york.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1465</id>
   
   <published>2010-05-06T15:03:06Z</published>
   <updated>2010-05-07T12:01:01Z</updated>
   
   <summary>The DG-INFSO F5 Trust and Security project INCO-TRUST held a workshop on 4-5th May 2010 in New York City. The workshop was co-organised by the National Science Foundation, Rutgers University and the INCO-TRUST project. The main focus of the workshop...</summary>
   <author>
      <name>Barry Mulcahy</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[The <a href="http://cordis.europa.eu/fp7/ict/security/">DG-INFSO F5</a> Trust and Security project <a href="http://www.inco-trust.eu/">INCO-TRUST</a> held a workshop on 4-5th May 2010 in New York City.  The workshop was co-organised by the <a href="http://www.nsf.gov/">National Science Foundation</a>, <a href="http://www.rutgers.edu/">Rutgers University</a> and the <a href="http://www.inco-trust.eu/">INCO-TRUST</a> project. The main focus of the workshop was International Data Exchange with Security and Privacy: Applications, Policy, Technology, and Use. There were delegates from EU, US, Korea, Japan, Australia, Canada, South Africa and Brazil.

The workshop slides will be available shortly at the workshop <a href="http://www.cs.rutgers.edu/%7Erebecca.wright/INCO-TRUST/">web site</a>. ]]>
      
   </content>
</entry>
<entry>
   <title>Up Up Up in the Clouds...who is guarding our identity?</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/04/up_up_up_in_the_cloudswho_is_g.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1441</id>
   
   <published>2010-04-16T09:21:04Z</published>
   <updated>2010-04-26T09:02:01Z</updated>
   
   <summary>With the current volcanic ash catastrophe for European travel unfolding this week there is a lot of cloud activity, however this article will focus on cloud computing and specifically identity in the cloud. Cloud computing comprises infrastructure services built on...</summary>
   <author>
      <name>Zeta Dooly</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[With the current <a href="http://www.met.ie/news/display.asp?ID=61">volcanic ash catastrophe</a> for European travel unfolding this week there is a lot of cloud activity, however this article will focus on <a href="http://en.wikipedia.org/wiki/Cloud_Computing">cloud computing</a> and specifically identity in the cloud.

Cloud computing comprises infrastructure services built on data centres; businesses outsource their computing infrastructure needs, managed through Service Level Agreements (SLAs) and Quality of Service (QoS) criteria.

With all this outsourcing going on it is difficult to ascertain who is accountable and/or responsible for your data or indeed where your personal information is going and who has access to it. It is increasingly difficult to maintain online anonymity, but some apps carry their own methods: Twitter's OAuth, Facebook Connect and OpenID.

There are many <a href="http://www.citmedialaw.org/legal-guide/how-maintain-your-anonymity-online">guides</a> out there that have recommendations, both technical solutions such as disguising your IP address and less technical moves such as revealing less data on your website or blog. Indeed from the results of some searches it seems that maintaining online anonymity has an array of tools, forums and followers of its own with many companies offering internet privacy as its main product. Key considerations should include authorization issues around vendors, partners and 3rd parties, right to audit, standards, assurance of security, vendor transparency and privileged user access and access segregation (vendor vs user access).

Then in relation to data and privacy, where does the data originate and reside, there will be a requirement for Data Monitoring (loss prevention) and storage segregation  and management (includes data destruction practices, access controls on structured and unstructured data, access reporting). With Cloud Computing contrary to traditional infrastructure solutions each component of the data chain may reside in a different country and thus be under a different legal system, which adds further complexity but once acknowledged these challenges may be overcome.

Regulatory Compliance resides in the country of origin and businesses need to know their responsibilities, the Data Protection Commissioner’s <a href="http://www.dataprotection.ie/docs/Home/4.htm">website</a> provides further information.  Any regulatory compliance issues (international, local, regional) will be subject to rigorous inspection and follow-up.

Identity, defined in the dictionary as the condition of being oneself or itself, and not another. Unique is used to describe one’s identity, however we are all aware that one identity can play many roles often with diverse priorities, professional, consultant, movie addict, gambler, sport enthusiast, mother, armchair traveller where our online identities need to be segregated and the use of aliases or other mechanisms to support these strands are devised.

