tag:blogger.com,1999:blog-78602965976227164012024-03-13T08:43:10.798-04:00Technology and Information SecurityThere is no place like 127.0.0.1John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.comBlogger71125tag:blogger.com,1999:blog-7860296597622716401.post-38010329972115986042014-03-15T16:32:00.001-04:002014-03-15T16:32:11.475-04:00SAQ A v2.0 vs. SAQ A v3.0 Eligibility Criteria<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.pcisecuritystandards.org/images/logo.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://www.pcisecuritystandards.org/images/logo.png" /></a></div>
Now that the PCI SSC has released the updated versions of the Self-Assessment Questionnaires, I would like to share my opinion on SAQ A v3.0 and SAQ A-EP v3.0.<br />
<br />
My initial impression was that SAQ A v3.0 and SAQ A-EP v3.0 would have a major impact on the payment card industry: the former introduces more stringent eligibility criteria, and the latter a far larger set of applicable PCI DSS requirements (SAQ A-EP covers almost the same requirements as SAQ C). However, after careful review of the eligibility criteria of SAQ A v2.0, SAQ A v3.0 and SAQ A-EP v3.0, and of the actual impact SAQ A-EP v3.0 will have on merchants, the change is not that drastic.<br />
<br />
Let's compare the eligibility criteria of SAQ A v3.0 with those of SAQ A v2.0. Aside from requiring that third-party providers be PCI DSS <b>validated</b> (merely "compliant" is no longer acceptable), the additional criteria include:<br />
<br />
<ul>
<li>All payment acceptance and processing are entirely outsourced to PCI DSS <b>validated</b> third-party service providers;</li>
<li>Your company has <b>no direct control</b> of the manner in which cardholder data is captured, processed, transmitted, or stored;</li>
</ul>
<br />
<i>Additionally, for e-commerce channels: </i><br />
<ul>
<li>The entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS <b>validated</b> service provider(s).</li>
</ul>
<br />
For merchants that accept payment information through mail/telephone order only, the impact is minimal. For the e-commerce channel, where SAQ A-EP v3.0 also comes into play, the difference can be summarized in one word: hosting, namely who hosts the web site (and the payment pages). Moreover, I can see some merchants successfully arguing that the "traditional" redirection to a hosted payment provider, exactly the scenario SAQ A-EP v3.0 was written for, is still eligible to validate compliance using SAQ A v3.0.<br />
<br />
For the sake of argument, let's consider a typical scenario in which a merchant self-hosts an e-commerce web server that redirects to a third-party payment provider. Are all payment acceptance and processing outsourced to PCI DSS validated third-party service providers? <b>Yes.</b> Does the merchant have no direct control over the manner in which cardholder data is captured, processed, transmitted, or stored? <b>Yes</b>, it is all handled by the third-party payment processor. Do all payment pages delivered to the consumer's browser originate directly from a third-party PCI DSS validated service provider? Here, if we define payment pages as the web pages where cardholder data is entered by the consumer, then the answer is still <b>yes</b>.<br />
<br />
We can also define "all payment pages" as the entire e-commerce data flow (i.e. the entire e-commerce web site), which potentially disqualifies the merchant from validating compliance using SAQ A v3.0. The security argument for this broader reading is that the page that performs the redirect is served by the merchant, so whoever compromises the merchant's web server can change where the consumer's browser is sent. However, if we slightly change the scenario so that the web server is hosted by a PCI DSS validated service provider (e.g. Amazon AWS), then both the e-commerce pages and the payment pages originate directly from third-party PCI DSS validated service providers. Whether an assessor accepts that reading is another matter: a hosting provider's validation covers the infrastructure it operates, not the merchant's application code deployed on it.<br />
<br />
So what is the intent behind the choice of words and the additional requirements of SAQ A v3.0? Is it to force merchants to use validated third-party service providers, and to migrate to solutions hosted (again) by validated third-party service providers? The alternative is, arguably, to comply with the far more comprehensive SAQ A-EP v3.0.John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-83209776486626532752013-05-14T11:28:00.000-04:002013-05-14T11:44:14.808-04:00Linux/Unix Secure Password Generator<div class="separator" style="clear: both; text-align: center;">
<a href="http://www4.pcmag.com/media/images/273003-passwords.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://www4.pcmag.com/media/images/273003-passwords.jpg" width="200" /></a></div>
Linux provides a built-in way to generate strong random passwords with a few piped commands:<br />
<blockquote class="tr_bq">
cat /dev/urandom | tr -dc '[:print:]' | head -c 8</blockquote>
A special file <span style="font-family: "Courier New",Courier,monospace;">/dev/urandom</span> provides an interface to a Linux kernel random number generator which gathers environmental noise from device drivers and other sources into an entropy pool.<br />
<br />
Notes: <br />
<ol>
<li>The <span style="font-family: "Courier New",Courier,monospace;">-c 8</span> parameter controls the length of the password. Eight characters drawn from the 95 printable ASCII characters give roughly 52 bits of entropy; 16 or more characters are advisable for anything that is not rate-limited.</li>
<li><span style="font-family: "Courier New",Courier,monospace;">[:print:]</span> (complexity) can be substituted with <span style="font-family: "Courier New",Courier,monospace;">[:alpha:][:digit:]</span> (or <span style="font-family: "Courier New",Courier,monospace;">[:alnum:]</span>) for a less complex password. Note that <span style="font-family: "Courier New",Courier,monospace;">[:print:]</span> includes the space character; <span style="font-family: "Courier New",Courier,monospace;">[:graph:]</span> is the same set without it.</li>
<li>The character class must be quoted (<span style="font-family: "Courier New",Courier,monospace;">'[:print:]'</span>): unquoted, the shell treats it as a filename glob and may replace it with the names of matching files in the current directory before <span style="font-family: "Courier New",Courier,monospace;">tr</span> ever sees it.</li>
</ol>
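The same pipeline, wrapped into reusable functions as an added example (my code, not the post's): the character class is quoted so the shell cannot glob-expand it, and a second function estimates the entropy of a password of a given length so the length is chosen deliberately. It assumes a POSIX sh with <span style="font-family: "Courier New",Courier,monospace;">tr</span>, <span style="font-family: "Courier New",Courier,monospace;">head -c</span>, <span style="font-family: "Courier New",Courier,monospace;">wc</span> and <span style="font-family: "Courier New",Courier,monospace;">awk</span> available; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the /dev/urandom | tr | head
# pipeline as functions, with the tr class quoted and an entropy estimate.

# Force byte semantics: in a UTF-8 locale some tr implementations reject the
# arbitrary bytes that /dev/urandom produces.
LC_ALL=C
export LC_ALL

# genpw LENGTH [CLASS]
# Emit LENGTH characters drawn uniformly from CLASS (a tr character set).
# The default, [:graph:], is [:print:] without the space character.
genpw() {
    tr -dc "${2:-[:graph:]}" < /dev/urandom | head -c "${1:-16}"
}

# charset_size CLASS
# Count how many of the 255 non-NUL byte values survive "tr -dc CLASS";
# this is the alphabet size the password is drawn from (94 for [:graph:]).
charset_size() {
    i=1
    while [ "$i" -le 255 ]; do
        # printf interprets \NNN (octal) in its format string
        printf "\\$(printf '%03o' "$i")"
        i=$((i + 1))
    done | tr -dc "$1" | wc -c | tr -d ' '
}

# entropy_bits LENGTH CLASS
# Entropy of a LENGTH-character password drawn uniformly from CLASS,
# i.e. LENGTH * log2(alphabet size), truncated to a whole number of bits.
entropy_bits() {
    n=$(charset_size "$2")
    awk -v l="$1" -v n="$n" 'BEGIN { printf "%d", l * log(n) / log(2) }'
}

# Usage: a 16-character password from the full printable set (about 104 bits)
# and a 12-character alphanumeric one (about 71 bits).
pw=$(genpw 16)
printf '%s  (%s bits)\n' "$pw" "$(entropy_bits 16 '[:graph:]')"
pw=$(genpw 12 '[:alnum:]')
printf '%s  (%s bits)\n' "$pw" "$(entropy_bits 12 '[:alnum:]')"
```

The entropy figure assumes <span style="font-family: "Courier New",Courier,monospace;">/dev/urandom</span> is uniform over bytes, which is why the length is the only knob that matters once the alphabet is fixed; shrinking the alphabet to alphanumerics costs about 0.6 bits per character, which a few extra characters more than recover.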
John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-45903115650593428782013-04-01T09:32:00.000-04:002013-04-01T12:35:09.801-04:00SECURE Python Django Database SettingsI have started to use the Python Django web framework (<i>The Web framework for perfectionists with deadlines</i>) and was shocked that still, in 2013, the official documentation (<a href="https://docs.djangoproject.com/en/dev/ref/settings/">https://docs.djangoproject.com/en/dev/ref/settings/</a>) and the <i>"experts"</i> on stack<b>overflow</b> (<a href="http://stackoverflow.com/questions/3540339/is-it-okay-that-database-credentials-are-stored-in-plain-text">http://stackoverflow.com/questions/3540339/is-it-okay-that-database-credentials-are-stored-in-plain-text</a>) recommend storing database connection credentials in clear text. As if databases never held confidential information (e.g. intellectual property) or private or otherwise sensitive data.<br />
<br />
Python has a keyring library (<a href="https://pypi.python.org/pypi/keyring">https://pypi.python.org/pypi/keyring</a>) that provides an easy way to access the system keyring service from Python, and it can be used in an application to store passwords safely.<br />
<br />
To install it on Ubuntu, make sure you have up-to-date pip Python package:<br />
<blockquote class="tr_bq">
sudo apt-get install python-pip<br />
sudo pip install pip -U</blockquote>
<br />
Then, using pip, install the keyring library:<br />
<blockquote class="tr_bq">
sudo pip install keyring</blockquote>
Finally, update <i>settings.py</i> with the following code so that the password is fetched from the keyring rather than written into the settings file. The first run must be interactive so that the password can be entered and stored. Be clear about what this buys you: the credential is no longer in the source tree, in version control or in backups of either, and the keyring encrypts it at rest; any process running as the same user with the keyring unlocked can still read it, so it does not defend against a compromise of the host itself.<br />
<br />
<blockquote class="tr_bq">
import keyring<br />
import getpass<br />
<br />
database_name = 'schema_name'<br />
username = 'administrator'<br />
# returns None until a password has been stored for this (service, user) pair<br />
password = keyring.get_password(database_name, username)<br />
<br />
while not password:<br />
    # first run only: ask the operator, then store the answer in the keyring<br />
    password = getpass.getpass(database_name + " Password:\n")<br />
    keyring.set_password(database_name, username, password)<br />
<br />
DATABASES = {<br />
    'default': {<br />
        'ENGINE': 'django.db.backends.mysql',<br />
        'NAME': database_name,  # Or path to database file if using sqlite3.<br />
        'USER': username,  # Not used with sqlite3.<br />
        'PASSWORD': password,  # Not used with sqlite3.<br />
        'HOST': 'db.inteliident.com',  # Set to empty string for localhost. Not used with sqlite3.<br />
        'PORT': '3306',  # Set to empty string for default. Not used with sqlite3.<br />
    }<br />
}</blockquote>
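The snippet above blocks in <span style="font-family: "Courier New",Courier,monospace;">getpass()</span> forever on a headless server, and loops forever if the keyring backend never stores anything. The following is an added example (my code, not the post's and not part of Django or the keyring package) of the same keyring-first lookup with those failure modes handled: an environment variable gives a deploy-time override, the prompt is only shown when a terminal is attached, and otherwise startup fails with a clear error. The environment variable naming convention, the function names and the <span style="font-family: "Courier New",Courier,monospace;">db.example.invalid</span> host are this example's own assumptions; the keyring backend is injectable so the logic runs without a real keyring.

```python
"""Resolving a Django database password without a clear-text literal.

Added example, not from the original post and not Django's or keyring's own
code. Lookup order: environment variable, keyring, interactive prompt (the
prompt only when a TTY is attached; otherwise fail fast).
"""
import getpass
import os
import re
import sys
from typing import Callable, Mapping, Optional


class SecretUnavailable(RuntimeError):
    """No source could supply the password without a human present."""


def env_var_name(service: str) -> str:
    """This example's convention: 'schema_name' -> 'SCHEMA_NAME_DB_PASSWORD'."""
    return re.sub(r"[^A-Za-z0-9]", "_", service).upper() + "_DB_PASSWORD"


def _keyring_backend():
    """(get_password, set_password) from the keyring package, or (None, None)
    if it is not installed. Resolved lazily so the module imports without it."""
    try:
        import keyring
    except ImportError:
        return None, None
    return keyring.get_password, keyring.set_password


def resolve_db_password(
    service: str,
    username: str,
    env: Optional[Mapping[str, str]] = None,
    get_secret: Optional[Callable[[str, str], Optional[str]]] = None,
    set_secret: Optional[Callable[[str, str, str], None]] = None,
    prompt: Callable[[str], str] = getpass.getpass,
    interactive: Optional[bool] = None,
) -> str:
    """Return the password for username@service, or raise SecretUnavailable."""
    env = os.environ if env is None else env
    var = env_var_name(service)
    value = env.get(var)
    if value:                       # 1. deploy-time override, never in the repo
        return value

    if get_secret is None:          # 2. keyring (real one unless injected)
        get_secret, default_set = _keyring_backend()
        if set_secret is None:
            set_secret = default_set
    if get_secret is not None:
        try:
            value = get_secret(service, username)
        except Exception:           # headless hosts: backend raises rather than returning None
            value = None
        if value:
            return value

    if interactive is None:         # 3. prompt, but only a human can answer it
        interactive = sys.stdin.isatty()
    if not interactive:
        raise SecretUnavailable(
            f"no password for {username}@{service}: set {var} or seed the keyring"
        )
    value = prompt(f"{service} password for {username}: ")
    if not value:
        raise SecretUnavailable("empty password entered")
    if set_secret is not None:
        set_secret(service, username, value)   # next start reads it back silently
    return value


def django_databases(service: str, username: str, host: str,
                     port: str = "3306", **lookup) -> dict:
    """Build the DATABASES setting; the password is never a literal here."""
    return {
        "default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": service,
            "USER": username,
            "PASSWORD": resolve_db_password(service, username, **lookup),
            "HOST": host,
            "PORT": port,
        }
    }


if __name__ == "__main__":
    # Stand-alone demonstration with an in-memory stand-in for the keyring.
    store = {}
    dbs = django_databases(
        "schema_name", "administrator", "db.example.invalid",
        env={}, get_secret=lambda s, u: store.get((s, u)),
        set_secret=lambda s, u, p: store.__setitem__((s, u), p),
        prompt=lambda _: "typed-once", interactive=True,
    )
    print(dbs["default"]["PASSWORD"], store)
```

In <i>settings.py</i> the call reduces to <span style="font-family: "Courier New",Courier,monospace;">DATABASES = django_databases('schema_name', 'administrator', 'db.example.invalid')</span>; a service manager can then inject the override variable on hosts that have no desktop keyring, and a host that has neither fails at startup instead of hanging.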
<br />
Simple, isn't it?John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com2tag:blogger.com,1999:blog-7860296597622716401.post-70021661422109728062013-01-28T23:41:00.002-05:002016-03-01T20:46:05.911-05:00Exception Handling for Input Validation? Not My Cup of Tea!We all know the importance of input validation, and we all have different views on the implementation details: white-listing vs. black-listing, whether to canonicalize before validating, and so on.<br />
<br />
Lately, I was involved in a heated discussion about using the Java and .NET <i>exception handling</i> mechanism to perform tasks such as input validation, as opposed to the <span style="font-family: "courier new" , "courier" , monospace;">if-then-else</span> control statement (which I was advocating).<br />
<br />
In theory, both mechanisms can be used to validate and handle invalid input, but here are two arguments why the <span style="font-family: "courier new" , "courier" , monospace;">if-then-else</span> control statement is a better fit:<br />
<ul>
<li>From a conceptual standpoint, an <i>exception</i> is defined by Oracle as "an event, which occurs during the execution of a program, that disrupts the normal flow of the program's instructions" (Oracle, n.d.). Is invalid user input an <i>exceptional</i> event? Hardly: it is quite likely that the end user will make a mistake (intentional and malicious, or unintentional), so the software is expected to handle it. Rico Mariani (2003) writes: "If you think it will be at all normal for anyone to want to catch your exception, then probably it shouldn't be an exception at all" (Rico Mariani, 2003).</li>
<li>From a performance standpoint (here I will sound like an ageing C/C++ developer), the exception handling mechanism is (really) expensive: constructing a Throwable captures the current stack trace, work that the <span style="font-family: "courier new" , "courier" , monospace;">if-then-else</span> path never does.</li>
</ul>
To examine the claim that the Java <i>exception handling</i> mechanism is significantly more expensive than a simple flow control statement such as if-then-else, I created the following two Java classes:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">public class ExceptionMethod {<br />
public void ThrowException() throws Exception {<br />
throw new Exception();<br />
}<br />
<br />
public Object ReturnNull() {<br />
return null;<br />
}<br />
}</span><br />
<br />
and<br />
<span style="font-family: "courier new" , "courier" , monospace;"><br />
</span> <span style="font-family: "courier new" , "courier" , monospace;">public class Main {<br />
public static void main(String[] args) {<br />
ExceptionMethod em = new ExceptionMethod();<br />
<br />
do {<br />
/**<br />
* Profile 1: generate and handle an exception<br />
*/<br />
try {<br />
em.ThrowException();<br />
} catch (Exception ex) {<br />
// do nothing<br />
}<br />
/**<br />
* Profile 2: handle null using if-then-else <br />
*/<br />
if (em.ReturnNull() == null) {<br />
// do nothing<br />
}<br />
<br />
// yield so the busy loop does not monopolise the CPU and lock up the JVM<br />
Thread.yield();<br />
} while (true);<br />
}<br />
}</span><br />
<br />
In order to monitor the resource consumption, I have used NetBeans Profiler.<br />
<br />
The do-while loop was designed to force the application into an infinite loop, allowing resource allocation to be monitored over an extended period of time (which yields a large statistical sample).<br />
<br />
Initially, the code in Profile 2 was commented out and the application executed. The NetBeans Profiler generated the following graph:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-mYbpwKLTGkU/VtZFjg2xOQI/AAAAAAAAV2c/nlOPFZWgnBQ/s1600/try-catch-finally.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="119" src="https://2.bp.blogspot.com/-mYbpwKLTGkU/VtZFjg2xOQI/AAAAAAAAV2c/nlOPFZWgnBQ/s320/try-catch-finally.PNG" width="320" /></a></div>
<br />
Then, the Profile 1 section was commented out and Profile 2 uncommented. The application was executed again, and the NetBeans Profiler generated the following graph:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-PBL3FGonOSM/VtZFlyIbpcI/AAAAAAAAV2g/T_75CDJVL1o/s1600/if-then-else.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://3.bp.blogspot.com/-PBL3FGonOSM/VtZFlyIbpcI/AAAAAAAAV2g/T_75CDJVL1o/s320/if-then-else.PNG" width="320" /></a></div>
<br />
Please note the following observations:<br />
<ul>
<li>Memory consumption of the application using the <i>exception handling</i> mechanism is close to <b>512MB</b>, the maximum set for the JVM, while the application using the <span style="font-family: "courier new" , "courier" , monospace;">if-then-else</span> <span style="font-family: inherit;">control</span> statement barely uses <b>5MB</b>.</li>
<li>Surviving Generations, the number of object instances that are alive in the heap (Jiri Sedlacek, n.d.), grows linearly in the application relying on <i>exception handling</i> (up to the point where the Garbage Collector frees heap memory, after which it rises again), while remaining flat in the application relying on the <span style="font-family: "courier new" , "courier" , monospace;">if-then-else</span> control statement, <b>indicating no redundant object allocation and deallocation.</b></li>
</ul>
Based on prior research I expected the <i>exception</i> handling mechanism to require more resources than a simple control statement, but the results (a hundredfold difference in memory consumption, and a linearly growing versus a static number of objects in the heap) emphasise the importance of understanding the "under the hood" mechanisms employed by the software. One caveat when reading the numbers: the 512MB figure is the heap high-water mark, not live data. Each iteration allocates a new Exception and captures its stack trace, and the JVM only collects that garbage once the heap fills, so the graph measures allocation churn rather than retained memory.<br />
<br />
Moreover, the experiment demonstrates how a security mechanism (<i>exception handling</i>) can be turned into a security vulnerability (i.e. a denial of service) if used incorrectly: an attacker who can trigger the exception path at will also controls the allocation rate.<br />
<br />
In a real application, a combination of both should be used to provide an adequate layer of security: the <span style="font-family: "courier new" , "courier" , monospace;">if-then-else</span> control statement to handle expected (and, to a certain degree, unexpected) data, and the <i>exception handling</i> mechanism to allow the software either to recover from an unexpected error or to fail gracefully.<br />
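As an added example (my code, not the post's, and the class and method names are my own), here is that combination applied to one realistic input, a TCP port number taken from a request: a whitelist check that reports invalid input through its return value, the "let the exception be the validator" style beside it for comparison, and an exception reserved for the caller that genuinely cannot continue, constructed so that it is cheap to throw. The last point relies on the four-argument Throwable constructor available since Java 7, which skips the stack-trace capture that dominates an exception's cost.

```java
import java.util.Optional;
import java.util.regex.Pattern;

/**
 * Added example, not code from the original post. Whitelist validation that
 * returns a value, the exception-as-validator style for comparison, and a
 * cheap exception for the one genuinely exceptional path.
 */
public final class PortInput {

    /** Whitelist: one to five ASCII digits and nothing else. */
    private static final Pattern PORT = Pattern.compile("[0-9]{1,5}");

    /**
     * Control-flow validation. Invalid input is an expected outcome, so it is
     * reported through the return value and no object is allocated to say "no".
     * Integer.parseInt cannot throw here: the pattern guarantees ASCII digits
     * only, and the largest match, 99999, fits in an int.
     */
    public static Optional<Integer> parsePort(String raw) {
        if (raw == null || !PORT.matcher(raw).matches()) {
            return Optional.empty();
        }
        int port = Integer.parseInt(raw);
        if (port < 1 || port > 65535) {
            return Optional.empty();
        }
        return Optional.of(port);
    }

    /**
     * The style under discussion: attempt the conversion and treat the
     * exception as the validator. Besides paying for a Throwable on every bad
     * request, the check is looser than it looks: Integer.parseInt accepts a
     * leading sign and any Unicode decimal digit, so "+80" and the
     * Arabic-Indic digits "\u0668\u0660" both convert to 80.
     */
    public static int parsePortByException(String raw) {
        try {
            int port = Integer.parseInt(raw);
            return (port >= 1 && port <= 65535) ? port : -1;
        } catch (NumberFormatException e) {
            return -1;   // the catch block is the validation branch
        }
    }

    /**
     * Where an exception is the right tool (the caller cannot proceed at all),
     * most of its cost is fillInStackTrace(). RuntimeException's protected
     * four-argument constructor (Java 7+) with writableStackTrace=false skips
     * that walk, so throwing on a hot path no longer churns the heap.
     */
    public static final class InvalidPortException extends RuntimeException {
        public InvalidPortException(String message) {
            // (message, cause, enableSuppression, writableStackTrace)
            super(message, null, false, false);
        }
    }

    /** Validate with control flow first; throw only for the caller that has no fallback. */
    public static int requirePort(String raw) {
        return parsePort(raw).orElseThrow(() -> new InvalidPortException("invalid port: " + raw));
    }

    public static void main(String[] args) {
        String[] samples = {"80", "65536", "+80", "\u0668\u0660", "80 ", "abc", null};
        for (String s : samples) {
            System.out.printf("%-8s whitelist=%-14s exception-style=%d%n",
                    s, parsePort(s), parsePortByException(s));
        }
        try {
            requirePort("abc");
        } catch (InvalidPortException e) {
            // 0 frames: the stack trace was never captured
            System.out.println(e.getMessage() + " (stack frames: " + e.getStackTrace().length + ")");
        }
    }
}
```

Running the class shows the two validators disagreeing on "+80" and on the non-ASCII digits, which is the kind of discrepancy that turns a "harmless" parser leniency into a bypass of whatever the string was later compared against.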
<h2>
References </h2>
<ul>
<li>Oracle, n.d. <i>"What Is an Exception?"</i> [online]. Available from: http://docs.oracle.com/javase/tutorial/essential/exceptions/definition.html (accessed: January 28, 2013)</li>
<li>Rico Mariani, 2003. <i>"Exception Cost: When to throw and when not to" </i>[online]. MSDN. Available from: http://blogs.msdn.com/b/ricom/archive/2003/12/19/44697.aspx (accessed: January 28, 2013) </li>
</ul>
John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-65454906635689135622012-08-16T22:00:00.001-04:002012-08-16T22:00:33.697-04:00Client/Server DBMS
<br />
<div class="western" lang="en-CA">
There are virtually limitless factors that need to be taken into consideration when evaluating a client/server architecture. They range from hardware requirements, deployment topology, communication protocol and middleware requirements to integration of the management interface, security aspects, scalability (horizontal and vertical) of the solution, application development interfaces, etc. Similarly, a client/server database has a number of characteristics that can impact the overall solution; Peter Rob et al. (2009) note that these include interoperability and remote query execution.</div>
<div class="western" lang="en-CA">
One of the most important characteristics of a client/server database management system is interoperability, which manifests itself in the ability to "provide transparent data access to multiple and heterogeneous clients" (Peter Rob, Carlos Coronel and Steven Morris, 2009, Appendix F, p. 158). Clients written in Java, .NET, C/C++ or Perl can interact with the database management server to retrieve or update information through standard interfaces such as ODBC and JDBC.</div>
<div class="western" lang="en-CA">
In addition, the client/server DBMS architecture allows the end user to manipulate the information stored in the server DBMS in a number of forms. For example, one design can use the resources (often distributed) allocated to the DBMS server to process the information (thin client), while another can distribute the information processing onto the computing resources of the clients (fat client). Peter Rob et al. (2009) note that in many cases the client/server architecture is closely related to distributed database management systems (DDBMS), where the processing of a single query can take place on a number of remote servers.</div>
<div class="western" lang="en-CA">
The client/server database architecture can take a number of forms. Peter Rob et al. (2009) mention 2-tier and 3-tier architectures, the latter adding a middleware layer between the client and server tiers. The middleware, as the name suggests, has a number of functions that facilitate connectivity to the database management server, ranging from exposing ODBC or MQ APIs, to converting query formats, to managing security aspects (authentication and authorization). Mohammad Ghulam Ali (2009) suggests a 4-tier database architecture which adds a Global Database Management System component to decompose a query "into a set of sub queries to be executed at various remote heterogeneous local component database servers" (Ali, M 2009).</div>
<div class="western">
<span lang="en-CA">As with any application, distribution of business logic and/or presentation increases the number of attack vectors, thus requiring thorough risk assessment and implementation of appropriate compensating controls to secure the overall solution (Cherry, D 2011). For example, distributing information from a single location to multiple clients can have a security impact on information considered private or confidential. Don Kiely (2011) notes that additional security controls should be implemented to compensate for the remote storage (on the client side) and transportation of the information. Although the transport part can be solved through a relatively trivial implementation of SSL/TLS between the database server and its clients (provided the clients actually verify the server's certificate; a client that accepts any certificate is still open to interception), the solution designer has to consider all applicable risks (both technical and operational) before deciding on the optimal compensating control(s).</span></div>
<h1 class="western">
Bibliography</h1>
<ul>
<li><div class="western" lang="en-CA">
Ali, M 2009, 'A Multidatabase
System as 4-Tiered Client-Server Distributed Heterogeneous Database
System', arXiv, EBSCO<i>host</i>, viewed 16 August 2012.</div>
</li>
<li><div class="western" lang="en-CA">
Cherry, D 2011, <i>Securing SQL
Server [Electronic Book] : Protecting Your Database From Attackers /
Denny Cherry</i>, n.p.: Burlington, MA : Syngress, 2011., University
of Liverpool Catalogue, EBSCO<i>host</i>, viewed 16 August 2012.</div>
</li>
<li><div class="western" lang="en-CA">
Kiely, D 2011, 'Key Ways to
Secure ASP.NET Applications with a SQL Server Back End', <i>SQL
Server Magazine</i>, 13, 12, pp. 27-31, Computers & Applied
Sciences Complete, EBSCO<i>host</i>, viewed 16 August 2012.</div>
</li>
<li><div class="western" lang="en-CA">
Peter Rob, Carlos Coronel and
Steven Morris, 2009. “Database Systems: Design, Implementation and
Management”. 9th Edition. Course Technology.</div>
</li>
</ul>
John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-8132875676038725102012-04-21T17:26:00.001-04:002012-04-21T17:36:15.757-04:00(Security) Open Source vs. Non-Open Source<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-IIzHc5n4Dbw/T5MoPv_gMDI/AAAAAAAAPD8/EtYP-T3vF6I/s1600/QA.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://1.bp.blogspot.com/-IIzHc5n4Dbw/T5MoPv_gMDI/AAAAAAAAPD8/EtYP-T3vF6I/s320/QA.png" width="320" /></a></div>
When discussing two seemingly unrelated topics such as security and "open source versus non-open source", the discussion usually boils down to the quality of the product rather than its architecture or implementation. Steve, M (2008) writes that open source projects and commercial software vendors use similar software development practices, methodologies and tools: "bug trackers like Bugzilla, source code revision management tools like SVN and automatic build tools such as ant" (Steve, M 2008). Moreover, Gary McGraw points out that "Software security relates entirely and completely to quality. You must think about security, reliability, availability, dependability — at the beginning, in the design, architecture, test and coding phases, all through the software life cycle" (Mark Willoughby, 2005); it is therefore imperative to analyze the factors affecting software quality in both the open source and non-open source worlds.<br />
While Ross J. Anderson (2008) notes that commercial deadlines can impact the quality of the code produced even by skilled software developers, the argument is countered by Craig Mundie, CTO of Microsoft, who holds that in the current market software vendors are under pressure to develop quality software because "more and more customers view security as a key decision factor" (Berni Dwan, 2004). But the statistics available in the National Vulnerability Database (2012) tend to agree with Ross J. Anderson, showing a steady growth in vulnerabilities discovered in Microsoft Windows: according to the National Vulnerability Database (2012), Microsoft Windows had 17 vulnerabilities discovered in 2007, 34 in 2008, 47 in 2009, 166 in 2010 and 197 in 2011.<br />
Schryen, G (2011) uses two additional factors, Mean Time Between Vulnerability Disclosures (MTBVD) and (un)patching behavior, to compare the security of open source and non-open source system components. According to the collected data, in most cases vulnerabilities discovered in open source products are fixed quicker than those in equivalent non-open source counterparts. Moreover, the research demonstrates that, again in most cases, open source products aim to close the majority of identified vulnerabilities, while non-open source vendors adopt a more prioritized approach whereby "there is a strong bias toward patching severe vulnerabilities" (Schryen, G, 2011). As a result, 66.22% of Microsoft Internet Explorer 7 vulnerabilities remained unpatched, compared to 20.36% for Mozilla Firefox 2. The same pattern holds for e-mail clients, where Microsoft Outlook Express 6 had 65.22% of its vulnerabilities unpatched, compared to 5.45% for Mozilla Thunderbird 1.<br />
Ross J. Anderson (2008) also points out the difference between the target markets of open source and non-open source products, "that the users of open products such as GNU/Linux and Apache are more motivated to report system problems effectively, and it may be easier to do so, compared with Windows users who respond to a crash by rebooting and would not know how to report a bug if they wanted to" (Ross J. Anderson, 2008). This, in turn, can further skew the published vulnerability statistics.<br />
While the numbers may suggest that open source solutions are more secure, "open and closed approaches to security are pretty much equivalent, making source code publicly available helps attackers and defenders alike" (Berni Dwan, 2004), allowing each party to evaluate the most effective and sophisticated attack methods.<br />
<h4>
Bibliography</h4>
<ul>
<li>Berni Dwan 2004, 'Open source vs closed', Network Security, Volume 2004, Issue 5, May 2004, Pages 11-13, EBSCOhost, viewed 21 April 2012.</li>
<li>Mark Willoughby, 2005. “Q&A: Quality software means more secure software” [online]. Computer World. Available from: http://www.computerworld.com/s/article/91316/Q_A_Quality_software_means_more_secure_software (accessed. April 21, 2012).</li>
<li>National Vulnerability Database (NVD), 2012. “Statistics Results Page” [online]. Available from: http://goo.gl/RGRy9 (accessed: April 21, 2012)</li>
<li>Schryen, G 2011, 'Is Open Source Security a Myth?', Communications Of The ACM, 54, 5, pp. 130-140, Business Source Premier, EBSCOhost, viewed 21 April 2012.</li>
<li>Steve, M 2008, 'Open Source: Open source: does transparency lead to security?', Computer Fraud & Security, 2008, pp. 11-13, ScienceDirect, EBSCOhost, viewed 21 April 2012.</li>
<li>Ross J. Anderson, 2008. “A Guide to Building Dependable Distributed Systems”. 2nd Edition. Wiley Publishing.</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-89555943507383789082012-04-14T23:40:00.000-04:002012-04-14T23:40:01.044-04:00E-MoneyE-money is defined by the European Commission as "electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions" (European Commission, n.d.). As such, E-money offers the same advantages as cash: real-time transactions and anonymity. Ken Griffin et al. (n.d.) note that there are a number of categories of E-money, including E-cash, digital checks, digital bank checks, smart cards, and electronic coupons and tokens. There are a number of E-money issuers, such as the well-known PayPal and the less well-known Pecunix, Ukash and Bitcoin. Moreover, a virtual world such as Second Life has its own E-money currency (the L$) which can be earned, spent and exchanged for US dollars (SecondLife, n.d.). As stated previously, the main advantages of E-money are real-time transactions, low transaction fees and anonymity similar to that of cash transactions. There are, however, concerns about security and fraud, as well as questions about what backs the virtual currency. For example, criminals are targeting Bitcoin digital wallets, or are using botnets to pool the computing resources of infected machines to <i>mint</i> virtual currency which can then be exchanged for real money (Peter Coogan, 2011).<br />
<br />
Credit cards, on the other hand, are backed by international organizations responsible for issuing cards and acquiring credit card transactions. Often the transaction fees (a flat fee or a percentage of the transaction) are charged to the merchant. From an end-user standpoint, credit cards are an established and trusted technology whose security standard (e.g. the Payment Card Industry Data Security Standard) is verified by independent Qualified Security Assessors (QSAs). Additional benefits such as cash back, air miles and membership points increase adoption by consumers. The drawback (considered by some consumers an advantage) is that all purchases are made on credit and, if not paid in full, are subject to comparatively high interest rates.<br />
<br />
It is difficult to compare the security risk of the E-money and credit card technologies, as both have suffered high-profile thefts, such as the theft of 25,000 Bitcoins from 478 accounts (Jason Mick, 2011) and "a massive" security breach at a credit card processor [that] has put 10 million accounts at risk" (Brandon Hill, 2012). On both fronts there are efforts to tighten security, as evident in the Payment Card Industry Data Security Standard (PCI SSC, 2010) and in the MintChip Challenge by the Royal Canadian Mint to create a secure alternative to E-cash backed by the Canadian government (Emily Jackson, 2012).<br />
<br />
With a variety of methods for exchanging funds electronically (i.e. payments and transfers), such as PayPal, MintChip, Bitcoin, and credit and debit cards, it is not surprising that Sweden is moving towards a cashless economy (CBCNews, 2012) in which different digital payment methods are used in parallel, each serving a different purpose (e.g. micropayments), rather than competing with each other.<br />
<h2>
Bibliography</h2>
<ul>
<li>Brandon Hill, 2012. “Global Payments Inc. Hit By Security Breach; 10M Visa, MasterCard Accounts at Risk” [online]. DailyTech. Available from: http://www.dailytech.com/Massive+Security+Breach+Hits+MasterCard+Visa+10M+Accounts+at+Risk/article24355.htm (accessed: April 14, 2012).</li>
<li>CBCNews, 2012. “Sweden moving towards cashless economy” [online]. Available from: http://www.cbsnews.com/8301-202_162-57399610/sweden-moving-towards-cashless-economy/ (accessed: April 14, 2012).</li>
<li>Emily Jackson, 2012. “Royal Canadian Mint to create digital currency” [online]. The Star. Available from: http://www.thestar.com/business/article/1159513--royal-canadian-mint-to-create-digital-currency (accessed: April 14, 2012).</li>
<li>European Commission, n.d. “e-Money” [online]. Available from: http://ec.europa.eu/internal_market/payments/emoney/index_en.htm (accessed: April 14, 2012).</li>
<li>Jason Mick, 2011. “Inside the Mega-Hack of Bitcoin: the Full Story” [online]. DailyTech. Available from: http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+Full+Story/article21942.htm (accessed: April 14, 2012).</li>
<li>Ken Griffin, Phillip Balsmeier, Bobi Doncevski, n.d. “Electronic Money as A Competitive Advantage” [online]. Available from: http://journals.cluteonline.com/index.php/RBIS/article/download/5458/5543&ei=uVKFT-2kBoXh4QSvr4izBQ&usg=AFQjCNFHe4HkbgG7hbdsQzlWnXg1LR7MNA (accessed: April 14, 2012).</li>
<li>Payment Card Industry Security Standard Council, 2010. “Payment Card Industry (PCI) Data Security Standard” [online]. Available from: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (accessed: April 12, 2012).</li>
<li>Ross J. Anderson, 2008. “A Guide to Building Dependable Distributed Systems”. 2nd Edition. Wiley Publishing.</li>
<li>SecondLife, n.d. “Buy L$ ” [online]. Available from: https://secondlife.com/my/lindex/buy.php?lang=en_US (accessed: April 14, 2012).</li>
<li>Peter Coogan, 2011. “Bitcoin Botnet Mining” [online]. Symantec. Available from: http://www.symantec.com/connect/blogs/bitcoin-botnet-mining (accessed: April 14, 2012).</li>
</ul>
<h1>Network Security Architecture</h1>
<div>Posted by John Markh on 2012-04-07</div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">While information security can be seen as a “business enabler”, allowing the organization to deploy innovative solutions and thus gain competitive advantage without exposing itself to additional risk, incorrect design and implementation can have the opposite effect by placing an unnecessary burden on Information Technology staff and on employees. Therefore, the implementation of security controls to protect network boundaries should be consistent with business needs, the budget, and the resources these controls are designed to protect. As a result, the security design should be based on a security assessment (threat risk assessment) of the current environment that identifies corporate assets and resources and the security risks they are exposed to. George Farah (2004) suggests a five-phase approach to network security architecture, with a threat risk assessment as the initial step. This is followed by the formulation of a network security architecture design to mitigate the identified risks. In the third phase, the organization develops a security policy and procedures to govern the deployment and maintenance of the proposed architecture. The fourth phase is the deployment of the architecture, while in the last, fifth phase the organization implements the security policy through management processes such as patch management, configuration management, vulnerability management, etc.</span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">Typical security components in the network infrastructure include a firewall, a Virtual Private Network (VPN) concentrator and a proxy server. Additional devices can include an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS), a Web Application Firewall, Anti-Spam & Email Security software and Data Leakage Prevention (DLP). The logical location of these and other devices depends on the corporate assets requiring protection, the business processes, and the existing (or proposed) network architecture. For example, a VPN is only necessary when employees are required to work from a remote location such as home or a remote office. As stated earlier, an incorrect architecture or the deployment of unnecessary system components means an additional burden on the IT staff, which will impact the service provided by the organization.</span><br />
<br />
<span style="font-size: small;"><span lang="en-CA">The edge firewall is often regarded as “a workhorse” in securing the internal network from unauthorized access via the Internet (Patrick W. Luce, 2004). It often provides a number of security services such as access control, stateful inspection and Network Address Translation (NAT). In many cases, firewall devices have built-in VPN and basic IPS/IDS capabilities, such as the Cisco PIX 500 series (Cisco, n.d.).</span></span><br />
<br /></div>
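To make the stateful inspection and NAT services just described concrete, here is an added illustration (written for this page, not code from Luce, Cisco or the author): a toy edge firewall in Python that source-NATs outbound flows, admits inbound packets only when they match a tracked flow or an explicitly published service, and drops and logs everything else. The address plan (10.0.0.0/8 inside, a 203.0.113.x public address from the RFC 5737 documentation range) and the packet sequence are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Minimal packet model: addresses and ports only (constructed, no real traffic).
Packet = namedtuple("Packet", "src sport dst dport")

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address plan
PUBLIC_IP = "203.0.113.10"                         # assumed public address (RFC 5737 range)


class EdgeFirewall:
    """Toy stateful edge firewall with source NAT (illustration only)."""

    def __init__(self, published_services):
        # (ip, port) pairs that may receive unsolicited inbound traffic, e.g. a DMZ web server
        self.published = set(published_services)
        # Tracked outbound flows: (int_ip, int_port, dst, dport) -> NAT source port
        self.flows = {}
        # Reverse lookup for replies: (remote_ip, remote_port, nat_port) -> (int_ip, int_port)
        self.replies = {}
        self.next_nat_port = 40000
        self.log = []

    @staticmethod
    def is_internal(ip):
        return ipaddress.ip_address(ip) in INTERNAL_NET

    def process(self, pkt):
        """Return (verdict, forwarded packet) for one packet crossing the edge."""
        if self.is_internal(pkt.src):
            # Outbound: remember the flow so that only its replies are let back in,
            # and rewrite the source to the public address (SNAT).
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            nat_port = self.flows.get(key)
            if nat_port is None:
                nat_port = self.next_nat_port
                self.next_nat_port += 1
                self.flows[key] = nat_port
                self.replies[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
            return "ALLOW", pkt._replace(src=PUBLIC_IP, sport=nat_port)

        # Inbound: a reply is accepted only if source, source port and NAT port all
        # match a tracked flow; the destination port alone is not enough (stateful inspection).
        reply = self.replies.get((pkt.src, pkt.sport, pkt.dport))
        if pkt.dst == PUBLIC_IP and reply is not None:
            int_ip, int_port = reply
            return "ALLOW", pkt._replace(dst=int_ip, dport=int_port)

        # Unsolicited inbound traffic reaches only explicitly published services.
        if (pkt.dst, pkt.dport) in self.published:
            return "ALLOW", pkt

        self.log.append(f"DROP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP", None


def simulate():
    """Run a constructed packet sequence; return the verdicts in order and the drop log."""
    fw = EdgeFirewall(published_services=[("203.0.113.20", 80)])
    sequence = [
        Packet("10.0.0.5", 51000, "198.51.100.7", 443),    # internal client opens HTTPS
        Packet("198.51.100.7", 443, PUBLIC_IP, 40000),      # legitimate reply to the NAT port
        Packet("198.51.100.9", 443, PUBLIC_IP, 40000),      # forged "reply" from another host
        Packet("198.51.100.9", 4444, PUBLIC_IP, 3389),      # unsolicited RDP probe
        Packet("198.51.100.9", 4444, "203.0.113.20", 80),   # unsolicited, but a published service
    ]
    verdicts = [fw.process(p)[0] for p in sequence]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = simulate()
    print(verdicts)          # ['ALLOW', 'ALLOW', 'DROP', 'DROP', 'ALLOW']
    print("\n".join(log))
```

The third packet is the one a stateless port filter would get wrong: it targets an open NAT port, but it comes from a host that never received the outbound connection, so the connection table rejects it.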
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><span lang="en-CA">Modern firewall devices offered by security vendors such as Palo Alto, Checkpoint and Cisco allow organizations to extend the security services provided by the device using a “plug and play” architecture. For example, the Check Point Software Blade Architecture allows network administrators to extend the firewall functionality “without additional hardware, firmware or driver” (Checkpoint, 2012). The additional blades include services such as IPSEC VPN, IPS, DLP, Web Security, Antivirus & Anti-Malware, Anti-Spam & Email Security and Voice over IP (VoIP).</span></span><br />
<br />
<span style="font-size: small;"><span lang="en-CA">When considering “expandable” security devices as opposed to a “best of breed” architecture, security experts are divided into two camps. On one hand, unified management of the security architecture allows network administrators to correlate events and incidents and better manage the security posture of the organization. On the other hand, having security devices from a number of software and hardware vendors (best of breed) adds an additional layer of defense an attacker needs to overcome when trying to exploit an identified vulnerability.</span></span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<br />
<span style="font-size: small;"><span lang="en-CA">To conclude, the organizational security solution should meet targeted business security needs rather than follow a trend or security “fashion”. Unnecessarily complex solutions increase the pressure on the IT department, which can, in fact, reduce the overall security level of the entire organization.</span></span></div>
<h1 class="western">
Bibliography</h1>
<ul>
<li><span style="font-size: small;"><span lang="en-CA">Cisco, n.d. </span><span lang="en-CA"><i>“Cisco PIX 500 Series Security Appliances”</i></span><span lang="en-CA"> [online]. Available from: <a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html</a> (accessed: April 7, 2012).</span></span></li>
<li><span style="font-size: small;"><span lang="en-CA">Checkpoint, 2012. </span><span lang="en-CA"><i>“Check Point Software Blade Architecture”</i></span><span lang="en-CA"> [online]. Available from: <a href="http://www.checkpoint.com/products/softwareblades/architecture/index.html">http://www.checkpoint.com/products/softwareblades/architecture/index.html</a> (accessed: April 7, 2012).</span></span></li>
<li><span style="font-size: small;"><span lang="en-CA">George Farah, 2004. “Information Systems Security Architecture - A Novel Approach to Layered Protection” [online]. SANS Institute. Available from: </span><a href="http://www.sans.org/reading_room/whitepapers/auditing/information-systems-security-architecture-approach-layered-protection_1527">http://www.sans.org/reading_room/whitepapers/auditing/information-systems-security-architecture-approach-layered-protection_1527</a><span lang="en-CA"> (accessed: April 7, 2012).</span></span></li>
<li><span style="font-size: small;">Patrick W. Luce, 2004. “Network Security Architecture” [online]. SANS Institute. Available from: <a href="http://www.sans.org/reading_room/whitepapers/honors/network-security-architecture_1498">http://www.sans.org/reading_room/whitepapers/honors/network-security-architecture_1498</a> (accessed: April 7, 2012).</span></li>
<li><span style="font-size: small;">Ross J. Anderson, 2008. <i>“A Guide to Building Dependable Distributed Systems”</i>. 2nd Edition. Wiley Publishing.</span></li>
</ul>
<h1>Software Tamper Resistance</h1>
<div>Posted by John Markh on 2012-03-30</div>
<br />
<div class="western">
One of the methods to provide tamper resistance capabilities to software is code obfuscation. It is a process designed to change the software in order to make it more difficult to reverse engineer while remaining semantically equivalent to the original program. The technique is used both by “white hat” security specialists to protect Intellectual Property and to “deter the cracking of licensing and DRM schemes” (<span lang="en-CA">Victor, D 2008), as well as by “black hat” actors as a protection technique to avoid (signature based) detection by anti-virus engines. Victor D. (2008) lists a number of techniques used to obfuscate code, including just-in-time decryption, polymorphic encryption, timing checks, layered anti-debugging logic and binary code morphing. Moreover, Bai Zhongying and Qin Jiancheng (2009) successfully applied obfuscation principles in a web environment, creating prototypes of JavaScript and HTML obfuscation tools. An additional advanced technique, self-modifying code, was proposed by Nikos Mavrogiannopoulos et al. (n.d.), whereby the software mutates its own code in order to “make attacks [on the code] more expensive” (Nikos Mavrogiannopoulos, Nessim, K, & Bart, P n.d.).</span></div>
<div class="western" lang="en-CA">
While the usage of obfuscation techniques has become widely accepted, Preda, M, & Giacobazzi, R (2009) raise the question of the effectiveness of code obfuscation techniques: “it is hard to compare different obfuscating transformations with respect to their resilience to attacks and this makes it difficult to understand which technique is better to use in a given scenario” (Preda, M, & Giacobazzi, R. 2009), due to the absence of theoretical research formalizing a metric for code obfuscation.</div>
<div class="western">
<span lang="en-CA">ProGuard “is a free Java class file shrinker, optimizer, obfuscator, and preverifier” (Eric Lafortune, 2011). While the advantages of the tool are easy integration into commonly used Integrated Development Environments (IDE) as well as </span><span lang="en-CA"><i>ant</i></span><span lang="en-CA"> tasks, and additional functionality such as an optimizer and code shrinker, its obfuscation capabilities are limited to code morphing. More advanced techniques, or a combination of a number of obfuscation techniques such as flow obfuscation and string encryption, could potentially (see the previous paragraph discussing the lack of a metric to measure the effectiveness of code obfuscation) exponentially increase the effort required to reverse engineer the code.</span></div>
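As an added illustration of what ProGuard-style identifier renaming does and does not hide (this is not ProGuard's code nor the author's; it works on Python source with the standard ast module, and the sample function and the naming scheme are assumptions), the following renames every user-defined identifier, checks that the transformed program stays semantically equivalent on a set of inputs, and then lists what survives the transform. The string literals and the control flow are untouched, which is exactly why the paragraph above suggests combining renaming with string encryption and flow obfuscation.

```python
import ast
import builtins

# Constructed sample program to obfuscate (not from any real project).
SAMPLE_SOURCE = '''
def compute_discount(price, customer_level):
    rate = 0.0
    if customer_level == "gold":
        rate = 0.2
    elif customer_level == "silver":
        rate = 0.1
    return round(price * (1 - rate), 2)
'''

BUILTIN_NAMES = set(dir(builtins))


class Renamer(ast.NodeTransformer):
    """Replace every user-defined name with a short meaningless one, consistently."""

    def __init__(self):
        self.mapping = {}

    def rename(self, old):
        if old not in self.mapping:
            self.mapping[old] = f"_{len(self.mapping):x}"   # _0, _1, ... _a, _b, ...
        return self.mapping[old]

    def visit_FunctionDef(self, node):
        node.name = self.rename(node.name)
        self.generic_visit(node)          # then the arguments and the body
        return node

    def visit_arg(self, node):
        node.arg = self.rename(node.arg)
        return node

    def visit_Name(self, node):
        if node.id not in BUILTIN_NAMES:  # leave round(), len(), ... alone
            node.id = self.rename(node.id)
        return node


def obfuscate(source):
    """Return (obfuscated source, original-to-new name mapping)."""
    renamer = Renamer()
    tree = renamer.visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), renamer.mapping


def call(source, func_name, *args):
    """Execute a source text in a fresh namespace and call one of its functions."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return namespace[func_name](*args)


def equivalent(original, obfuscated, mapping, func_name, cases):
    """Semantic equivalence check: identical outputs on every test input."""
    return all(
        call(original, func_name, *c) == call(obfuscated, mapping[func_name], *c)
        for c in cases
    )


def string_literals(source):
    """What a plain string search still recovers after renaming."""
    return sorted(
        n.value for n in ast.walk(ast.parse(source))
        if isinstance(n, ast.Constant) and isinstance(n.value, str)
    )


if __name__ == "__main__":
    obf, mapping = obfuscate(SAMPLE_SOURCE)
    print(obf)
    print("mapping:", mapping)
    cases = [(100, "gold"), (50, "silver"), (10, "none")]
    print("equivalent:", equivalent(SAMPLE_SOURCE, obf, mapping, "compute_discount", cases))
    print("strings still visible:", string_literals(obf))   # ['gold', 'silver']
```

Running it shows the function reduced to `_0(_1, _2)`, yet `'gold'` and `'silver'` and the if/elif structure remain readable, so the business rule is still recoverable from the renamed code alone.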
<h1 class="western" lang="en-CA">
Bibliography</h1>
<ul>
<li><div class="western" lang="en-CA">
Bai Zhongying; Qin Jiancheng; 2009, "Webpage Encryption Based on Polymorphic Javascript Algorithm," <i>Information Assurance and Security, 2009. IAS '09. Fifth International Conference on</i>, vol.1, no., pp.327-330, 18-20 Aug. 2009. doi: 10.1109/IAS.2009.39. URL: <a href="http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5284075&isnumber=5282964">http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5284075&isnumber=5282964</a></div>
</li>
<li><div class="western">
<span lang="en-CA">Eric Lafortune, 2011.
“ProGuard” [online]. Available from:
</span><a href="http://proguard.sourceforge.net/">http://proguard.sourceforge.net/</a><span lang="en-CA">
(accessed: March 30, 2012).</span></div>
</li>
<li><div class="western" lang="en-CA">
Nikos Mavrogiannopoulos, Nessim,
K, & Bart, P n.d., 'A taxonomy of self-modifying code for
obfuscation', <i>Computers & Security</i>, ScienceDirect,
EBSCO<i>host</i>, viewed 29 March 2012.</div>
</li>
<li><div class="western" lang="en-CA">
Preda, M, & Giacobazzi, R
2009, 'Semantics-based code obfuscation by abstract interpretation',
<i>Journal Of Computer Security</i>, 17, 6, pp. 855-908, Academic
Search Complete, EBSCO<i>host</i>, viewed 29 March 2012.</div>
</li>
<li><div class="western" lang="en-CA">
Ross J. Anderson, 2008. <i>“A
Guide to Building Dependable Distributed Systems”</i>. 2nd
Edition. Wiley Publishing.</div>
</li>
<li><div class="western" lang="en-CA">
Victor, D 2008, 'Obfuscation:
Obfuscation – how to do it and how to crack it', <i>Network
Security</i>, 2008, pp. 4-7, ScienceDirect, EBSCO<i>host</i>, viewed
29 March 2012.</div>
</li>
</ul>
<h1>Cracking AES/3-DES</h1>
<div>Posted by John Markh on 2012-03-17</div>
<br />
<div class="western" lang="en-CA">In 2002, a distributed network (distributed.net) successfully recovered a DES encryption key within 2.25 days. In order to estimate whether 3-DES or AES keys can be recovered using a brute-force attack, this paper calculates the number of encryption operations and the (potentially) available processing power.</div><div class="western"><span lang="en-CA">One of the largest distributed computing projects, Folding@home, estimates that by utilizing modern hardware such as a Graphics Processing Unit (GPU) it is possible to achieve an acceleration of up to forty times (x40) over a CPU, due to its ability to perform “an enormous number of Floating Point OPerations (FLOPs)” (Vijay Pande, 2010). Therefore, by using 200,000 actively processing computers, it is possible to surpass the 10 Petaflop level. As such, it is safe to assume that on average each participating machine contributes:</span></div><br />
<center>10 × 10^15 ÷ 200,000 = 50,000,000,000 = 50 × 10^9</center><br />
<div class="western" lang="en-CA">or 50 billion calculations per second.</div><div class="western" lang="en-CA">To amass the required computing power to brute force 3-DES or AES encryption, a bot network could be use to “harvest” idle CPU/GPU cycles. One of the most advance malware today, TDL-4, controls over 4.5 million infected computers in 2011 (Sergey Golovanov and Igor Soumenkov, 2011). Therefore, using previous assumption that zombie (infected computer) is capable of processing 50 billions calculations per seconds, the total computing power of a bot-net network such as TDL-4 is:</div><br />
<center>50 × 10^9 × 4.5 × 10^6 = 2.25 × 10^17 = 225 × 10^15</center><br />
or 225 quadrillion (short scale) operations per second.<br />
<div class="western">S. Kelly (2006) notes that because the 3DES encryption scheme chains the three keys as C = E_k3(D_k2(E_k1(p))), a brute-force attack on 3DES requires a total of 2^168 cryptographic operations. Assuming that a single 3DES decryption takes a microsecond (10^-6 s), it will take:</div><br />
<center>2^168 ÷ (225 × 10^15) × 10^-6 =</center><br />
1.66286409 × 10^27 seconds, or 5.26941088 × 10^19 years. This is far longer than the universe has existed (4.339×10^17 seconds). The reader should note that the figure is by far smaller than what was estimated by S. Kelly (2006), due to the increased computing power of modern CPU and GPU devices. Regardless, it is safe to assume that 3DES can withstand a brute force attack.<br />
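The same estimate, carried through as an added example (not the author's code) so that the parameters can be varied: per-node rate, botnet size, key length and the attacker's time horizon. Called with the post's numbers it reproduces the post's figures, including the post's extra factor of 10^-6 s per operation, which is passed explicitly as `seconds_per_op`; with the default of 1.0 the function is the plain keyspace-over-rate model. It then adds the defender's view of the same arithmetic: the smallest key length whose expected search time exceeds a given number of years at a given rate. The age-of-universe value is the one the post quotes.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_SECONDS = 4.339e17        # figure quoted in the post above


def per_node_rate(total_ops_per_second, node_count):
    """Average contribution of one node, e.g. 10 PFLOPS spread over 200,000 machines."""
    return total_ops_per_second / node_count


def botnet_rate(node_rate, infected_nodes):
    """Aggregate rate if every infected machine contributes node_rate."""
    return node_rate * infected_nodes


def worst_case_seconds(key_bits, ops_per_second, seconds_per_op=1.0):
    """Time to try every key. seconds_per_op=1.0 is the plain keyspace/rate model;
    the post additionally multiplies by 10^-6 s per 3DES decryption."""
    return (2 ** key_bits) / ops_per_second * seconds_per_op


def expected_seconds(key_bits, ops_per_second):
    """On average the key is found halfway through the keyspace."""
    return (2 ** (key_bits - 1)) / ops_per_second


def to_years(seconds):
    return seconds / SECONDS_PER_YEAR


def min_key_bits(ops_per_second, years):
    """Smallest key length whose expected brute-force time exceeds `years`
    against an attacker sustaining `ops_per_second` key trials."""
    horizon = years * SECONDS_PER_YEAR
    bits = 1
    while expected_seconds(bits, ops_per_second) <= horizon:
        bits += 1
    return bits


def post_estimate():
    """Recompute the post's chain of figures with its own inputs."""
    node = per_node_rate(10e15, 200_000)              # 5e10 per machine
    botnet = botnet_rate(node, 4.5e6)                 # 2.25e17 for a TDL-4 sized botnet
    seconds = worst_case_seconds(168, botnet, 1e-6)   # 3DES, using the post's formula
    return {
        "node_rate": node,
        "botnet_rate": botnet,
        "tdes_seconds": seconds,                      # about 1.66e27
        "tdes_years": to_years(seconds),              # about 5.27e19
        "universes": seconds / AGE_OF_UNIVERSE_SECONDS,
    }


if __name__ == "__main__":
    for name, value in post_estimate().items():
        print(f"{name:>13}: {value:.4e}")
    for label, rate in [("TDL-4 sized botnet", 2.25e17), ("1000x that", 2.25e20)]:
        print(f"{label}: need at least {min_key_bits(rate, 100)}-bit keys for a 100-year margin")
```

Note that even the plain model without the extra 10^-6 factor leaves 3DES and AES-128 far beyond reach at this rate, while 56-bit DES falls in well under a second, which is the contrast the post draws.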
<h1 class="western" lang="en-CA"> Bibliography</h1><ul><li><div class="western" lang="en-CA">Kaur, G, &amp; Kumar, D 2010, 'Performance and Analysis of AES, DES and Triple DES against Brute Force Attack to protect MPLS Network', International Journal Of Advanced Research In Computer Science, 1, 4, p. 420, EDS Foundation Index, EBSCOhost, viewed 17 March 2012.</div></li>
<li><div class="western" lang="en-CA">Ross J. Anderson 2008, <i>“Security Engineering: A Guide to Building Dependable Distributed Systems”</i>. 2nd Edition. Wiley.</div></li>
<li><div class="western" lang="en-CA">Sergey Golovanov, Igor Soumenkov 2011, “TDL4 – Top Bot” [online]. Kaspersky Lab ZAO. Available from: <a href="http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot?print_mode=1">http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot?print_mode=1</a> (accessed: March 17, 2012).</div></li>
<li><div class="western" style="margin-bottom: 0cm;"><span lang="en-CA">S. Kelly, 2006, </span><span lang="en-CA"><i>“</i></span><i>Security Implications of Using the Data Encryption Standard (DES)</i><span lang="en-CA"><i>”</i></span><span lang="en-CA"> [online]. Network Working Group. Available from: <a href="http://www.ietf.org/rfc/rfc4772.txt">http://www.ietf.org/rfc/rfc4772.txt</a> (accessed: March 17, 2012).</span></div></li>
<li><div class="western" lang="en-CA">Vijay Pande, 2010. <i>“Folding@home high performance client FAQ”</i> [online]. Available from: <a href="http://folding.stanford.edu/English/FAQ-highperformance">http://folding.stanford.edu/English/FAQ-highperformance</a> (accessed: March 17, 2012).</div></li>
</ul>
<h1>Security Assessment of Adobe's Flex Web Application</h1>
<div>Posted by John Markh on 2011-12-05</div>
First of all, in my personal opinion Flash/Flex (or ActionScript) = HTML5 + JavaScript + CSS3. Why? Because both are rooted in ECMAScript; therefore I view ActionScript as JavaScript on steroids (with additional libraries). For example, Adobe's ActionScript has a built-in API to draw graphics (i.e. the GraphicsPath object) while JavaScript relies on the HTML5 canvas element (see <a href="http://www.williammalone.com/articles/flash-vs-html5-canvas-drawing/">http://www.williammalone.com/articles/flash-vs-html5-canvas-drawing/</a>). Moreover, a typical Flex application architecture resembles an AJAX-based web application (i.e. the jQuery framework). An AJAX engine is capable of making SOAP and RESTful calls, exactly like an Adobe Flex application, handling data as simple text, XML or in JSON format (see <a href="http://www.adobe.com/devnet/flex/articles/flex_java_architecture.html">http://www.adobe.com/devnet/flex/articles/flex_java_architecture.html</a>).<br />
<br />
Naturally, it has its advantages such as no cross browser implementation issues, and disadvantages such as the requirement to have an Adobe Flash plug-in installed to run the application. In addition, Adobe's Flex has a mature and well developed software development platform while AJAX still relies on GNU Emacs which, when considering enterprise web application, is a "biggie".<br />
<br />
But back to the security assessment of Adobe's Flex applications...<br />
<br />
Because an Adobe Flex application is basically packaged ActionScript which runs on the client side, a lot can be gleaned from the source code itself. A number of SWF decompilers, such as SourceTec Software SWF Decompiler (<a href="http://www.sothink.com/product/flashdecompiler/">http://www.sothink.com/product/flashdecompiler/</a>), allow an assessor to break down Flash into components such as shapes, images, sounds, video, text, ActionScript, etc. and examine them to identify "leaked" intellectual property (IP), copyrighted material, comments in the source code and other security related goodies.<br />
<br />
The next step (or in parallel) would be to review the interaction between the Adobe Flex application and the back-end server(s) using tools such as network sniffers and analyzers (i.e. Wireshark) and application proxies (i.e. Paros, Fiddler2 or Burp). Again, the communication could reveal sensitive information such as user ids, passwords and maybe even credit card numbers. Moreover, communication could be intercepted and tampered with to attack the back-end web server and the server application. Here a few buzz words come to mind, such as XSS, CSRF and SQL Injection.<br />
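What the assessor is looking for in the decompiled strings and the captured requests described above, as an added example (not the author's tooling): a small scanner that flags Luhn-valid card numbers (masked in the output), hard-coded credential assignments and developer TODO comments across a set of constructed sample strings. The same check is what a defender would run over a build before release. The sample strings, hostnames and values are fabricated for the example.

```python
import re

# Constructed sample: strings as they might appear after decompiling a SWF or in a
# captured request body. All values are fabricated; the card number is the
# classic 4111... test number.
DECOMPILED_STRINGS = [
    "// TODO: remove hardcoded test account before release",
    "apiKey=sk_test_0123456789abcdef",
    "http://backend.example.internal/service/Login?user=admin&pass=Summer2011",
    "4111111111111111",            # Luhn-valid, looks like a card number
    "4111111111111112",            # same shape but fails the Luhn check
    "orderId=20111205",            # digits, but too short to be a PAN
]

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CRED_RE = re.compile(r"(?i)\b(pass(?:word)?|pwd|api[_-]?key|secret|token)\s*[=:]\s*([^&\s\"']+)")
COMMENT_RE = re.compile(r"//\s*(TODO|FIXME|XXX|HACK)\b.*", re.I)


def luhn_valid(digits):
    """Luhn checksum: every second digit from the right is doubled, digit-summed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(strings):
    """Return (kind, detail) findings for every line; card numbers are masked."""
    findings = []
    for line in strings:
        for m in PAN_RE.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append(("pan", mask_pan(m.group(1))))
        for m in CRED_RE.finditer(line):
            findings.append(("credential", m.group(1).lower()))
        if COMMENT_RE.search(line):
            findings.append(("comment", line.strip()))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(DECOMPILED_STRINGS):
        print(f"{kind:<10} {detail}")
```

The Luhn check is what keeps the scan useful: without it every 13-to-19 digit run (order ids, timestamps, hashes) is reported, and the real findings drown in noise.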
<br />
Finally, the back-end server deserves some attention as well - not for nothing does it run 8 dual core CPUs with 16GB RAM. Here, the rules of the game are similar to a standard web application assessment (if it can be called "standard"). First, a quick scan to identify what is running and how secure it is - basic misconfiguration can leave gaping holes. Then automated and manual security assessment to exploit the identified weaknesses, which could range from weak authentication of the administration module to bad coding standards such as lack of input validation or exposure of the internal database schema.<br />
<br />
Imagination and creativity are an assessor's best weapons!
<h1>The Future of Web Services</h1>
<div>Posted by John Markh on 2011-11-22</div>
<br />
<div lang="en-US">
In the late 1990s and 2000s the Internet evolved from static content web pages into dynamically generated websites with a database back-end. The era gave birth to technologies such as ASP and PHP, which dominate more than 52 percent of the market (BuiltWith Trends, 2011). Today, as grid computing, distributed computing and cloud computing are rapidly becoming the de facto choice for data storage and access (Divakarla, U, & Kumari, G 2010), web applications need to evolve and adopt the emerging data access technologies. In addition, many businesses rely on Business to Business (B2B) information which is exposed through web services technologies to provide an additional layer of security (access authentication and authorization) as opposed to exposing a direct connection to the back-end database.</div>
<div lang="en-US">
Information such as geographical location (MaxMind, Inc. 2011), credit rating (Experian Information Solutions, Inc. 2011), employment and income verification (Equifax, Inc. 2011), and address lookup and readdressing information (Canada Post, 2011) is available to merchants and service providers through standard (SOAP and RESTful) web services. As such, instead of maintaining its own database of geoip information or postal codes, a web application can simply invoke an exposed web service to get access to the up-to-date data maintained by an “expert” service provider. Moreover, “Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data” (Amazon Web Services LLC, 2011), which allows web software developers to create a database-driven application without a traditional database back-end, relying completely on standard web services protocols such as SOAP and REST.</div>
<div lang="en-US">
The main obstacle to the adoption of distributed information storage such as Amazon Web Services is its security aspect. While vendors state that the storage “is secure by default” (Amazon Web Services LLC, 2011), there are certain aspects of security, such as physical security, which cannot be controlled by the data originator. As such, merchants and service providers wishing to utilize a “cloud” storage option need to evaluate and implement compensating controls such as adopting the HTTPS protocol to transfer the data and encrypting the data before it is stored in the “cloud”. Ideally, an organization wishing to join the "cloud" should assess the risks by conducting a Threat Risk Assessment (TRA) and make sure there are security controls in place to mitigate the identified risks.</div>
<h1 class="western" lang="en-US">
Bibliography</h1>
<ul>
<li><span lang="en-US">Amazon Web Services LLC, 2011. “Amazon
Simple Storage Service” [online]. Available from:
</span><a href="http://aws.amazon.com/s3/">http://aws.amazon.com/s3/</a><span lang="en-US">
(accessed: November 19, 2011).</span><br />
</li>
<li><span lang="en-US">BuiltWith Trends, 2011. </span><span lang="en-US"><i>“Top
in Frameworks”</i></span><span lang="en-US"> [online]. Available
from: </span><a href="http://trends.builtwith.com/framework/top">http://trends.builtwith.com/framework/top</a><span lang="en-US">
(accessed: November 19, 2011).</span><br />
</li>
<li><div lang="en-US">
Canada Post, 2011. <i>“Postal Code Data
Products”</i> [online]. Available from:
<a href="http://www.canadapost.ca/cpo/mc/business/productsservices/mailing/pcdp.jsf">http://www.canadapost.ca/cpo/mc/business/productsservices/mailing/pcdp.jsf</a>
(accessed: November 19, 2011).</div>
</li>
<li><div lang="en-US">
Divakarla, U, & Kumari, G 2010, 'AN OVERVIEW
OF CLOUD COMPUTING IN DISTRIBUTED SYSTEMS', <i>AIP Conference
Proceedings</i>, 1324, 1, pp. 184-186, Academic Search Complete,
EBSCO<i>host</i>, viewed 19 November 2011.</div>
</li>
<li><span lang="en-US">Equifax, Inc. 2011. </span><span lang="en-US"><i>“The
Decision 360”</i></span><span lang="en-US"> [online]. Available
from: </span><a href="http://www.equifax.com/consumer/risk/en_us">http://www.equifax.com/consumer/risk/en_us</a><span lang="en-US">
(accessed: November 19, 2011).</span><br />
</li>
</ul>
<h1>Internal vs. External Risk</h1>
<div>Posted by John Markh on 2011-11-08</div>
<br />
<div lang="en-US">
Recently, I had a very interesting conversation with
a CISO about the need (or the lack) of a security assessment for an
application which was “up and running for quite some time” on the
Intranet. The business driver behind the initiative was to expose the
same application, which (of course) relies on authentication, to
business partners and clients to access marketing (statistics,
geographical and demographical distribution of users, etc.) over the
Internet.</div>
<div lang="en-US">
It is quite obvious that external exposure has
inherently higher risk than the same resource (document, application,
database, etc.) exposed to the internal environment. But have you
tried to quantify the risk?</div>
<div lang="en-US">
According to the U.S. Census Bureau (2007), there are 120,604,265 employees in 29,413,039 establishments in the US, which means that the average company size in the US is 4.1 employees (internal exposure), whereas the total world population (external exposure) is estimated at 6,973,530,974 (U.S. Census Bureau, 2011). Using the simple formula</div>
<div lang="en-US">
6973530974 ÷ (120604265 ÷ 29413039)</div>
<div lang="en-US">
we can calculate that the external exposure is 1,700,708,830 times higher.</div>
<div lang="en-US">
Naturally, it does not translate directly into risk, as the average US company with 4.1 employees does not have Intellectual Property, and not every human on earth has the means (technical equipment, skills, time, motivation, etc.) to identify and exploit a security vulnerability. Regardless, even if the number is reduced by a factor of a million (1,000,000), we are still talking about 1,700 times more <b>exposure<span style="font-family: Liberation Serif,serif;"> ≈ </span>risk</b>.</div>
<div lang="en-US">
These numbers are quite impressive...</div>
<h1 class="western">
References</h1>
<ul>
<li><div lang="en-US">
U.S. Census Bureau, 2007. "Statistics about
Business Size (including Small Business)" [online]. Available
from: <a href="http://www.census.gov/econ/smallbus.html">http://www.census.gov/econ/smallbus.html</a>
(accessed: November 7, 2011)</div>
</li>
<li><div lang="en-US">
U.S. Census Bureau, 2011. "International
Data Base World Population Summary" [online]. Available from:
<a href="http://www.census.gov/population/international/data/idb/worldpopinfo.php">http://www.census.gov/population/international/data/idb/worldpopinfo.php</a>
(accessed. November 7, 2011).</div>
</li>
</ul>
<h1>Data Warehousing</h1>
<div>Posted by John Markh on 2011-11-05</div>
<div lang="en-US">
The concept of data warehousing was introduced in the 1980s as a non-volatile repository of historical data, mainly used for organizational decision making (Reddy, G, Srinivasu, R, Rao, M, & Rikkula, S 2010). While the data warehouse consists of information gathered from diverse sources, it maintains its own database, separated from operational databases, as it is structured for analytical processes rather than transactional processes (Chang-Tseh, H, & Binshan, L 2002).</div>
<div lang="en-US">
Traditionally, data warehouses were used by medium and large organizations to “perform analysis on their data in order to more effectively understand their businesses” (Minsoo, L, Yoon-kyung, L, Hyejung, Y, Soo-kyung, S, & Sujeong, C 2007), and were designed as a centralized database used to store, retrieve and analyze information. Those systems were expensive, difficult to build and maintain, and in many cases made internal business processes more complicated.
</div>
<div lang="en-US">
With the wide adoption of the Web (the Internet) as a successful distributed environment, the data warehouse architecture evolved into a distributed collection of data marts and metadata servers which describe the data stored in each individual repository (Chang-Tseh, H, & Binshan, L 2002). Moreover, the usage of web browsers made deploying and accessing data warehouses less complicated and more affordable for businesses.</div>
<div lang="en-US">
As a further matter, according to Pérez, J et al. (2008) the Web is “the largest body of information accessible to any individual in the history of humanity where most data is unstructured, consisting of text (essentially HTML) and images” (Pérez, J, Berlanga, R, Aramburu, M, & Pedersen, T 2008). With the standardization of XML as a flexible semistructured data format to exchange data on the Internet (i.e. XHTML, SVG, etc.), it became possible to “extract from source systems, clean (e.g. to detect and correct errors), transform (e.g. put into subject groups or summarized) and store” (Reddy, G, Srinivasu, R, Rao, M, & Rikkula, S 2010) the data in the data warehouse.
</div>
<div lang="en-US">
On the other hand, it is important to consider the “deep web”, which accounts for close to 80% of the web (Chang-Tseh, H, & Binshan, L 2002); there, data access, retrieval, cleaning and transformation could present further obstacles to overcome. In addition, as the information stored in data warehouses becomes more accessible through Internet browsers (as compared to corporate fat clients), so does the risk of data theft (through malicious attacks) and leakage. Chang-Tseh et al. (2002) further note that the security of the warehouse depends primarily on the quality and the enforcement of the organizational security policy.</div>
<h1 class="western" lang="en-US">Bibliography</h1>
<ul>
<li><div lang="en-US">
Chang-Tseh, H, & Binshan, L 2002, 'WEB-BASED
DATA WAREHOUSING: CURRENT STATUS AND PERSPECTIVE', <i>Journal Of
Computer Information Systems</i>, 43, 2, p. 1, Business Source
Premier, EBSCO<i>host</i>, viewed 5 November 2011.</div>
</li>
<li><div lang="en-US">
H.M. Deitel, P.J. Deitel and A.B. Goldberg, 2004.
<i>“Internet & World Wide Web How to Program”</i>. 3<sup>rd</sup>
Edition. Pearson Education Inc. Upper Saddle River, New Jersey.</div>
</li>
<li><div lang="en-US">
Minsoo, L, Yoon-kyung, L, Hyejung, Y, Soo-kyung,
S, & Sujeong, C 2007, 'Issues and Architecture for Supporting
Data Warehouse Queries in Web Portals', <i>International Journal Of
Computer Science & Engineering</i>, 1, 2, pp. 133-138, Computers
& Applied Sciences Complete, EBSCO<i>host</i>, viewed 5 November
2011.</div>
</li>
<li><div lang="en-US">
Pérez, J, Berlanga, R, Aramburu, M, &
Pedersen, T 2008, 'Integrating Data Warehouses with Web Data: A
Survey', <i>IEEE Transactions On Knowledge & Data Engineering</i>,
20, 7, pp. 940-955, Business Source Premier, EBSCO<i>host</i>,
viewed 5 November 2011.</div>
</li>
<li><div lang="en-US">
Reddy, G, Srinivasu, R, Rao, M, & Rikkula, S
2010, 'DATA WAREHOUSING, DATA MINING, OLAP AND OLTP TECHNOLOGIES ARE
ESSENTIAL ELEMENTS TO SUPPORT DECISION-MAKING PROCESS IN
INDUSTRIES', <i>International Journal On Computer Science &
Engineering</i>, 2, 9, pp. 2865-2873, Academic Search Complete,
EBSCO<i>host</i>, viewed 5 November 2011.</div>
</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-76007308269933748982011-11-04T22:51:00.000-04:002011-11-05T22:53:06.460-04:00PHP in Secure Environments<style type="text/css">
<!--
@page { margin: 2cm }
P { margin-bottom: 0.21cm }
H1 { margin-bottom: 0.21cm }
H1.western { font-family: "Liberation Serif"; font-size: 16pt }
H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }
H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }
A:link { so-language: zxx }
-->
</style>
<br />
<div lang="en-US">
While PHP is by far the most popular framework for
web development, according to BuiltWith Trends (2011) its popularity
is actually in decline – the graph posted on the PHP.net website
is from 2007. Newer technologies such as ASP.NET Ajax, Ruby on Rails,
Adobe Flex and Microsoft Silverlight are gaining larger market share
(BuiltWith Trends, 2011). On the other hand, the PHP framework is
being actively developed and supported; therefore its popularity does
not play a major role when discussing the security of the environment.</div>
<div lang="en-US">
When discussing a secure e-commerce environment, in
many cases the choice of the development language itself is not the
major factor influencing the overall security stance. In many
cases, hackers target misconfigured or outdated services
rather than trying to exploit a vulnerability such as a buffer overflow
in the language interpreter (Verizon RISK Team, 2011). Moreover, the Open
Web Application Security Project (OWASP) Top 10 web application
security risks highlight the fact that the majority of exploitable
vulnerabilities are related either to the web server, such as
misconfiguration and insufficient transport layer protection, or to the
security awareness of the software developers, such as injection,
cross-site scripting and insecure direct object references (OWASP,
2010).
</div>
<div lang="en-US">
Security awareness of software developers is
considered by many security experts to be the main factor affecting the
risk exposure of a web application (Dafydd Stuttard and Marcus Pinto,
2011). Let's consider SQL injection as an example: while the SQL
injection vulnerability was first documented in 1998
(rain.forest.puppy, 1998) and ranked as the number one security risk by
the Open Web Application Security Project (OWASP, 2010), code
such as the following (potentially vulnerable to SQL injection):</div>
<div align="CENTER" lang="en-US">
<span style="font-family: Liberation Mono,monospace;"><span style="font-size: x-small;">"Select
* from products where productCode='" . $prodcode . "'"</span></span></div>
<div lang="en-US">
still appears in university lecture notes
(Laureate Online Education, 2007).</div>
<div lang="en-US">
Organizations such as the PHP Group and the PHP Security
Consortium provide guides on securing PHP deployments and on secure
code development in PHP. In addition, the guide (PHP Security
Consortium, 2005) covers topics such as input validation, database
access and SQL injection, session management and issues related to shared
hosts.</div>
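The lecture-notes pattern beside its hardened form, as an added example that is not part of the original post: the same productCode lookup written in Python against an in-memory SQLite table (a constructed three-row catalogue), once by string concatenation as in the PHP snippet above and once as a prepared statement with a bound parameter.

```python
import sqlite3

# Constructed sample catalogue (not from the page).
PRODUCTS = [
    ("A100", "Widget", 9.99),
    ("A200", "Gadget", 19.99),
    ("B300", "Gizmo", 29.99),
]


def make_db():
    """In-memory SQLite database seeded with the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productCode TEXT, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_vulnerable(conn, prodcode):
    """The lecture-notes pattern: user input spliced into the SQL text.

    A single quote in the input closes the literal early, and whatever
    follows is parsed by the database as SQL rather than as a product code.
    """
    sql = ("SELECT productCode FROM products WHERE productCode='"
           + prodcode + "' ORDER BY productCode")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, prodcode):
    """Prepared statement: the SQL text is fixed and the value is bound
    separately, so the input is only ever compared as data."""
    sql = "SELECT productCode FROM products WHERE productCode=? ORDER BY productCode"
    return [row[0] for row in conn.execute(sql, (prodcode,))]


def demo():
    """Run both lookups with an ordinary code and with the textbook
    tautology input; returns the four result lists for comparison."""
    conn = make_db()
    honest = "A100"
    hostile = "' OR '1'='1"   # closes the literal; the OR is always true
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_honest": lookup_parameterized(conn, honest),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated query returns the whole catalogue for the hostile input, while the parameterized one returns nothing because no product code literally equals that string.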
<h1 class="western" lang="en-US">
Bibliography</h1>
<ul>
<li><div lang="en-US">
BuiltWith Trends, 2011. <i>“Frameworks
Distribution”</i> [online]. Available from:
<a href="http://trends.builtwith.com/framework">http://trends.builtwith.com/framework</a>
(accessed: November 4, 2011).</div>
</li>
<li><div lang="en-US">
Dafydd Stuttard and Marcus Pinto, 2011. "The
Web Application Hacker's Handbook: Discovering and Exploiting
Security Flaws". 2<sup>nd</sup> Edition. Wiley.</div>
</li>
<li><div lang="en-US">
H.M. Deitel, P.J. Deitel and A.B. Goldberg, 2004.
<i>“Internet & World Wide Web How to Program”</i>. 3<sup>rd</sup>
Edition. Pearson Education Inc. Upper Saddle River, New Jersey.</div>
</li>
<li><div lang="en-US">
Laureate Online Education, 2007. <i>“MSC IN:
Programming the Internet Seminar Five – PHP / Database
Connectivity”. Laureate Online Education B.V.</i></div>
</li>
<li><div lang="en-US">
OWASP, 2010. <i>“OWASP Top 10 for 2010”</i>
[online]. Available from:
<a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project</a>
(accessed: November 4, 2011).</div>
</li>
<li><div lang="en-US">
PHP Security Consortium, 2005. <i>"PHP
Security Guide"</i> [online]. Available from:
<a href="http://phpsec.org/projects/guide/">http://phpsec.org/projects/guide/</a>
(accessed: November 4, 2011).</div>
</li>
<li><div lang="en-US">
rain.forest.puppy, 1998. <i>"NT Web
Technology Vulnerabilities"</i> [online]. Phrack Magazine
Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12. Available from:
<a href="http://www.phrack.org/issues.html?issue=54&id=8#article">http://www.phrack.org/issues.html?issue=54&id=8#article</a>
(accessed: November 4, 2011).</div>
</li>
<li><span lang="en-US">Verizon RISK Team, 2011. </span><span lang="en-US"><i>“2011
Data Breach Investigations Report”</i></span><span lang="en-US">
[online]. Verizon Business. Available from:
</span><a href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf">http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf</a><span lang="en-US">
(accessed: November 4, 2011).</span><br />
</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-13567601579864118622011-10-29T09:52:00.002-04:002011-10-30T10:08:05.585-04:00Protecting Code
<br />
<div lang="en-US">
As the world shifts from compiled languages such
as C, C++ and Pascal to scripting languages such as Python, Perl, PHP
and JavaScript, the exposure of intellectual
property (the source code) grows with it. While earlier “fat clients”,
usually written in C and C++, were compiled machine-code
executables, more modern applications written in .NET and Java
consist of bytecode, which is “the intermediate representation
of Java programs” (Peter Haggar, 2001). The same applies to
.NET applications, which can be disassembled using tools shipped
with the .NET Framework SDK (such as ILDASM) and decompiled back into
source code (Gabriel Torok and Bill Leach, 2003). With web
technologies such as HTML, JavaScript and Cascading Style Sheets
(CSS), where the source has to be downloaded to the client side in
order to be executed by the web browser, the end user has
unrestricted access to the entire source code.</div>
<div lang="en-US">
The ability to access source code can be used with both
legitimate and malicious intent. For example, security tools rely on
the ability to decompile Java applets and Flash so that a tool “performs
static analysis to understand their behaviours” (Telecomworldwire,
2009). Moreover, the ability to disassemble a binary can be
used by software developers for debugging. On the other hand, it
can also be used to reverse engineer the source code, which directly
impacts the ability to protect the intellectual property.</div>
<div lang="en-US">
One obvious way to try to protect the source code,
and thus the intellectual property it carries, is obfuscation
(Gabriel Torok and Bill Leach, 2003)(Peter Haggar, 2001)(Tony Patton,
2008). Regardless of the language used to develop the
application, obfuscation usually means:</div>
<ul>
<li><div lang="en-US">
replacement of variable names with non-meaningful
character streams</div>
</li>
<li><div lang="en-US">
replacement of constants with expressions</div>
</li>
<li><div lang="en-US">
replacement of decimal values with hexadecimal,
octal or binary representations</div>
</li>
<li><div lang="en-US">
addition of dummy functions and loops</div>
</li>
<li><div lang="en-US">
removal of comments</div>
</li>
<li><div lang="en-US">
concatenating all lines in the source code</div>
</li>
</ul>
<div lang="en-US">
In a way, the process of obfuscation changes the
source code to make it difficult for the “reader” to understand
the logic behind it. Obfuscation could be seen as “your kid
sister encryption” - “cryptography that will stop your kid sister
from reading your files” (Bruce Schneier, 1996). Of course, a
persistent “reader” can invest enough time and resources to
reproduce the source code (deobfuscate) by applying the obfuscation
principles in reverse.
</div>
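An added example, not from the original post or from any of the cited tools: a small Python script that applies the transformations listed above to a constructed JavaScript snippet (removing comments, replacing numeric constants with equivalent hexadecimal expressions, renaming declared variables and parameters, appending a dummy function with a loop, and concatenating lines) and returns the rename map, which is exactly what a persistent reader has to reconstruct to undo it. Function names are deliberately left alone so callers of the snippet keep working.

```python
import re

# Constructed JavaScript input (not from the page): readable, commented source.
SOURCE = """\
// Compute the total price of a cart, with a discount over a threshold.
function totalPrice(items, discountRate) {
    var total = 0;
    for (var i = 0; i < items.length; i++) {
        total = total + items[i].price; /* sum up */
    }
    if (total > 100) {
        total = total - total * discountRate;
    }
    return total;
}
"""

MASK = 0x5A  # any constant works: n == (n ^ MASK) ^ MASK


def remove_comments(src):
    """Drop /* ... */ and // comments (the snippet has no '//' inside strings)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def add_dummy_function(src):
    """Append a function nobody calls, containing a loop that does nothing."""
    return src + "\nfunction _0xdead(){for(var _0xj=0;_0xj<2;_0xj++){}}"


def numbers_to_expressions(src):
    """Replace each decimal literal n with (hex(n ^ MASK) ^ hex(MASK)), which
    evaluates back to n: both 'constants -> expressions' and 'decimal -> hex'."""
    return re.sub(r"\b\d+\b",
                  lambda m: "(%s^%s)" % (hex(int(m.group()) ^ MASK), hex(MASK)),
                  src)


def rename_identifiers(src):
    """Map every declared variable and function parameter to _0x<n>;
    returns the rewritten source and the name map."""
    names = re.findall(r"\b(?:var|let|const)\s+([A-Za-z_]\w*)", src)
    for params in re.findall(r"\bfunction\s+\w*\s*\(([^)]*)\)", src):
        names += [p.strip() for p in params.split(",") if p.strip()]
    mapping = {}
    for name in names:
        if name not in mapping:
            mapping[name] = "_0x%x" % (len(mapping) + 1)
    if not mapping:
        return src, mapping
    pattern = r"\b(" + "|".join(map(re.escape, mapping)) + r")\b"
    return re.sub(pattern, lambda m: mapping[m.group(1)], src), mapping


def concatenate_lines(src):
    """Collapse to a single line; every statement in the snippet ends with
    ';' or a brace, so dropping the newlines does not change parsing."""
    return "".join(line.strip() for line in src.splitlines())


def obfuscate(src):
    """Apply the listed transformations in an order that keeps them consistent
    (the dummy function is added before numbers are rewritten, so its
    literals are disguised too)."""
    src = remove_comments(src)
    src = add_dummy_function(src)
    src = numbers_to_expressions(src)
    src, mapping = rename_identifiers(src)
    return concatenate_lines(src), mapping


if __name__ == "__main__":
    out, names = obfuscate(SOURCE)
    print(out)
    print(names)
```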
<h1 class="western" lang="en-US">
Bibliography</h1>
<ul>
<li><div lang="en-US">
Telecomworldwire, 2009. 'HP unveils HP SWFScan
free web security tool' 2009, <i>Telecomworldwire (M2)</i>, Regional
Business News, EBSCO<i>host</i>, viewed 28 October 2011.</div>
</li>
<li><div lang="en-US">
Bruce Schneier, 1996. “Applied Cryptography”.
Wiley; 2nd Edition. Preface.</div>
</li>
<li><div lang="en-US">
Gabriel Torok and Bill Leach, 2003. <i>“Thwart
Reverse Engineering of Your Visual Basic .NET or C# Code”</i>
[online]. Microsoft. Available from:
<a href="http://msdn.microsoft.com/en-us/magazine/cc164058.aspx">http://msdn.microsoft.com/en-us/magazine/cc164058.aspx</a>
(accessed: October 28, 2011).</div>
</li>
<li><div lang="en-US">
H.M. Deitel, P.J. Deitel and A.B. Goldberg, 2004.
<i>“Internet & World Wide Web How to Program”</i>. 3<sup>rd</sup>
Edition. Pearson Education Inc. Upper Saddle River, New Jersey.</div>
</li>
<li><div lang="en-US">
Peter Haggar, 2001. <i>“Java bytecode:
Understanding bytecode makes you a better programmer”</i>
[online]. IBM. Available from:
<a href="http://www.ibm.com/developerworks/ibm/library/it-haggar_bytecode/">http://www.ibm.com/developerworks/ibm/library/it-haggar_bytecode/</a>
(accessed: October 28, 2011).</div>
</li>
<li><span lang="en-US">Tony Patton, 2008. </span><span lang="en-US"><i>“Protect
your JavaScript with obfuscation”</i></span><span lang="en-US">
[online]. TechRepublic. Available from:
</span><a href="http://www.techrepublic.com/blog/programming-and-development/protect-your-javascript-with-obfuscation/762">http://www.techrepublic.com/blog/programming-and-development/protect-your-javascript-with-obfuscation/762</a><span lang="en-US">
(accessed: October 28, 2011). </span>
<br />
</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-85045881553224766152011-10-22T23:00:00.000-04:002011-10-22T23:00:14.284-04:00Adaptive Web Site Design
<br />
<div lang="en-US">
Paul De Bra (1999) identifies a number of issues
related to adaptive web site design, including “the separation of a
conceptual representation of an application domain from the content
of the actual Web-site, the separation of content from adaptation
issues, the structure and granularity of user models, the role of a
user and application context” (Paul De Bra, 1999). This essay will
discuss the separation of conceptual representation and the role of the
user in the application context more than ten years after publication
of the original article.</div>
<div lang="en-US">
Modern web application development frameworks such as
.NET, Spring Framework, JavaServer Faces, Apache Orchestra, Grails
and Struts offer clear separation between application representation
and content. The separation is achieved by implementing the
Model-View-Controller (MVC) architecture, where the “Model” layer is
responsible for storing and managing access to relevant pieces of
data, the “View” layer is responsible for rendering and layout of the
data, and the “Controller” layer is responsible for interaction with
the end user (i.e. the Internet browser). The entire content no longer has
to be “stored” statically in the HTML page; it can be generated
dynamically based on input received from the user. Moreover, the HTML5
Web Storage API greatly increases the storage capacity (compared to
HTML session cookies), which allows a web application to store
structured data on the client side (WHATWG, 2011). This could further
facilitate user-centric web site design, such as storage of user
preferences, data caches, etc.</div>
<span lang="en-US">On the other hand, when discussing “the role
of a user and application context” (Paul De Bra, 1999), the
methodology and the technology are not as mature. Qiuyuan Jimmy Li
ties the issue to the organization of the web application structure
and notes that the majority of web sites do not adapt the content to the
individual user. Instead, the web server “provides the same content
that has been created beforehand to everyone who visits the site”
(Qiuyuan Jimmy Li, 2007). He suggests a framework which
accounts for users' cognitive style and adapts information content
for each individual user. Justin Brickell et al. (2006) take a
slightly different approach and instead suggest mining site access
logs to identify access patterns and user behavior such as
scrolling, time spent on each page, etc. The collected information
could be used for shortcutting - the “process of providing links
to users’ eventual goals while skipping over the in-between pages”
(Brickell et al., 2006). </span>
<br />
<span lang="en-US">In addition, it is important to highlight the
security and privacy issues when discussing adaptive web site design.
In order for a web application to provide customized content, it (the web
application) has to acquire or collect personal data about the
individual user and the user's behavior patterns. For example, Google's
Gmail uses automated scanning and filtering technology to “show
relevant ads” (Google, 2011). This could be considered by some
individuals an intrusion into privacy, especially if the processed
message contains sensitive information such as health records or
financial information.</span><br />
<h1 class="western" lang="en-US">
Bibliography</h1>
<ul>
<li><div lang="en-US">
<span style="font-weight: normal;">Google, 2011.
</span><i><span style="font-weight: normal;">“FAQ about Gmail,
Security & Privacy”</span></i><span style="font-weight: normal;">
[online]. Available from:
<a href="http://mail.google.com/support/bin/answer.py?hl=en&answer=1304609">http://mail.google.com/support/bin/answer.py?hl=en&answer=1304609</a>
(accessed: October 22, 2011).</span></div>
</li>
<li><div lang="en-US">
H.M. Deitel, P.J. Deitel and A.B. Goldberg, 2004.
<i>“Internet & World Wide Web How to Program”</i>. 3<sup>rd</sup>
Edition. Pearson Education Inc. Upper Saddle River, New Jersey.</div>
</li>
<li><span lang="en-US">Justin Brickell, Inderjit S. Dhillon and
Dharmendra S. Modha, 2006. </span><span lang="en-US"><i>“Adaptive
Website Design using Caching Algorithms”</i></span><span lang="en-US">
[online]. Available from:
<a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.155.5537&rep=rep1&type=pdf">http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.155.5537&rep=rep1&type=pdf</a>
(accessed: October 22, 2011).</span><br />
</li>
<li><div lang="en-US">
Paul De Bra, 1999. <i>“Design Issues in
Adaptive Web-Site Development”</i> [online]. Available from:
<a href="http://wwwis.win.tue.nl/%7Edebra//asum99/debra/debra.html">http://wwwis.win.tue.nl/~debra//asum99/debra/debra.html</a>
(accessed: October 22, 2011).</div>
</li>
<li><div lang="en-US">
Qiuyuan Jimmy Li, 2007. <i>“Design and
Implementation of a User-Adaptive Website with Information Pallets”</i>
[online]. Available from:
<a href="http://dspace.mit.edu/bitstream/handle/1721.1/45636/367589980.pdf?sequence=1">http://dspace.mit.edu/bitstream/handle/1721.1/45636/367589980.pdf?sequence=1</a>
(accessed: October 22, 2011).</div>
</li>
<li><div lang="en-US">
WHATWG, 2011. “HTML – Web Storage”
[online]. Available from:
<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webstorage.html#webstorage">http://www.whatwg.org/specs/web-apps/current-work/multipage/webstorage.html#webstorage</a>
(accessed: October 22, 2011).</div>
</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-33803190017056749992011-07-29T05:10:00.006-04:002011-07-29T06:22:26.216-04:00Forensic Software Analysis
Linux/GNU provides a wealth of tools which can be used to analyze
binaries, such as file, strings, md5sum, hexdump, ldd, strace and gdb.
Moreover, profiling tools such as AppArmor could be useful when
analyzing the behaviour of an unknown binary.
For the purpose of demonstrating the forensic software analysis
process and the recoverable artifacts, a number of Linux/GNU tools will
be used to investigate the Skype application. Conclusions of the
investigation will be presented at the end of the document.<br />
<h1>file</h1>
The <i><b>file</b></i> command helps identify the file type and displays general information about the suspected binary.<br /><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-F9Hylxj6aZY/TjJuwGcoXQI/AAAAAAAAO_Y/3Q7EJ60xNBk/s1600/fileCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://3.bp.blogspot.com/-F9Hylxj6aZY/TjJuwGcoXQI/AAAAAAAAO_Y/3Q7EJ60xNBk/s400/fileCommand.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">file command</td></tr>
</tbody></table>
<br />
<h1>ldd</h1>
The <i><b>ldd</b></i> command can be used to identify all shared
libraries used by the suspicious software.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-pB9aLVjysx8/TjJvLmCoXNI/AAAAAAAAO_c/qjn8-lf1k8A/s1600/lddCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://2.bp.blogspot.com/-pB9aLVjysx8/TjJvLmCoXNI/AAAAAAAAO_c/qjn8-lf1k8A/s400/lddCommand.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">ldd command</td></tr>
</tbody></table>
<br />
<h1>gdb</h1>
<i><b>gdb</b></i> is the GNU debugger, useful for debugging executables: it lets an investigator “see what is going on 'inside' another program while it executes—or what another program was doing at the moment it
crashed” (Free Software Foundation, Inc. 2002). <i><b>gdb</b></i> allows an investigator to run a suspicious program step by step, view the value of a specific expression or print a stack trace using the <i>bt</i> command.<br /><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-mt3_u9eS-D0/TjJvW0AYUwI/AAAAAAAAO_g/SNoQyiYTOn0/s1600/gdbCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://4.bp.blogspot.com/-mt3_u9eS-D0/TjJvW0AYUwI/AAAAAAAAO_g/SNoQyiYTOn0/s400/gdbCommand.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">gdb command</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-VLeyvT-yYyc/TjJvYUh-J6I/AAAAAAAAO_k/MvzLAHih1r0/s1600/gdbStacktrace.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://2.bp.blogspot.com/-VLeyvT-yYyc/TjJvYUh-J6I/AAAAAAAAO_k/MvzLAHih1r0/s400/gdbStacktrace.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">gdb stacktrace</td></tr>
</tbody></table><br/>
<h1>strace</h1>
<i><b>strace</b></i> can be used to display system calls and signals, including access to local and remote resources such as <i>/etc/passwd</i>. The <i><b>strace</b></i> command can be used with the
-o parameter to write its output to a specified file. <br />
The recorded information includes:<br />
<ul><li>a name of a system call</li>
<li>arguments; and</li>
<li>return values</li>
</ul><br/>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-_pwQj35S8CM/TjJv0C799cI/AAAAAAAAO_o/g1viVM1nOqo/s1600/straceCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://4.bp.blogspot.com/-_pwQj35S8CM/TjJv0C799cI/AAAAAAAAO_o/g1viVM1nOqo/s400/straceCommand.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">strace command</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-qiMltkl8i1Y/TjJv2RgMeBI/AAAAAAAAO_w/eXrpt--YxVw/s1600/straceOutputFile.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://2.bp.blogspot.com/-qiMltkl8i1Y/TjJv2RgMeBI/AAAAAAAAO_w/eXrpt--YxVw/s400/straceOutputFile.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">strace output</td></tr>
</tbody></table>
<br />
The output file can be parsed with <i><b>grep</b></i> and an appropriate regular expression to identify accessed and/or modified system resources.<br /><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-aDwizvU5Oe8/TjJv1Dct9CI/AAAAAAAAO_s/fJT3D8hG3Ws/s1600/straceGrepOutput.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://3.bp.blogspot.com/-aDwizvU5Oe8/TjJv1Dct9CI/AAAAAAAAO_s/fJT3D8hG3Ws/s400/straceGrepOutput.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">grep strace output</td></tr>
</tbody></table>
<br />
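As an added example that is not part of the original post, the grep step above done in Python: a parser for <i>strace -o</i> output lines (a constructed sample, not the Skype trace shown in the screenshots) that buckets each resource as read, modified or network, and keeps failed calls separately because a denied open still shows what the binary attempted. It assumes single-process output without the PID prefixes that <i>-f</i> adds.

```python
import re

# Constructed strace -o output (not captured from the page's Skype run);
# 203.0.113.10 is a documentation address.
STRACE_OUTPUT = """\
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
stat("/etc/fonts/fonts.conf", {st_mode=S_IFREG|0644, st_size=5287, ...}) = 0
open("/home/user/.Skype/shared.xml", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
open("/home/user/.mozilla/firefox/places.sqlite", O_RDONLY) = -1 EACCES (Permission denied)
connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
unlink("/tmp/skype-lock") = 0
+++ exited with 0 +++
"""

# name(args) = retval [ERRNO (text)]
LINE_RE = re.compile(r"^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)(?P<err>.*)$")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
MODIFYING_CALLS = {"unlink", "rename", "mkdir", "rmdir", "chmod", "chown", "truncate"}
READING_CALLS = {"stat", "lstat", "access", "readlink"}


def parse_line(line):
    """Split one strace line into call name, raw arguments, return value and
    error text; returns None for lines that are not syscalls (signals, exit)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"call": m.group("call"), "args": m.group("args"),
            "ret": int(m.group("ret")), "err": m.group("err").strip()}


def first_path(args):
    """First quoted string in the argument list (the pathname for file calls,
    including openat, where it follows the directory fd)."""
    m = re.search(r'"([^"]*)"', args)
    return m.group(1) if m else None


def classify(rec):
    """Return (category, resource) for one parsed call, or None if the call
    is not a resource access this summary cares about."""
    call, args = rec["call"], rec["args"]
    if call in ("open", "openat", "creat"):
        flags = set(re.findall(r"\bO_[A-Z]+\b", args))
        kind = "modified" if (flags & WRITE_FLAGS or call == "creat") else "read"
        return kind, first_path(args)
    if call in MODIFYING_CALLS:
        return "modified", first_path(args)
    if call in READING_CALLS:
        return "read", first_path(args)
    if call == "connect":
        addr = re.search(r'inet_addr\("([^"]+)"\)', args)
        port = re.search(r"htons\((\d+)\)", args)
        if addr and port:
            return "network", "%s:%s" % (addr.group(1), port.group(1))
    return None


def summarize(output):
    """Bucket resources into read / modified / network; calls that returned
    an error go into 'failed' with the errno text so the attempt is kept."""
    summary = {"read": [], "modified": [], "network": [], "failed": []}
    for line in output.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec)
        if result is None:
            continue
        kind, resource = result
        if rec["ret"] < 0:
            summary["failed"].append((rec["call"], resource, rec["err"]))
        else:
            summary[kind].append(resource)
    return summary


if __name__ == "__main__":
    for kind, items in summarize(STRACE_OUTPUT).items():
        print(kind, items)
```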
<h1>strings</h1>
<i><b>strings</b></i> prints all runs of printable characters in a specified file. It can be useful for identifying system calls, resources, URLs, IP addresses, names, etc. when analyzing suspected
software.<br /><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-dwlFEhFcYBw/TjJ0ojKg8zI/AAAAAAAAPAU/4hSS_0RNjrY/s1600/stringsCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://1.bp.blogspot.com/-dwlFEhFcYBw/TjJ0ojKg8zI/AAAAAAAAPAU/4hSS_0RNjrY/s400/stringsCommand.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">strings command</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-xFMkRFroAK4/TjJ0p8LYbNI/AAAAAAAAPAY/cENyakLZWc8/s1600/stringsOutput.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://1.bp.blogspot.com/-xFMkRFroAK4/TjJ0p8LYbNI/AAAAAAAAPAY/cENyakLZWc8/s400/stringsOutput.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">strings output</td></tr>
</tbody></table> <br />
<h1>AppArmor</h1>
AppArmor is a “Linux application security system” (AppArmor Security Project, 2011) that uses a whitelist approach to protect the operating system and its users. This is done by enforcing “good”
behaviour, including open ports, allowed resources, etc., to protect against known and unknown application flaws.<br /><br />
AppArmor includes “a combination of advanced static analysis and learning-based tools” (AppArmor Security Project, 2011) which could be helpful when investigating malicious software behaviour. For the purpose of a forensic investigation, the <i><b>aa-genprof</b></i> command can be used to record all software activities, which can then be analyzed at a later stage.<br /><br />
When using <i><b>aa-genprof</b></i> to analyze potential malware behaviour, the investigator has to invoke all possible functionality to force the software to access all local and remote resources. In many cases, it is necessary to let the software run for a few days, as some malware, such as infected bots, communicates with the bot controller periodically.<br /><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-yJjX3Y-CP1c/TjJ1vVTxqQI/AAAAAAAAPAc/6wDK5bzEqB4/s1600/aa-genproff.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="256" src="http://1.bp.blogspot.com/-yJjX3Y-CP1c/TjJ1vVTxqQI/AAAAAAAAPAc/6wDK5bzEqB4/s400/aa-genproff.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">aa-genprof command</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-kbVfK1jisIU/TjJ15YlZxNI/AAAAAAAAPAg/KhIvYqyYSw0/s1600/skypeCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="http://3.bp.blogspot.com/-kbVfK1jisIU/TjJ15YlZxNI/AAAAAAAAPAg/KhIvYqyYSw0/s400/skypeCommand.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">skype command</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-FMZQkyyV25k/TjJ2C_yrgGI/AAAAAAAAPAk/IXlKEdaN3f4/s1600/skypeMainWindow.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="http://4.bp.blogspot.com/-FMZQkyyV25k/TjJ2C_yrgGI/AAAAAAAAPAk/IXlKEdaN3f4/s400/skypeMainWindow.png" width="201" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Skype main window</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-sshLOGSMB0g/TjJ2D56-5HI/AAAAAAAAPAo/sb59jTlxdV4/s1600/SkypeCallingEcho123.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://1.bp.blogspot.com/-sshLOGSMB0g/TjJ2D56-5HI/AAAAAAAAPAo/sb59jTlxdV4/s1600/SkypeCallingEcho123.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Skype calling echo123</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-4X7mT8ATY9s/TjJ2GmtH3FI/AAAAAAAAPAs/9c0y8RuoytI/s1600/SkypeMessangingEcho123.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="298" src="http://2.bp.blogspot.com/-4X7mT8ATY9s/TjJ2GmtH3FI/AAAAAAAAPAs/9c0y8RuoytI/s320/SkypeMessangingEcho123.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Skype messaging echo123</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-PUdyLbX0h2k/TjJ2pPEIkHI/AAAAAAAAPAw/K1iG0tsfH8Q/s1600/aa-genprof+analyzing+Skype+access+to+Pulse+resources.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="256" src="http://4.bp.blogspot.com/-PUdyLbX0h2k/TjJ2pPEIkHI/AAAAAAAAPAw/K1iG0tsfH8Q/s400/aa-genprof+analyzing+Skype+access+to+Pulse+resources.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">aa-genprof analyzing Skype access to Pulse resources</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-vkpfH-S8lOE/TjJ3B7KYDEI/AAAAAAAAPA0/8h3c1oTTNyE/s1600/aa-genprof+analyzing+Skype+access+to+system+fonts+configuration.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="256" src="http://2.bp.blogspot.com/-vkpfH-S8lOE/TjJ3B7KYDEI/AAAAAAAAPA0/8h3c1oTTNyE/s400/aa-genprof+analyzing+Skype+access+to+system+fonts+configuration.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">aa-genprof analyzing Skype access to system fonts configuration</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-cnwv63mwTzI/TjJ3KdC5oXI/AAAAAAAAPA4/uoABU5XsVr4/s1600/aa-genprof+analyzing+Skype+access+to+local+chat.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="256" src="http://3.bp.blogspot.com/-cnwv63mwTzI/TjJ3KdC5oXI/AAAAAAAAPA4/uoABU5XsVr4/s400/aa-genprof+analyzing+Skype+access+to+local+chat.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">aa-genprof analyzing Skype access to local chat</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-2yKQYSv2UEU/TjJ3MsB84VI/AAAAAAAAPA8/xXzjRODl5lY/s1600/aa-genprof+analyzing+Skype+access+to+Firefox+bookmarks.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="256" src="http://3.bp.blogspot.com/-2yKQYSv2UEU/TjJ3MsB84VI/AAAAAAAAPA8/xXzjRODl5lY/s400/aa-genprof+analyzing+Skype+access+to+Firefox+bookmarks.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">aa-genprof analyzing Skype access to Firefox bookmarks</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-egXfbXFasjw/TjJ3Nzv48aI/AAAAAAAAPBA/bpU0mqkF8kU/s1600/aa-genprof+analyze+Skype+access+to+Firefox+extensions.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="256" src="http://3.bp.blogspot.com/-egXfbXFasjw/TjJ3Nzv48aI/AAAAAAAAPBA/bpU0mqkF8kU/s400/aa-genprof+analyze+Skype+access+to+Firefox+extensions.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">aa-genprof analyzing Skype access to Firefox extensions</td></tr>
</tbody></table>
<br />
<h1>Conclusions</h1>
Skype accesses the resources required to display a graphical user interface (GUI) using the Qt library, to interact with audio devices through the PulseAudio framework, and to use the network, all of which can be considered legitimate behaviour for a VoIP application.<br />
<br />
On the other hand, Skype's access to resources such as Firefox bookmarks and extensions (including LastPass, an advanced password manager) and to system files such as <i>/etc/passwd</i> raises suspicion, as it resembles typical malware behaviour; those paths are the ones worth denying in the profile aa-genprof produces rather than simply recording them as allowed.<br /><br />
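Triage of the aa-genprof output can be scripted rather than read one event at a time. The following Python is an added example, not part of the original post: it parses AppArmor audit records of the kind a profile in complain mode produces, and sorts each path Skype touched into expected (Qt libraries, PulseAudio, fonts, resolver configuration) or suspicious (browser profile, /etc/passwd). The audit lines, paths, pid and the two rule lists are constructed assumptions for the example and should be tuned to the profile under review.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed audit records in the form the kernel logs for a profile in complain
# mode (apparmor="ALLOWED"); paths and pid are illustrative, not from the post.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1311861201.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/usr/lib/libQtGui.so.4" pid=4242 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1311861201.102:202): apparmor="ALLOWED" operation="connect" profile="/usr/bin/skype" name="/home/alice/.pulse/native" pid=4242 comm="skype" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
type=AVC msg=audit(1311861201.103:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/etc/fonts/fonts.conf" pid=4242 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1311861201.104:204): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/home/alice/.mozilla/firefox/x1y2z3.default/places.sqlite" pid=4242 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1311861201.105:205): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/home/alice/.mozilla/firefox/x1y2z3.default/extensions/support@lastpass.com/chrome.manifest" pid=4242 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1311861201.106:206): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/etc/passwd" pid=4242 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword, as the audit subsystem writes them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Classification rules assumed for this example: what a VoIP client is expected to
# touch versus what it has no business reading. Checked in order: suspicious first.
EXPECTED = [r"/lib[^ ]*\.so", r"/pulse/", r"/\.pulse", r"/etc/fonts/", r"/\.fonts",
            r"/etc/resolv\.conf$", r"/etc/hosts$", r"/etc/ssl/"]
SUSPICIOUS = [r"/\.mozilla/", r"/\.config/(chromium|google-chrome)/", r"/\.ssh/",
              r"/\.gnupg/", r"^/etc/passwd$", r"^/etc/shadow$"]


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit record into its key/value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def classify(path: str) -> str:
    if any(re.search(p, path) for p in SUSPICIOUS):
        return "suspicious"
    if any(re.search(p, path) for p in EXPECTED):
        return "expected"
    return "review"


def triage(audit_text: str, profile: str = "/usr/bin/skype") -> List[Tuple[str, str, str, str]]:
    """Return (verdict, operation, requested mask, path) for each record of the profile."""
    out = []
    for line in audit_text.splitlines():
        if 'apparmor="' not in line:
            continue
        f = parse_audit_line(line)
        if f.get("profile") != profile or "name" not in f:
            continue
        out.append((classify(f["name"]), f.get("operation", ""),
                    f.get("requested_mask", ""), f["name"]))
    return out


def summarize(findings: List[Tuple[str, str, str, str]]) -> Dict[str, int]:
    """Count of records per verdict, e.g. {'expected': 3, 'suspicious': 3}."""
    return dict(Counter(verdict for verdict, _, _, _ in findings))


if __name__ == "__main__":
    rows = triage(SAMPLE_AUDIT)
    for verdict, op, mask, path in rows:
        print(f"{verdict:10} {op:8} {mask:3} {path}")
    print(summarize(rows))
```

Feed it the real records from dmesg or /var/log/audit/audit.log for the profile under review. One caveat a practitioner should keep in mind: a single read of /etc/passwd is often a benign getpwuid() lookup of the user name, so it should be corroborated (does the process also touch /etc/shadow, or read it repeatedly?) before being reported, whereas a read inside ~/.mozilla has no such innocent explanation for a VoIP client.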
<h1>Bibliography</h1>
<ul>
<li>Free Software Foundation, Inc. (2002), <i>“GNU Tools Manual”</i>.</li>
<li>AppArmor Security Project (2011), “Wiki Main Page” [online]. Available from: <a href="http://wiki.apparmor.net/index.php/Main_Page">http://wiki.apparmor.net/index.php/Main_Page</a> (accessed: July 27, 2011).</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-44684909878440388782011-07-19T11:52:00.000-04:002011-07-19T11:52:22.911-04:00Criminal Activity On Peer-To-Peer (P2P) Networks<style type="text/css">
<!--
@page { margin: 2cm }
P { margin-bottom: 0.21cm }
H1 { margin-bottom: 0.21cm }
H1.western { font-family: "Liberation Serif"; font-size: 16pt }
H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }
H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }
A:link { so-language: zxx }
-->
</style>
<br />
<em><span lang="en-CA"><span style="font-style: normal;">Criminal activity on peer-to-peer (P2P) networks is usually associated with the sharing of illegal material such as copyrighted or offensive content (music, movies, snuff films or pornography), and there are a number of cases in which law enforcement agencies have successfully taken down such sites, for example the Elite Torrents group (Charles Montaldo, 2005). More recently, however, peer-to-peer protocols such as BitTorrent and Kad have been used to command and control armies of compromised machines (botnets). A botnet, controlled by a botmaster, can be used for attacks such as spam and denial of service.</span></span></em>
<br />
<em><span lang="en-CA"><span style="font-style: normal;">Bots are getting more and more sophisticated, allowing the controller to capture keystrokes, take screenshots, send spam and participate in denial of service attacks, and they are much harder to detect because of built-in rootkit capabilities; “the most significant feature, however, is the inclusion of peer-to-peer technology in the latest version of the botnet's code” (Peter Bright, 2011). Moreover, some bots allow controllers to “sublet”, for a price, an infected host's IP address for use as an anonymous proxy.</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">Peer-to-peer technology allows the attacker to eliminate a single point of failure: the one (or few) Internet Relay Chat (IRC) servers or Really Simple Syndication (RSS) feed used to command the botnet, which defenders can locate and take down. Over the years there have been a number of attempts by botnet developers to build a next generation using a peer-to-peer control mechanism; “Slapper, Sinit, Phatbot and Nugache have implemented different kinds of P2P control architectures” (Ping Wang, Sherri Sparks, Cliff C. Zou, 2007), each with its weaknesses. For example, Sinit used random probing to discover other infected machines, which produced easily detected network traffic; an insecure authentication mechanism made Slapper easy to hijack; and Nugache relied on a static list of IP addresses as its initial seed (David Dittrich, Sven Dietrich 2008) (David Dittrich, Sven Dietrich 2009).</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">Modern bots combine a peer-to-peer protocol with encryption of the network traffic (based on TLS/SSL), public-key based authentication, and randomly chosen ports with protocol mimicking, both to avoid anomaly detection at the network level and to prevent hijacking of the botnet by competing botmasters or law enforcement agencies. TDL4 (also known as Alureon) has been dubbed “the ‘indestructible’ botnet” and was running on over 4.5 million infected computers at the time of writing (Sergey Golovanov, Igor Soumenkov 2011).</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">To make the botnet more resilient, a hierarchical structure is used: each servant (a hybrid of bot and server) communicates with a small subset of bots, and each bot holds a short list of other peers to fall back on if its servant becomes unavailable. The servants themselves are rotated dynamically and updated periodically to prevent the network from being captured or disrupted. Locally, the malware uses rootkit functionality to avoid detection by anti-virus products. For example, Alureon “infects the system's master boot record (MBR), part of a hard disk that contains critical code used to boot the operating system” (Peter Bright 2011), meaning that the rootkit is loaded before the operating system and any antivirus software.</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">Forensic investigation of a crime involving an advanced peer-to-peer botnet combines reverse engineering with operating system and network forensics. For example, TDL4 infects the victim's MBR, so an examination of the MBR in a forensic image immediately reveals the presence of the rootkit. Moreover, the presence of certain files (recoverable from an offline forensic image) such as cfg.ini and ktzerules in specific locations can indicate infection. At the network level, upon infection the malware downloads and “installs nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot” (Sergey Golovanov, Igor Soumenkov 2011), which makes it possible to monitor and detect the botnet's activity.</span></span></em><br />
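As an added example (not from the original post, nor from any published TDL4 analysis), the following Python performs the two host-side checks just described on a raw disk image: it parses the first sector as an MBR, hashes the bootstrap code and compares it with a baseline of known-clean boot code, and searches a file listing for the indicator names cited above. The baseline hash, the boot code bytes and the partition layout are constructed for the example; a real baseline would hold the hashes of the vendor or Windows boot code taken from known-clean machines.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0..439 are bootstrap code; 440..443 disk signature, 446..509 partition table


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Parse a 512-byte MBR: hash of the bootstrap code, disk signature, non-empty partition entries."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little endian
        status, ptype, lba_start, n_sectors = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": n_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack("<I", sector[440:444])[0],
            "partitions": partitions}


def check_mbr(sector: bytes, known_good: Dict[str, str]) -> Dict[str, object]:
    """Compare the bootstrap code against a baseline of hashes taken from known-clean installs."""
    info = parse_mbr(sector)
    h = info["boot_code_sha256"]
    if h in known_good:
        info["verdict"] = "known-good: " + known_good[h]
    else:
        info["verdict"] = "MODIFIED: bootstrap code not in baseline, examine it and the sectors it loads"
    return info


def read_mbr(image_path: str) -> bytes:
    """First sector of a raw (dd) disk image."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR)


def find_indicator_files(paths: List[str], indicators=("cfg.ini", "ktzerules")) -> List[str]:
    """Paths whose base name matches one of the indicator file names, case-insensitively."""
    wanted = {n.lower() for n in indicators}
    return [p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in wanted]


# --- constructed test data: neither real vendor boot code nor real malware ----------------
def make_mbr(boot_code: bytes, parts: List[Tuple[int, int, int, int]], disk_sig: int = 0x1234ABCD) -> bytes:
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    buf[440:444] = struct.pack("<I", disk_sig)
    for i, (status, ptype, lba, n) in enumerate(parts):
        buf[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack("<B3xB3xII", status, ptype, lba, n)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 41738240)]
CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, PARTS)
TAMPERED_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xe9\x20\x00" + b"\x00" * 64, PARTS)
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]: "constructed vendor boot code"}

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(mbr, KNOWN_GOOD)["verdict"])
```

Hashing only the bootstrap region (bytes 0 to 439) keeps the per-disk signature and the partition table out of the comparison, so one baseline entry covers every disk imaged with the same installer. A modified MBR tells you that something runs before the kernel; it does not tell you what, so the next step is to follow that code to the sectors it reads.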
<h1 class="western">
References</h1>
<ul>
<li>Charles Montaldo (2005), <i>“FBI Cracks Down on BitTorrent
Peer-To-Peer Network”</i> [online]. Available from:
<a href="http://crime.about.com/b/2005/05/31/fbi-cracks-down-on-bittorrent-peer-to-peer-network.htm">http://crime.about.com/b/2005/05/31/fbi-cracks-down-on-bittorrent-peer-to-peer-network.htm</a>
(accessed: July 18, 2011).<br />
</li>
<li>David Dittrich, Sven Dietrich (2008), "P2P as botnet
command and control: a deeper insight" [online]. Available
from:
<a href="http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf">http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf</a>
(accessed: July 18, 2011).
<br />
</li>
<li>David Dittrich, Sven Dietrich (2009), "Discovery
techniques for P2P botnets" [online]. Available from:
<a href="http://www.cs.stevens.edu/%7Espock/pubs/dd2008tr4.pdf">http://www.cs.stevens.edu/~spock/pubs/dd2008tr4.pdf</a>
(accessed: July 18, 2011).
<br />
</li>
<li>Laureate Online Education B.V. 2009, <i>“Computer Forensics
Seminar for Week 7: Network Forensics II”</i>, Laureate Online
Education B.V<br />
</li>
<li>Peter Bright (2011), “4 million strong Alureon P2P botnet ‘practically indestructible’” [online]. Available
from:
<a href="http://arstechnica.com/security/news/2011/07/4-million-strong-alureon-botnet-practically-indestructable.ars">http://arstechnica.com/security/news/2011/07/4-million-strong-alureon-botnet-practically-indestructable.ars</a>
(accessed: July 18, 2011).
<br />
</li>
<li>Ping Wang, Sherri Sparks, Cliff C. Zou (2007), "An
Advanced Hybrid Peer-to-Peer Botnet" [online]. School of
Electrical Engineering and Computer Science, University of Central
Florida. Available from:
<a href="http://www.usenix.org/event/hotbots07/tech/full_papers/wang/wang.pdf">http://www.usenix.org/event/hotbots07/tech/full_papers/wang/wang.pdf</a>
(accessed: July 18, 2011).
<br />
</li>
<li>Sergey Golovanov, Igor Soumenkov 2011, “TDL4 – Top Bot”
[online]. Kaspersky Lab ZAO. Available from:
<a href="http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot?print_mode=1">http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot?print_mode=1</a>
(accessed: July 18, 2011).<br />
</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-47507229568974172112011-07-08T18:30:00.003-04:002011-07-15T08:17:20.867-04:00Legal Aspect of Remote Monitoring<style type="text/css">
<!--
@page { margin: 2cm }
P { margin-bottom: 0.21cm }
H1 { margin-bottom: 0.21cm }
H1.western { font-family: "Liberation Serif"; font-size: 16pt }
H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }
H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }
A:link { so-language: zxx }
-->
</style>
<br />
<i><span lang="en-CA"><span style="font-style: normal;">Regardless of the device owner's awareness, remote monitoring of a computer or mobile device can be done either by an agent deployed on the device or by analyzing the traffic the device generates. Each approach has its own pros and cons, discussed below.</span></span></i><br />
<i><span lang="en-CA"><span style="font-style: normal;">Remote monitoring using a locally deployed agent (such as an event log monitor or key logger) can provide a wealth of information: currently running processes, existing and active users, access to installed applications, and so on. Legitimate deployment of such agents is usually done by a system administrator installing the software on a workstation or laptop, with or without the user's knowledge, while tools such as key loggers used by malicious users or criminals are usually deployed by exploiting vulnerabilities in the operating system, web browser or other installed applications. It is interesting to note that many legitimate monitoring packages use technology and methods previously seen in malware; for example, employee monitoring software commonly offers keystroke monitoring, logging of sent and received Email messages, website activity, accessed documents, etc. (TopTenReviews, 2011).</span></span></i><br />
<i><span lang="en-CA"><span style="font-style: normal;">On the other hand, monitoring computer activity by analyzing the generated network traffic does not require the installation of an agent (malware), which means it leaves no traces on the computer itself for a digital forensic investigator to uncover. The disadvantage, of course, is that information can be deduced only from services and applications that generate network traffic. For example, laptops joined to a domain will try to communicate with a domain controller, and Java JRE and Adobe Reader periodically check for available updates, which provides the intruder with a list of potential targets (services and applications). Where devices communicate using insecure protocols, it is also possible to gather information such as user names and passwords. Moreover, attack vectors such as DNS poisoning, ARP poisoning and a Man In The Middle (MiTM) proxy can redirect the traffic through servers or devices controlled by the intruder.</span></span></i><br />
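An added example of the passive approach (not code from the original post): it consumes a few constructed application-layer records and derives both the target list the paragraph describes and any credentials sent in the clear. The hostnames, User-Agent patterns, domain name and credentials are invented for the example; the only protocol details relied on are that Windows domain members resolve the `_ldap._tcp.dc._msdcs.<domain>` SRV name to locate a domain controller, and that HTTP Basic and FTP send credentials unencrypted.

```python
import base64
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed records: (protocol, src, dst, payload). Not captured traffic; the
# hostnames, user agents and credentials are invented for this example.
_BASIC = base64.b64encode(b"alice:Summer2011!").decode()
SAMPLE_RECORDS = [
    ("dns",  "10.0.0.15", "10.0.0.2",     "_ldap._tcp.dc._msdcs.corp.example"),
    ("http", "10.0.0.15", "203.0.113.10", "GET /update/check HTTP/1.1\r\nHost: updates.java.test\r\nUser-Agent: Java/1.6.0_26\r\n\r\n"),
    ("http", "10.0.0.15", "203.0.113.11", "GET /arm/check HTTP/1.1\r\nHost: updates.reader.test\r\nUser-Agent: AdobeReader/9.4.5 (Windows NT 5.1)\r\n\r\n"),
    ("http", "10.0.0.15", "10.0.0.20",    "GET /intranet/ HTTP/1.1\r\nHost: intranet.corp.example\r\nAuthorization: Basic " + _BASIC + "\r\n\r\n"),
    ("ftp",  "10.0.0.15", "10.0.0.9",     "USER bob\r\nPASS hunter2\r\n"),
    ("http", "10.0.0.16", "203.0.113.10", "GET /update/check HTTP/1.1\r\nHost: updates.java.test\r\nUser-Agent: Java/1.7.0_01\r\n\r\n"),
]

# User-Agent patterns assumed for this example; real updaters use their own strings.
UA_SOFTWARE = [
    (re.compile(r"^Java/([\d._]+)"), "Java Runtime"),
    (re.compile(r"^AdobeReader/([\d.]+)"), "Adobe Reader"),
]
# SRV name a Windows domain member resolves to find a domain controller
DC_LOCATOR = "_ldap._tcp.dc._msdcs."


def parse_http(payload: str) -> Tuple[str, Dict[str, str]]:
    """Request line and lower-cased header map of one HTTP request."""
    head = payload.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for h in head[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return head[0], headers


def passive_inventory(records) -> Dict[str, Set[str]]:
    """Per source host: software and domain membership revealed by its own traffic."""
    inv = defaultdict(set)
    for proto, src, _dst, payload in records:
        if proto == "dns" and payload.startswith(DC_LOCATOR):
            inv[src].add("Windows domain member: " + payload[len(DC_LOCATOR):])
        elif proto == "http":
            _, hdr = parse_http(payload)
            ua = hdr.get("user-agent", "")
            for pat, name in UA_SOFTWARE:
                m = pat.match(ua)
                if m:
                    inv[src].add(f"{name} {m.group(1)}")
    return dict(inv)


def cleartext_credentials(records) -> List[Tuple[str, str, str, str]]:
    """(mechanism, service, user, password) for credentials that crossed the wire unencrypted."""
    creds = []
    for proto, _src, dst, payload in records:
        if proto == "http":
            _, hdr = parse_http(payload)
            auth = hdr.get("authorization", "")
            if auth.lower().startswith("basic "):
                user, _, pw = base64.b64decode(auth[6:]).decode(errors="replace").partition(":")
                creds.append(("http-basic", hdr.get("host", dst), user, pw))
        elif proto == "ftp":
            u = re.search(r"^USER (\S+)", payload, re.M)
            p = re.search(r"^PASS (\S+)", payload, re.M)
            if u and p:
                creds.append(("ftp", dst, u.group(1), p.group(1)))
    return creds


if __name__ == "__main__":
    for host, facts in sorted(passive_inventory(SAMPLE_RECORDS).items()):
        print(host, sorted(facts))
    for cred in cleartext_credentials(SAMPLE_RECORDS):
        print(cred)
```

The same two functions apply unchanged to records reassembled from a capture; only the record source changes. The inventory side is what makes the traffic-analysis approach attractive to an intruder, and the credential side is why monitoring from the network can be more than passive.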
<i><span lang="en-CA"><span style="font-style: normal;">From a legal point of view, the technical method of data acquisition can place the data in a different category. For example, in the US data collected while in transit, such as an Email message, falls under the Wiretap Act and therefore requires special permission. On the other hand, “dropping” a key logger and collecting data as it is being drafted does not violate the Wiretap Act. Similarly, “at the recipient’s end, the U.S. District Court of New Hampshire in Basil W. Thompson v. Anne M. Thompson, et al., ruled that accessing email stored on a hard drive was not an "interception" under the Wiretap Act” (Ryan, DJ. & Shpantzer, G. 2005). Moreover, the age of the acquired data affects the applicable legal requirements: recent data, less than 180 days old, which would include network log files, event logs, etc., “requires a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant, while older communications can be accessed without notice to the subscriber or customer” (Ryan, DJ. & Shpantzer, G. 2005).</span></span></i><br />
<i><span lang="en-CA"><span style="font-style: normal;">Finally, the network environment introduces unique challenges to the digital forensic process, such as the inability to take a snapshot, distributed geographic locations with differing legal requirements and the sheer amount of available data, and requires some adaptation of the AAA principles (Laureate Online Education B.V., 2009). To be admissible in a court of law, network traffic handled as digital forensic evidence has to be processed in accordance with the Daubert guidelines, which “assess the forensic process in four categories: error rate, publication, acceptance and testing” (John Markh 2011). Moreover, because of the high volatility of the artifacts, investigators must pay additional attention to the chain of custody.</span></span></i><br />
<h1 class="western">
Bibliography</h1>
<ul>
<li>Laureate Online Education B.V. 2009, “Computer Forensics
Seminar for Week 6: Network Forensics I”, Laureate Online
Education B.V.<br />
</li>
<li>Markh J. 2011, “Week 5 Discussion Question - UNIX Forensic
Tools”. Laureate Online Education B.V.<br />
</li>
<li>Ryan, DJ. & Shpantzer, G. 2005. “Legal Aspects of
Digital Forensics” [online]. Available from:
<a href="http://euro.ecom.cmu.edu/program/law/08-732/Evidence/RyanShpantzer.pdf">http://euro.ecom.cmu.edu/program/law/08-732/Evidence/RyanShpantzer.pdf</a>
(accessed: July 07, 2011).<br />
</li>
<li>TopTenReviews 2011, “2011 Monitoring Software Review
Product Comparisons” [online], TechMediaNetwork.com, Available
from: <a href="http://monitoring-software-review.toptenreviews.com/">http://monitoring-software-review.toptenreviews.com/</a>
(accessed: July 7, 2011).<br />
</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-30076093108199719552011-07-07T06:28:00.001-04:002011-07-14T06:29:55.914-04:00Criminal Profiling in Digital Forensic<style type="text/css">
<!--
@page { margin: 2cm }
P { margin-bottom: 0.21cm }
H1 { margin-bottom: 0.21cm }
H1.western { font-family: "Liberation Serif"; font-size: 16pt }
H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }
H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }
A:link { so-language: zxx }
-->
</style>
<br />
<em><span lang="en-CA"><span style="font-style: normal;">Criminal profiling has been used by crime investigators for centuries, and gained worldwide attention after being used in England in the Jack the Ripper case. Damon A. Muller (2000) describes criminal profiling as a process “designed to generate information on a perpetrator of a crime, usually a serial offender, through an analysis of the crime scene left by the perpetrator”, allowing law enforcement agencies to make better use of limited resources. Criminal profiling has two distinct approaches: inductive and deductive analysis (Rogers M. 2003). The inductive approach relies on statistical analysis of the behaviour patterns of previously convicted offenders, while the deductive approach focuses on case-specific evidence. Examples of criminal profiling methodologies are “diagnostic evaluation (DE), crime scene analysis (CSA), and investigative psychology (IP)” (Damon A. Muller, 2000).</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">There are two contradicting points of view on criminal profiling: some claim it is an art, while others claim it is a science similar to criminology and psychology. Moreover, as opposed to criminology or psychology, human lives may depend on the accuracy of criminal profiling: “if a profile of an offender is wrong or even slightly inadequate police maybe misled allowing the offender to escape detection for a little while longer—and innocent people may be dead as a result.” (Damon A. Muller, 2000). As a result, many law enforcement agencies are still evaluating the adoption of criminal profiling.</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">Since a digital forensic investigation is in essence a crime investigation with similar phases (acquisition of evidence, authentication, analysis and reporting/presentation), criminal profiling can be used here as well to predict an offender's behaviour. Just as in traditional crime investigation, “digital” offenders have motives, different skill levels and tools. Regardless of the profiling methodology (inductive or deductive), the results of criminal profiling can greatly aid a digital forensic investigation.</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">“The network evidence acquisition process often results in a large amount of data” (Laureate Online Education B.V. 2009), and the results of criminal profiling can help the investigator conduct a more specific keyword search, focus on specific areas (i.e. allocated and unallocated space) and geographical locations (IP addresses). Moreover, profiling information can point to supporting or corroborating evidence such as IRC chat channels, FTP sites, underground forums and newsgroups (Rogers, M 2003).</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">Just like traditional criminals, “digital” offenders have weaknesses that can be used when interviewing or interrogating suspects or witnesses. Although the interview process itself could be completely different from what we traditionally understand as an “interview” (i.e. IRC chat rooms, forums, mailing lists, etc.), Rogers M. notes that “individuals who engage in deviant computer behaviour share some common personality traits, and given the proper encouragement, show a willingness to discuss and brag about their exploits” (Rogers, M 2003).</span></span></em><br />
<h1 class="western">
Bibliography</h1>
<ul>
<li>Muller, D. A. 2000, <i>“Criminal Profiling: Real Science or Just Wishful Thinking?”</i> [online], <i>Homicide Studies</i>, Vol. 4 No. 3, August 2000, pp. 234-264. Sage Publications, Inc. Available from:
<a href="http://www.uwinnipeg.ca/academic/ddl/viol_cr/files/readings/reading22.pdf">http://www.uwinnipeg.ca/academic/ddl/viol_cr/files/readings/reading22.pdf</a>
(accessed: July 7, 2011).<br />
</li>
<li>Laureate Online Education B.V. 2009, “Computer Forensics
Seminar for Week 6: Network Forensics I”, Laureate Online
Education B.V.<br />
</li>
<li>Rogers, M 2003, 'The role of criminal profiling in the
computer forensics process', <i>Computers & Security</i>, May,
Business Source Premier, EBSCO<i>host</i>, viewed 7 July 2011.<br />
</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-7587683226351147252011-07-02T05:21:00.000-04:002011-07-02T05:21:41.348-04:00Forensic Investigation of Cellular and Mobile Phones<em>“<span lang="en-CA"><span style="font-style: normal;">In general, the same forensic principles that apply to any computing device also apply to mobile devices in order to enable others to authenticate acquired digital evidence.” (Casey E. et al. 2011); a forensic investigator should therefore follow the same forensic process as with any other computing device. When the acquired digital evidence involves a recovered phone call, the investigation usually includes accessing data collected by the cellular network provider. A number of countries have enacted laws to expedite law enforcement access to client information, such as the Regulation of Investigatory Powers Act 2000 (RIPA) in the UK, the USA PATRIOT Act, the Surveillance Devices Bill 2004 in Australia and the Search and Surveillance Powers Bill 2008 in New Zealand. These laws require (telephone and Internet) service providers to maintain a log of all communications such as calls, Email messages, SMS (text messages), MMS (multimedia messages), established Internet connections, etc.</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">With the appropriate legal documents (as required), the investigator can obtain information such as customer name, billing name, geographic location (based on the serving base transceiver station), list of calls, etc., which can be helpful to the investigation. Moreover, while it is generally believed that prepaid cellular phones are cheap and difficult to trace (Casey E. et al. 2011), the device can still contain useful information. In addition, the service provider may hold information such as “credit card numbers used for purchases of additional time or an email address registered online for receipt of notifications” (Jansen W. and Ayers R. 2007).</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">Due to the diversity in functionality and capabilities of mobile devices (cellular phones, smart phones, etc.) there is no single investigation methodology for cellular phones. In general, the process involves a manual review of the information available through the handset menus, such as the address book, last calls, text messages, etc. Specialized tools are used only when extraction of deleted information or access to “hidden” data (such as the Apple iPhone cell tower and Wi-Fi hotspot database) is required (Laureate Online Education B.V. 2009). Potential evidence related to a mobile device includes:</span></span></em><br />
<ul>
<li><em><span lang="en-CA"><span style="font-style: normal;">handset
identifier - International Mobile Equipment Identity (IMEI)</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">subscriber identifiers held on the SIM card (IMSI, ICCID)</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">call
register</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">address
book</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">calendar</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">photographs</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">videos</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">voice
mail</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">passwords, such as those for Internet mail accounts and desktop synchronization</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">installed
applications</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">attached peripheral devices and special modifications</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">accessed Wi-Fi hotspots</span></span></em><br />
</li>
<li><em><span lang="en-CA"><span style="font-style: normal;">cell
towers</span></span></em><br />
</li>
</ul>
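Identifiers copied from a handset label, a SIM or a provider's response are easy to mistype, and both the IMEI and the ICCID carry a Luhn check digit that lets the investigator verify what was recorded before building a timeline on it. The following Python is an added example, not part of the original post: it validates and splits an IMEI into TAC, serial number and check digit, accepts the 16-digit IMEISV variant (two-digit software version in place of the check digit), and validates an ICCID (ITU-T E.118: up to 20 digits, major industry identifier 89, Luhn check digit). The IMEI used is the widely published example value 49-015420-323751-8 and the ICCID is constructed here by appending the computed check digit to an invented payload; neither belongs to a real device.

```python
import re
from typing import Dict


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string that does not yet include one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:   # rightmost payload digit is doubled, then every second one
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the last digit is the Luhn check digit of the preceding ones."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == int(number[-1])


def parse_imei(raw: str) -> Dict[str, object]:
    """Split an IMEI (15 digits, Luhn-checked) or IMEISV (16 digits, no check digit)."""
    digits = re.sub(r"\D", "", raw)          # tolerate the 49-015420-323751-8 label layout
    info: Dict[str, object] = {"digits": digits, "tac": digits[:8], "snr": digits[8:14]}
    if len(digits) == 15:
        info["check_digit"] = digits[14]
        info["valid"] = luhn_valid(digits)
    elif len(digits) == 16:
        info["svn"] = digits[14:16]
        info["valid"] = True                  # structurally an IMEISV; it carries no check digit
    else:
        info["valid"] = False
    return info


def parse_iccid(raw: str) -> Dict[str, object]:
    """ICCID (SIM serial): 19-20 digits, major industry identifier 89, Luhn check digit."""
    digits = re.sub(r"\D", "", raw)
    return {"digits": digits, "mii": digits[:2],
            "valid": 19 <= len(digits) <= 20 and digits.startswith("89") and luhn_valid(digits)}


# Constructed identifiers: the published example IMEI, and an ICCID whose check digit
# (1) was computed with luhn_check_digit() over the invented payload 890126012345678901.
EXAMPLE_IMEI = "49-015420-323751-8"
EXAMPLE_ICCID = "8901260123456789011"

if __name__ == "__main__":
    print(parse_imei(EXAMPLE_IMEI))
    print(parse_iccid(EXAMPLE_ICCID))
```

A failed check on an identifier taken from a report or a photograph of the label means the transcription, not the device, is wrong, and it is far cheaper to catch that here than after a subscriber-records request has gone out under the wrong number.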
<h1 class="western">
Bibliography</h1>
<ul>
<li>Apple 2011, <i>“Apple Q&A on Location Data”</i>
[online]. Available from:
<a href="http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html">http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html</a>
(accessed: June 2, 2011)<br />
</li>
<li>Ayers R., Jansen W., Cilleros N., Daniellou R. 2005, <i>“Cell
Phone Forensic Tools: An Overview and Analysis”</i> [online].
National Institute of Standards and Technology. Available from:
<a href="http://csrc.nist.gov/publications/nistir/nistir-7250.pdf">http://csrc.nist.gov/publications/nistir/nistir-7250.pdf</a>
(accessed: July 1, 2011)<br />
</li>
<li>Casey E., Turnbull B. 2011, <i>“Digital Evidence and
Computer Crime 3</i><sup><i>rd</i></sup><i> Edition”</i> [online].
Elsevier Inc. Available from:
<a href="http://www.elsevierdirect.com/companions/9780123742681/Chapter_20_Final.pdf">http://www.elsevierdirect.com/companions/9780123742681/Chapter_20_Final.pdf</a>
(accessed: July 1, 2011)<br />
</li>
<li>CBC News 2009, <i>“Internet surveillance laws in Canada and
around the world”</i> [online]. Available from:
<a href="http://www.cbc.ca/news/canada/story/2009/06/19/f-internet-cellphone-wiretap-surveillance-law.html">http://www.cbc.ca/news/canada/story/2009/06/19/f-internet-cellphone-wiretap-surveillance-law.html</a>
(accessed: July 2, 2011)<br />
</li>
<li>Jansen W., Ayers R. 2007, <i>“Special Publication 800-101:
Guidelines on Cell Phone Forensics”</i> [online]. National
Institute of Standards and Technology. Available from:
<a href="http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf">http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf</a>
(accessed: July 1, 2011)<br />
</li>
<li>Laureate Online Education B.V. 2009. “Seminar 5:
Investigating UNIX, Macintosh, and Handheld Devices”.
<br />
</li>
</ul>John Markhhttp://www.blogger.com/profile/09264391698343386855noreply@blogger.com0tag:blogger.com,1999:blog-7860296597622716401.post-6980464012589222072011-06-24T10:26:00.000-04:002011-06-24T10:26:26.557-04:00Vishing and VoIP Forensics<style type="text/css">
<!--
@page { margin: 2cm }
P { margin-bottom: 0.21cm }
H2 { margin-bottom: 0.21cm }
H2.western { font-family: "Liberation Serif"; font-size: 14pt; font-style: italic }
H2.cjk { font-size: 14pt; font-style: italic }
H2.ctl { font-family: "Lohit Hindi"; font-size: 14pt; font-style: italic }
A:link { so-language: zxx }
-->
</style>
<br />
<em><span lang="en-CA"><span style="font-style: normal;">The Royal Canadian Mounted Police (2006) defines vishing (or voice phishing) as “the act of leveraging a new technology called Voice over Internet Protocol (VoIP) in using the telephone system to falsely claim to be a legitimate enterprise in an attempt to scam users into disclosing personal information”. Vishing can be viewed as a natural evolution of phishing, in which con artists use Email messages to glean private information such as credit card numbers, social insurance numbers and PINs. As the general public becomes more familiar with this type of con, and Email software vendors add functionality to prevent phishing attacks, the fraudsters are moving on to a technology still trusted by users: telephony.</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">Traditionally, in the world of the public switched telephone network (PSTN), it was much harder, although possible (Art of Hacking, 2000), to spoof Caller ID (CID), as “each circuit on either end of the call is assigned a phone number by the phone company.” (Reardon M. 2009). Today, with the move to SIP trunks and VoIP technology, spoofing the caller ID is fairly trivial: the presented number is simply a value the originating PBX places in the SIP signalling, and many trunk providers pass it on unverified. Moreover, there are legitimate ways to acquire a telephone number in any region of the world, such as a Skype Online Number. According to Adam Boone (2011), “telecom security researchers over the past two years have reported a very sharp rise in attacks against unsecured VoIP systems”. As a result, phishers have access to infrastructure that can be used to launch vishing attacks, as demonstrated in the scams targeting Motorola Employees Credit Union, Qwest customers and Bank of the Cascades (Krebs B. 2008).</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">In most cases, a vishing attack involves calling people using either a war dialler or a legitimate voice messaging company. When the call is answered, an automated message informs the recipient that their credit card or bank account shows suspicious activity, and asks them to call a predefined number to verify the account by entering their credit card number.</span></span></em><br />
<em><span lang="en-CA"><span style="font-style: normal;">Digital forensic investigation of a vishing suspect is not a trivial matter. Since the attack is usually initiated by calling or texting (SMS) a large number of phone numbers, an investigator can look for that unusual behaviour pattern in the call records. A number of forensic tools can parse Skype artifacts, either in memory (RAM) or on an acquired image, such as Skypeex, NirSoft SkypeLogView (Nir Sofer) and Belkasoft Skype Analyzer. For other software, such as Asterisk, a manual review of the log files and call detail records will be required. Moreover, a forensic investigator can use the <i>foremost</i> file carver to look for .wav or .mp3 files that could have been used as the recorded message. Finally, the SIP trunk service provider used by the fraudsters could provide information such as the user ID; this can then be used in a string search (<i>srch_strings</i> command) of acquired memory or non-volatile storage images to identify the suspected hardware.</span></span></em><br />
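The unusual behaviour pattern mentioned above shows up directly in the PBX call detail records. The following Python is an added example, not code from the original post: it builds a small Asterisk-style Master.csv (constructed, with an invented number block and caller ID), then flags any source that reaches many distinct destinations inside one minute and any call whose presented caller ID is not a number the PBX owns. The cdr_csv column order is the Asterisk default as assumed here; the window, threshold and owned-number list are parameters to set per case.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Default cdr_csv (Master.csv) column order, assumed here; confirm against the PBX config.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
              "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
              "disposition", "amaflags", "uniqueid", "userfield"]
TS = "%Y-%m-%d %H:%M:%S"
CLID_NUM = re.compile(r"<(\d+)>")          # clid is written as "Name" <number>


def _make_sample_cdr() -> str:
    """Constructed Master.csv: one account blasting a number block with a spoofed caller
    ID (25 calls, 2 s apart), plus three ordinary calls. Not real call records."""
    out = io.StringIO()
    w = csv.writer(out, quoting=csv.QUOTE_ALL)
    t0 = datetime(2011, 6, 20, 9, 0, 0)
    for i in range(25):
        start = t0 + timedelta(seconds=2 * i)
        answered = i % 3 != 0
        billsec = 12 if answered else 0
        w.writerow(["", "15551230001", "1555010%04d" % i, "outbound",
                    '"Card Services" <12125550199>', "SIP/trunk-%08x" % i, "",
                    "Playback", "alert.wav", start.strftime(TS),
                    (start + timedelta(seconds=6)).strftime(TS) if answered else "",
                    (start + timedelta(seconds=6 + billsec)).strftime(TS),
                    str(6 + billsec), str(billsec),
                    "ANSWERED" if answered else "NO ANSWER", "DOCUMENTATION",
                    "%d.%d" % (start.timestamp(), i), ""])
    for i, dst in enumerate(["15550200123", "15550200124", "15550200125"]):
        start = t0 + timedelta(minutes=10 * (i + 1))
        w.writerow(["", "15551230002", dst, "outbound", '"Alice" <15551230002>',
                    "SIP/alice-%08x" % i, "", "Dial", "SIP/trunk/" + dst, start.strftime(TS),
                    (start + timedelta(seconds=4)).strftime(TS),
                    (start + timedelta(seconds=184)).strftime(TS), "184", "180",
                    "ANSWERED", "DOCUMENTATION", "%d.%d" % (start.timestamp(), 100 + i), ""])
    return out.getvalue()


SAMPLE_CDR = _make_sample_cdr()


def parse_cdr(text: str) -> List[Dict]:
    """Rows of a cdr_csv file as dicts, with the start time and billsec typed."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(CDR_FIELDS):
            continue                          # skip malformed lines instead of aborting the review
        rec = dict(zip(CDR_FIELDS, row))
        rec["start_dt"] = datetime.strptime(rec["start"], TS)
        rec["billsec"] = int(rec["billsec"] or 0)
        m = CLID_NUM.search(rec["clid"])
        rec["clid_number"] = m.group(1) if m else ""
        records.append(rec)
    return records


def find_war_dialing(records: List[Dict], window=timedelta(seconds=60), min_distinct_dst=20) -> List[Dict]:
    """Sources that reach at least min_distinct_dst distinct numbers within one window."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    findings = []
    for src, calls in by_src.items():
        calls.sort(key=lambda r: r["start_dt"])
        best = None
        for i, first in enumerate(calls):       # every call opens a candidate window
            in_win = [c for c in calls[i:] if c["start_dt"] - first["start_dt"] <= window]
            distinct = len({c["dst"] for c in in_win})
            if best is None or distinct > best["distinct_dst"]:
                best = {"src": src, "window_start": first["start"], "calls": len(in_win),
                        "distinct_dst": distinct,
                        "answered": sum(1 for c in in_win if c["disposition"] == "ANSWERED"),
                        "avg_billsec": sum(c["billsec"] for c in in_win) / len(in_win)}
        if best and best["distinct_dst"] >= min_distinct_dst:
            findings.append(best)
    return findings


def find_spoofed_cid(records: List[Dict], owned_numbers) -> List[Tuple[str, str, str]]:
    """(uniqueid, src, presented number) for calls whose caller ID is not a number this PBX owns."""
    return [(r["uniqueid"], r["src"], r["clid_number"]) for r in records
            if r["clid_number"] and r["clid_number"] not in owned_numbers]


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for f in find_war_dialing(recs):
        print("war dialling:", f)
    print("spoofed caller ID on %d calls" % len(find_spoofed_cid(recs, {"15551230001", "15551230002"})))
```

Short, uniform call durations and a Playback application rather than Dial are the other tells of an automated message blast, and both are in the same rows, so extend the finding with them when the case needs it.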
<h2 class="western">
Bibliography</h2>
<ul>
<li>'Beware of phishing--and vishing' 2006, <i>Nursing</i>, 36,
12, p. 66, Academic Search Complete, EBSCO<i>host</i>, viewed 24
June 2011.<br />
</li>
<li>Art of Hacking (2000), <i>“Beating Caller ID”</i><span style="font-style: normal;">
[online]. Available from: </span><a href="http://artofhacking.com/files/beatcid.htm">http://artofhacking.com/files/beatcid.htm</a>
(accessed: June 24, 2011).<br />
</li>
<li>Boone, A 2011, 'Return of the Phone Phreakers: Business
Communications Security in the Age of IP', <i>Security: Solutions
for Enterprise Security Leaders</i>, 48, 4, pp. 50-52, Business
Source Premier, EBSCO<i>host</i>, viewed 24 June 2011.<br />
</li>
<li>Chow, S, Gustave, C, & Vinokurov, D 2009, 'Authenticating
displayed names in telephony', <i>Bell Labs Technical Journal</i>,
14, 1, pp. 267-282, Business Source Premier, EBSCO<i>host</i>,
viewed 24 June 2011.<br />
</li>
<li>Krebs B. 2008, “The Anatomy of a Vishing Scam” [online].
Available from:
<a href="http://blog.washingtonpost.com/securityfix/2008/03/the_anatomy_of_a_vishing_scam_1.html">http://blog.washingtonpost.com/securityfix/2008/03/the_anatomy_of_a_vishing_scam_1.html</a>
(accessed: June 24, 2011).<br />
</li>
<li>Swarm, J 2007, 'A Closer Look at Phishing and Vishing',
<i>Community Banker</i>, 16, 7, p. 56, Business Source Premier,
EBSCO<i>host</i>, viewed 24 June 2011.<br />
</li>
<li>Reardon M. 2009. <i>“Protect yourself from vishing attacks”</i>
[online]. CNET News. Available from:
<a href="http://www.zdnet.com/news/protect-yourself-from-vishing-attacks/303175">http://www.zdnet.com/news/protect-yourself-from-vishing-attacks/303175</a>
(accessed: June 24, 2011).<br />
</li>
<li>Royal Canadian Mounted Police (2006), <i>“Vishing or Voice
Phishing”</i> [online]. Available from:
<a href="http://www.rcmp-grc.gc.ca/scams-fraudes/vish-hame-eng.htm">http://www.rcmp-grc.gc.ca/scams-fraudes/vish-hame-eng.htm</a>
(accessed: June 24, 2011).<br />
</li>
</ul>
<h1 class="western">
Firefox 3 Forensic Analysis</h1>
John Markh, 2011-06-23<br />
<i><span lang="en-CA"><span style="font-style: normal;">Accessing
information on the Internet leaves a variety of footprints such as
visited websites, viewed content, downloaded documents, etc. The
forensic information can be found in single files, directories,
local databases and the Windows registry. Moreover, the Windows operating
system maintains in the registry a log of all local and wireless network
connections (including the MAC address of the switch/router), which
can further help the forensic investigation to identify the physical
location of the suspect (Laureate Online Education B.V., 2009)
(Jonathan Risto, 2010).</span></span></i><br />
<br />
<i><span lang="en-CA"><span style="font-style: normal;">According
to W3School (2011), the five most used web browsers are Firefox (42%)
followed by Chrome (25%) and Internet Explorer (25%), then Safari
(4%) and Opera (2.4%). As such, a digital forensic investigator should
be knowledgeable in all four and geared up to perform extraction and
analysis of the data collected by these Internet browsers. In most
cases, Internet browsers use a local cache to store information in order
to speed up access, along with the history of visited web sites, favourites, etc.
In some cases (Firefox), the stored information indicates whether the
suspect typed the Uniform Resource Locator (URL), showing intent of
criminal or illegal activity. Furthermore, autocomplete history and
cookies can provide the forensic investigator with information typed
into websites or stored locally. In addition, the
increasing use of web chats such as Yahoo! Chat and Gmail Chat
provides potential access to additional information.</span></span></i><br />
<br />
<i><span lang="en-CA"><span style="font-style: normal;">While
Internet Explorer and Firefox traditionally stored the information in
a file, from Firefox version 3 the information is stored in SQLite
databases. For example, bookmarks and browsing history are stored in
places.sqlite, passwords are stored in key3.db and
signons.sqlite, autocomplete history in formhistory.sqlite and
cookies in cookies.sqlite (Mozilla.org, n.d.). Numerous tools are
available to perform forensic analysis of the information captured by
Firefox, including f3e and the simple SQLite command line utility.</span></span></i><br />
<br />
<i><span lang="en-CA"><span style="font-style: normal;">To locate
a SQLite 3 database, an investigator can use a signature-based search
(i.e. the </span></span></i><i><span lang="en-CA"><i>foremost</i></span></i><i><span lang="en-CA"><span style="font-style: normal;">
command) and look for the following hex value: 53 51 4C 69 74 65 20
66 6F 72 6D 61 74 20 33 (the ASCII string “SQLite format 3”). To make
sure that the identified SQLite database file is indeed a file used
by Firefox, the following signature can be used to validate the
file: 43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B
6D 61 72 6B 73 (“CREATE TABLE moz_bookmarks”).</span></span></i><br />
<br />
<div style="page-break-before: always;">
<i><span lang="en-CA"><span style="font-style: normal;">After
carving the SQLite 3 database file (using the </span></span></i><i><span lang="en-CA"><i>dd</i></span></i><i><span lang="en-CA"><span style="font-style: normal;">
or </span></span></i><i><span lang="en-CA"><i>foremost</i></span></i><i><span lang="en-CA"><span style="font-style: normal;">
command), it can be accessed simply by using the </span></span></i><i><span lang="en-CA"><i>sqlite</i></span></i><i><span lang="en-CA"><span style="font-style: normal;">
command. All
Firefox SQLite 3 files are in essence databases with multiple
tables. For example, places.sqlite contains the following tables:
moz_anno_attributes, moz_favicons, moz_keywords, moz_annos,
moz_historyvisits, moz_places, moz_bookmarks, moz_inputhistory,
moz_bookmarks_roots and moz_items_annos.</span></span></i><br />
</div>
<br />
<i><span lang="en-CA"><span style="font-style: normal;">Since
SQLite does not require authentication to work with the database,
SQL statements can be used to retrieve relevant (case-specific)
information. For
example, the following query retrieves the 20 most visited websites:</span></span></i><br />
<div align="LEFT" style="margin-left: 1.25cm;">
<i><span style="font-family: Liberation Mono,monospace;"><span style="font-size: x-small;"><span lang="en-CA"><span style="font-style: normal;">sqlite>
SELECT rev_host FROM moz_places ORDER BY visit_count DESC LIMIT 20;</span></span></span></span></i></div>
<div align="LEFT">
<i><span lang="en-CA"><span style="font-style: normal;">to
retrieve all places associated with the word “drugs”:</span></span></i></div>
<div align="LEFT" style="margin-left: 1.25cm;">
<i><span style="font-family: Liberation Mono,monospace;"><span style="font-size: x-small;"><span lang="en-CA"><span style="font-style: normal;">sqlite>
SELECT * FROM moz_places WHERE url like "%drugs%";</span></span></span></span></i></div>
<i><span lang="en-CA"><span style="font-style: normal;">or, to
display all completed downloads (firefoxforensics.com, 2008):</span></span></i><br />
<div style="margin-left: 1.25cm;">
<i><span style="font-family: Liberation Mono,monospace;"><span style="font-size: x-small;"><span lang="en-CA"><span style="font-style: normal;">SELECT
url, visit_date<br />FROM moz_places, moz_historyvisits<br />WHERE
moz_places.id = moz_historyvisits.place_id AND visit_type = 7<br />ORDER
BY visit_date;</span></span></span></span></i></div>
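The signature search and the queries above, tied together as an added example that is neither the original post's code nor that of any tool it names: it builds a constructed stand-in for places.sqlite (a minimal subset of the real schema), embeds it in a constructed byte image, carves it by the “SQLite format 3” header using the page size and page count that the header itself records, validates the result with the moz_bookmarks signature, then runs the most-visited and completed-downloads queries, converting visit_date (PRTime, microseconds since the Unix epoch) to UTC. The schema subset, the sample rows, the filler bytes and the header-length logic are assumptions of the example.

```python
import sqlite3, struct, tempfile
from datetime import datetime, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"         # the 15 bytes from the text plus the header's NUL
FIREFOX_MARK = b"CREATE TABLE moz_bookmarks"  # 43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A ...


def build_sample_places(path):
    """Constructed stand-in for places.sqlite: a minimal subset of the real schema."""
    con = sqlite3.connect(path)
    con.executescript("""CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, rev_host TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER, title TEXT);""")
    t0 = 1308700800 * 1_000_000  # visit_date is PRTime: microseconds since the Unix epoch
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", [
        (1, "http://example.org/", "gro.elpmaxe.", 12),
        (2, "http://example.org/files/report.pdf", "gro.elpmaxe.", 1),
        (3, "http://example.net/drugs-info", "ten.elpmaxe.", 3)])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)",  # visit_type 7 = download
                    [(1, 1, t0, 1), (2, 2, t0 + 60_000_000, 7)])
    con.commit()
    con.close()


def carve_sqlite(image):
    """(offset, blob) for every SQLite 3 header in a raw image. Length comes from the header:
    page size at offset 16 (big-endian u16, value 1 means 65536) times the page count at
    offset 28, which SQLite >= 3.7.0 keeps current (0 in older files: take the rest)."""
    found, pos = [], image.find(SQLITE_MAGIC)
    while pos != -1:
        page_size = struct.unpack_from(">H", image, pos + 16)[0]
        page_count = struct.unpack_from(">I", image, pos + 28)[0]
        length = (65536 if page_size == 1 else page_size) * page_count or len(image) - pos
        found.append((pos, image[pos:pos + length]))
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return found


def query_history(db_path):
    """The queries from the text, with visit_date converted from PRTime to a UTC timestamp."""
    con = sqlite3.connect(db_path)
    hosts = [r[0] for r in con.execute(
        "SELECT rev_host FROM moz_places ORDER BY visit_count DESC LIMIT 20")]
    downloads = [(url, datetime.fromtimestamp(ts / 1e6, tz=timezone.utc).isoformat())
                 for url, ts in con.execute(
                     "SELECT url, visit_date FROM moz_places, moz_historyvisits "
                     "WHERE moz_places.id = moz_historyvisits.place_id AND visit_type = 7 "
                     "ORDER BY visit_date")]
    con.close()
    return hosts, downloads


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "places.sqlite"
        build_sample_places(src)
        image = b"\xde\xad" * 1500 + src.read_bytes() + b"\x00" * 4096 + b"JUNK" * 700  # constructed
        off, blob = next((o, b) for o, b in carve_sqlite(image) if FIREFOX_MARK in b)
        carved = Path(tmp) / "carved.sqlite"
        carved.write_bytes(blob)
        hosts, downloads = query_history(carved)
        return {"offset": off, "intact": blob == src.read_bytes(), "hosts": hosts, "downloads": downloads}
```

On a real image the carved file may be followed by a rollback journal or WAL file, which is why the validation step and a look at the surrounding unallocated space (see the anti-forensic section below) still matter.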
<h1 class="western">
Firefox Anti-forensic Features</h1>
<i><span lang="en-CA"><span style="font-style: normal;">Firefox
includes a number of anti-forensic features which can be either
invoked by the suspect or triggered automatically by Firefox itself, such
as the removal of old history records after a period of 90 days.
Moreover, a suspect could use the “Private Browsing” functionality or
manually invoke “Clear Recent History”. In these cases, Firefox
fills the space of each record with zeros, effectively wiping the
data.</span></span></i><br />
<br />
<i><span lang="en-CA"><span style="font-style: normal;">Regardless,
although the content of the records is wiped, Pereira, M (n.d.) has
demonstrated that “when searching all disk, record vestiges was
found in unallocated space”, either because the underlying OS
reallocated the data or because of the “rollback” journal used by the SQLite
engine.</span></span></i><br />
<h1 class="western">
Bibliography</h1>
<ul>
<li>Jonathan Risto (2010), <i>“Wireless Networks and the
Windows Registry - Just where has your computer been?” [online]</i>.
SANS Institute. Available from:
<a href="http://www.sans.org/reading_room/whitepapers/auditing/wireless-networks-windows-registry-computer-been_33659">http://www.sans.org/reading_room/whitepapers/auditing/wireless-networks-windows-registry-computer-been_33659</a>
(accessed: June 23, 2011).<br />
</li>
<li>Firefoxforensics.com (2008), <i>“Firefox Research”</i>
[online]. Available from:
<a href="http://www.firefoxforensics.com/research/index.shtml">http://www.firefoxforensics.com/research/index.shtml</a>
(accessed: June 23, 2011).<br />
</li>
<li>Laureate Online Education B.V. (2009). <i>“Seminar for Week
4: Investigating Windows Systems”</i>.<br />
</li>
<li>Mozilla.org (n.d.), <i>“Profiles”</i> [online]. Available
from: <a href="http://support.mozilla.com/en-US/kb/Profiles">http://support.mozilla.com/en-US/kb/Profiles</a>
(accessed: June 23, 2011).<br />
</li>
<li>Pereira, M (n.d.), '<i>Forensic analysis of the Firefox 3
Internet history and recovery of deleted SQLite records'</i>,
<span style="font-style: normal;">DIGITAL INVESTIGATION</span>, 5,
3-4, pp. 93-103, EBSCO<i>host (</i><span style="font-style: normal;">accessed</span><i>:
</i>23 June 2011).<br />
</li>
<li>W3School.com (2011), <i>“Browser Statistics”</i>
[online]. Available from:
<a href="http://www.w3schools.com/browsers/browsers_stats.asp">http://www.w3schools.com/browsers/browsers_stats.asp</a>
(accessed: June 23, 2011).<br />
</li>
</ul>
<h1 class="western">
Destruction of Sensitive Information</h1>
John Markh, 2011-06-17<br />
<br />
<i><span lang="en-CA"><span style="font-style: normal;">Destruction
of sensitive information has been on the agenda of many
organizations and governments. As a result, numerous standards were
developed, such as U.S. Department of Defence (DoD) 5220.22-M,
National Institute of Standards and Technology (NIST) 800-88 and
Canada's Communications Security Establishment (CSE) ITSG-06, to
provide guidance to IT administrators and owners on protecting
against information retrieval when recycling or disposing of storage
media.</span></span></i><br />
<i><span lang="en-CA"><span style="font-style: normal;">NIST lists
four types of sanitization: disposal, clearing, purging and
destroying. In most cases, disposal of the storage media is not
considered a secure method of discarding media containing sensitive
information. The rest of this paper reviews the standards defined
for data clearing.</span></span></i><br />
<i><span lang="en-CA"><span style="font-style: normal;">Clearing
refers to a method of removing sensitive information that protects
the data “against a robust keyboard attack” (Richard
Kissel et al., 2006). Simple deletion of files is not sufficient for
clearing, as operating systems simply mark the appropriate entries in
the FAT (</span></span></i><i><span lang="en-CA"><i>File Allocation
Table</i></span></i><i><span lang="en-CA"><span style="font-style: normal;">),
or the equivalent in other file systems, as deleted, leaving the </span></span></i><i><span lang="en-CA"><i>Data
Region</i></span></i><i><span lang="en-CA"><span style="font-style: normal;">
unchanged. As a result, the data could potentially be recovered using
forensic tools. Up until 2001, the standard method of securely
clearing sensitive information was overwriting the data with zeros,
ones, random data or predefined patterns such as the “Gutmann Method”
(</span></span></i><i><span lang="en-CA"><span style="font-style: normal;"><span style="font-weight: normal;">Peter
Gutmann, 1996). For example, Communications Security Establishment
(2006) defines the overwrite process as follows: the “process itself must include a
minimum of three passes including 1s, 0s, and a pseudo-random pattern
over the entire accessible area of the magnetic tape or disk,
followed by verification of results by the human operator.”</span></span></span></i><br />
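The three-pass overwrite with verification described by CSE above, as an added example that is neither the post's nor CSE's code: it writes all 1s, all 0s and then a seeded pseudo-random pattern over the whole accessible area of a regular file or a block device opened read-write, then reads the area back and compares it with the regenerated pattern, standing in for the operator's verification step. The sample file, the chunk size and the seeded-PRNG verification are assumptions of the example; as the CSE wording says, a software overwrite only reaches the area the operating system can address.

```python
import os, random, tempfile

PASSES = (b"\xff", b"\x00", None)   # ITSG-06 order: all 1s, all 0s, then a pseudo-random pattern
CHUNK = 1 << 16                      # bytes written or verified per step


def pattern(n, fill, rng):
    """Next n bytes of a pass: the repeated fill byte, or PRNG output when fill is None."""
    return fill * n if fill is not None else rng.getrandbits(8 * n).to_bytes(n, "little")


def overwrite_and_verify(path, seed=None):
    """Three-pass overwrite of the whole accessible area of `path` (a regular file, or a block
    device opened read-write), then a read-back comparison of the final pass. The PRNG is
    seeded so the pseudo-random pass can be regenerated for verification."""
    seed = os.urandom(16).hex() if seed is None else seed
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)
        for fill in PASSES:
            rng = random.Random(seed)
            dev.seek(0)
            for off in range(0, size, CHUNK):
                dev.write(pattern(min(CHUNK, size - off), fill, rng))
            dev.flush()
            os.fsync(dev.fileno())             # do not trust the pass until it is on the media
        rng = random.Random(seed)              # verification: regenerate and compare every chunk
        dev.seek(0)
        for off in range(0, size, CHUNK):
            expected = pattern(min(CHUNK, size - off), None, rng)
            if dev.read(len(expected)) != expected:
                return False
    return True


def demo():
    """Constructed sample: a 200 KiB file of recognisable 'sensitive' records."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SECRET-RECORD-0001;\n" * 10240)
        path = tmp.name
    verified = overwrite_and_verify(path, seed="demo-seed")
    with open(path, "rb") as f:
        residue = b"SECRET" in f.read()
    os.unlink(path)
    return verified, residue   # (True, False): verified, and no plaintext left behind
```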
<i><span lang="en-CA"><span style="font-style: normal;"><span style="font-weight: normal;">The
intent of the overwriting process is to overcome the track-edge
phenomenon, which allows recovery of the magnetic pattern residue from
track boundaries using a magnetic force microscope. Using the
microscope, researchers examine the relative peaks of magnetic
transitions to recover the binary data. Although attacks on the
track edges have been documented in a laboratory environment, “it
requires a very well equipped research laboratory with costly
microscopy equipment and highly trained researchers with a great deal
of time and patience” (Communications Security Establishment,
2006). Moreover, the data written to magnetic media is becoming more
and more dense. According to a Seagate press release (2011), it has
reached “areal density of 625 Gigabits per square inch”, which is
310 million times the density of the first hard drive. As a
result, the effort required to recover the data makes it virtually
impossible. Richard Kissel et al. (2006) write that “studies have
shown that most of today’s media can be effectively cleared by one
overwrite.”</span></span></span></i><br />
<i><span lang="en-CA"><span style="font-style: normal;"><span style="font-weight: normal;">Furthermore,
since about 2001, all ATA IDE, SATA and SCSI hard drive manufacturers
include support for the "Secure Erase" or “Secure
Initiate” commands, which write binary zeros using internal fault
detection hardware. Although the method does not precisely follow
the DoD 5220.22 “three writes plus verification” specification,
the University of California Center for Magnetic Recording Research (2008)
“showed that the erasure security is at the level of DoD 5220,
because drives having the command also randomize user bits before
storing on magnetic media”. Moreover, NIST Special Publication
800-88 classifies the “Secure Erase” command as an acceptable method of
purging, equivalent to media degaussing.</span></span></span></i><br />
<h1 class="western">
Bibliography</h1>
<ul>
<li>Communications Security Establishment (2006), <i>“Clearing
and Declassifying Electronic Data Storage Devices”</i> [online],
Available from:
<a href="http://www.cse-cst.gc.ca/its-sti/publications/itsg-csti/itsg06-eng.html">http://www.cse-cst.gc.ca/its-sti/publications/itsg-csti/itsg06-eng.html</a>
(accessed: June 17, 2011).<br />
</li>
<li><span style="font-weight: normal;">Gutmann P. (1996), </span><i><span style="font-weight: normal;">“Secure
Deletion of Data from Magnetic and Solid-State Memory”</span></i><span style="font-weight: normal;">
[online]. Department of Computer Science, University of Auckland.
Available from:
<a href="http://www.cs.auckland.ac.nz/%7Epgut001/pubs/secure_del.html">http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html</a>
(accessed: June 17, 2011).</span><br />
</li>
<li>Gordon F. Hughes (2008) <i>“CMRR Protocols for Disk Drive
Secure Erase”</i> [online]. University of California San Diego,
Center for Magnetic Recording Research. Available from:
<a href="http://cmrr.ucsd.edu/people/Hughes/CmrrSecureEraseProtocols.pdf">http://cmrr.ucsd.edu/people/Hughes/CmrrSecureEraseProtocols.pdf</a>
(accessed: June 17, 2011).<br />
</li>
<li>Hughes, G.F. Coughlin, T. Commins, D.M. 2009, <i>“Disposal
of Disk and Tape Data by Secure Sanitization”</i>, Security &
Privacy, IEEE volume 9 issue 3, p29-34.<br />
</li>
<li>Richard Kissel, Matthew Scholl, Steven Skolochenko, Xing Li
(2006), <i>“NIST Special Publication 800-88: Guidelines for Media
Sanitization”</i> [online]. National Institute of Standards and
Technology. Available from:
<a href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf">http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf</a>
(accessed: June 17, 2011).
<br />
</li>
<li>Seagate Technology LLC (2011a), “Media Sanitization
Practices During Product Return Process Best Practices Statement”
[online]. Available from:
<a href="http://www.seagate.com/staticfiles/support/docs/warranty/SeagateMediaSanitizationPractices19-Mar-2011.pdf">http://www.seagate.com/staticfiles/support/docs/warranty/SeagateMediaSanitizationPractices19-Mar-2011.pdf</a>
(accessed: June 17, 2011).<br />
</li>
<li>Seagate Technology LLC (2011b), “<i>Seagate Breaks Areal
Density Barrier: Unveils The World's First Hard Drive Featuring 1
Terabyte Per Platter”</i> [online]. Available from:
<a href="http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=unveils-1-terabyte-platter-seagate-pr&vgnextoid=6fbdb5ebf32bf210VgnVCM1000001a48090aRCRD">http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=unveils-1-terabyte-platter-seagate-pr&vgnextoid=6fbdb5ebf32bf210VgnVCM1000001a48090aRCRD</a>
(accessed: June 17, 2011).<br />
</li>
</ul>