IEEE Security & Privacy: latest publications

Cybersecurity Advocates: Force Multipliers in Security Behavior Change
IEEE Security & Privacy, vol. 19, no. 4, published 2021-07-01. DOI: 10.1109/msec.2021.3077405
Impact factor 1.9; Zone 4, Computer Science
Authors: Julie Haney, Wayne Lutters, Jody Jacobs
Abstract: Cybersecurity advocates motivate individuals and organizations to adopt positive security behaviors. Based on our research, we describe qualities of successful advocates. Our findings have practical implications for expanding the cybersecurity workforce by recruiting and developing professionals who can be effective in advocate or other people-oriented security roles.
Open-access PDF (PMC): https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10087777/pdf/nihms-1873181.pdf
Citations: 2
A Decade of Reoccurring Software Weaknesses
IEEE Security & Privacy, vol. 19, no. 6, published 2021-01-01. DOI: 10.1109/msec.2021.3082757
Impact factor 1.9; Zone 4, Computer Science
Authors: Assane Gueye, Carlos E C Galhardo, Irena Bojanova, Peter Mell
Abstract: The Common Weakness Enumeration (CWE) community publishes an aggregate metric to calculate the "Most Dangerous Software Errors." However, the equation used heavily biases frequency over exploitability and impact. We provide a metric to mitigate this bias and discuss the most significant software weaknesses over the last ten years.
Open-access PDF (PMC): https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10021008/pdf/nihms-1873177.pdf
Citations: 4
Cryptography Standards in Quantum Time: New Wine in Old Wineskin?
IEEE Security & Privacy, vol. 15, no. 4, pp. 51-57, published 2017-07-01 (e-published 2017-08-17). DOI: 10.1109/MSP.2017.3151339
Impact factor 1.9; Zone 4, Computer Science
Author: Lidong Chen
Abstract: The history of cryptography standards is reviewed, with a view to planning for the challenges, uncertainties, and strategies that the standardization of postquantum cryptography will entail.
Citations: 18
Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
IEEE Security & Privacy, vol. 2014, pp. 114-129, published 2014-01-01. No DOI listed.
Impact factor 1.9; Zone 4, Computer Science
Authors: Chad Brubaker, Suman Jana, Baishakhi Ray, Sarfraz Khurshid, Vitaly Shmatikov
Abstract: Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of the secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if one SSL/TLS implementation accepts a certificate while another rejects the same certificate, we use the discrepancy as an oracle for finding flaws in individual implementations. Differential testing with frankencerts uncovered 208 discrepancies between popular SSL/TLS implementations such as OpenSSL, NSS, CyaSSL, GnuTLS, PolarSSL, MatrixSSL, etc. Many of them are caused by serious security vulnerabilities. For example, any server with a valid X.509 version 1 certificate can act as a rogue certificate authority and issue fake certificates for any domain, enabling man-in-the-middle attacks against MatrixSSL and GnuTLS. Several implementations also accept certificate authorities created by unauthorized issuers, as well as certificates not intended for server authentication. We also found serious vulnerabilities in how users are warned about certificate validation errors. When presented with an expired, self-signed certificate, NSS, Safari, and Chrome (on Linux) report that the certificate has expired (a low-risk, often ignored error) but not that the connection is insecure against a man-in-the-middle attack. These results demonstrate that automated adversarial testing with frankencerts is a powerful methodology for discovering security flaws in SSL/TLS implementations.
Open-access PDF (PMC): https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4232952/pdf/nihms612855.pdf
Citations: 0
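The two ingredients in the abstract above (recombined certificate parts as inputs, disagreement between implementations as the oracle), as an added example that is not part of the paper or of this listing. Everything here is constructed: certificates are plain records rather than DER, the two "implementations" are simplified validators written for this example (they are not GnuTLS, MatrixSSL or OpenSSL), and the part pools, names, trust anchor and clock value are invented. The "lenient" validator deliberately reproduces the bug class the abstract describes, treating an X.509 v1 issuer (which cannot carry basicConstraints) as a CA, and the harness then surfaces it purely from the accept/reject split, without being told what to look for.

```python
"""Model of frankencert-style differential testing of X.509 chain validation.
Constructed example: records instead of DER, toy validators instead of real TLS libraries."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    version: int                      # 1 = X.509v1 (no extensions), 3 = X.509v3
    not_before: int                   # validity window in abstract time units
    not_after: int
    basic_constraints: Optional[Tuple[bool, Optional[int]]]  # (cA, pathLenConstraint); None = absent
    key_usage: Optional[FrozenSet[str]]                      # None = extension absent
    ext_key_usage: Optional[FrozenSet[str]]                  # None = extension absent


# Constructed trust anchor and clock; every chain must terminate at ROOT.
ROOT = Cert("Root CA", "Root CA", 3, 0, 1000, (True, None), frozenset({"keyCertSign"}), None)
NOW = 500


def validate(chain: List[Cert], hostname: str, v1_is_ca: bool) -> Optional[str]:
    """Return None if chain[0] is accepted for hostname, else the first rejection reason.
    chain[0] is the server certificate; chain[-1] must be issued by ROOT.
    v1_is_ca switches on the modelled bug: a v1 issuer with no basicConstraints counts as a CA."""
    if not chain:
        return "empty chain"
    leaf = chain[0]
    if leaf.subject != hostname:
        return "name mismatch"
    if leaf.ext_key_usage is not None and "serverAuth" not in leaf.ext_key_usage:
        return f"{leaf.subject}: not valid for serverAuth"
    links = list(chain) + [ROOT]
    for depth, cert in enumerate(links[:-1]):
        if not (cert.not_before <= NOW <= cert.not_after):
            return f"{cert.subject}: outside validity period"
        if cert.issuer != links[depth + 1].subject:
            return f"{cert.subject}: issuer does not match {links[depth + 1].subject}"
    # Every certificate that signs another one must be allowed to act as a CA.
    for idx, ca in enumerate(links[1:], start=1):
        intermediates_below = idx - 1
        if ca.key_usage is not None and "keyCertSign" not in ca.key_usage:
            return f"{ca.subject}: keyUsage forbids certificate signing"
        if ca.basic_constraints is None:
            if v1_is_ca and ca.version == 1:
                continue  # the bug: v1 certs have no extensions, so "nothing says it is not a CA"
            return f"{ca.subject}: not a CA (basicConstraints absent)"
        is_ca, path_len = ca.basic_constraints
        if not is_ca:
            return f"{ca.subject}: not a CA (cA=FALSE)"
        if path_len is not None and intermediates_below > path_len:
            return f"{ca.subject}: pathLenConstraint {path_len} exceeded"
    return None


# The "implementations" under test: the same validator with and without the modelled bug.
IMPLEMENTATIONS: Dict[str, Callable[[List[Cert]], Optional[str]]] = {
    "strict": lambda chain: validate(chain, "example.com", v1_is_ca=False),
    "lenient": lambda chain: validate(chain, "example.com", v1_is_ca=True),
}

# Part pools standing in for fragments harvested from real certificates (constructed).
VALIDITY = ((0, 1000), (600, 1000), (0, 400))           # valid, not yet valid, expired
BASIC_CONSTRAINTS = (None, (True, None), (True, 0), (False, None))
KEY_USAGE = (None, frozenset({"keyCertSign"}), frozenset({"digitalSignature"}))
EXT_KEY_USAGE = (None, frozenset({"serverAuth"}), frozenset({"clientAuth"}))
NAMES = ("example.com", "mid1.example", "mid2.example")


def frankencert(rng: random.Random) -> List[Cert]:
    """Assemble a well-linked chain of depth 1..3 from randomly recombined parts."""
    depth = rng.randint(1, 3)
    chain = []
    for i in range(depth):
        version = rng.choice((1, 3))
        if version == 1:          # a v1 certificate has no extensions field at all
            bc, ku, eku = None, None, None
        else:
            bc, ku, eku = rng.choice(BASIC_CONSTRAINTS), rng.choice(KEY_USAGE), rng.choice(EXT_KEY_USAGE)
        not_before, not_after = rng.choice(VALIDITY)
        subject = rng.choice(("example.com", "attacker.example")) if i == 0 else NAMES[i]
        issuer = NAMES[i + 1] if i + 1 < depth else ROOT.subject
        chain.append(Cert(subject, issuer, version, not_before, not_after, bc, ku, eku))
    return chain


def differential_test(n_chains: int = 2000, seed: int = 1):
    """Feed identical chains to every implementation; a split accept/reject verdict is a finding."""
    rng = random.Random(seed)
    findings = []
    for _ in range(n_chains):
        chain = frankencert(rng)
        verdicts = {name: impl(chain) for name, impl in IMPLEMENTATIONS.items()}
        if len({reason is None for reason in verdicts.values()}) > 1:
            findings.append((chain, verdicts))
    return findings


def rogue_issuers(chain: List[Cert]) -> List[str]:
    """Issuers in the chain that are v1 and therefore carry no basicConstraints."""
    return [c.subject for c in chain[1:] if c.version == 1 and c.basic_constraints is None]


# Hand-built reproduction of the abstract's scenario: a v1 end-entity certificate issued by
# the trusted root is used to sign a certificate for example.com.
VICTIM_V1 = Cert("victim.example", ROOT.subject, 1, 0, 1000, None, None, None)
ROGUE_CHAIN = [Cert("example.com", "victim.example", 3, 0, 1000, None, None, frozenset({"serverAuth"})),
               VICTIM_V1]

if __name__ == "__main__":
    for name, impl in IMPLEMENTATIONS.items():
        print(f"{name:8s} rogue chain -> {impl(ROGUE_CHAIN) or 'ACCEPTED'}")
    findings = differential_test()
    print(f"{len(findings)} discrepancies in 2000 frankencerts")
    for chain, verdicts in findings[:3]:
        print(" ", [c.subject for c in chain], verdicts, "rogue issuers:", rogue_issuers(chain))
```

Running the file prints the split verdict on the hand-built rogue chain and then the discrepancies the random harness found on its own; in every one of them the strict validator's reason names a v1 issuer without basicConstraints, which is how clustering findings by their rejection reason points at the underlying bug. In a real harness the two lambdas in IMPLEMENTATIONS are replaced by calls into actual TLS libraries and the part pools by fields cut from real certificates; the oracle logic stays the same.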
Securing Information Technology in Healthcare
IEEE Security & Privacy, vol. 11, no. 6, pp. 25-33, published 2013-08-08. DOI: 10.1109/MSP.2013.104
Impact factor 1.9; Zone 4, Computer Science
Authors: Denise Anthony, Andrew T Campbell, Thomas Candon, Andrew Gettinger, David Kotz, Lisa A Marsch, Andrés Molina-Markham, Karen Page, Sean W Smith, Carl A Gunter, M Eric Johnson
Abstract: Dartmouth College's Institute for Security, Technology, and Society conducted three workshops on securing information technology in healthcare, attended by a diverse range of experts in the field. This article summarizes the three workshops.
Open-access PDF (PMC): https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4219362/pdf/nihms570981.pdf
Citations: 0
Experience-Based Access Management: A Life-Cycle Framework for Identity and Access Management Systems
IEEE Security & Privacy, vol. 9, no. 5, pp. 48-55, published 2011-01-01. DOI: 10.1109/MSP.2011.72
Impact factor 1.9; Zone 4, Computer Science
Authors: Carl A Gunter, David Liebovitz, Bradley Malin
Abstract: Experience-based access management incorporates models, techniques, and tools to reconcile differences between the ideal access model and the enforced access control.
Citations: 52