<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7860296597622716401</id><updated>2011-12-05T22:27:45.101-05:00</updated><category term='ARC'/><category term='PIPEDA'/><category term='Compiler'/><category term='SQL Injection'/><category term='MRAM'/><category term='Fingerprint'/><category term='Intellectual'/><category term='Interpreted'/><category term='Celullar'/><category term='Act'/><category term='Ethical'/><category term='Skype'/><category term='Behaviour Analysis'/><category term='motivation'/><category term='bytecode'/><category term='Code'/><category term='Accurate'/><category term='OWASP'/><category term='Threat'/><category term='Compiled'/><category term='License'/><category term='Vulnerability'/><category term='Profile'/><category term='Flex'/><category term='Property'/><category term='Alureon'/><category term='Automation'/><category term='Classification'/><category term='IBM'/><category term='Medical'/><category term='Service'/><category term='System'/><category term='SSH'/><category term='Confidencial'/><category term='Backtrack'/><category term='CSS'/><category term='MasterCard'/><category term='Warehouse'/><category term='Design'/><category term='Rules'/><category term='Cyber'/><category term='Professional'/><category term='Paradigm'/><category term='VoIP'/><category term='AntiXSS'/><category term='Firefox'/><category term='Evolution'/><category term='2.0'/><category term='Custody'/><category term='Alpha'/><category term='Webminar'/><category term='Expert'/><category term='Information'/><category term='Scan'/><category term='Intel'/><category term='WAF'/><category term='Microsoft'/><category 
term='Consistent'/><category term='FeRAM'/><category term='Web Application Firewall'/><category term='Remote'/><category term='Anti Virus'/><category term='Review'/><category term='ActionScript'/><category term='Protection'/><category term='ARM'/><category term='Logic'/><category term='Encryption'/><category term='GNU'/><category term='WASC'/><category term='Moral'/><category term='KVM'/><category term='Bill'/><category term='Council'/><category term='Language'/><category term='DEC'/><category term='Private'/><category term='Storage'/><category term='Virtualization'/><category term='Risk'/><category term='Spam'/><category term='Law'/><category term='PRAM'/><category term='Facebook'/><category term='Cloud'/><category term='Object'/><category term='Network'/><category term='Imperative'/><category term='Lingua Franca'/><category term='Operating'/><category term='Top 10'/><category term='Filtering'/><category term='Acquisition'/><category term='Project'/><category term='Engineering'/><category term='Exploit'/><category term='Human'/><category term='PHP'/><category term='Sensitive'/><category term='RISC'/><category term='Linux'/><category term='Authentication'/><category term='PA DSS'/><category term='Memory'/><category term='Ubuntu'/><category term='Network Firewall'/><category term='P2P'/><category term='Artificial'/><category term='Monitoring'/><category term='Level'/><category term='Personal'/><category term='Flaw'/><category term='Data Leakage'/><category term='Volatile'/><category term='SQL'/><category term='SHODAN'/><category term='Responsibility'/><category term='Sparc'/><category term='Data Centre'/><category term='Crime'/><category term='Adaptive'/><category term='Announcement'/><category term='Web'/><category term='Environment'/><category term='Productivity'/><category term='Flash'/><category term='Rootkit'/><category term='Forensic'/><category term='Compliance'/><category term='Oriented'/><category term='Ounce Lab'/><category term='Privacy'/><category 
