
Ruzena Bajcsy
Session W3: 3D tele-immersive (3DTI)

Dance choreography is a system of techniques used to create new dances. Creating a new dance requires choreographer/dancers to engage with inner motivations to express feelings as well as to dialogue with the external environment, whether that be visual, aural, tactile, or kinesthetic environmental stimulus on a stage or in a laboratory. Imagine a moment when a dancer enters into a 3D tele-immersive (3DTI) room surrounded by multiple 3D digital cameras and displays, where internal and external cues for creative movements come not only from physical objects in the 3DTI room, but also from a remote dancer who is placed in geographically-remote 3DTI room and appears in a joint virtual space with our dancer. Suddenly the choreographer has exponentially more options to create new body movements in the new dance since the 3DTI technology offers an array of visual stimulations called Digital Options which will influence this movement making process. The hope is that random, nondeterministic behaviors found within this new dance-making process will interact with the distributed 3DTI system causing different functional and data configurations and compositions
Becky Base

Session (TH- 4)
An interactive discussion of current events in Information Security

Abstract: Information Security issues and incidents are common fodder for today's press. The quality of this coverage varies widely and it is often difficult to differentiate between those incidents that represent cataclysmic events and those that are novel hacks that have captured the interest of reporters. In this session, we'll consider a set of issues and the events that highlight them, ranging from pure hype to harbingers of major disasters. Where interesting, we'll take a look at the lapses that enable the problems and explore those analytic protocols that allow one to discern hype from real problems. Furthermore, we'll explore whether these incidents suggest common requirements, not addressed by current security technologies, that might represent the basis for new security research endeavors.

Session (F-2)
Towards a vision of Active Compliance Mechanisms

In the seemingly endless economic analyses of the financial industry, one might reasonably ask what checks and balances might have prevented the current market collapse. As the execution of most financial activities is conducted on IT systems, is it time to consider more active compliance technologies to prevent the problems associated with unduly risky activities? In this session we'll discuss the requirements for such functions, in light of lessons learned as we've used system audit and intrusion detection mechanisms.


KC Claffy

Session TH1 & F3: Ten Things Lawyers Should Know About the Internet

Updating legal frameworks to accommodate technological advancement of communications capabilities requires first updating other legal frameworks to accommodate empirically grounded research into what we have built, how it is used, and what it costs to sustain. Unfortunately for -- and due to -- well-intentioned policymakers, our scientific knowledge about the Internet is weak because researchers are typically not allowed access to any data on operational network infrastructure for privacy reasons. This data access problem was recognized long ago for its detrimental impact on infrastructure protection capabilities; many public and private sector efforts have failed to solve it. Public policy intended to protect individual user privacy places the research community in the absurd situation of not being able to do the most basic network research even on the networks established explicitly to support academic network research. Despite the methodological limitations of Internet science today, the few data points available suggest a dire picture of the future. But while the situation overwhelmingly indicates the need for a closer objective look, the only people with measurement capability on publicly accessible network infrastructure today are tasked with inferring as much private information on individual users as possible-- whether it's to target terrorists or ads. The traditional mode of getting data from public infrastructures to inform policymaking-- regulating its collection -- is a quixotic path, since the government regulatory agencies have as much reason to be reluctant as providers regarding disclosure of how the Internet is engineered, used, and financed. Less surprising with hindsight, the opaqueness of the infrastructure to empirical analysis has generated many problematic responses from rigidly circumscribed communities trying to get their jobs done. 
As dismal as it sounds though, the news is not all bad -- there is a reason everyone wants to be connected to all the world's knowledge, as well as each other, besides its status as the most powerful complex system ever created by man. The Internet's practical promise for individual freedom, democratic engagement, and economic empowerment is also unparalleled. Moreover, even in the dim light of the profoundly needed but underattended interdisciplinary research into the network, we can ascertain some concrete constraints on the possible range of policy solutions, which all involve increasing the congruity between what we legislate and what we know.

