<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
<channel>
<title>IEEE Security and Privacy</title>
<link>http://www.computer.org/security</link>
<description>Organizations relying on the Internet face significant challenges in ensuring that their networks operate safely and that their systems continue to provide critical services even in the face of attacks.
Denial of service, worms, DNS, and router attacks are increasing. To help you stay one step ahead of these and other threats, the IEEE Computer Society published a new periodical in 2003, IEEE Security &amp; Privacy magazine.</description>
	<language>en-us</language>
	<pubDate>Sun, 19 May 2013 10:00:07 GMT</pubDate>
	<image>
		<url>http://csdl.computer.org/common/images/logos/security.gif</url>
		<title>IEEE Computer Society</title>
		<description>List of recently published journal articles</description>
		<link>http://www.computer.org/security</link>
	</image>
  <item>
     <title>PrePrint: Research on iOS Data Recovery Rate using Low Level NAND Image</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.50</link>
     <description>This paper presents a method of iOS data recovery by extracting data image directly from low level NAND storage and analyzing the redundancy caused by its FTL behavior. An on-device brute-force method is adopted to address the passcode encryption issue which is identified as a block on current iOS forensic procedure. Further analysis on Garbage Collection Strategy adopted by iOS devices could provide certain guidance to iOS data recovery personnel.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.50</guid>
  </item>
  <item>
     <title>PrePrint: Analysis of Safety-Critical Computer Failures in Medical Devices</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.49</link>
     <description>Incidents due to malfunctioning medical devices are a major cause of serious injury and death in the United States. During 2006&#x2013;2011, 5,294 recalls and around 1.2 million adverse events were reported to the U.S. Food and Drug Administration (FDA). Almost 23% of these recalls were due to computer-related failures, of which around 94% presented medium-to-high risk of severe health consequences (such as serious injury or death) to patients. This paper investigates the causes of failures in computer-based medical devices and their impact on patients, by analyzing human-written descriptions of recalls and adverse event reports, obtained from public FDA databases. We characterize computer-related failures by deriving fault classes, failure modes, recovery actions, and number of devices affected by the recalls. This analysis is used as a basis for identifying safety issues in life-critical medical devices and providing insights on the future challenges in the design of safety-critical medical devices.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.49</guid>
  </item>
  <item>
     <title>PrePrint: Two tales of privacy in online social networks</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.47</link>
     <description>Privacy is one of the friction points that emerges when communications get mediated in Online Social Networks (OSNs). Different communities of computer science researchers have framed the 'OSN privacy problem' as one of surveillance, institutional or social privacy. In tackling these problems they have also treated them as if they were independent. We argue that the different privacy problems are entangled and that research on privacy in OSNs would benefit from a more holistic approach. In this article, we first provide an introduction to the surveillance and social privacy perspectives emphasizing the narratives that inform them, as well as their assumptions, goals and methods. We then juxtapose the differences between these two approaches in order to understand their complementarity, and to identify potential integration challenges as well as research questions that so far have been left unanswered.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.47</guid>
  </item>
  <item>
     <title>PrePrint: Anonymous and Distributed Community Cyber Incident Detection</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.24</link>
     <description>Communities are under attack from a variety of threat agents. The repercussions from these attacks will grow more severe as communities become increasingly reliant upon cyberspace. Communities must be prepared to prevent, detect, respond to, and recover from a wide variety of cyber incidents. The timely and useful detection of cyber attacks is a first step towards a fast and effective response and recovery. Centralized community cyber incident detection scales poorly. Additionally, community members are understandably hesitant to share sensitive security information. Anonymity is vital to protecting the privacy of participants, and thereby encouraging their participation. We present a useful community cyber incident detection framework based upon an anonymous, distributed, and scalable information sharing architecture.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.24</guid>
  </item>
  <item>
     <title>PrePrint: Must social networking conflict with privacy?</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.23</link>
