ICS

Cyber Security

November 25, 2009

Guiding Cybersecurity Principles for a Swiftly Changing World

Ravi Sandhu, executive director of the Institute for Cyber Security, had an article published a couple of days ago at Technology News on cyber security. The article begins with an excellent summary: "Two principles need to be part of the consciousness of every cybersecurity practitioner: First, security cannot hold back productivity. Technology that makes us more productive will get deployed and used even if it makes information less secure. Second, cyber and physical space will be increasingly entangled to the point where our activities and their impacts will seamlessly transition from one to the other."

Read the full article here.

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 09:02 AM in CIAS, Cyber Security, News, Security | | Comments (0) | TrackBack (0)

November 23, 2009

ICS in the News: Ravi Sandhu on Security Threats to Smart Grid Technologies

Ravi Sandhu, executive director of the Institute for Cyber Security, was covered in a release on security threats to smart grid technologies. From the article:

"'Public Utility Commissions have the unique opportunity to determine the security and integrity of the security metering system,' [said] Ravi Sandhu, Executive Director of The University of Texas at San Antonio’s Institute for Cyber Security. 'Historically, the stand-alone, proprietary nature of the mechanical metering system provided a level of security but limited options for expanded utility and flexibility. Networking these systems requires all parties to re-think the security impact on closed networks and their ecosystems. The integrity of the system network must be maintained and the privacy of the consumers’ data must remain confidential'."

The rest of the release can be found here: http://java.sys-con.com/node/1194413.

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 12:22 PM in CIAS, Cyber Security, Security, Threat Modeling | | Comments (0) | TrackBack (0)

November 18, 2009

ICS Startup SafeMashups Forms MashSSL Alliance

The latest Institute for Cyber Security startup to go live, SafeMashups, Inc., has just announced the launch of the MashSSL alliance. Read the press release below:

MOUNTAIN VIEW, CA--(Marketwire - November 12, 2009) - A consortium of leading technology companies today announced the creation of the MashSSL Alliance, an organization dedicated to evangelizing the use of the MashSSL technology and specification. MashSSL is an innovative way to use the proven and trusted SSL protocol and trust infrastructure to solve the tricky and serious problem of trust establishment between web applications communicating through an end user at a browser. This is a hard problem as the web applications have to assume that the user in the middle could be a malicious hacker or a legitimate user with a malware infected browser.

The founding members of the Alliance include leading SSL certificate vendors Comodo, DigiCert, Entrust and VeriSign; leading providers of security technology and services Arcot, Cenzic, ChosenSecurity, Denim Group, OneHealthPort, QuoVadis, SafeMashups and Venafi; leading security research institutions Institute for Cyber Security, UTSA, MIT Kerberos Consortium and Secure Business Austria, and noted industry security experts.

"Having been both a vendor and security practitioner, what makes MashSSL such an innovative and elegant solution is the fact that it sits on top of SSL at the application layer and does not disrupt the existing ecosystem -- no new crypto protocols to analyze, no changes to the browser and no new types of credentials," said Lynn Terwoerds, Former Head of Security Architecture & Standards, Barclays GRCB, former Senior Security Strategist, Microsoft, and member of the Cloud Security Alliance. "The ability to significantly reduce the risk involved with online collaboration and transactions opens up a whole new realm of opportunities to both product developers and to security practitioners who need to live in a highly virtualized and cloud based world, where applications and data no longer reside in a single location."

"End users' Web experiences, be it in healthcare or any other vertical, are increasingly an aggregation of data and processing from cooperating Web applications that communicate wholly or partially through the user's browser," said Sue Merk, vice president of business development and product management at OneHealthPort, a coalition of health plans, physicians and hospitals that joined together to build a trusted community where business and clinical information could be shared securely. "Unfortunately, a malicious man-in-the-middle attack or a user infected with man-in-the-browser malware can easily subvert such communications. An open standard to solve this universal problem once, and not in a piece meal ad hoc fashion, has been a long time coming. That it is based on the trusted and familiar SSL certificate infrastructure is a bonus."

MashSSL, which was first developed by application authentication pioneer SafeMashups, has now become an open specification with an open source reference implementation, and is in the process of being standardized.