Reading beforehand:
http://www.caida.org/publications/papers/2008/lawyers_top_ten/


Julie Earp

Session T3: Developing Secure Technology: The People Factor

Increasing amounts of personal information are being exchanged every day. Whereas this brings about many ethical and technical questions with regard to data protection, numerous researchers are engaged in developing new techniques and methods for dealing with the associated problems. When developing and analyzing new protective technologies, it is important to consider the perceptions and responses of end users. Users are typically concerned about privacy and security, but do not necessarily understand how these issues are impacted by the use of new technologies. If the end users are reluctant to accept a new technology, then we have made minimal progress. In this talk, I will discuss the results of our most significant surveys that capture end user perceptions of information security and privacy. The results are impacting the design of current and future systems, as well as organizational and U.S. policy.

Session W1: Privacy Policy

U.S. legislation at both the federal and state levels mandates certain organizations to inform customers about information uses through appropriate disclosures. Such disclosures are typically accomplished through privacy policies, both online and offline. Unfortunately, the policies are not easy to comprehend, and consumers do not typically read the policies provided by these organizations. Furthermore, the policies do not always accurately represent the true practices of the organization. Specific legislation such as HIPAA and GLBA also have language that addresses the disclosure of privacy practices to consumers. Since the policies are so closely tied to the technologies in use, it is important to consider this dimension of the privacy and security challenge. In this talk, I will describe some of our research that addresses the intersection of consumers, privacy policy and legislation. The results of our work and other studies, pose interesting ethical questions for industry and society at large, and help illustrate the significance of the privacy policy problem and how it relates to the development of today’s complex systems.

Suggested readings beforehand are:
Please note these are optional and simply describe the studies I will be discussing.

Vail, M., J.B. Earp and A.I. Antón. “An Empirical Study of Consumer Perceptions and Comprehension of Website Privacy Policies,” /IEEE Transactions on Engineering Management/, 55(3), pp.442-454, August 2008.

Antón, A., J.B. Earp, M. Vail, N. Jain, C. Gheen and J. Frink. “An Analysis of Web Site Privacy Policy Evolution in the Presence of HIPAA,” /IEEE Security and Privacy/, pp.45-52, January/February 2007.

Earp, J.B., A.I. Antón, L. Aiman-Smith, W. Stufflebeam. “Examining Internet Privacy Policies within the Context of User Privacy Values.” /IEEE Transactions on Engineering Management/, 52(2), pp.227-237, May 2005.

Antón, A., J.B. Earp, D. Bolchini, Q. He, C. Jensen and W. Stufflebeam. “The Lack of Clarity in Financial Privacy Policies and the Need for Standardization,” /IEEE Security and Privacy/, 2(2), pp.36-45, March-April 2004.


Brianna Gamp

Session T4 & F4: Security’s Role in an Agile Software Development Lifecycle

Integration of security into the software development lifecycle has been studied intensively; however, in an environment where products are constantly evolving, merging, being deprecated, and rising from the ashes, existing models and prototypes are not sufficient.

Application of these models can lead to:
- unnecessary direct involvement from security professionals;
- inconsistent application of security controls, and;
- identification of security issues only after they are in production.

Tackling these challenges is always complicated by limited resources and the drive for both business and technology innovation. A successful team will be attuned to a dynamic risk map and integrated with the changing processes.

This talk will cover the efforts eBay has undergone and lessons learned in adapting industry-accepted strategies into its environment. How do you integrate with existing processes while not increasing overhead? How do you avoid security involvement in every project without disengaging completely through automation?

Suggested readings beforehand are:
The Trustworthy Computing Security Development Lifecycle
URL: http://msdn.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic3
Microsoft Security Brief: SDL Embraces the Web:
URL: http://msdn.microsoft.com/en-us/magazine/cc794277.aspx


Fran Maier

Session W4 & TH2: Behavioral Advertising - Influencing the Policy Landscape

In 2007 through 2008, Congress and the FTC decided to take a good look at the Behavioral Advertising practices of advertising networks, ISPs, large portals and publishers. The Chair of the FTC made a strong call to industry to self-regulate or "else." Early in 2008, the FTC issued guidelines for Behavioral Advertising and since then publishers, advertisers, networks, and industry groups are trying to come together to meet the self-regulatory call without compromising the business models. Finally, TRUSTe certifies and monitors a number of publishers, NY Times for example, who distribute behavioral advertising and are looking to TRUSTe for guidance on this issue. And others who probably would like their own industry group (not TRUSTe) to take the lead. What is behavioral advertising? Is this really a privacy issue? Has the technology gone amuck? How best to influence the policy-makers and the market makers? And if you're TRUSTe, what do you do?