I’m not really sure of the implications of cloud computing but as I’ve mentioned in this article the main challenges are that where infrastructure is outsourced, policy and control is replaced by SLAs and QoS policies and that is where the details of cloud computing identity and access management lie. There may be some skepticism that moving toward Amazon EC2 or Google holding the lion's share of data centres that conflicting single sign on (SSO) solutions will jeopardize the current models and identity in the cloud will bring new challenges. Already there are products available to limit and mitigate risk for identity in the cloud and this <a href="http://www.aspeninstitute.org/publications/identity-age-cloud-computing-next-generation-internets-impact-business-governance-socia">paper</a> from the Aspen Institute will provide some additional information on this topic and even more information on <a href="http://www.readwriteweb.com/cloud/2010/02/lady-gaga-facebook-login-twitter.php">third-party login</a> which is becoming the norm!

Back to the title of this article - who is guarding our identity - it's you, the user, citizen, employee. It is up to you to ensure that you are compliant and that you are confident of where your data is accessed, stored and that your identity or identities are safe. Happy reading!
]]>
      
   </content>
</entry>
<entry>
   <title>RISEPTIS Report nears the 5,000 mark</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/04/riseptis_report_nears_the_5000.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1426</id>
   
   <published>2010-04-01T09:57:49Z</published>
   <updated>2010-04-01T10:13:12Z</updated>
   
   <summary>The RISEPTIS report, ‘Trust in the Information Society’, which makes recommendations on future trust and security research challenges, was published in November, 2009. To date, over 1,500 hard copies of the report have been disseminated to various interested parties, both...</summary>
   <author>
      <name>Kieran Sullivan</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[The <a href="http://www.think-trust.eu/downloads/public-documents/riseptis-report/download.html">RISEPTIS report</a>, ‘Trust in the Information Society’, which makes recommendations on future trust and security research challenges, was published in November, 2009. To date, over 1,500 hard copies of the report have been disseminated to various interested parties, both across Europe and globally. Additionally, the Report has been downloaded from the <a href="http://www.think-trust.eu/">Think-Trust website</a> 3,332 times, giving a total distribution of over 4,800 copies of ‘Trust in the Information Society’.

To provide an accessibility point for its high-level recommendations, the Report tells six interwoven short-stories about a young couple – Jorge and Theresa – and their (mostly) electronic interactions with the surrounding environment as they go on their merry way.

Think-Trust supported the RISEPTIS Advisory Board throughout its lifecycle and the publication and wide dissemination of the RISEPTIS Report is a major result for the project. 

P.S. The six main RISEPTIS recommendations formed the basis for the recent <a href="http://trustworthyict.inteco.es/">Trustworthy ICT conference</a> in Leon, Spain.]]>
      
   </content>
</entry>
<entry>
   <title>Green Security</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/02/green_security.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1402</id>
   
   <published>2010-02-18T10:20:32Z</published>
   <updated>2010-02-18T10:25:28Z</updated>
   
   <summary>I was asked about my previous post on green security what the &apos;angle&apos; was. Well, the environmental impact of security is hard to dispute, be it in technology, construction, policy, etc. but it&apos;s an impact that in many cases we...</summary>
   <author>
      <name>Barry Mulcahy</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[I was asked about my previous post on <a href="https://www.tssg.org/trustandsecurity/2010/02/time_to_stop_and_smell_the_ros.html">green security</a> what the 'angle' was. Well, the environmental impact of security is hard to dispute, be it in technology, construction, policy, etc. but it's an impact that in many cases we have not tried to find a solution for. A technological example would be cryptography; compression algorithms can't really be applied to encrypted data. As a result, encrypted data may well take up more storage and/or bandwidth (read: energy) than unencrypted data*. The moderation of environmental impacts that are attributable to security is something that is only recently being considered, and like security, it is something that should be factored in at design-time with ongoing assessment if it is to be effective.

*one solution here is to compress the data prior to encryption, though this introduces its own issues; if the data is not easily compressed or if the cost of the compression algorithm is relatively high, it can lead to overall higher environmental costs.

