Claire Vishik

Privacy preserving actions of older adults on social media: Exploring the behavior of opting out of information sharing

Social media are being fast adopted by older adults for extending their social relationships. However along with the adoption, there have been concerns about risky issues regarding privacy leakages and information sharing hazards. Such risks are partially due to the fact that seniors (knowingly or unknowingly) share private information that may be misused by others. In this paper we explore the privacy-preserving actions regarding information sharing for this demography on one social media platform - Facebook. Facebook is the largest social networking platform today and many of its privacy related practices have been in the news recently. More specifically, we study the information sharing behavior of the elderly by observing the extent to which they opt out of sharing information publicly about themselves on their profile pages. In addition, we also observe how much overlap exists between these older Facebook users and their respective friends in terms of their public information sharing habits and explore the differences across gender. Finally for comparative purposes we also collect data on a sample of younger Facebook users and conduct an analysis.

TPM Virtualization: Building a General Framework

Trusted Computing has been widely recognized as a useful and necessary extension of more traditional security mechanisms. In today’s complex multi-device environment, it is essential to be assured that devices participating in transactions can be trusted. The Trusted Computing Group (TCG) has created a set of specifications and accompanying infrastructure defining means of assurance necessary to build a trusted environment. Continuing interest in virtualization as a way to extend flexibility in diverse computing environments while addressing issues of underutilization of equipment and energy consumption brings additional complexities to current and future models of trusted computing.

A practical device authentication scheme using SRAM PUFs

The contamination of electronic component supply chains by counterfeit hardware devices is a serious and growing risk in todays globalized marketplace. Current practice for detecting counterfeit semiconductors includes visual checking, electrical testing, and reliability testing which can require significant investments in expertise, equipment, and time. Additionally, best practices have been developed in industry worldwide to combat counterfeiting in many of its variants. Although the current approaches improve the situation significantly, they do not provide extensive technical means to detect counterfeiting. However, new approaches in this area are beginning to emerge. Suh and Devadas recently proposed a low cost device authentication scheme which relies on Physically Unclonable Functions (PUFs) to implement a challenge-response authentication protocol. There are several constraints in their authentication scheme, e.g., their scheme requires a secure online database and relies on PUF constructions that exhibit a large number of challenge-response pairs. In this paper, we introduce a new device authentication scheme using PUFs for device anticounterfeiting. Our scheme is simple and practical as it does not require any online databases and is not tied to any PUF implementations. For hardware devices which already have SRAM and non-volatile storage embedded, our scheme takes almost no additional cost.

Moving Toward Trustworthy Systems: R&D Essentials

Under the game-change metaphor, strategies developed to address hard problems will potentially lead to breakthroughs in many different interrelated cybersecurity areas. For software assurance, a game change should focus on improving resiliency and hardening new technologies that implement moving-target defenses and tailored trustworthy spaces.

Trusted Privacy Domains --- Challenges for Trusted Computing in Privacy-Protecting Information Sharing

With the growing use of the Internet, users need to reveal an increasing amount of private information when accessing online services, and, with growing integration, this information is shared among services. Although progress was achieved in acknowledging the need to design privacy-friendly systems and protocols, there are still no satisfactory technical privacy-protecting solutions that reliably enforce user-defined flexible privacy policies. Today, the users can assess and analyze privacy policies of data controllers, but they cannot control access to and usage of their private data beyond their own computing environment. In this paper, we propose a conceptual framework for user-controlled formal privacy policies and examine elements of its design and implementation. In our vision, a Trusted Personal Information Wallet manages private data according to a user-defined privacy policies. We build on Trusted Virtual Domains (TVDs), leveraging trusted computing and virtualization to construct privacy domains for enforcing the users policy. We present protocols for establishing these domains, and describe the implementation of the building blocks of our framework. Additionally, a simple privacy policy for trusted privacy domains functioning between different organizations and entities across networks is described as an example. Finally, we identify future research challenges in this area.

Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment

Cybersecurity practice lags behind cyber technology achievements. Solutions designed to address many problems may and do exist but frequently cannot be broadly deployed due to economic constraints. Whereas security economics focuses on the cost/benefit analysis and supply/demand, we believe that more sophisticated theoretical approaches, such as economic modeling, rarely utilized, would derive greater societal benefits. Unfortunately, today technologists pursuing interesting and elegant solutions have little knowledge of the feasibility for broad deployment of their results and cannot anticipate the influences of other technologies, existing infrastructure, and technology evolution, nor bring the solutions lifecycle into the equation. Additionally, potentially viable solutions are not adopted because the risk perceptions by potential providers and users far outweighs the economic incentives to support introduction/adoption of new best practices and technologies that are not well enough defined. In some cases, there is no alignment with predominant and future business models as well as regulatory and policy requirements.