     <description>People often assume that to use online social networks is to give up on privacy. This assumption is sometimes justified by the cynical observation that &#x0022;You're not the customer... you're the commodity.&#x0022; This business model is taken for granted, but does it have to be so? Must online social networks be incompatible with privacy, or is this just the way it is today? In this article, we investigate regions of the social networking design space that have largely been left unexplored because of a premature commitment to particular performance&#x2013;price&#x2013;privacy trade-offs. We demonstrate that it is possible to build systems with different trade-offs, that require less trust from users and give users more control without necessarily sacrificing performance. These new trade-offs require the relaxation of built-in assumptions about cost, but they demonstrate that today's most popular business model is just one among many: privacy is not inherently incompatible with social networking.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.23</guid>
  </item>
  <item>
     <title>PrePrint: "All the Better to See You with, My Dear": Facial Recognition and Privacy in Online Social Networks</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.22</link>
     <description>Focusing primarily on popular online social networks like Facebook, this article provides an overview of the main social and legal challenges attending the use of facial recognition technologies on these platforms and explores ways of governing the associated privacy implications, specifically from a European data protection perspective. It then discusses potential legal, technological, and business model responses to these developments.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.22</guid>
  </item>
  <item>
     <title>PrePrint: Twitsper: Tweeting Privately</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2013.3</link>
     <description>While most OSNs today provide some form of privacy controls so that their users can protect their shared content from other users, these controls are typically not sufficiently expressive and/or do not provide fine-grained protection. In this article, we introduce Twitsper, which allows users to have fine-grained control over who sees their messages. Specifically, we demonstrate that such a privacy control can be offered to users of Twitter today without having to wait for Twitter to make changes. We do so by designing and implementing Twitsper as a wrapper around Twitter that enables private group communication while preserving Twitter&#x2019;s commercial interests. Our design preserves the privacy of group information (i.e., who communicates with whom) both from the Twitsper server as well as from undesired Twitsper users. Our Twitsper client for Android-based devices has been downloaded by over 1000 users and its utility has been noted by several media articles.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2013.3</guid>
  </item>
  <item>
     <title>PrePrint: The Personal Data Store Approach to Personal Data Security</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2012.137</link>
     <description>Personal Data Stores (PDS) are considered by a growing number of actors to be the solution to the issue of online privacy. The PDS promise is that people can choose to share or restrict access to specific personal information with other interested parties. Ascertaining the extent to which users are willing to adopt PDS was the objective of a small-scale test involving job applicants and employers. After describing the context leading to the PDS solution developed within the European Framework 7 project TAS3, this paper explores whether PDS are a practical solution to addressing personal data insecurity on the web. Can PDSs respond to actual user needs? Are users ready to adopt PDS technology to &#x2018;claim data back&#x2019;? To what extent can PDS really enforce online privacy? What other approaches are emerging as alternatives to PDS?</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2012.137</guid>
  </item>
  <item>
     <title>PrePrint: Mitigating XML Injection Zero-Day Attack through Strategy-based Detection System</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2012.83</link>
     <description>Web services have increasingly been adopted nowadays and therefore been targeted by attackers. The underlying technologies used by them bring known vulnerabilities to this new environment. The classical approaches for attack detection either produce high false positive detection rates or cannot detect attack variations, leading to zero-day attacks. This paper applies ontology to build a strategy-based knowledge attack database. It is a novel hybrid attack detection engine, bringing together the main advantages of signature and knowledge-based classical approaches. Moreover, it is capable of mitigating zero-day attacks for XML injection, with no false positive detection rate.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2012.83</guid>
  </item>
  <item>
     <title>IEEE Security and Privacy</title>
     <link>http://www.computer.org/portal/site/security/</link>
     <description>IEEE Security and Privacy</description>
     <guid isPermaLink="true">http://www.computer.org/portal/site/security/</guid>
  </item>
   </channel>
</rss>