How to go about doing this? Well, for me the logical starting point would be the incorporation of green concerns to the threat and risk assessment processes used in both ICT and in the real-world. This would naturally lead on to balanced green-secure solutions for a given problem, of course there is going to be a trade-off in each case. For example, I would like my phone sim to be biodegradable, but for such a small piece of plastic I would be quite concerned about the security of the sim and its associated account. If making the sim biodegradable allows for easier attacks I would have an issue with it. The car charger for the phone on the other hand has a much bigger environmental impact and I would be less concerned about security there, so a potential win-win. Another example would be the encryption algorithm used for an application, energy consumption is usually factored into the choice of algorithm if the deployment environment is battery powered (think mobile devices). A green-conscious approach might also consider desktop deployments and the like, even when there is not a technological necessity to do so.

What to take from this is that there is no silver bullet for security and its green-related issues, only tools that can be applied to solve problems.

Reading into the question, an angle is something that can be exploited. Making devices 'smarter', well yes, but for what purpose? While we are not as interested in say construction we should not discount physical security altogether as there are security applications with strong ICT elements that may be of interest. I'm reminded of AAL and sensor networks, where ICT can form a key part of the solution. For example, consider border controls and other types of checkpoints where cars and HGVs are idling for long periods of time. A secure way of reducing emissions in all those parked vehicles or of protecting staff from a build-up of fumes is of interest. Ordering a remote switch-off of engines might be a quick and effective solution, but not a safe one!

So, in these few examples we see a couple of different avenues for 'an angle'. One is where applying technology as a solution to green issues can introduce potential security vulnerabilities that need to be addressed. Another is the idea that security itself is inherently un-green and existing security solutions may need to be reassessed to make them more eco-friendly.

Given the difficulty in reconciling security with the green agenda, it should be viewed as an opportunity. I would suggest that when formulating solutions the incorporation of tools and techniques that measurably reduce environmental impact as part of the project would, in general, help provide a competitive edge over alternative approaches.

The angle is: Be Green.
]]>
      
   </content>
</entry>
<entry>
   <title>Time to stop and smell the roses?</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/02/time_to_stop_and_smell_the_ros.html" />
   <id>tag:www.tssg.org,2010:/trustandsecurity//97.1401</id>
   
   <published>2010-02-16T16:34:17Z</published>
   <updated>2010-02-16T16:39:51Z</updated>
   
   <summary>This is an interesting (4 page) article on Green Technology and its often rocky relationship with Security. Note, that the notion of security here goes beyond ICT into the realm of the &apos;real-world&apos;, something we at the TSSG have a...</summary>
   <author>
      <name>Barry Mulcahy</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      This is an interesting (4 page) article on Green Technology and its often rocky relationship with Security. Note, that the notion of security here goes beyond ICT into the realm of the &apos;real-world&apos;, something we at the TSSG have a keen interest in.

http://www.facilitiesnet.com/security/article/Green-Building-Goals-and-Security-Initiatives-Can-Find-Common-Ground--11349

I think this particular cross-domain interaction is a growth area given security threats and vulnerabilities are not going away and that energy costs are rising, this combined with &apos;being green&apos; is a recipe for success.

So is it time for security to stop and smell the roses?

      
   </content>
</entry>
<entry>
   <title>Information Security Legislative Trends ISSA webinar</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2010/02/information_security_legislati.html" />
   <id>tag:www.tssg.org,2010:/WEBLOG-NAME//97.1399</id>
   
   <published>2010-02-10T15:57:21Z</published>
   <updated>2010-02-10T16:02:15Z</updated>
   
   <summary>This webinar looks pretty interesting - many of the challenges we&apos;ve seen in European research in security has been in the non-technical areas of legislation and citizen knowledge. The sub-session on cyber security legislation should provide much sought clarity in...</summary>
   <author>
      <name>Zeta Dooly</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[This <a href="https://www.issa.org/page/?p=94">webinar</a> looks pretty interesting - many of the challenges we've seen in European research in security have been in the non-technical areas of legislation and citizen knowledge. The sub-session on cyber security legislation should provide much sought clarity in this area and the privacy in social networks may be an eye opener for some internet users!]]>
      
   </content>
</entry>
<entry>
   <title>Welcome</title>
   <link rel="alternate" type="text/html" href="http://www.tssg.org/trustandsecurity/2009/11/welcome.html" />
   <id>tag:www.tssg.org,2009:/WEBLOG-NAME//97.1354</id>
   
   <published>2009-11-25T15:19:21Z</published>
   <updated>2009-11-25T15:52:37Z</updated>
   
   <summary>Welcome to the TSSG trust and security blog. This blog contains information on the trust and security research being carried out within the TSSG. Topics covered include projects and initiatives we&apos;re involved in, as well as our core security competencies...</summary>
   <author>
      <name>Kieran Sullivan</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.tssg.org/trustandsecurity/">
      <![CDATA[Welcome to the TSSG trust and security blog.