term='Canada'/><category term='Ownership'/><category term='Device'/><category term='Instruction'/><category term='Communication'/><category term='TDL'/><category term='Tunning'/><category term='Adobe'/><category term='Policy'/><category term='Internal'/><category term='Verification'/><category term='VAX'/><category term='Structured'/><category term='Reverse'/><category term='Screen'/><category term='SANS'/><category term='URL'/><category term='XML'/><category term='External'/><category term='PSISA'/><category term='Abbreviation'/><category term='Investigator'/><category term='Chat'/><category term='Incident'/><category term='ESAPI'/><category term='Release Candidate'/><category term='Chain'/><category term='Trojan'/><category term='Hacking'/><category term='Behaviour'/><category term='JavaScript'/><category term='Invstigation'/><category term='antiskimming'/><category term='Education'/><category term='OS'/><category term='Analyse'/><category term='Conduct'/><category term='Egine'/><category term='Legal'/><category term='Interoperability'/><category term='NVN'/><category term='Phishing'/><category term='Architecture'/><category term='Technology'/><category term='Patch'/><category term='9.10'/><category term='28'/><category term='AJAX'/><category term='Monitor'/><category term='Awareness'/><category term='Management'/><category term='Security'/><category term='Robotics'/><category term='Future'/><category term='Vishing'/><category term='Programming'/><category term='Disk'/><category term='Forum'/><category term='Assessment'/><category term='Digital'/><category term='MIPS'/><category term='Code Review'/><category term='Ontario'/><category term='CISC'/><category term='Software'/><category term='Regulation'/><category term='Obfuscation'/><category term='Leakage'/><category term='Disclosure'/><category term='Application'/><category term='HTML5'/><category term='Injection'/><category term='Mail'/><category term='Mobile'/><category term='Social'/><category 
term='Signature'/><category term='SDLC'/><category term='Shielding'/><category term='Internet'/><category term='Cookie'/><category term='Consumer'/><category term='SRE'/><category term='SIPPA'/><category term='2010'/><category term='Role'/><category term='AppScan'/><category term='PCI DSS'/><category term='Search'/><category term='Intelligence'/><category term='Source Code'/><category term='Phone'/><category term='Tool'/><category term='conflict'/><category term='Evidence'/><category term='27'/><category term='Malware'/><category term='Sun'/><category term='Data'/><category term='Fuzz'/><category term='Penetration'/><category term='Destructio'/><category term='Merchant'/><category term='Botnet'/><category term='Considerations'/><category term='Update'/><category term='SDP'/><category term='RFID'/><category term='FISA'/><category term='e-commerce'/><title type='text'>Technology and Information Security</title><subtitle type='html'>There is no place like 127.0.0.1</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.inteliident.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>61</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4770771832035551438</id><published>2011-12-05T22:04:00.001-05:00</published><updated>2011-12-05T22:13:45.157-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='JavaScript'/><category scheme='http://www.blogger.com/atom/ns#' term='Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='ActionScript'/><category scheme='http://www.blogger.com/atom/ns#' term='AJAX'/><category scheme='http://www.blogger.com/atom/ns#' term='HTML5'/><category scheme='http://www.blogger.com/atom/ns#' term='Adobe'/><category scheme='http://www.blogger.com/atom/ns#' term='CSS'/><category scheme='http://www.blogger.com/atom/ns#' term='Flex'/><category scheme='http://www.blogger.com/atom/ns#' term='Flash'/><title type='text'>Security Assessment of an Adobe Flex Web Application</title><content type='html'>First of all, in my personal opinion Flash/Flex (or ActionScript) = HTML5 + JavaScript + CSS3. Why? Because both are rooted in ECMAScript, so I view ActionScript as JavaScript on steroids (with additional libraries). For example, Adobe's ActionScript has a built-in API to draw graphics (e.g. the GraphicsPath object) while JavaScript relies on the HTML5 canvas element (see &lt;a href="http://www.williammalone.com/articles/flash-vs-html5-canvas-drawing/"&gt;http://www.williammalone.com/articles/flash-vs-html5-canvas-drawing/&lt;/a&gt;). Moreover, a typical Flex application architecture resembles an AJAX-based web application (e.g. one built on the jQuery framework).