"Using different proprietary security methods and a multitude of quasi-trusted credentials to solve this fundamental problem is clearly inefficient and will lead to administrative errors which underlie many vulnerabilities," said Siddharth Bajaj, Principal in the Innovation Group at VeriSign and steering committee chair of both the MashSSL Alliance and W3C MashSSL XG. "MashSSL repurposes SSL to create a secure application layer pipe through which open protocols like OAuth, OpenID, OpenAJAX, etc., and proprietary applications like payment provider interfaces can flow in a more secure fashion while leveraging the already existing trust and credential infrastructure."

While MashSSL was originally developed for use with newer mashup technologies, it became rapidly apparent that the protocol can be used in any situation where two Web applications need to communicate through a user's browser, where the user may be malicious or the browser infected with malware. Consequently, the potential field of use for MashSSL is very broad, including potentially underlying identity federation protocols, payment button interfaces, etc.

The initial MashSSL specification and open source reference implementation have been made generally available at www.mashssl.org.

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 10:49 AM in Cyber Security, Incubator, Kerberos, MashSSL, Mashups, News, SafeMashups, Security, SSL/TLS, Startups, Trust Computing, Web/Tech | | Comments (0) | TrackBack (0)

November 16, 2009

Speaking at San Antonio Cyber Vision on December 1

Jeff Reich, our director of research operations, will be representing the Institute for Cyber Security at the  San Antonio Cyber Vision Hi-Tech Mixer. Jeff will share the panel with San Antonio Mayor Julian Castro and MGen Richard Webber of the 24th Air Force discussing San Antonio's transformation into a "cyber city". Folks in the San Antonio area who are interested in cyber security should definitely plan to attend the talk that evening.

From the San Antonio Tech News site:

"Please join Technology Connexus Association Board of Directors with Special Guest Speaker, San Antonio Mayor Julian Castro to hear about transforming San Antonio into Cyber City USA. We also welcome MGen Richard Webber (Invited), Commander, 24th Air Force and Jeff Reich, Director of Research Operations, UTSA Institute for Cyber Security.

It's the original San Antonio Hi-Tech Mixer featuring fantastic food, great beverages, fabulous door prizes, and the best power networking in San Antonio."

Date: Tuesday, December 1st, 2009, 5:30PM
Location: Chisolm Building, Brass Professional Center 4400 NW Loop 410 San Antonio, TX 78229
Phone: (210) 582-5814

For more details, go to the conference site.

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 07:05 AM in CIAS, Cyber Security, Email, News | | Comments (0) | TrackBack (0)

November 14, 2009

Ravi Sandhu Speaking on the Future of Cyber Security in Shreveport on Tuesday

Ravi Sandhu, executive director of the Institute for Cyber Security, will be representing ICS at the Ark-La-Tex Chapter of AFCEA, discussing the future of cyber security. Consider attending the talk if you have an interest in cyber security and will be in the Shreveport area.

From the Shreveport Times:

"Ravi Sandhu, founder and executive director of the Institute for Cyber Security at the University of Texas at San Antonio, will be guest speaker at Tuesday's monthly luncheon of the Ark-La-Tex Chapter of AFCEA, the Armed Forces Communications and Electronics Association. Sandhu's topic will be 'Speculations on the future of cyber security in 2025.'"

Date: Tuesday, November 17th, 2009, 11:30AM
Location: DiamondJack's Casino, 711 Diamond Jack's Blvd,Bossier City, LA 71111
Phone: (318) 678-7777

For more details, go to the chapter site.

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 04:10 PM in CIAS, Cyber Security, Events, Security | | Comments (0) | TrackBack (0)

November 13, 2009

ICS Facilitating Inaugural ACM Conference on Data and Application Security and Privacy

The Institute for Cyber Security will be facilitating a conference for the SIGSAC in the Association of Computing Machinery in February 2011 in San Antonio, Texas. The conference, called the Conference on Data and Application Security and Privacy (Or CODASPY) will cover topics on cyber security, data privacy, access control, and other fields related to security.

See the announcement below, and at the the CODASPY site.

