50,530 research outputs found

    Monitoring of security properties using BeepBeep

    Runtime enforcement is an effective method to ensure the compliance of a program with user-defined security policies. In this paper we show how the stream event processor tool BeepBeep can be used to monitor the security properties of Java programs. The proposed approach relies on AspectJ to generate a trace capturing the program’s runtime behavior. This trace is then processed by BeepBeep, a complex event processing tool that allows complex data-driven policies to be stated and verified with ease. Depending on the result returned by BeepBeep, AspectJ can then be used to halt the execution or take other corrective action. The proposed method offers multiple advantages, notably flexibility in devising and stating expressive user-defined security policies

    How to Generate Security Cameras: Towards Defence Generation for Socio-Technical Systems

    Recently security researchers have started to look into automated generation of attack trees from socio-technical system models. The obvious next step in this trend of automated risk analysis is automating the selection of security controls to treat the detected threats. However, the existing socio-technical models are too abstract to represent all security controls recommended by practitioners and standards. In this paper we propose an attack-defence model, consisting of a set of attack-defence bundles, to be generated and maintained with the socio-technical model. The attack-defence bundles can be used to synthesise attack-defence trees directly from the model to offer basic attack-defence analysis, but also they can be used to select and maintain the security controls that cannot be handled by the model itself. Comment: GraMSec 2015, 16 page

    Semi-Annual Report to Congress for the Period of April 1, 2006 to September 30, 2006

    [Excerpt] I am pleased to submit this Semiannual Report to the Congress, which highlights the significant activities and accomplishments of the Office of Inspector General (OIG) for the six-month period ending September 30, 2006. During this reporting period, our investigative work led to 295 indictments, 260 convictions, and over $76 million in monetary accomplishments. In addition, we issued 66 audit reports and questioned $90.2 million in costs. During this reporting period, the OIG continued to provide audit and investigative oversight of the Department of Labor’s (DOL’s) response to Hurricanes Katrina and Rita. We issued six management letters related to this effort. One of the letters identified individuals who had received disaster unemployment assistance (DUA) from one state, while also receiving DUA or state unemployment compensation from another state. In addition, an OIG investigation led to the indictment of a disaster-reconstruction company owner who had allegedly neglected to pay approximately $1.4 million in employee taxes owed to the Federal and state governments. OIG audits included significant recommendations to address vulnerabilities identified in DOL programs and operations. For example, we issued a performance audit that determined that DOL’s coal mine hazardous condition complaint process needed improvement. We also conducted several audits assessing the adequacy of the Department’s information security program and identified challenges in the areas of access controls and protection over personally identifiable information. Our investigations continue to combat labor racketeering in the workplace and fraud involving DOL programs. One particular investigation resulted in several former high-ranking officials of Laborers’ International Union of North America Local 91 in the State of New York either pleading guilty or being sentenced for conspiring to commit violations of the Hobbs Act. Another significant case involved Ralphs Grocery Company. Ralphs pled guilty to several felony counts related to charges that it illegally rehired locked-out workers during the supermarket labor dispute in Southern California more than two years ago. In June 2006, the company agreed to pay $70 million in fines and restitution. Finally, recognizing the need to collaboratively combat document and benefit fraud, the OIG joined with the Departments of Homeland Security, Justice, State, and other agencies to form task forces in 10 major cities. Led by the U.S. Immigration and Customs Enforcement, the task forces have been highly effective in targeting criminal organizations and ineligible beneficiaries engaged in this type of fraud. In one case, an investigation found that the owner of a labor leasing company used counterfeit labor certification forms to apply for at least 250 green cards. The owner of the company pled guilty to charges and faces 37 to 46 months’ incarceration. The OIG remains committed to promoting the economy, integrity, effectiveness, and efficiency of DOL programs and detecting waste, fraud, and abuse against those programs. I would like to express my sincere appreciation to a professional and dedicated OIG staff for their significant achievements during this reporting period

    Semi-Annual Report to Congress for the Period of October 1, 2002 to March 31, 2003