Suggested readings beforehand are: Most are short and provide some background on the players

Recent NY Times article on ad tracking
http://www.nytimes.com/2009/05/31/business/media/31ad.html?_r=1&emc=eta1

FTC Report on Behavioral Advertising:
http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf

Center for Democracy and Technology Report
http://www.cdt.org/privacy/20090128threshold.pdf

Network Advertising Association Principles
http://www.networkadvertising.org/networks/principles_comments.asp

EFF Discusses Google
http://www.eff.org/deeplinks/2009/03/google-begins-behavioral-targeting-ad-program

Online Blog and Reporting on Behavioral Activities
http://www.mediapost.com/publications/?fa=Archives.showArchive&art_type=31


Brad Malin

Session T1: De-identification vs. Anonymity
Brief Abstract: Every day, often unbeknownst to us, our personal information is collected and stored in the databases of various organizations.  Images of an individual's automobile are recorded on different highway video cameras; the IP address of a personal computer is logged at multiple websites; and a patient's DNA can be sequenced and recorded by numerous hospitals.  To adhere to privacy laws, organizations remove personal identifiers prior to sharing sensitive person-specific data.  In this talk, however, I will show that seemingly anonymous data can be re-identified without hacking into secure computer systems.  I will review various principles for re-identification.  On the flipside, I will show that formal anonymity protections can be designed and that algorithms to generate data to satisfy such models can be efficient.  This lecture will draw upon topics from databases, algorithms, policy, but will also provide illustrative examples with real world data derived from biomedical records and publicly-available resources.
 
Session W2: Automated Policy Extraction through Data Mining
Brief Abstract: Healthcare organizations (HCOs) are increasingly adopting clinical information systems for managing patients’ electronic medical records (EMRs). To support these activities, various model-based software platforms have been proposed to assist in the rapid development and evaluation of formal systems based on service oriented architectures. At the same time, these systems have integrated robust privacy and security policy specification and validation languages. However, a significant remaining question is “what policies should be specified for data protection?” This question is difficult to address because healthcare environments are inherently dynamic, such that systems have fuzzy underspecified rules, and both users and patients are constantly moving in and out of the system. In this lecture, we will explore data intensive approaches to automatically assist healthcare organizations (HCOs) in discovering and defining policies for access to their clinical information systems. Topics to be covered include model-based computing, access log data mining, social network analysis, and anomaly discovery. We will also discuss how such practices have been integrated into working software and applied in a large scale academic medical center.

Suggested readings beforehand are:

Recommended Reading Materials for Talk 1:
- P. Golle. Revisiting the uniqueness of simple demographics in the US population. ACM Workshop on Privacy in the Electronic Society; 2006 October 30; Alexandria; VA; USA. NY: ACM; 2006; 77-80. (attached)

- B. Malin. An Evaluation of the current state of genomic data privacy protection technology and a roadmap for the future. Journal of the American Medical Informatics Association, 2005; 12(1): 28-34. (attached)


Recommended Reading Materials for Talk 2:
- L. Røstad and O. Edsberg. A study of access control requirements for healthcare systems based on audit trails from access logs. In Proceedings of the Annual Computer Security Applications Conference (ACSAC). 2006: 175-186. (attached)

- E. Chen and J. Cimino. Automated discovery of patient-specific clinician information needs using clinical information system log files. In Proceedings of the 2003 American Medical Informatics Association Annual Symposium. 2003: 145-149.

