Team for Research in
Ubiquitous Secure Technology

2009 TRUST Research Experiences for Undergraduates

Program Overview

The Team for Research in Ubiquitous Secure Technology sponsored ten undergraduate students to participate in the summer 2009 TRUST-REU program. Below are descriptions of the 2009 TRUST-REU research projects and links to each student's or team's research report, poster, and final presentation.

Research Projects

Shannon Canty

Clemson University

User Control of Flash Cookies
The use of flash cookies has raised new concerns about tracking individuals online. Often companies claim to use cookies to enable users to access all parts of a website or to expedite processes. Other uses include tracking individuals and assessing their interests for advertising purposes. Like html cookies, flash cookies allow companies to assign unique identifiers to individual computers, which allow them to be tracked. Html cookies can be readily deleted, but flash cookies often remain on hard drives because of a lack of easy-to-use controls and a lack of knowledge of their existence. In this pilot study, the user's control of flash cookies was investigated by adjusting the Adobe website settings, and using BetterPrivacy to determine what content is stored on the user's computer for Quantcast's top 100 sites, as well as how the functionality of these sites were compromised after these adjustments. The purpose of this study was to increase knowledge about flash cookies, their use, and the adequacy of consumer controls to better inform consumers, businesses, and policymakers about potential invasive uses of this technology. We found that use of the appropriate flash player settings rendered more user control of flash content, but also caused the user to encounter functionality issues, as well as provided a trail of sites with which the user could be tracked.

Benjamin Christen

Youngstown State University

Michael Walker
Youngstown State University

Privacy Scrubber: Means to Obfuscate Personal Data from Benign Application Leakage
A wide range of personal information is distributed over the Internet by benign software applications. These applications have access to user name, host name, a list of components in and attached to the computer and many other pieces of information that can be used for tracking or profiling purposes. These benign applications can and do send such private information to not only the developers, but also to marketing and tracking services.

Jerald Dawson
Jackson State University

Identification of Bad Data
A power grid is a complex system that connects electrical power generators to consumers through power transmission and distribution networks across a large area. In order to protect these grids, the systems have to be monitored. This type of monitoring, known as state estimation, has been used to help detect bad measurements that would not allow the system function properly. The techniques take down any problem it encountered, whether or not it is done by an attacker. That scenario is incorrect even though those types of attacks should be considered as a bad measurement.

In this paper, a fairly new class of attacks is presented against state estimation. This type of attack is known as false data injection. This paper is model by the paper, "False Data Injection Attacks against State Estimation in Electric Power Grids," written by Yao Liu, Peng Ning, and Michael K. Reiter. The goals of this project are to investigate attacks against state estimation algorithms, investigate attacks that are undetected given currently-used fault detection algorithms and see if we can propose new detection algorithms that are better for identifying false data injection attacks. We are going to have two different case types. In one, the attacker will be constrained to specific meters and the other will have limitations in the resources required to give and take meters. We show how both cases are attackable. We use an IEEE 14-bus system to demonstrate by simulation. We also run the chi-squared and normalized residual tests on different attacks and evaluate their detection abilities. Our research will show that the security of power grids needs to be reevaluated.

Elie El Chartouni
San Jose State University

Diaminatou Goudiaby
Elizabeth City State University

Brice Sorrells
University of Minnesota

Development of a Children's Health Game for the Android Mobile Platform
This project is part of a larger endeavor to promote and monitor healthy activity using a distributed body sensor network. By using a variety of wearable sensors such as accelerometers, gyroscopes, gps, and air sensors along with a mobile base station, a person's health activity can be monitored and transmitted to doctors for analysis. Professor Ruzena Bajscy's research group has developed this technological framework, which they call DexterNet. DexterNet is being ported over to the Android Mobile platform and it needs health games and applications to go alongside it. This paper will discuss the motivation behind and the development of a children's health game created to be a part of the application suite that accompanies DexterNet.

Adam Magana
Youngstown State University

Tomorrow's Smart Power Grid:Crafting Security Measures Using State Estimation
The United States power grid is an advanced, robust piece of modern engineering. With the present revolution to make the power grid a 'smarter' system, using two-way data transmission between power usage meters and a control center (Supervisory Control and Data Aquisition - SCADA), comes the threat of falsified data being injected by attackers. Using a technique known as 'False Data Injection,' potential hackers could modify the output of a sensor, or multiple sensors to manipulate the automated reactions of the grid's control center. In this paper we use real-time measurements in order to provide the best estimate of the current operating state and use them to eliminate the abnormal values that may be injected by attackers. While successful attacks are possible, we find that attackers are required to not only infiltrate network communication but are also required to know specific and extensive details regarding network topology and parameters; a pressing challenge that calls for high coordination and timing.

Quentin Mayo
Jacksonville Science University

Flash Cookies and Analysis of Web-base Businesses' Privacy Practices involving Local Shared Objects.
Flash Cookies are emerging as a new consumer tracking technology. Flash Cookies, also known as Local Shared Objects, are similar to HTML cookies, but they can store more information and they are more persistent. Privacy issues are intensified by Flash Cookies because they are not controlled by the browser, and because consumers are likely to be unaware of their presence. This study focuses on the presence and operation of Flash Cookies on the top 100 websites.

Lauren Thomas
Louisiana State University

Exploring Privacy Through California's "Shine the Light" Law
California's Governor Gray Davis signed SB 27, the "Shine the Light" law, on September 23, 2003. This law allows California residents to contact companies with whom they have established business relationships within the past eighteen months and request information about how their personal information has been shared with third parties. Companies respond three ways: they can allow customers to opt out of third party sharing, disclose the third parties with whom they have shared information, or simply state that they do not share information with third parties for marketing purposes. Investigating the "Shine the Light" has shown that most companies will not respond unless they verify that the letter is from an actual customer. This study also shows that most companies do not share information with third parties for their direct marketing purposes. law gives researchers the opportunity to better understand how companies comply with consumer privacy laws, how these companies share personal information, and the challenges that consumers may experience when trying to assert their privacy rights. We contacted 112 companies requesting a response about the distribution of their consumers' personal information. These companies had thirty days to respond to the requests. The results will inform consumers and policymakers about how companies comply with statutory privacy laws. With this information, consumers and policymakers will learn more about largely opaque data sharing practices among businesses. Additionally, this effort will assist companies in developing more effective responses to privacy inquiries.