1st ACM Conference on Data and Application Security and Privacy

February 2011, San Antonio, Texas
Pending ACM Approval

Announcement: ACM SIGSAC announces the creation of a new annual ACM Conference on Data and Applications Security. The inaugural conference will be held in February 2011 in San Antonio, Texas (exact dates and hotel to be announced). With rapid global penetration of the Internet and smart phones and the resulting productivity and social gains, the world is becoming increasingly dependent on its cyber infrastructure. Criminals, spies and predators of all kinds have learnt to exploit this landscape much quicker than defenders have advanced in their technologies. Security and Privacy has become an essential concern of applications and systems throughout their lifecycle. Security concerns have rapidly moved up the software stack as the Internet and web have matured. The security, privacy, functionality, cost and usability tradeoffs necessary in any practical system can only be effectively achieved at the data and application layers. This new conference provides a dedicated venue for high-quality research in this arena, and seeks to foster a community with this focus in cyber security.

Scope: Data and the applications that manipulate data are the crucial assets in today's information age. With the increasing drive towards availability of data and services anytime anywhere, security and privacy risks have increased. Vast amounts of privacy-sensitive data are being collected today by organizations for a variety of reasons. Unauthorized disclosure, modification, usage or denial of access to these data and corresponding services may result in high human and financial costs. New applications such as social networking and social computing provide value by aggregating input from numerous individual users and/or the mobile devices they carry with them and computing new information of value to society and individuals. To achieve efficiency and effectiveness in traditional domains such as healthcare there is a drive to make these records electronic and highly available. The need for organizations and government agencies to share information effectively is underscored by rapid innovations in the business world that require close collaboration across traditional boundaries and the dramatic failure of old-style approaches to information protection in government agencies in keeping information too secret to connect the dots. Security and privacy in these and other arenas can be meaningfully achieved only in context of the application domain. Data and applications security and privacy has rapidly expanded as a research field with many important challenges to be addressed. The goal of the conference is to discuss novel exciting research topics in data and application security and privacy and to lay out directions for further research and development in this area. The conference seeks submissions from diverse communities, including corporate and academic researchers, open source projects, standardization bodies, governments, system and security administrators, software engineers and application domain experts.

Topics: Include but not limited to

  • Application layer security policies
  • Authorization /Access Control for Applications
  • Authorization/Access Control for Databases
  • Data dissemination controls
  • Data forensics
  • Enforcement layer security policies
  • Privacy preserving techniques
  • Private information retrieval
  • Search on protected/encrypted data
  • Secure auditing
  • Secure collaboration
  • Secure data provenance
  • Secure electronic commerce
  • Secure information sharing
  • Secure knowledge management
  • Secure multiparty computations
  • Secure software development
  • Securing data/apps on untrusted platforms
  • Securing the semantic web
  • Security and Privacy in GIS/Spatial Data
  • Security and Privacy in Healthcare
  • Security policies for databases
  • Social computing security and privacy
  • Social networking security and privacy
  • Application, data and user trust metrics
  • Web application security

General Chair: Ravi Sandhu, Institute for Cyber Security (ICS), University of Texas at San Antonio

Program Chair: Elisa Bertino, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue U.

Local Arrangements Chair: Jeffrey Reich, Institute for Cyber Security (ICS), University of Texas at San Antonio

Program Committee: To be announced

Conference Web Site: www.codaspy.org

Important Dates: To be announced

Interested Volunteers: Contact Ravi Sandhu at ravi.sandhu@utsa.edu or Elisa Bertino at bertino@purdue.edu as appropriate

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 11:18 AM in Access Control, Browsers, CIAS, Cloud Computing, Conference, Cryptography, Cyber Security, News, Privacy, Risk Management, Secure Hashing, Security, Single Sign-on, Software, SSL/TLS, Threat Modeling, Trust Computing, Web/Tech | | Comments (0) | TrackBack (0)

November 06, 2009

Edify Friday: Parallel Computing in .NET 4.0 with PLINQ

The Institute for Cyber Security uses C# and the .NET Framework for our startups in incubation, internal research projects, community exercises, and more. With the second beta of Visual Studio 2010 out, we've been really interested in the framework and language changes, and are evaluating it for integration into our software process. One change in particular is PLINQ, which stands for Parallel Language Integrated Query. This builds on LINQ, introduced two years ago, which added native data querying capabilities to .NET languages. Thus, today's Edify Friday covers a simple way to use PLINQ in C# code.