An AJAX engine is capable of making SOAP and RESTful calls, exactly like an Adobe Flex application, handling data as plain text, XML or JSON (see &lt;a href="http://www.adobe.com/devnet/flex/articles/flex_java_architecture.html"&gt;http://www.adobe.com/devnet/flex/articles/flex_java_architecture.html&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Naturally, Flex has its advantages, such as no cross-browser implementation issues, and disadvantages, such as the requirement to have the Adobe Flash plug-in installed to run the application. In addition, Adobe Flex has a mature and well-developed software development platform, while AJAX development still relies on GNU Emacs which, when considering enterprise web applications, is a "biggie".&lt;br /&gt;&lt;br /&gt;But back to the security assessment of Adobe Flex applications...&lt;br /&gt;&lt;br /&gt;Because an Adobe Flex application is basically packaged ActionScript which runs on the client side, a lot can be gleaned from the source code itself. A number of SWF decompilers, such as the SourceTec Software SWF Decompiler (&lt;a href="http://www.sothink.com/product/flashdecompiler/"&gt;http://www.sothink.com/product/flashdecompiler/&lt;/a&gt;), allow an assessor to break a Flash file down into its components (shapes, images, sounds, video, text, ActionScript, etc.) and examine them to identify "leaked" intellectual property (IP), copyrighted material, comments in the source code and other security-related goodies.&lt;br /&gt;&lt;br /&gt;The next step (or one done in parallel) would be to review the interaction between the Flex application and the back-end server(s) using tools such as network sniffers and analyzers (e.g. Wireshark) and application proxies (e.g. Paros, Fiddler2 or Burp). Again, the communication could reveal sensitive information such as user IDs, passwords and maybe even credit card numbers. Moreover, the communication could be intercepted and tampered with to attack the back-end web server and the server application.
Here a few buzzwords come to mind, such as XSS, CSRF and SQL injection.&lt;br /&gt;&lt;br /&gt;Finally, the back-end server deserves some attention as well; it is not for nothing that it runs 8 dual-core CPUs with 16 GB of RAM. Here, the rules of the game are similar to a standard web application assessment (if it can be called "standard"). First, a quick scan to identify what is running and how secure it is; basic misconfiguration can leave gaping holes. Then an automated and manual security assessment to exploit the identified weaknesses, which could range from weak authentication of the administration module to bad coding practices such as lack of input validation or exposure of the database's internal schema.&lt;br /&gt;&lt;br /&gt;Imagination and creativity are an assessor's best weapons!</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4770771832035551438/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/12/security-assessment-of-adobes-flex-web.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4770771832035551438'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4770771832035551438'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/12/security-assessment-of-adobes-flex-web.html' title='Security Assessment of an Adobe Flex Web Application'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6817540697884552182</id><published>2011-11-22T04:39:00.001-05:00</published><updated>2011-11-22T04:41:41.716-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Web'/><category scheme='http://www.blogger.com/atom/ns#' term='Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='Threat'/><category scheme='http://www.blogger.com/atom/ns#' term='Service'/><category scheme='http://www.blogger.com/atom/ns#' term='Information'/><category scheme='http://www.blogger.com/atom/ns#' term='Risk'/><title type='text'>The Future of Web Services</title><content type='html'>&lt;div lang="en-US"&gt;In the late 1990s and 2000s the Internet evolved from static content web pages into dynamically generated websites with a database back-end. The era gave birth to technologies such as ASP and PHP which dominate more than 52 percent of the market (BuiltWith Trends, 2011). Today, as grid computing, distributed computing and cloud computing are rapidly becoming the de facto choice for data storage and access (Divakarla, U, &amp;amp; Kumari, G 2010), web applications need to evolve and adopt the emerging data access technologies. In addition, many businesses rely on Business to Business (B2B) information which is exposed through web services technologies to provide an additional layer of security (access authentication and authorization) as opposed to exposing a direct connection to the back-end database.&lt;/div&gt;&lt;div lang="en-US"&gt;Information such as geographical location (MaxMind, Inc. 
2011), credit rating (Experian Information Solutions, Inc. 2011), employment and income verification (Equifax, Inc. 2011), address lookup and readdressing information (Canada Post, 2011) is available to merchants and service providers through standard (SOAP and RESTful) web services. As such, instead of maintaining its own database of GeoIP information or postal codes, a web application can simply invoke an exposed web service to get access to the up-to-date data maintained by an “expert” service provider. Moreover, “Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data” (Amazon Web Services LLC, 2011), which allows web software developers to create a database-driven application without having a traditional database back-end, relying completely on standard web services protocols such as SOAP and REST.&lt;/div&gt;&lt;div lang="en-US"&gt;The main obstacle in the adoption of distributed information storage such as Amazon Web Services is the security aspect of it. While vendors state that the storage “is secure by default” (Amazon Web Services LLC, 2011), there are certain aspects of security, such as physical security, which cannot be controlled by the data originator. As such, merchants and service providers wishing to utilize a “cloud” storage option need to evaluate and implement compensating controls such as adoption of the HTTPS protocol to transfer the data and encryption of the data before it is stored in the “cloud”. 
