"On the Road" - Reflections on the Security of Vehicular Communication Systems

Vehicular communication (VC) systems have recently drawn the attention of industry, authorities, and academia. A consensus on the need to secure VC systems and protect the privacy of their users led to concerted efforts to design security architectures. Interestingly, the results different project contributed thus far bear extensive similarities in terms of objectives and mechanisms. As a result, this appears to be an auspicious time for setting the corner-stone of trustworthy VC systems. Nonetheless, there is a considerable distance to cover till their deployment. This paper ponders on the road ahead. First, it presents a distillation of the state of the art, covering the perceived threat model, security requirements, and basic secure VC system components. Then, it dissects predominant assumptions and design choices and considers alternatives. Under the prism of what is necessary to render secure VC systems practical, and given possible non-technical influences, the paper attempts to chart the landscape towards the deployment of secure VC systems

Designing Interactive Secure Systems: CHI 2013 Special Interest Group

Despite a growing interest in the design and engineering of interactive secure systems, there is also a noticeable amount of fragmentation. This has led to a lack of awareness about what research is currently being carried out, and misunderstandings about how different fields can contribute to the design of usable and secure systems. By drawing interested members of the CHI community from design, user experience, engineering, and HCI Security, this SIG will take the first steps towards creating a research agenda for interactive secure system design. In the SIG, we will summarise recent initiatives to develop a research programme in interactive secure system design, network members of the CHI community with an interest in this research area, and initiate a roadmap towards addressing identified research challenges and building an interactive secure system design community

Utilising socio-technical systems design principles to implement new ICT systems

The optimum joint design of social and technical systems (socio-technical systems) is a pre-requisite for successful implementation of technological innovation in organizations, which is ultimately pivotal for competitive performance. Literature suggests a lack of consideration towards socio-technical systems design in the implementation of new Information and Communication Technology (ICT) systems. This results in system failure or less than optimum systems and organization performance. This paper attempts to address this gap by proposing a methodology based on socio-technical systems design principles to guide ICT managers in implementing new ICT systems within construction organizations. Essential features of this methodology include proactively involving the user in the design process and involving them in design decisions. Appropriate use of this methodology should secure user support and commitment, which should ultimately help to reduce resistance to change, enhance user acceptance and organizational competitiveness

Proceedings of International Workshop "Global Computing: Programming Environments, Languages, Security and Analysis of Systems"

According to the IST/ FET proactive initiative on GLOBAL COMPUTING, the goal is to obtain techniques (models, frameworks, methods, algorithms) for constructing systems that are flexible, dependable, secure, robust and efficient. The dominant concerns are not those of representing and manipulating data efficiently but rather those of handling the co-ordination and interaction, security, reliability, robustness, failure modes, and control of risk of the entities in the system and the overall design, description and performance of the system itself. Completely different paradigms of computer science may have to be developed to tackle these issues effectively. The research should concentrate on systems having the following characteristics: • The systems are composed of autonomous computational entities where activity is not centrally controlled, either because global control is impossible or impractical, or because the entities are created or controlled by different owners. • The computational entities are mobile, due to the movement of the physical platforms or by movement of the entity from one platform to another. • The configuration varies over time. For instance, the system is open to the introduction of new computational entities and likewise their deletion. The behaviour of the entities may vary over time. • The systems operate with incomplete information about the environment. For instance, information becomes rapidly out of date and mobility requires information about the environment to be discovered. The ultimate goal of the research action is to provide a solid scientific foundation for the design of such systems, and to lay the groundwork for achieving effective principles for building and analysing such systems. This workshop covers the aspects related to languages and programming environments as well as analysis of systems and resources involving 9 projects (AGILE , DART, DEGAS , MIKADO, MRG, MYTHS, PEPITO, PROFUNDIS, SECURE) out of the 13 founded under the initiative. After an year from the start of the projects, the goal of the workshop is to fix the state of the art on the topics covered by the two clusters related to programming environments and analysis of systems as well as to devise strategies and new ideas to profitably continue the research effort towards the overall objective of the initiative. We acknowledge the Dipartimento di Informatica and Tlc of the University of Trento, the Comune di Rovereto, the project DEGAS for partially funding the event and the Events and Meetings Office of the University of Trento for the valuable collaboration

E-infrastructures fostering multi-centre collaborative research into the intensive care management of patients with brain injury

Clinical research is becoming ever more collaborative with multi-centre trials now a common practice. With this in mind, never has it been more important to have secure access to data and, in so doing, tackle the challenges of inter-organisational data access and usage. This is especially the case for research conducted within the brain injury domain due to the complicated multi-trauma nature of the disease with its associated complex collation of time-series data of varying resolution and quality. It is now widely accepted that advances in treatment within this group of patients will only be delivered if the technical infrastructures underpinning the collection and validation of multi-centre research data for clinical trials is improved. In recognition of this need, IT-based multi-centre e-Infrastructures such as the Brain Monitoring with Information Technology group (BrainIT - www.brainit.org) and Cooperative Study on Brain Injury Depolarisations (COSBID - www.cosbid.de) have been formed. A serious impediment to the effective implementation of these networks is access to the know-how and experience needed to install, deploy and manage security-oriented middleware systems that provide secure access to distributed hospital based datasets and especially the linkage of these data sets across sites. The recently funded EU framework VII ICT project Advanced Arterial Hypotension Adverse Event prediction through a Novel Bayesian Neural Network (AVERT-IT) is focused upon tackling these challenges. This chapter describes the problems inherent to data collection within the brain injury medical domain, the current IT-based solutions designed to address these problems and how they perform in practice. We outline how the authors have collaborated towards developing Grid solutions to address the major technical issues. Towards this end we describe a prototype solution which ultimately formed the basis for the AVERT-IT project. We describe the design of the underlying Grid infrastructure for AVERT-IT and how it will be used to produce novel approaches to data collection, data validation and clinical trial design is also presented

What is a Secure Programming Language?

