Using a public key registry for improved trust and scalability in national E-health systems

An increasing number of countries are faced with an aging population increasingly needing healthcare services. For any e-health information system, the need for increased trust by such clients with potentially little knowledge of any security scheme involved is paramount. In addition notable scalability of any system has become a critical aspect of system design, development and ongoing management. Meanwhile cryptographic systems provide the security provisions needed for confidentiality, authentication, integrity and non-repudiation. Cryptographic key management, however, must be secure, yet efficient and effective in developing an attitude of trust in system users. Digital certificate-based Public Key Infrastructure has long been the technology of choice or availability for information security/assurance; however, there appears to be a notable lack of successful implementations and deployments globally. Moreover, recent issues with associated Certificate Authority security have damaged trust in these schemes. This paper proposes the adoption of a centralised public key registry structure, a non-certificate based scheme, for large scale e-health information systems. The proposed structure removes complex certificate management, revocation and a complex certificate validation structure while maintaining overall system security. Moreover, the registry concept may be easier for both healthcare professionals and patients to understand and trust.

Cryptanalysis of the convex hull click human identification protocol

Recently a convex hull based human identification protocol was proposed by Sobrado and Birget, whose steps can be performed by humans without additional aid. The main part of the protocol involves the user mentally forming a convex hull of secret icons in a set of graphical icons and then clicking randomly within this convex hull. In this paper we show two efficient probabilistic attacks on this protocol which reveal the user’s secret after the observation of only a handful of authentication sessions. We show that while the first attack can be mitigated through appropriately chosen values of system parameters, the second attack succeeds with a non-negligible probability even with large system parameter values which cross the threshold of usability.

Social engineering in social networking sites : how good becomes evil

Social Engineering (ES) is now considered the great security threat to people and organizations. Ever since the existence of human beings, fraudulent and deceptive people have used social engineering tricks and tactics to trick victims into obeying them. There are a number of social engineering techniques that are used in information technology to compromise security defences and attack people or organizations such as phishing, identity theft, spamming, impersonation, and spaying. Recently, researchers have suggested that social networking sites (SNSs) are the most common source and best breeding grounds for exploiting the vulnerabilities of people and launching a variety of social engineering based attacks. However, the literature shows a lack of information about what types of social engineering threats exist on SNSs. This study is part of a project that attempts to predict a persons’ vulnerability to SE based on demographic factors. In this paper, we demonstrate the different types of social engineering based attacks that exist on SNSs, the purposes of these attacks, reasons why people fell (or did not fall) for these attacks, based on users’ opinions. A qualitative questionnaire-based survey was conducted to collect and analyse people’s experiences with social engineering tricks, deceptions, or attacks on SNSs.

Social engineering in social networking sites : the art of impersonation

Social networking sites (SNSs), with their large number of users and large information base, seem to be the perfect breeding ground for exploiting the vulnerabilities of people, who are considered the weakest link in security. Deceiving, persuading, or influencing people to provide information or to perform an action that will benefit the attacker is known as “social engineering.” Fraudulent and deceptive people use social engineering traps and tactics through SNSs to trick users into obeying them, accepting threats, and falling victim to various crimes such as phishing, sexual abuse, financial abuse, identity theft, and physical crime. Although organizations, researchers, and practitioners recognize the serious risks of social engineering, there is a severe lack of understanding and control of such threats. This may be partly due to the complexity of human behaviors in approaching, accepting, and failing to recognize social engineering tricks. This research aims to investigate the impact of source characteristics on users’ susceptibility to social engineering victimization in SNSs, particularly Facebook. Using grounded theory method, we develop a model that explains what and how source characteristics influence Facebook users to judge the attacker as credible.

Designing and implementing usable and useful Accountable-eHealth systems

This tutorial primarily focuses on the technical challenges surrounding the design and implementation of Accountable-eHealth (AeH) systems. The potential benefits of shared eHealth records systems are promising for the future of improved healthcare; however, their uptake is hindered by concerns over the privacy and security of patient information. In the current eHealth environment, there are competing requirements between healthcare consumers' (i.e. patients) requirements and healthcare professionals' requirements. While consumers want control over their information, healthcare professionals want access to as much information as required in order to make well informed decisions. This conflict is evident in the review of Australia's PCEHR system. Accountable-eHealth systems aim to balance these concerns by implementing Information Accountability (IA) mechanisms. AeH systems create an eHealth environment where health information is available to the right person at the right time without rigid barriers whilst empowering the consumers with information control and transparency, thus, enabling the creation of shared eHealth records that can be useful to both patients and HCPs. In this half-day tutorial, we will discuss and describe the technical challenges surrounding the implementation of AeH systems and the solutions we have devised. A prototype AeH system will be used to demonstrate the functionality of AeH systems, and illustrate some of the proposed solutions. The topics that will be covered include: designing for usability in AeH systems, the privacy and security of audit mechanisms, providing for diversity of users, the scalability of AeH systems, and finally the challenges of enabling research and Big Data Analytics on shared eHealth Records while ensuring accountability and privacy are maintained.