This blog contains information on the trust and security research being carried out within the TSSG. Topics covered include projects and initiatives we're involved in, as well as our core security competencies and the interests of the various security people in the TSSG.

Current projects and initiatives include:

<strong><a href="http://www.comifin.eu/">CoMiFin</a></strong>, <em>Communication Middleware for Monitoring Financial Critical Infrastructure</em>, (FP7-SEC)
The CoMiFin STREP aims to provide an infrastructure-level monitoring, notification and mitigation middleware as an essential element of Financial Infrastructure Protection (FIP). A key objective of CoMiFin is to prove the advantages of having a cooperative approach in the rapid detection of threats. This approach allows groups of financial actors to take advantage of the CoMiFin system for exchanging and processing information, thereby allowing them to take proactive steps in protecting their business continuity.

<strong><a href="http://www.inco-trust.eu/">INCO-TRUST</a></strong>, <em>International Co-operation in Trustworthy, Secure and Dependable ICT infrastructures</em>, (FP7-ICT)
The main purpose of INCO-TRUST is to specifically target international cooperation, which will: (a) promote collaboration and partnerships between programme managers and researchers between the EU and USA, Japan, Korea, Canada and Australia; and, (b) leverage and harmonise global efforts related to the building and maintenance of large-scale trustworthy ICT systems and infrastructures and the services they deliver.

<strong><a href="http://www.parsifal-project.eu/">PARSIFAL</a></strong>, <em>Protection And tRuSt In FinanciAL infrastructures</em>, (FP7-SEC)
PARSIFAL is assessing how to better protect Critical Financial Infrastructures (CFI) as well as information infrastructures that link CFI with other sector Critical Infrastructures (CI).

<strong><a href="http://www.think-trust.eu">Think-Trust</a></strong>, <em>Think Tank for Converging Technical and Non-Technical Consumer Needs in ICT Trust, Security and Dependability</em>, (FP7-ICT)
Think-Trust is investigating Trust, Security, Dependability, Privacy & Identity from both ICT and societal perspectives. The project has a mandate to return recommendations on future policy environments and research agenda. Within Think-Trust, there was support for the establishment of RISEPTIS (Research and Innovation for SEcurity, Privacy and Trustworthiness in the Information Society), a high-level advisory body in ICT research on security and trust aiming at providing visionary guidance on policy and research challenges in the field of security and trust in the Information Society. RISEPTIS released their final report in October 2009.

<strong><a href="http://www.future-internet.eu/home/future-internet-assembly.html">Future Internet Assembly</a></strong>: <strong><a href="http://security.future-internet.eu/index.php/Main_Page">Trust and Identity Cluster</a></strong>
WIT-TSSG are a nominated “caretaker” along with HP and SAP. A “caretaker” role is to coordinate the activities in the cross domain clusters within the FIA and provide a link between the FIA and the <a href="http://www.future-internet.eu/publications/bled-declaration.html">FIA Bled signatory projects</a>.

<strong><a href="http://www.enisa.europa.eu/">ENISA</a></strong>, <em>European Network and Information Security Agency</em>
ENISA could be considered the “Cyber Security” agency of the EU and their mission is helping the European Commission, the Member States and the business communities to address, respond and especially to prevent Network and Information Security problems. Jim Clarke of WIT-TSSG is a Permanent Stakeholder Group (PSG) member of ENISA. The PSG is composed of 30 experts from all over Europe. They are drawn from relevant stakeholder groups such as the information and communication technologies (ICT) industry, ICT user organisations and academic experts in network and information security. The purpose and role of the PSG is to advise the Executive Director of ENISA.
]]>
      
   </content>
</entry>

</feed>