Our most sensitive and important software systems are written in programming languages that are inherently insecure, making the security of the systems themselves extremely challenging. It is often said that these systems were written with the best tools available at the time, so over time with newer languages will come more security. But we contend that all of today\u27s mainstream programming languages are insecure, including even the most recent ones that come with claims that they are designed to be "secure". Our real criticism is the lack of a common understanding of what "secure" might mean in the context of programming language design. We propose a simple data-driven definition for a secure programming language: that it provides first-class language support to address the causes for the most common, significant vulnerabilities found in real-world software. To discover what these vulnerabilities actually are, we have analysed the National Vulnerability Database and devised a novel categorisation of the software defects reported in the database. This leads us to propose three broad categories, which account for over 50% of all reported software vulnerabilities, that as a minimum any secure language should address. While most mainstream languages address at least one of these categories, interestingly, we find that none address all three. Looking at today\u27s real-world software systems, we observe a paradigm shift in design and implementation towards service-oriented architectures, such as microservices. Such systems consist of many fine-grained processes, typically implemented in multiple languages, that communicate over the network using simple web-based protocols, often relying on multiple software environments such as databases. In traditional software systems, these features are the most common locations for security vulnerabilities, and so are often kept internal to the system. In microservice systems, these features are no longer internal but external, and now represent the attack surface of the software system as a whole. The need for secure programming languages is probably greater now than it has ever been

Malware-Resistant Protocols for Real-World Systems

Cryptographic protocols are widely used to protect real-world systems from attacks. Paying for goods in a shop, withdrawing money or browsing the Web; all these activities are backed by cryptographic protocols. However, in recent years a potent threat became apparent. Malware is increasingly used in attacks to bypass existing security mechanisms. Many cryptographic protocols that are used in real-world systems today have been found to be susceptible to malware attacks. One reason for this is that most of these protocols were designed with respect to the Dolev-Yao attack model that assumes an attacker to control the network between computer systems but not the systems themselves. Furthermore, most real-world protocols do not provide a formal proof of security and thus lack a precise definition of the security goals the designers tried to achieve. This work tackles the design of cryptographic protocols that are resilient to malware attacks, applicable to real-world systems, and provably secure. In this regard, we investigate three real-world use cases: electronic payment, web authentication, and data aggregation. We analyze the security of existing protocols and confirm results from prior work that most protocols are not resilient to malware. Furthermore, we provide guidelines for the design of malware-resistant protocols and propose such protocols. In addition, we formalize security notions for malware-resistance and use a formal proof of security to verify the security guarantees of our protocols. In this work we show that designing malware-resistant protocols for real-world systems is possible. We present a new security notion for electronic payment and web authentication, called one-out-of-two security, that does not require a single device to be trusted and ensures that a protocol stays secure as long as one of two devices is not compromised. Furthermore, we propose L-Pay, a cryptographic protocol for paying at the point of sale (POS) or withdrawing money at an automated teller machine (ATM) satisfying one-out-of-two security, FIDO2 With Two Displays (FIDO2D) a cryptographic protocol to secure transactions in the Web with one-out-of-two security and Secure Aggregation Grouped by Multiple Attributes (SAGMA), a cryptographic protocol for secure data aggregation in encrypted databases. In this work, we take important steps towards the use of malware-resistant protocols in real-world systems. Our guidelines and protocols can serve as templates to design new cryptographic protocols and improve security in further use cases

Components of effective safety and health management system towards the awareness of Occupational Safety and Health Administration (OSHA) at Government Owned Company Kuala Lumpur / Noorlaila Hj Yunus and Nur ‘Aliya Hj Abdullah Tahmidi

Every organization should put safety and health of employees at the top of priority. A safety and health management system or safety program can help the employees to improve job performance, boost employee’s motivation and satisfaction. The most important is employers and employees will feel secure and safe at the workplace. Occupational Safety and Health Administration (OSHA) in an organization could help to prevent any possible illnesses, injuries and accidents happen in working environment. Several studies have been conducted that clarified some of the components of effective safety and health management systems towards the awareness of OSHA. The focus of this study is to identify the most influential components of effective safety and health management systems towards the awareness of OSHA and also to examine the relationship between the components of effective safety and health management systems towards the awareness of OSHA. Thus, the researcher chooses correlational research design in order to achieve the objectives of the study. In this study, 250 employees who are working in GOC, Kuala Lumpur have been involved in a survey

Components of effective safety and health management system towards the awareness of Occupational Safety and Health Administration (OSHA) at government owned company Kuala Lumpur / Noorlaila Hj Yunus and Nur ‘Aliya Hj Abdullah Tahmidi

Every organization should put safety and health of employees at the top of priority. A safety and health management system or safety program can help the employees to improve job performance, boost employee’s motivation and satisfaction. The most important is employers and employees will feel secure and safe at the workplace. Occupational Safety and Health Administration (OSHA) in an organization could help to prevent any possible illnesses, injuries and accidents happen in working environment. Several studies have been conducted that clarified some of the components of effective safety and health management systems towards the awareness of OSHA. The focus of this study is to identify the most influential components of effective safety and health management systems towards the awareness of OSHA and also to examine the relationship between the components of effective safety and health management systems towards the awareness of OSHA. Thus, the researcher chooses correlational research design in order to achieve the objectives of the study. In this study, 250 employees who are working in GOC, Kuala Lumpur have been involved in a survey