Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, November 27, 2009

New HP Labs Technical Report - Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation

A new HP Labs Technical Report has been recently released: “Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation” (Authors: Kounga, Gina; Casassa Mont, Marco; Bramhall, Pete):

“Data protection regulations, such as the UK Data Protection Act, require organisations to process personal data according to the conditions consented by the data subjects. Such conditions can be expressed with data items or preferences collected from data subjects and stored in data repositories. Then, enforcing consent requires the policy decision point (PDP) to return authorization decisions based on access control policies and preferences. However, as security good practice requires using different entities for making authorisation decisions and accessing data, the PDP cannot return privacy-aware authorisation decisions if no solution is defined which allows the PDP to identify whether access requests fulfil the consented conditions without accessing the preferences. Existing standards do not solve this issue and previously proposed solutions transfer the decision making to the policy enforcement point. In this paper, we propose a solution that extends the eXtensible Access Control Markup Language standard and improves privacy-aware access control.”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

New MS Research paper: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users"

An interesting paper, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users", has recently been published by Cormac Herley (MS Research), exploring why users so often reject security advice:

"It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.
Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses.
Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain."

--- Posted by Marco Casassa Mont (here and here) ---


Friday, November 20, 2009

ENISA Cloud Computing Risk Assessment Report

ENISA has recently released three documents related to Cloud Computing, all of them available online:
· Cloud Computing Risk Assessment
· Cloud Computing Information Assurance
· Cloud Computing SME Perspective Survey
Enjoy.

--- Posted by Marco Casassa Mont (here and here) ---


On the T-Mobile Incident and Open Questions on Trading Personal Data Online

There has been an incident this week where employees of T-Mobile have been caught selling customer data.
On one hand this has shown that there is a thriving market for this kind of data …
On the other hand, this has also highlighted “interesting issues as under the Data protection Act, it is a criminal offence knowingly or recklessly to obtain or disclose personal data (or to get someone else to do it for you) without the consent of the organisation responsible for that data. ...", as discussed in this article.

--- Posted by Marco Casassa Mont (here and here) ---


Whitepaper – Avoid the 7 Most Common Mistakes of Compliance

Here is a recent whitepaper that might be of interest to the IAM and security community, “Avoiding the 7 Most Common Mistakes of Compliance” (registration is required to get a copy …):

“At the most basic level, there is no single standardized framework or terminology that explicitly defines what your organization must do for compliance. Instead, there are many frameworks with conflicting requirements. Terminology is often vague or interpreted differently within organizations and between geographic regions. Ambiguity abounds due to lack of a universal philosophy of compliance.
A big challenge for security professionals is navigating this ambiguity. Check out this white paper for an in-depth review of the seven most common mistakes of security compliance and tips on using these lessons to meet your compliance goals.”

--- Posted by Marco Casassa Mont (here and here) ---


Monday, November 16, 2009

W3C Workshop on Access Control Application Scenarios – Papers Available Online

The position papers submitted to the W3C Workshop on Access Control Application Scenarios (17/18 November 2009, Luxembourg) are now available online.

A few interesting positions have been made by various authors: I am sure the debates at the workshop are going to be useful and interesting for the security and access control community.

The workshop agenda shows the accepted papers and planned presentations.

One of the accepted position papers is the one I co-authored with a few colleagues:

“Towards an Integrated Approach to the Management, Specification and Enforcement of Privacy Policies”, Marco Casassa Mont, Siani Pearson (Systems Security Lab, HP Labs, Bristol, UK), and Sadie Creese, Michael Goldsmith, Nick Papanikolaou (International Digital Library, University of Warwick, UK)

We take a strong position on the existing gap between risk assessment and management - driven by a variety of business, legal, social and security requirements - and current low-level technical access control languages, policies and frameworks (control points), which can only partially take into account the richness and variety of these requirements.

We believe that the community, instead of focusing its effort on producing yet another access control language and framework, might need to make progress on bridging this gap – to get its proposals leveraged by industry. In our paper we make an initial proposal based on introducing an intermediate “conceptual model” to reason about and identify the nature of existing gaps – as well as ways to address them and drive new technical requirements.

--- Posted by Marco Casassa Mont (here and here) ---


CfP Workshop – Security and Privacy of Pervasive Systems and Smart Devices

Please consider submitting a paper to the WISTP 2010 workshop, which focuses on security and privacy topics for pervasive systems and smart devices. The submission deadline is November 10th:

“The impact of pervasive and smart devices on our daily lives is ever increasing, and the rapid technological development of information technologies ensures that this impact is constantly changing. It is imperative that these complex and resource constrained technologies are not vulnerable to attack. This workshop will consider the full impact of the use of pervasive and smart technologies on individuals, and society at large, with regard to the security and privacy of the systems that make use of them. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy of pervasive systems and smart devices, as well as experimental studies of fielded systems. We encourage submissions that address the application of security technology, the implementation of systems, and lessons learned. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues.”

--- Posted by Marco Casassa Mont (here and here) ---


Updated HPL Web Page with my R&D Work and Other Topics

I eventually found time to update my HP Labs personal web page, where I describe my current R&D work and research activities in security and identity management.

I received a few emails related to a recent post of mine (where I announced an extension of the topics discussed in this blog) asking for more details. Now you can find additional details in my HPL web page.

My focus is indeed on Security, Identity Management and Privacy. In my web page you can find project descriptions, recent publications and HPL technical reports of mine. Enjoy.

--- Posted by Marco Casassa Mont (here and here) ---

Monday, November 2, 2009

Security Trends Report by Microsoft and McAfee: Phishing Scams Relying More Heavily on Worms and Trojans

Based on a recent security trends report by Microsoft and McAfee, it appears that social networks are being targeted by phishing scams that rely more heavily on worms and Trojans to attack computers. Rogue security software also remains a big issue.

Some related articles on this topic can also be found here and here.

--- Posted by Marco Casassa Mont (here and here) ---


3rd PrivacyOS meeting

The 3rd PrivacyOS meeting has taken place in Vienna, 26-27 October 2009.

I attended, along with a few colleagues from HP Labs Bristol, the 3rd PrivacyOS meeting, in Vienna.

It has been a very interesting meeting, with presentations from various stakeholders of the privacy community and debates.

A summary of presentations and related notes can be found here.

--- Posted by Marco Casassa Mont (here and here) ---


Article - Malware is bound to hit smartphone devices as users do not consider security

An interesting article by Dan Raywood, “Malware is bound to hit smartphone devices as users do not consider security”:

“Smartphone attacks are likely to increase, as users are encouraged to take as much care with their device as with their PC. According to a report by CNN, smartphone security threats are likely to rise as the popularity of smartphones is on the rise and malware could be heading for them. …”

I believe this is a real threat. At risk, among many, are business corporate executives and senior people relying on and using smartphones more and more as their core device for their communications, including handling emails and storing confidential data.

I predict that more efforts (in terms of products, solutions, services) will be paid to address these issues, at least at a corporate level …

--- Posted by Marco Casassa Mont (here and here) ---


Update about TSB UK EnCoRe Project – Ensuring Consent and Revocation

The 5th Quarter Summary of EnCoRe (http://www.encore-project.info) R&D activities in the space of Consent and Revocation management is now available online at: http://www.encore-project.info/press_archive/Q5%20summary.pdf

In addition, a new “service” has been launched, about “Latest EnCoRe Tidbits” aiming at providing links to snippets of news related to consent and revocation: http://www.encore-project.info/news.html#story1

More to come. Enjoy.