- http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pubmed&pubmedid=14728151


Jelena Mirkovic

Session TH3: Advancing the science of cybersecurity experimentation

Cyber threats today are more frequent and dangerous than ever before.
This is due to two factors: (1) Increased target value - It is unthinkable today to run a business without the public Internet. Critical infrastructure providers such as power and water industry, traffic schedulers, etc. also rely on the public Internet for physical system monitoring and control. Even medical monitoring devices such as pacemakers are using public networks to communicate private data to doctors and receive treatment modifications. This combination of vulnerable public communication and systems controlling life-critical or business-critical functions attracts attackers. (2) Natural evolution of attacker communities from amateur hackers to organized crime. Attackers today are better organized, funded and knowledgeable than are defenders.

Both industry and governments have increased their funding for cybersecurity over the past decade, which produced a dearth of defense systems. But, none has been widely deployed and none was proven effective enough to handle old threats, let alone hinder new ones. While attacks are evolving, defenses are stagnating. This talk will address the reasons for this stagnation, namely: (1) lack of scientific rigor in security experimentation for defense testing and evaluation, (2) difficulties in faithfully reconstructing large-scale, dynamic or platform-specific threats, (3) lack of easy-to-use experimentation platforms, network and traffic models and generation tools and (4) lack of data on representative attacks, attack and target networks, and the background environment.

The second part of the talk will describe three government-funded testbeds that aim to address the above problems: the DETER - research and open testbed for security experimentation at USC/ISI and UC Berkeley, the planned nation-wide, fully programmable, open and research GENI testbed and the National Cyber Range, for professional, realistic, quantitative and qualitative evaluation of classified and unclassified cyber programs. The talk will also provide more details about the newest research directions of DETER staff - testbed federations, experiment health and risky experiment management - which will likely propagate into other testbeds.

Suggested reading:

1. Managing the Health of Security Experiments. J. Mirkovic, K. Sollins and J. Wroclawski. In Proceedings of the CyberSecurity Experimentation and Test (CSET) Workshop, July 2008.
http://www.usenix.org/events/cset08/tech/full_papers/mirkovic/mirkovic_html/

2. Access Control for Federation of Emulab-based Network Testbeds. T. Faber and J. Wroclawski. In Proceedings of the CyberSecurity Experimentation and Test (CSET) Workshop, July 2008.
http://www.usenix.org/events/cset08/tech/full_papers/faber/faber_html/

3. Design, Deployment, and Use of the DETER Testbed, Terry Benzel, Robert Braden, Dongho Kim, Anthony Joseph, Clifford Neuman, Ron Ostrenga, Stephen Schwab, Keith Sklower. In Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test, August 2007.
http://www.usenix.org/events/deter07/tech/full_papers/benzel/benzel.pdf

4. How to Test DDoS Defenses, J. Mirkovic, S. Fahmy, P. Reiher and R. Thomas, Proceedings of the Cybersecurity Applications & Technology Conference For Homeland Security (CATCH 2009), March 2009.
http://www.isi.edu/~mirkovic/publications/catch-ddos.pdf

5. A Two-Constraint Approach to Risky Cybersecurity Experiment Management, J. Wroclawski, J. Mirkovic, T. Faber and S. Schwab, Invited paper at the Sarnoff Symposium, April 2008.
http://www.isi.edu/~mirkovic/publications/sarnoff.pdf

6. Intro to GENI
http://www.geni.net/wp-content/uploads/2009/04/geni-50-minute-talk.pdf

Session F1: Faithful reproduction of worm spread events

Internet-scale worm incidents are becoming increasingly common, and the researchers need tools to replicate and study them in a controlled setting. Current network simulators, mathematical event models and testbed emulation cannot faithfully replicate events at such a large scale. They either omit or simplify the relevant features of the Internet environment to meet the scale challenge, thus compromising fidelity. The first part of my talk presents a distributed worm spread simulator, called PAWS, that builds a realistic Internet model, including the AS-level topology, the limited link bandwidths, and the legitimate traffic patterns. PAWS can support diversity of Internet participants at any desired granularity, because it simulates each vulnerable host individually. Faithful replication of Internet environment, its diversity and its interaction with the simulated event, all lead to a high-fidelity simulation that can be used to study event dynamics and evaluate possible defenses. While PAWS is customized for worm spread simulation, it is a modular large-scale simulator with a realistic Internet model, that can be easily extended to simulate other Internet-scale events. I will show results that support our claim that PAWS is both more realistic and more efficient than existing worm spread simulators.