First, let's take a look at a simple LINQ example. Below is a simple program that counts the number of even numbers up to a ceiling (see Listing 1 below):

using System;
using System.Linq;
using System.Collections.Generic;
using System.Diagnostics;

namespace PlinqExample {
  class HelloWorldPlinq {
    static void Main(string[] args) {
      Stopwatch sw = Stopwatch.StartNew();
      int numEven = CountEven(1000000);
      Console.Write("Found {0} even numbers. ", numEven);
      Console.WriteLine("Elapsed: {0} ms", sw.ElapsedMilliseconds);
    }

    private static int CountEven(int top) {
      IEnumerable<int> allNumbers = Enumerable.Range(1, top);
      var q = from i in allNumbers where (i % 2 == 0) select i;
      return q.Count();
    }
  }
}

Listing 1: HelloWorldPlinq.cs

When running the application, one should get something similar to the following: "Found 500000 even numbers. Elapsed: 18 ms." (naturally, the elapsed time will vary based on CPU power and processor availability).

Now, we'll modify one line from above to make use of PLINQ (see Listing 2 below):

private static int CountEven(int top) {
  IEnumerable<int> allNumbers = Enumerable.Range(1, top);
  var q = from i in allNumbers.AsParallel() where (i % 2 == 0) select i;
  return q.Count();
}

Listing 2: Partial Listing of HelloWorldPlinq.cs

By using the AsParralel() method, we effectively cast q as a different object entirely that can take advantage of threading for its calculations. Now running the application may give you something similar to the following: "Found 500000 even numbers. Elapsed: 14 ms."

Got a topic that you'd like to see covered in Edify Friday? Leave a comment below or email me!

Erhan J Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 10:12 AM in .NET, CIAS, Cyber Security, Database, Edify Friday, Education, Programming | | Comments (0) | TrackBack (0)

November 04, 2009

ICS in the News: ICS Advises the Air Force Association on its Cyber Defense Competition

Reuters had an interesting article on the operations division at ICS, covering the Air Force Association's Cyber Defense Competition. In the article, the AFA mentions that competition benefits greatly through the advice and assistance of ICS's Greg White, director of ICS's operations division. Through Greg's efforts, ICS also created and conducts the National Collegiate Cyber Defense Competition.

Additionally, The Journal covered the announcement as well, covering how the 125,000-member AFA is geared to promote public understanding of aerospace power and its critical relationship to national security. The article also describes Greg White as a "cyber security expert" and discusses his service as an advisor for the competition.

For more information on ICS and its operations, commercialization, and research divisions, visit the ICS site.

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 11:46 AM in CIAS, Contests, Cyber Security, Education, Incubator, News | | Comments (0) | TrackBack (0)

November 02, 2009

Speaking at InnoTech 2009 Oklahoma City on November 4

Jeff Reich, our director of research operations, will be representing the Institute for Cyber Security at the InnoTech 2009 conference, speaking on securing the present and future of cloud computing on Wednesday, November 4. Folks in the Oklahoma City area who are interested in cloud computing or security (or both!) should plan to attend the talk on Wednesday afternoon.

From the InnoTech site

"In April of 2009, the Cloud Security Alliance published version 1 of Security Guidance for Critical Areas of Focus in Cloud Computing. Version 2 of this guidance is scheduled for release in October of 2009.

In this session, Jeff Reich will provide an overview of the updated guidance and identify some of the key security risks being introduced to the enterprise by the rapid adoption of cloud computing, a look ahead to how cloud computing will transform business and the nature of IT."

Date: Wednesday, November 4th, 2009
Location: Oklahoma City Cox Business Services Convention Center, 51 Myriad Gardens, Oklahoma City, OK 73102-9219
Phone: (405) 602-8500

For more details, go to the conference site.

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 09:46 AM in CIAS, Cloud Computing, Conference, Cyber Security, Events, Security | | Comments (0) | TrackBack (0)

October 31, 2009

ICS in the New York Times

Ravi Sandhu, executive director of the Institute for Cyber Security, and Dwayne Williams, associate director of special projects at ICS, were covered in an article for the New York Times. The article covers the San Antonio involvement in Cyberwarfare, and discusses the Institute and, our "Dark Screen" exercise for different municipalities across the country, and the Air Force 24th Command. An interesting read on San Antonio's involvement with DHS, NIS, ICS, and other acronyms, the full article can be found here.

Erhan J. Kartaltepe, PMP
erhan.kartaltepe-at-utsa.edu

Posted at 02:00 PM in CIAS, Cyber Security, Interview, News, Security | | Comments (0) | TrackBack (0)

Next »