|
In consumer products, security is generally seen as an impediment to
development, sales, and the overall user value proposition. This is due in
large part to the fact that the primary drivers for security in these products have been the
protection of the value chain FROM the consumer. Examples include the
protection of copyrighted content via Digital Rights Management (DRM), the
protection of conditional access mechanisms in set top boxes, and the protection
of carrier subsidy locks in cellphones. Early attempts at providing device
security that would benefit the consumer (such as PIN-based phone locks) have
generally been a failure. As a result, many, if not most, manufacturers have
tended towards the absolute minimum level of security that would meet the market
needs. In so doing, we are not preparing ourselves adequately to deliver new
applications that are coming such as mobile commerce and e-health, where the
need for security will be greater and the consumer WILL have a vested interest
in stronger security.

While applications that are coming will drive a need for greater security, for the most part it will be the implementation of the applications, and not the stronger security itself that will be the basis for competition. As a result, there would be value to the industry as a whole to explore ways to minimize the total investment required to achieve the right baseline levels of security to support these new applications. Some of these include:

- Collaboration / agreement on security requirements among manufacturers, for example in the cell phone area
- Collaboration / sharing of security IP among semiconductor suppliers providing silicon to manufacturers
- Pooling of funds to support university research on challenging problems in the security area as well as to support the inclusion of security in the engineering curricula to help enlighten our next generation of engineers

This talk will discuss the current situation, discuss steps that have been taken in this direction, and outline additional ways that industry and academia could work together to address this problem. |
| Morris Moore is Vice President of Security Technology in Motorola Labs. Morris graduated from Michigan State University in 1976 with a B.S. in Electrical Engineering. Morris joined Motorola research labs and engaged in and eventually led research including queuing system analysis and simulation, paging protocol development, digital signal processing application to modulation, demodulation, speech coding, and speech recognition, and in-building RF propagation. Later, he led product development teams for two-way paging products, including the first such product as well as the PageWriter 2000, which was added to the permanent collection of the Smithsonian as the first personal two-way wireless messaging device. Additional roles included platform architecture for smart phones as well as multi-generational platform architecture for cellular chipsets. He currently has responsibility for Security Technology in Motorola Labs as well as strategy for the Physical and Digital Realization research within Motorola Labs. He is active in Motorola’s university relations activities as well as in their annual Technology Outlook process. He has been recognized for his technical contributions within Motorola by membership in their Science Advisory Board Association, and appointment as a Dan Noble Fellow. He has 25 issued patents. |
| The government operational environment presents unique challenges when trying to integrate security features into the development and deployment of operational systems. Most researchers are unaware of these challenges, which can make it difficult to craft a winning technical transition strategy. This presentation will outline several of the issues, both from a development and research perspective, to hopefully facilitate research transition planning and stimulate discussion on how to better position research for transition into operations. |
|
Lee Beausoleil, over the last 20 years, has held a variety of
positions either in operations or in the development of operational systems
within the DoD and Intelligence Community. She has worked as an analyst/operator,
systems programmer, security test engineer and more recently in several
information security engineering positions supporting the development of
operational systems. She has a firm belief that integrating security into system
engineering and development should be a painless process. Because of that belief
she has a personal mission to educate developers and end users on the most
effective approach to integration. Her recent assignment in IARPA has given her
an appreciation of the technical transition challenges that face researchers,
which has added another dimension to The Mission. Her ultimate goal is to change
the operational mindset from merely tolerating security to actually liking it. |
|
This talk (based on a book of the same title co-authored by Greg Hoglund)
frankly describes controversial security issues surrounding MMORPGs such as
World of Warcraft. This no-holds-barred approach is fully loaded with code
examples, debuggers, bots, and hacks, of interest whether you are a gamer, a
game developer, a software security person, or an interested bystander. I will
cover:

• Why online games are a harbinger of software security issues to come
• How millions of gamers have created billion-dollar virtual economies
• How game companies invade your privacy
• Why some gamers cheat
• Techniques for breaking online game security
• How to build a bot to play a game for you
• Methods for total conversion and advanced mods

Ultimately, this talk is mostly about security problems associated with advanced massively distributed software. With hundreds of thousands of interacting users, today's online games are a bellwether of modern software yet to come. The kinds of attack and defense techniques I describe are tomorrow's security techniques on display today. |
| Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C., area. He is a globally recognized authority on software security and the author of six best-selling books on this topic. The latest, Software Security: Building Security In, was released in 2006, with Exploiting Online Games slated for release this year. His other titles include Java Security, Building Secure Software, and Exploiting Software; and he is editor of the Addison-Wesley Software Security series. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. |
|
Traditionally, digital forensic analysis is performed "post mortem" on a disk,
after it has been seized by law enforcement officials and the power cord to the
computer has been unceremoniously yanked out of the wall. In recent years, two
forces have been changing this practice. First, as the disk space on a typical
system grows, and court orders for shutting down all machines become harder to
obtain, it is getting more difficult to perform a complete "old school"
analysis. And second, a new generation of tools has been created that look at
volatile information that helps provide context to the static analysis.

In this talk, we will first describe "old school" forensics, the important principles behind the techniques, and the information they yield. Then we will present live forensics, the type of information that is available, and how it can be used, not as a replacement for, but in concert with static analysis to help investigators understand what happened and what is happening now to a system. We will conclude with some predictions on how the field will change based on current trends. |
| Dr. Frank Adelstein is the technical
director of computer security at ATC-NY in Ithaca, NY. He is the principal
designer of a live forensic investigation product (marketed as Online
Digital Forensic Suite and LiveWire Investigator) and has worked in the area
of live investigation for the last 5 years. He has also been the principal
investigator on numerous research and development projects including
security, wireless networking, intrusion detection, and training. Adelstein is the vice-chair of the Digital Forensic Research Workshop, the premier workshop on research advances in the area of digital forensics, and a co-author of the book Fundamentals of Mobile and Pervasive Computing (McGraw-Hill). |