Making Sense of Future Cybersecurity Technologies: Using Ontologies for Multidisciplinary Domain Analysis

Security experts have difficulties achieving quick vulnerability mitigation because cybersecurity is a complex multi-disciplinary subject that yields itself with great difficulty to traditional methods of risk analysis. In particular, the effectiveness of mitigation strategies depends on an accurate understanding of the relationships among the components of systems that need to be protected, their functional requirements, and of the trade-off between security protection and core functionality. Mitigation strategies may have undesired ripple-effects, such as unexpectedly modifying functions that other system components rely upon. If some of the side-effects of a mitigation strategy are not clearly understood by a security expert, the consequences may be costly. Thus, vulnerability mitigation requires a deep understanding of the subtle interdependencies that exist between domains that are different in nature. This is especially difficult for new technology use models, such as Cloud-based computing and IoT, in which cyber and physical components are combined and interdependent. By their own design, ontologies and the associated inference mechanisms permit us to reason about connections between diverse domains and contexts that are pertinent for the general threat picture, and to highlight the effects and ramifications of the mitigation strategies considered. In this paper, we position ontologies as crucial tools for understanding the threat space for new technology space, for increasing security experts’ situational awareness, and, ultimately, as decision-support tools for rapid development of mitigation strategies. We follow with the discussion of the new information and insights gleaned from the ontology-based study of the root of trust in cyber-physical systems.

Infrastructure for Trusted Environment: In Search of a Solution

Millions of PCs are currently sold equipped with a Trusted Platform Module, TPM, serving as a root of trust on the platform. Trusted Computing as an area of security has acquired significant visibility, and many new products and a growing number of research projects in areas ranging from virtualization to network security are based on Trusted Computing technologies and vision. In order to fully realize the vision of the Trusted Computing community, dedicated or compatible trust infrastructure for verification and attestation is required. Similar to other trust-enabling technologies, Trusted Computing needs an infrastructure that can verify the claim that a device is genuine and can be trusted to take part in a transaction, in which it is involved. Such an infrastructure will enable an environment where individuals can use the technology for protected transactions and potentially employ less risky authentication methods. This paper explores the role of infrastructure in Trusted Computing, starting with the discussion of the infrastructure’s importance and issues in trust establishment, followed by the description of the basics of Trusted Computing functionality requiring infrastructure support. We use examples of other trust enabling infrastructures, such as general-purpose PKI and infrastructure for Identity Federation to highlight common approaches. Finally, we touch upon economics of trust and intermediation, in order to define potential models for building enabling infrastructure for Trusted Computing.. While the paper doesn’t propose concrete solutions for the infrastructure problem in Trusted Computing, some possible avenues of building the necessary framework are outlined.

Building Technologies that Help Cyber-Defense: Hardware-enabled Trust

The paper discusses evolution of civil disobedience in cyberspace and real world. The result of comparison of both brings author to the conclusion of high impact of the deteriorating economic situation on the civil disobedience in both, cyberspace and real world, supporting each other. There is expectation of professionalization of movements in cyberspace slowly changing nature of attack to cyberterrorist-like attacks. The effort to bound free flow of information, governments will attempt to limit or circumscribe cyberspace in particular with reference to the fight against terrorism, which could lead to more aggressive civil disobedience in cyberspace.

Silicon PUFs in Practice

Low cost computing devices have become a key enabler of the digital economy, supporting everyday activities such as banking, access control, and travel. These devices often present highly resource constrained environments which impede the introduction of technologies that can improve the safety of the transactions performed on them. Several approaches have been proposed which strive to enhance the security of the user application without significantly increasing the associated cost, for example foregoing the use of higher grade smart cards supporting efficient public-key cryptography. In high volume scenarios the cost saving associated with such a decision can be compelling and security is invariably compromised as a result. This paper proposes realistic scenarios for the use of silicon PUFs (Physically Unclonable Functions) to enable lower cost and more secure implementations of smartcards and similar technologies. Silicon PUFs leverage the unique manufacturing variation present on all ICs to support authentication that is conceptually similar to biometric functionality as well as the generation of cryptographic key material. We recognize that significant improvements in PUF implementation will need to be achieved in order to make the technology commercially deployable. With these improvements, we can anticipate the potential applicability of PUFs to meeting the authentication, confidentiality and integrity requirements of many everyday transactions. In addition, the volatility of PUF-based secrets offers an attractive alternative to storing cryptographic keys in non-volatile memory.