The second part of my talk addresses the lack of ground truth in worm research, which prevents calibration of worm simulators and emulators. Network telescopes have been invaluable for collecting information about dynamics of large-scale worm events. Yet, a telescope’s observation may be incomplete due to scan congestion drops, hardware limitations, filtering and presence of NATs, a worm’s non-uniform scanning strategy or its short life. The work I will present investigates inaccuracies in telescope observations that arise from worm-induced congestion drops of worm scans and we show that they may lead to significant underestimates of the number of infectees and their scanning rate. We propose a method to infer worm-induced congestion drops from telescope’s observations and use them to accurately estimate global worm dynamics. We apply our methods to CAIDA telescope’s observations of Witty worm’s spread, and release corrected statistics of worm dynamics for public use.

Reading beforehand:
S. Wei and J. Mirkovic, Correcting Congestion-Based Error in Network Telescope's Observations of Worm Dynamics, Proceedings of Internet Measurement Conference, October 2008. (short paper)
http://www.isi.edu/~mirkovic/publications/imc08.pdf

S. Wei, C. Ko, J. Mirkovic and A. Hussain, Tools for Worm Experimentation on the DETER testbed, Proceedings of the Tridentcom 2009, April 2009.
http://www.isi.edu/~mirkovic/publications/trident09.pdf


Deirdre Mulligan

Session T2: Ken Bamberger Reframing Privacy: Regulators, Firms and the New American Metric

The sufficiency of U.S. information privacy law is the subject of heated debate. A majority of privacy scholars and advocates contend that the existing patchwork of U.S. regulation fails to ensure across-the-board conformity with the standard measure of privacy protection: Fair Information Practice Principles (FIPPS) first articulated in the early 1970s. U.S. law, they argue, further falls far short of the EU’s omnibus privacy regime thereby failing to protect against a variety of privacy based harms. A smaller group of scholars similarly fault the U.S. for latching onto a watered-down version of FIPPS that emphasizes the procedural requirements of notice and individual choice to the exclusion of a substantive consideration of the harms and benefits to society as a whole that result from flows of personal information, and in the process created bureaucracy in lieu of privacy protection.

These critiques’ positive claims regarding U.S. law’s departure from FIPPS are largely true. Yet, we argue, these debates generate far more heat than light as to the question of what laws provide meaningful privacy protection. The emphasis on measuring U.S. privacy protection by the FIPPS metric simply misses the mark, focusing on a largely procedural standard that offers limited utility in guiding corporate decisionmaking to protect privacy. It thus ignores important shifts in the conception of privacy—and therefore, perhaps, how the success of its protection should be assessed—in the United States.

This paper—the first in a series drawing on a qualitative empirical study of privacy practices in U.S. corporations—argues instead that FIPPS no longer represents either the exclusive goal of U.S. privacy policy or the sole metric appropriate for assessing privacy protection. By contrast, this article demonstrates that U.S. information privacy policy over the last decade, as understood by both regulators and those firms implementing privacy measures through regulatory compliance, evidences a second—and very “American”—definition of informational privacy. As demonstrated both by the institutional choices regarding privacy regulation and by qualitative data regarding corporate privacy practices, informational privacy protection in the U.S. today is rooted, not in fair notice and process, but in substantive notions of consumer expectations and consumer harm. The corporate practices resulting from the “expectations and harm” definition of privacy, in turn, often offer the promise of far greater substantive privacy protection than any FIPPS regime could provide.

This initial effort to inquire as to how the form and oversight structure of information privacy law influences its implementation and effect illustrates the value of “holistic evaluation(s) of privacy protection systems” recommended by Charles Raab. Looking at rights and obligations on paper is insufficient to guide policy: better privacy protection requires analysis of how law works in the wild.


© 2005-2010 Trust