Ideally, an organization wishing to join the "cloud" should assess the risks by conducting a Threat Risk Assessment (TRA) and make sure there are security controls in place to mitigate the identified risks.&lt;/div&gt;&lt;h1 class="western" lang="en-US"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Amazon Web Services LLC, 2011. &lt;i&gt;“Amazon Simple Storage Service”&lt;/i&gt; [online]. Available from: &lt;a href="http://aws.amazon.com/s3/"&gt;http://aws.amazon.com/s3/&lt;/a&gt; (accessed: November 19, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;BuiltWith Trends, 2011. &lt;i&gt;“Top in Frameworks”&lt;/i&gt; [online]. Available from: &lt;a href="http://trends.builtwith.com/framework/top"&gt;http://trends.builtwith.com/framework/top&lt;/a&gt; (accessed: November 19, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Canada Post, 2011. &lt;i&gt;“Postal Code Data Products”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.canadapost.ca/cpo/mc/business/productsservices/mailing/pcdp.jsf"&gt;http://www.canadapost.ca/cpo/mc/business/productsservices/mailing/pcdp.jsf&lt;/a&gt; (accessed: November 19, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Divakarla, U, &amp;amp; Kumari, G 2010, 'An Overview of Cloud Computing in Distributed Systems', &lt;i&gt;AIP Conference Proceedings&lt;/i&gt;, 1324, 1, pp. 
184-186, Academic Search Complete, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 19 November 2011.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Equifax, Inc. 2011. &lt;i&gt;“The Decision 360”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.equifax.com/consumer/risk/en_us"&gt;http://www.equifax.com/consumer/risk/en_us&lt;/a&gt; (accessed: November 19, 2011).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6817540697884552182/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/11/future-of-web-services.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6817540697884552182'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6817540697884552182'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/11/future-of-web-services.html' title='The Future of Web Services'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6387023726400463402</id><published>2011-11-08T00:01:00.002-05:00</published><updated>2011-11-08T00:01:59.499-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='External'/><category scheme='http://www.blogger.com/atom/ns#' term='Internal'/><category scheme='http://www.blogger.com/atom/ns#' term='Risk'/><title type='text'>Internal vs. External Risk</title><content type='html'>&lt;div lang="en-US"&gt;Recently, I had a very interesting conversation with a CISO about the need (or lack thereof) for a security assessment of an application which was “up and running for quite some time” on the Intranet. The business driver behind the initiative was to expose the same application, which (of course) relies on authentication, to business partners and clients to access marketing information (statistics, geographical and demographical distribution of users, etc.) over the Internet.&lt;/div&gt;&lt;div lang="en-US"&gt;It is quite obvious that external exposure has inherently higher risk than the same resource (document, application, database, etc.) exposed to the internal environment. But have you tried to quantify the risk?&lt;/div&gt;&lt;div lang="en-US"&gt;According to the U.S. Census Bureau (2007), there are 120,604,265 employees in 29,413,039 establishments in the US, which means that the average company size in the US is 4.1 employees (internal exposure). 