Implementing a new genre of eHealth system in a reticent environment

This tutorial primarily focuses on the social aspects of implementing a novel eHealth systems called Accountable-eHealth (AeH) systems. The main focus of AeH systems is mitigating information privacy concerns whilst facilitating appropriate access to information for users, and is based on the principles of information accountability (IA).

Improving out-domain PLDA speaker verification using unsupervised inter-dataset variability compensation approach

Experimental studies have found that when the state-of-the-art probabilistic linear discriminant analysis (PLDA) speaker verification systems are trained using out-domain data, it significantly affects speaker verification performance due to the mismatch between development data and evaluation data. To overcome this problem we propose a novel unsupervised inter dataset variability (IDV) compensation approach to compensate the dataset mismatch. IDV-compensated PLDA system achieves over 10% relative improvement in EER values over out-domain PLDA system by effectively compensating the mismatch between in-domain and out-domain data.

Transaction-based QoS management in a Hybrid Wireless Superstore Environment

Hybrid wireless networks are extensively used in the superstores, market places, malls, etc. and provide high QoS (Quality of Service) to the end-users has become a challenging task. In this paper, we propose a policy-based transaction-aware QoS management architecture in a hybrid wireless superstore environment. The proposed scheme operates at the transaction level, for the downlink QoS management. We derive a policy for the estimation of QoS parameters, like, delay, jitter, bandwidth, availability, packet loss for every transaction before scheduling on the downlink. We also propose a QoS monitor which monitors the specified QoS and automatically adjusts the QoS according to the requirement. The proposed scheme has been simulated in hybrid wireless superstore environment and tested for various superstore transactions. The results shows that the policy-based transaction QoS management is enhance the performance and utilize network resources efficiently at the peak time of the superstore business.

A dynamic topology management in a hybrid wireless superstore network

with the development of large scale wireless networks, there has been short comings and limitations in traditional network topology management systems. In this paper, an adaptive algorithm is proposed to maintain topology of hybrid wireless superstore network by considering the transactions and individual network load. The adaptations include to choose the best network connection for the response, and to perform network Connection switching when network situation changes. At the same time, in terms of the design for topology management systems, aiming at intelligence, real-time, the study makes a step-by-step argument and research on the overall topology management scheme. Architecture for the adaptive topology management of hybrid wireless networking resources is available to user’s mobile device. Simulation results describes that the new scheme has outperformed the original topology management and it is simpler than the original rate borrowing scheme.

High accuracy android malware detection using ensemble learning

With over 50 billion downloads and more than 1.3 million apps in Google’s official market, Android has continued to gain popularity amongst smartphone users worldwide. At the same time there has been a rise in malware targeting the platform, with more recent strains employing highly sophisticated detection avoidance techniques. As traditional signature based methods become less potent in detecting unknown malware, alternatives are needed for timely zero-day discovery. Thus this paper proposes an approach that utilizes ensemble learning for Android malware detection. It combines advantages of static analysis with the efficiency and performance of ensemble machine learning to improve Android malware detection accuracy. The machine learning models are built using a large repository of malware samples and benign apps from a leading antivirus vendor. Experimental results and analysis presented shows that the proposed method which uses a large feature space to leverage the power of ensemble learning is capable of 97.3 % to 99% detection accuracy with very low false positive rates.

Nature des perceptions entourant les qualités écologiques des objets à caractère artisanal

Depuis quelques temps, on note que les objets d’apparence artisanale symbolisent souvent des qualités écologiques telles que des matériaux naturels et une fabrication éthique. Les visées de l’étude ont été d’explorer les perceptions à l’égard des objets à caractère artisanal et cela, en vue de reconnaître quelles qualités écologiques sont attribuées à ces derniers, tout en tentant de comprendre les raisons qui se cachent derrière ces associations. Une étude auprès d’usagers a permis d’explorer l’ensemble des qualités pouvant être liées à ce type d’objet, en considérant plus précisément le rapport entre les qualités écologiques leur étant accordées et leur durée de vie projetée. Pour ce faire, au cours d’entretiens individuels, des thèmes comme l’appréciation à long terme, la signification et la considération de la diversité culturelle ont été examinés. Les résultats montrent entre autres que les objets à caractère artisanal sont caractérisés comme étant composés de matériaux naturels et sains pour la santé des usagers. Leur usure est reconnue comme éveillant les représentations quant à leur « histoire », alors que leur originalité leur confère une « âme ». Enfin, car ils sont considérés comme ayant été fabriqués par des créateurs autonomes, ces objets sont associés à des conditions de travail éthiques et sont perçus comme étant capables de faire tourner l’économie locale. Les renseignements recueillis peuvent informer les théories et la pratique en design industriel quant à la disposition des objets à caractère artisanal à être appréciés par les usagers, de leur durée de vie projetée et du désir de les entretenir et de les léguer. Ce projet constitue un premier répertoire des perceptions entourant ce type d’objet, un champ de recherche encore très peu documenté, malgré qu’il s’inscrive à l’intérieur d’un contexte environnemental et social bien actuel. Les résultats obtenus contribuent à leur façon à la perspective d’une conception, d’une fabrication et d’une consommation davantage viables.