    [Excerpt] It is a privilege to transmit this Semiannual Report to the Congress covering the period October 1, 2002, through March 31, 2003, summarizing the significant audit and investigative activities of the Office of Inspector General (OIG), U.S. Department of Labor (DOL). Moreover, I am pleased to introduce a new format for our report that makes use of advances in information technology and moves the OIG forward in the e-government environment. Readers will now receive a “Highlights” summary that emphasizes key audits and investigations conducted by the OIG. The Highlights contains information on how to visit our website and download the complete report. Our goal is to allow you to review snapshots of our work and quickly access those issues of most interest to you. Of special note during this reporting period was the inclusion of statutory law enforcement authority for our investigators in the Homeland Security Act of 2002 (P.L. 107-296). This authority enhances our ability to investigate labor racketeering and fraud against pension plans, which has become increasingly important as other Federal law enforcement agencies redirect their resources toward homeland security activities. Among our significant investigative accomplishments during this period was the indictment of 42 individuals including members and associates of the Genovese and Colombo La Cosa Nostra (LCN) organized crime families and Locals 14 and 15 of the Operating Engineers, for unlawful labor payments as well as other charges. Another investigation led to guilty pleas by associates of the Gambino LCN Family. 
In total, during this reporting period, our investigative work resulted in 337 indictments, 191 convictions, and over $55.6 million in monetary accomplishments. From an audit perspective, we issued a series of reports during this period related to the Workforce Investment Act (WIA) including youth training programs, individual training accounts, and the amount of WIA funding available to states. We hope these reports and recommendations will offer valuable information as the Congress considers WIA reauthorization. We also reported the results of our work with respect to Florida’s closeout of its job training grants, which identified significant discrepancies between the State's financial status reports and its official accounting records. Also significant this period was our follow-up audit of overcharges by the Internal Revenue Service to the Unemployment Trust Fund that totaled $174 million for fiscal years 1999–2002. This targeted work, as well as other audit work, identified nearly $184 million in questioned costs. I am proud of the work of all OIG employees and their continued commitment to serving American workers and taxpayers. 
My staff and I look forward to continuing to work constructively with the Secretary and the DOL team to further our common goal of ensuring the effectiveness, efficiency, and integrity of the programs that serve and protect the rights and benefits of American workers and retirees

    The Truth-On-The-Market Defense and its Relevance in SEC Enforcement Actions

    In this paper we describe an approach for information system design that aims at constructing the social reality in which the system is used. Thus, rather than designing the information system in a given context, the design target is the context itself, including the information system. The expertise knowledge of users and information system designers are jointly utilized in co-constructing the context, which is structured as a particular form of workpractice called the activity domain. In the activity domain, coordinating elements of a practice are integrated into a coherent whole. The theory behind the approach – the Activity Domain Theory – originated in the Ericsson telecommunication company where it has been gradually refined over more than a decade by the author. It has profoundly influenced the coordination of the development of the 3rd generation of mobile systems at Ericsson

    Improving the SGP: Taxes and Delegation Rather than Fines

    We analyze motivations for, and possible alternatives to, the Stability and Growth Pact (SGP). With regard to the former, we identify domestic policy failures and various cross-country spillover effects; with regard to the latter, we contrast an "economic-theory" perspective on optimal corrective measures with the "legalistic" perspective adopted in the SGP. We discuss the advantages of replacing the Pact's rigid rules backed by fines with corrective taxes (as far as spillover effects are concerned) and procedural rules and limited delegation of fiscal powers (as far as domestic policy failures are concerned). This would not only enhance the efficiency of the Pact, but also render it easier to enforce. Stability and Growth Pact; spillover effects; policy failures; Pigouvian taxes; policy delegation

    Confidentiality and Disclosure in Accreditation

    The law and the internal policies of accrediting entities have protected the confidentiality of accreditation information, but regulators who rely on accreditation decisions for public purposes are demanding greater access to this information. The litigation involving access to accrediting information is examined

    Improving the SGP: Taxes and Delegation rather than Fines

    We analyze motivations for, and possible alternatives to, the Stability and Growth Pact (SGP). With regard to the former, we identify domestic policy failures and various cross-country spillover effects; with regard to the latter, we contrast an "economic-theory" perspective on optimal corrective measures with the "legalistic" perspective adopted in the SGP. We discuss the advantages of replacing the Pact's rigid rules backed by fines with corrective taxes (as far as spillover effects are concerned) and procedural rules and limited delegation of fiscal powers (as far as domestic policy failures are concerned). This would not only enhance the efficiency of the Pact, but also render it easier to enforce. Stability and Growth Pact, spillover effects, policy failures, Pigouvian taxes, policy delegation