Whereas the total world population (external exposure) is estimated at 6,973,530,974 (U.S. Census Bureau, 2011). Using the simple formula&lt;/div&gt;&lt;div lang="en-US"&gt;6973530974 ÷ (120604265 ÷ 29413039)&lt;/div&gt;&lt;div lang="en-US"&gt;we can calculate that the external exposure is 1,700,708,830 times higher.&lt;/div&gt;&lt;div lang="en-US"&gt;Naturally, this does not translate directly into risk, as the average US company with 4.1 employees does not have intellectual property, and not every human on earth has the means (technical equipment, skills, time, motivation, etc.) to identify and exploit a security vulnerability. Regardless, even if the number is divided by a million (1,000,000), we are still talking about 1,700 times more &lt;b&gt;exposure ≈ risk&lt;/b&gt;.&lt;/div&gt;&lt;div lang="en-US"&gt;These numbers are quite impressive...&lt;/div&gt;&lt;h1 class="western"&gt;References&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-US"&gt;U.S. Census Bureau, 2007. &lt;i&gt;“Statistics about Business Size (including Small Business)”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.census.gov/econ/smallbus.html"&gt;http://www.census.gov/econ/smallbus.html&lt;/a&gt; (accessed: November 7, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;U.S. Census Bureau, 2011. &lt;i&gt;“International Data Base World Population Summary”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.census.gov/population/international/data/idb/worldpopinfo.php"&gt;http://www.census.gov/population/international/data/idb/worldpopinfo.php&lt;/a&gt; (accessed: 
November 7, 2011).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6387023726400463402/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/11/internal-vs-external-risk.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6387023726400463402'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6387023726400463402'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/11/internal-vs-external-risk.html' title='Internal vs. External Risk'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4207837525398390319</id><published>2011-11-05T22:59:00.000-04:00</published><updated>2011-11-05T22:59:48.615-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Web'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='XML'/><category scheme='http://www.blogger.com/atom/ns#' term='Leakage'/><category scheme='http://www.blogger.com/atom/ns#' term='Data'/><category scheme='http://www.blogger.com/atom/ns#' term='Warehouse'/><title type='text'>Data Warehousing</title><content type='html'>&lt;div lang="en-US"&gt;The concept of data warehousing was introduced in the 80s as a non-volatile repository of historical data mainly used for organizational decision making (Reddy, G, Srinivasu, R, Rao, M, &amp;amp; Rikkula, S 2010). While the data warehouse consists of information gathered from diverse sources, it maintains its own database, separated from operational databases, as it is structured for analytical processes rather than transactional processes (Chang-Tseh, H, &amp;amp; Binshan, L 2002).&lt;/div&gt;&lt;div lang="en-US"&gt;Traditionally, data warehouses were used by medium and large organizations to “perform analysis on their data in order to more effectively understand their businesses” (Minsoo, L, Yoon-kyung, L, Hyejung, Y, Soo-kyung, S, &amp;amp; Sujeong, C 2007) and were designed as a centralized database used to store, retrieve and analyze information. 
Those systems were expensive, difficult to build and maintain, and in many cases made internal business processes more complicated.&lt;/div&gt;&lt;div lang="en-US"&gt;With the wide adoption of the Web (the Internet) as a successful distributed environment, data warehouse architecture evolved into a distributed collection of data marts and metadata servers which describe the data stored in each individual repository (Chang-Tseh, H, &amp;amp; Binshan, L 2002). Moreover, the usage of web browsers made deployment of and access to data warehouses less complicated and more affordable for businesses.&lt;/div&gt;&lt;div lang="en-US"&gt;As a further matter, according to Pérez, J et al. (2008) the Web is “the largest body of information accessible to any individual in the history of humanity where most data is unstructured, consisting of text (essentially HTML) and images” (Pérez, J, Berlanga, R, Aramburu, M, &amp;amp; Pedersen, T 2008). With the standardization of XML as a flexible semi-structured data format to exchange data on the Internet (e.g. XHTML, SVG, etc.), it became possible to “extract from source systems, clean (e.g. to detect and correct errors), transform (e.g. put into subject groups or summarized) and store” (Reddy, G, Srinivasu, R, Rao, M, &amp;amp; Rikkula, S 2010) the data in the data warehouse.&lt;/div&gt;&lt;div lang="en-US"&gt;On the other hand, it is important to consider the “deep web”, which accounts for close to 80% of the web (Chang-Tseh, H, &amp;amp; Binshan, L 2002); its data access, retrieval, cleaning and transformation could present further obstacles to overcome. In addition, as the information stored in data warehouses becomes more accessible through Internet browsers (as compared to corporate fat clients), so does the risk of data theft (through malicious attacks) and leakage. Chang-Tseh et al. 