PROTECT_U: Un système communautaire pour la protection des usagers de Facebook

Article publié dans le journal « Journal of Information Security Research ». March 2012.

Cadre juridique de l'utilisation de la biométrie au Québec : sécurité et vie privée

La biométrie, appliquée dans un contexte de traitement automatisé des données et de reconnaissance des identités, fait partie de ces technologies nouvelles dont la complexité d’utilisation fait émerger de nouveaux enjeux et où ses effets à long terme sont incalculables. L’envergure des risques suscite des questionnements dont il est essentiel de trouver les réponses. On justifie le recours à cette technologie dans le but d’apporter plus de sécurité, mais, vient-elle vraiment apporter plus de protection dans le contexte actuel? En outre, le régime législatif québécois est-il suffisant pour encadrer tous les risques qu’elle génère? Les technologies biométriques sont flexibles en ce sens qu’elles permettent de saisir une multitude de caractéristiques biométriques et offrent aux utilisateurs plusieurs modalités de fonctionnement. Par exemple, on peut l’utiliser pour l’identification tout comme pour l’authentification. Bien que la différence entre les deux concepts puisse être difficile à saisir, nous verrons qu’ils auront des répercussions différentes sur nos droits et ne comporteront pas les mêmes risques. Par ailleurs, le droit fondamental qui sera le plus touché par l’utilisation de la biométrie sera évidemment le droit à la vie privée. Encore non bien compris, le droit à la vie privée est complexe et son application est difficile dans le contexte des nouvelles technologies. La circulation des données biométriques, la surveillance accrue, le détournement d’usage et l’usurpation d’identité figurent au tableau des risques connus de la biométrie. De plus, nous verrons que son utilisation pourra avoir des conséquences sur d’autres droits fondamentaux, selon la manière dont le système est employé. Les tests de nécessité du projet et de proportionnalité de l’atteinte à nos droits seront les éléments clés pour évaluer la conformité d’un système biométrique. Ensuite, le succès de la technologie dépendra des mesures de sécurité mises en place pour assurer la protection des données biométriques, leur intégrité et leur accès, une fois la légitimité du système établie.

Percepción de los trabajadores acerca del sistema de seguridad y salud en el trabajo en un hospital de III nivel, Bogotá-Colombia. 2014.

Objetivo: Evaluar la percepción que tienen los trabajadores acerca del sistema de seguridad y salud en el trabajo en la población asistencial y administrativa en un Hospital de III nivel de atención., Bogotá-Colombia. Materiales y métodos: Estudio de corte transversal en población de trabajadores asistenciales y administrativos. Se aplicó el “Cuestionario Nórdico Sobre Seguridad en el Trabajo NOSACQ 50 Spanish” validado. La muestra fue probabilística estratificada aleatoria, en 308 trabajadores (230 asistenciales y 78 administrativos). Resultados: El promedio de edad fue 39.5± 12 años, con mayor frecuencia de género femenino (74.68%), estado civil soltero (38.96%) y nivel educativo técnico (34.40%). La percepción que tienen los trabajadores acerca del sistema de seguridad y salud en el trabajo fue independiente de su tipo de actividad laboral administrativa y asistencial (p>0.05), la mayor percepción en ambos grupos fue la confianza de los trabajadores en la eficacia del sistema de seguridad (2.71 y 2.77), y las de menor percepción presentaron el empoderamiento de seguridad de gestión (2.35 y 2.46) y la seguridad como prioridad de los empleados y rechazo del riesgo (2.35 y 2.40). Conclusiones: Los trabajadores del Hospital tienen un nivel adecuado de buena percepción acerca de los aspectos de seguridad y salud en el trabajo donde se evidenció que la fortaleza es la confianza de los trabajadores en la eficacia del sistema y la debilidad del sistema se encuentra en la falta de empoderamiento y rechazo al riesgo.