From Passwords to Biometrics - In Pursuit of a Panacea
Steven Furnell, University of Plymouth, United Kingdom
Hiding in a Panopticon - Grand Challenges in Internet Anonymity
Bryan Ford, Yale University, United States
Privacy in Social Networks - Existing Challenges and Proposals for Solution
Günther Pernul, University of Regensburg, Germany
Current Research Topics in Information Security
Edgar Weippl, University of Vienna, SBA Research, Austria
From Passwords to Biometrics - In Pursuit of a Panacea
Steven Furnell
University of Plymouth
United Kingdom
Brief Bio
Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at Plymouth University in the United Kingdom, and an Adjunct Professor with Edith Cowan University in Western Australia. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is active within three working groups of the International Federation for Information Processing (IFIP) - namely Information Security Management, Information Security Education, and Human Aspects of Information Security & Assurance. He is the author of over 240 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the System (2005). He is also the editor-in-chief of Information Management & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium (www.haisa.org). Steve is active in a variety of professional bodies, and is a Fellow of the BCS, a Senior Member of the IEEE, and a full member of the Institute of Information Security Professionals. Further details can be found at www.plymouth.ac.uk/cscan, with a variety of security podcasts also available via www.cscan.org/podcasts. Steve can also be followed on Twitter (@smfurnell).
Abstract
Achieving effective and acceptable means of user authentication has been a long-recognised challenge of IT security. While passwords are still dominant, today's implementations are exhibiting a much greater diversity of techniques and technologies, particularly in relation to those used on mobile devices. We can now readily see examples of alternative forms of secret-based approach, as well as techniques that replace or supplement secrets with tokens and biometrics. However, the rationale in some cases is not specifically to make the security stronger, but rather to make it more accessible and easier to use, which in turn increases the chances of users having some protection rather than none at all. This presentation examines the situation, and considers the fact that while the range of authentication opportunities has diversified, we are still some way from having a universally applicable and effective solution.
Hiding in a Panopticon - Grand Challenges in Internet Anonymity
Bryan Ford
Yale University
United States
Brief Bio
Bryan Ford leads the Decentralized/Distributed Systems (DeDiS) research group at Yale University. His work focuses broadly on building secure systems, touching on many particular topics including secure and certified OS kernels, parallel and distributed computing, privacy-preserving technologies, and Internet architecture. He has received the Jay Lepreau Best Paper Award at OSDI, and multiple grants from NSF, DARPA, and ONR, including the NSF CAREER award. His pedagogical achievements include PIOS, the first OS course framework leading students through development of a working, native multiprocessor OS kernel. Prof. Ford earned his B.S. at the University of Utah and his Ph.D. at MIT, while researching topics including mobile device naming and routing, virtualization, microkernel architectures, and touching on programming languages and formal methods.
Abstract
Many people have legitimate needs to avoid their online activities being tracked and linked to their real-world identities - from citizens of authoritarian regimes, to everyday victims of domestic abuse or law enforcement officers investigating organized crime. Current state-of-the-art anonymous communication systems are based on onion routing, an approach effective against localized adversaries with a limited ability to monitor or tamper with network traffic. In an environment of increasingly powerful and all-seeing state-level adversaries, however, onion routing is showing cracks, and may not offer reliable security for much longer. All current anonymity systems are vulnerable in varying degrees to five major classes of attacks: global passive traffic analysis, active attacks, "denial-of-security" or DoSec attacks, intersection attacks, and software exploits. Achieving tracking resistance in the future Internet will require solving the grand challenges presented by these classes of attacks.
The Dissent project is prototyping a next-generation anonymity system representing a ground-up redesign of current approaches. Dissent is the first anonymity and pseudonymity architecture incorporating protection against the five major classes of known attacks. By switching from onion routing to alternate anonymity primitives offering provable resistance to traffic analysis, Dissent makes anonymity possible even against an adversary who can monitor most, or all, network communication. A collective control plane renders a group of participants in an online community indistinguishable even if an adversary interferes actively, such as by delaying messages or forcing users offline. Protocol-level accountability enables groups to identify and expel misbehaving nodes, preserving availability, and preventing adversaries from using denial-of-service attacks to weaken anonymity. The system computes anonymity metrics that give users realistic indicators of anonymity protection, even against adversaries capable of long-term intersection and statistical disclosure attacks, and gives users control over tradeoffs between anonymity loss and communication responsiveness. Finally, virtual machine isolation offers anonymity protection against browser software exploits of the kind recently employed to de-anonymize Tor users. Dissent is still an early proof-of-concept with many limitations and missing pieces, but we hope it serves to illustrate directions in which solutions to the grand challenges of online anonymity might be found.
Privacy in Social Networks - Existing Challenges and Proposals for Solution
Günther Pernul
University of Regensburg
Germany
Brief Bio
Günther Pernul has been a professor since 2002 at the University of Regensburg, Germany, heading the Department of Information Systems. Prior to that, he held a similar position at the University of Essen, Germany. He was a post-doctoral scholar at the University of Florida, Gainesville, FL, as well as at the Georgia Institute of Technology, Atlanta, GA. His research interests are security and privacy in data-centred applications, information systems security, individual privacy and data protection, identity and access management, and advanced database applications. Dr. Pernul has written or edited more than 10 books and published more than 100 papers in scientific journals and conference proceedings on various information systems topics. He serves on several committees and advisory boards. He has participated in many national and international research projects, including as coordinator of the European FP7 projects SPIKE and IPICS and of the nationally funded SecPat and FORSec research projects. The website of his research group may be reached at www-ifs.uni-regensburg.de.
Abstract
Social Networks play an increasingly important role for social interaction, allowing their users to bridge spatial and temporal communication boundaries.
However, through their rising pervasiveness and their use of sensitive data such as geospatial information, the rise of social networks has also prompted privacy concerns. On the one hand, in the current oligopolistic landscape of social networks, a few service providers gather large amounts of personal data that can be used for profiling and targeted advertising. On the other hand, the users' own contacts threaten their privacy: users are unaware of which contacts have access to items they have shared on their profile, and they lack suitable tools to control the visibility of these items. This talk presents existing challenges in the field of social network privacy and discusses new solutions, such as serious games and visualizations, to address these issues.
Current Research Topics in Information Security
Edgar Weippl
University of Vienna, SBA Research
Austria
Brief Bio
After graduating with a Ph.D. from the Vienna University of Technology, Edgar Weippl worked in a research startup for two years. He then spent one year teaching as an assistant professor at Beloit College, WI. From 2002 to 2004, while with the software vendor ISIS Papyrus, he worked as a consultant in New York, Albany, U.S.A., and in Frankfurt, Germany. In 2004 he joined the Vienna University of Technology and founded the research center SBA Research together with A Min Tjoa and Markus Klemen.
Abstract
NOTE: This was a replacement keynote.
Over the last few years, there has been an increasing number of descriptive works observing and describing complex phenomena, e.g., the efficiency of different spam campaigns, the distribution of bots, or the likelihood of users accepting false identities as friends in social networks. These studies are characterized by large sets of samples.
Future research will focus on networks and cloud systems; the research methodology will be empirical systems security: (1) passively observing large systems, and (2) actively probing them in ways that stimulate revealing behaviour. The research contribution lies in observing, describing and inferring the behaviour of complex systems that cannot be directly observed and that have a large impact on users.