(2002) further note that the security of the warehouse depends primarily on the quality and the enforcement of the organizational security policy.&lt;/div&gt;&lt;h1 class="western" lang="en-US"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Chang-Tseh, H, &amp;amp; Binshan, L 2002, 'Web-Based Data Warehousing: Current Status and Perspective', &lt;i&gt;Journal Of Computer Information Systems&lt;/i&gt;, 43, 2, p. 1, Business Source Premier, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 5 November 2011.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;H.M. Deitel, P.J. Deitel and A.B. Goldberg, 2004. &lt;i&gt;“Internet &amp;amp; World Wide Web How to Program”&lt;/i&gt;. 3&lt;sup&gt;rd&lt;/sup&gt; Edition. Pearson Education Inc., Upper Saddle River, New Jersey.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Minsoo, L, Yoon-kyung, L, Hyejung, Y, Soo-kyung, S, &amp;amp; Sujeong, C 2007, 'Issues and Architecture for Supporting Data Warehouse Queries in Web Portals', &lt;i&gt;International Journal Of Computer Science &amp;amp; Engineering&lt;/i&gt;, 1, 2, pp. 133-138, Computers &amp;amp; Applied Sciences Complete, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 5 November 2011.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Pérez, J, Berlanga, R, Aramburu, M, &amp;amp; Pedersen, T 2008, 'Integrating Data Warehouses with Web Data: A Survey', &lt;i&gt;IEEE Transactions On Knowledge &amp;amp; Data Engineering&lt;/i&gt;, 20, 7, pp. 940-955, Business Source Premier, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 5 November 2011.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Reddy, G, Srinivasu, R, Rao, M, &amp;amp; Rikkula, S 2010, 'Data Warehousing, Data Mining, OLAP and OLTP Technologies Are Essential Elements to Support Decision-Making Process in Industries', &lt;i&gt;International Journal On Computer Science &amp;amp; Engineering&lt;/i&gt;, 2, 9, pp. 
2865-2873, Academic Search Complete, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 5 November 2011.&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4207837525398390319?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4207837525398390319/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/11/data-warehousing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4207837525398390319'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4207837525398390319'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/11/data-warehousing.html' title='Data Warehousing'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-7600730826993374898</id><published>2011-11-04T22:51:00.000-04:00</published><updated>2011-11-05T22:53:06.460-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='e-commerce'/><category scheme='http://www.blogger.com/atom/ns#' term='PHP'/><category scheme='http://www.blogger.com/atom/ns#' term='Environment'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Injection'/><category scheme='http://www.blogger.com/atom/ns#' term='SQL'/><title type='text'>PHP in Secure 
Environments</title><content type='html'>&lt;style type="text/css"&gt; &lt;!--  @page { margin: 2cm }  P { margin-bottom: 0.21cm }  H1 { margin-bottom: 0.21cm }  H1.western { font-family: "Liberation Serif"; font-size: 16pt }  H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }  H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }  A:link { so-language: zxx } --&gt; &lt;/style&gt;&lt;br /&gt;&lt;div lang="en-US"&gt;While PHP is by far the most popular framework for web development, according to BuiltWith Trends (2011) its popularity is actually in decline – the graph posted on the PHP.net website is from 2007. Newer technologies such as ASP.NET Ajax, Ruby on Rails, Adobe Flex and Microsoft Silverlight are gaining a larger market share (BuiltWith Trends, 2011). On the other hand, the PHP framework is being actively developed and supported, therefore its popularity does not play a major role when discussing the security of the environment.&lt;/div&gt;&lt;div lang="en-US"&gt;When discussing a secure e-commerce environment, in many cases the choice of the development language itself is not the major influencing factor in the overall security stance. In many cases, the hackers are targeting misconfigured or outdated services rather than trying to exploit a vulnerability such as a buffer overflow in the language interpreter (Verizon RISK Team, 2011). Moreover, the Open Web Application Security Project (OWASP) Top 10 web application security risks highlight the fact that the majority of exploitable vulnerabilities are related to the web server, such as misconfiguration and insufficient transport layer protection, and to the security awareness of the software developers, such as injection, cross site scripting and insecure direct object reference (OWASP, 2010). 
