<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
<channel>
<title>IEEE Security and Privacy</title>
<link>http://www.computer.org/security</link>
<description>Organizations relying on the Internet face significant challenges to ensure that their networks operate safely and that their systems continue to provide critical services even in the face of attacks.
Denial of service, worms, DNS, and router attacks are increasing. To help you stay one step ahead of these and other threats, the IEEE Computer Society published a new periodical in 2003, IEEE Security &amp; Privacy magazine.</description>
	<language>en-us</language>
	<pubDate>Tue, 18 Jun 2013 10:00:06 GMT</pubDate>
	<image>
		<url>http://csdl.computer.org/common/images/logos/security.gif</url>
		<title>IEEE Computer Society</title>
		<description>List of recently published journal articles</description>
		<link>http://www.computer.org/security</link>
	</image>
  <item>
     <title>PrePrint: Bandwidth Distributed Denial of Service: Attacks and Defenses</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.55</link>
     <description>Distributed denial of service (DDoS) attacks pose a serious threat to the Internet. We discuss the Internet&#x2019;s vulnerability to Bandwidth Distributed Denial of Service (BW-DDoS) attacks, where many hosts send a huge number of packets exceeding network capacity and causing congestion and losses, thereby disrupting legitimate traffic. TCP and other protocols employ congestion control mechanisms that respond to losses and delays by reducing network usage, hence, their performance may be degraded sharply due to such attacks. Attackers may disrupt connectivity to servers, networks, autonomous systems, or whole countries or regions. In this paper we survey BW-DDoS attacks and defenses. We argue that so far, BW-DDoS employed relatively crude, inefficient, &#x2018;brute force&#x2019; mechanisms; future attacks may be significantly more effective, and hence much more harmful. We discuss currently deployed and proposed defenses. We argue that to meet the increasing threats, more advanced defenses should be deployed.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.55</guid>
  </item>
  <item>
     <title>PrePrint: Software Fault Injection for Software Certification</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.54</link>
     <description>As software is becoming more and more pervasive and complex, it is increasingly important to assure that a system will be safe even in the presence of residual software faults ("bugs"). Software Fault Injection consists in the deliberate introduction of software faults for assessing the impact of faults on the system and improving fault tolerance. Software Fault Injection has been included as a recommended practice in recent safety standards, and it has therefore gained interest among practitioners, but it is still unclear how it can be effectively used for certification purposes. In this paper, we discuss the adoption of Software Fault Injection in the context of safety certification, present a tool for the injection of realistic software faults, namely SAFE (SoftwAre Fault Emulator), and show the usage of the tool in the evaluation and improvement of robustness of an RTOS adopted in the avionic domain.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.54</guid>
  </item>
  <item>
     <title>PrePrint: Research on iOS Data Recovery Rate using Low Level NAND Image</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.50</link>
     <description>This paper presents a method of iOS data recovery by extracting data image directly from low level NAND storage and analyzing the redundancy caused by its FTL behavior. An on-device brute-force method is adopted to address the passcode encryption issue which is identified as a block on current iOS forensic procedure. Further analysis on Garbage Collection Strategy adopted by iOS devices could provide certain guidance to iOS data recovery personnel.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.50</guid>
  </item>
  <item>
     <title>PrePrint: Analysis of Safety-Critical Computer Failures in Medical Devices</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.49</link>
     <description>Incidents due to malfunctioning medical devices are a major cause of serious injury and death in the United States. During 2006&#x2013;2011, 5,294 recalls and around 1.2 million adverse events were reported to the U.S. Food and Drug Administration (FDA). Almost 23% of these recalls were due to computer-related failures, of which around 94% presented medium-to-high risk of severe health consequences (such as serious injury or death) to patients. This paper investigates the causes of failures in computer-based medical devices and their impact on patients, by analyzing human-written descriptions of recalls and adverse event reports, obtained from public FDA databases. We characterize computer-related failures by deriving fault classes, failure modes, recovery actions, and number of devices affected by the recalls. This analysis is used as a basis for identifying safety issues in life-critical medical devices and providing insights on the future challenges in the design of safety-critical medical devices.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.49</guid>
  </item>
  <item>
     <title>PrePrint: Anonymous and Distributed Community Cyber Incident Detection</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.24</link>
     <description>Communities are under attack from a variety of threat agents. The repercussions from these attacks will grow more severe as communities become increasingly reliant upon cyberspace. Communities must be prepared to prevent, detect, respond to, and recover from a wide variety of cyber incidents. The timely and useful detection of cyber attacks is a first step towards a fast and effective response and recovery. Centralized community cyber incident detection scales poorly. Additionally, community members are understandably hesitant to share sensitive security information. Anonymity is vital to protecting the privacy of participants, and thereby encouraging their participation. We present a useful community cyber incident detection framework based upon an anonymous, distributed, and scalable information sharing architecture.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.24</guid>
  </item>
  <item>
     <title>PrePrint: The Personal Data Store Approach to Personal Data Security</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2012.137</link>
     <description>Personal Data Stores (PDS) are considered by a growing number of actors to be the solution to the issue of online privacy. The PDS promise is that people can choose to share or restrict access to specific personal information with other interested parties. Ascertaining the extent to which users are willing to adopt PDS was the objective of a small-scale test involving job applicants and employers. After describing the context leading to the PDS solution developed within the European Framework 7 project TAS3, this paper explores whether PDS are a practical solution to addressing personal data insecurity on the web. Can PDSs respond to actual user needs? Are users ready to adopt PDS technology to &#x2018;claim data back&#x2019;? To what extent can PDS really enforce online privacy? What other approaches are emerging as alternatives to PDS?</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2012.137</guid>
  </item>
  <item>
     <title>PrePrint: Mitigating XML Injection Zero-Day Attack through Strategy-based Detection System</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2012.83</link>
     <description>Web services have increasingly been adopted nowadays and therefore been targeted by attackers. The underlying technologies used by them bring known vulnerabilities to this new environment. The classical approaches for attack detection either produce high false positive detection rates or cannot detect attack variations &#x2013; leading to zero-day attacks. This paper applies ontology to build a strategy-based knowledge attack database. It is a novel hybrid attack detection engine, bringing together the main advantages of signature and knowledge-based classical approaches. Moreover, it is capable of mitigating zero-day attacks for XML injection, with no false positive detection rate.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2012.83</guid>
  </item>
   </channel>
</rss>