&lt;/div&gt;&lt;div lang="en-US"&gt;Security awareness of software developers is considered by many security experts to be the main factor impacting the risk exposure of a web application (Dafydd Stuttard and Marcus Pinto, 2011). Let's consider SQL injection as an example; while the SQL injection vulnerability was first documented in 1998 (rain.forest.puppy, 1998) and ranked as the number one security risk by the Open Web Application Security Project (OWASP, 2010), code such as the following (potentially vulnerable to SQL injection):&lt;/div&gt;&lt;div align="CENTER" lang="en-US"&gt;&lt;span style="font-family: Liberation Mono,monospace;"&gt;&lt;span style="font-size: x-small;"&gt;Select* from products where productCode=' " . $prodcode . " ' "&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div lang="en-US"&gt;still appears in university lecture notes (Laureate Online Education, 2007).&lt;/div&gt;&lt;div lang="en-US"&gt;Organizations such as the PHP Group and the PHP Security Consortium provide guides on the security of PHP deployment and secure code development using PHP. In addition, the guide (PHP Security Consortium, 2005) covers topics such as input validation, database and SQL injections, session management and issues related to shared hosts.&lt;/div&gt;&lt;h1 class="western" lang="en-US"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-US"&gt;BuiltWith Trends, 2011. &lt;i&gt;“Frameworks Distribution”&lt;/i&gt; [online]. Available from: &lt;a href="http://trends.builtwith.com/framework"&gt;http://trends.builtwith.com/framework&lt;/a&gt; (accessed: November 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Dafydd Stuttard and Marcus Pinto, 2011. "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws". 2&lt;sup&gt;nd&lt;/sup&gt; Edition. 
Wiley.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;H.M. Deitel, P.J. Deitel and A.B. Goldberg, 2004. &lt;i&gt;“Internet &amp;amp; World Wide Web How to Program”&lt;/i&gt;. 3&lt;sup&gt;rd&lt;/sup&gt; Edition. Pearson Education Inc. Upper Saddle River, New Jersey.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Laureate Online Education, 2007. &lt;i&gt;“MSC IN: Programming the Internet Seminar Five – PHP / Database Connectivity”&lt;/i&gt;. Laureate Online Education B.V.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;OWASP, 2010. &lt;i&gt;“OWASP Top 10 for 2010”&lt;/i&gt; [online]. Available from: &lt;a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"&gt;https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project&lt;/a&gt; (accessed: November 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;PHP Security Consortium, 2005. &lt;i&gt;"PHP Security Guide"&lt;/i&gt; [online]. Available from: &lt;a href="http://phpsec.org/projects/guide/"&gt;http://phpsec.org/projects/guide/&lt;/a&gt; (accessed: November 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;rain.forest.puppy, 1998. &lt;i&gt;"NT Web Technology Vulnerabilities"&lt;/i&gt; [online]. Phrack Magazine, Volume 8, Issue 54, Dec 25th, 1998, article 08 of 12. Available from: &lt;a href="http://www.phrack.org/issues.html?issue=54&amp;amp;id=8#article"&gt;http://www.phrack.org/issues.html?issue=54&amp;amp;id=8#article&lt;/a&gt; (accessed: November 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;span lang="en-US"&gt;Verizon RISK Team, 2011. &lt;/span&gt;&lt;span lang="en-US"&gt;&lt;i&gt;“2011 Data Breach Investigations Report”&lt;/i&gt;&lt;/span&gt;&lt;span lang="en-US"&gt; [online]. Verizon Business. 
Available from: &lt;/span&gt;&lt;a href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf"&gt;http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf&lt;/a&gt;&lt;span lang="en-US"&gt; (accessed: November 4, 2011).&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-7600730826993374898?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/7600730826993374898/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/11/php-in-secure-environments.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/7600730826993374898'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/7600730826993374898'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/11/php-in-secure-environments.html' title='PHP in Secure Environments'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-1356760157986411862</id><published>2011-10-29T09:52:00.002-04:00</published><updated>2011-10-30T10:08:05.585-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Intellectual'/><category scheme='http://www.blogger.com/atom/ns#' term='Property'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Obfuscation'/><category scheme='http://www.blogger.com/atom/ns#' term='Engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Reverse'/><category scheme='http://www.blogger.com/atom/ns#' term='Source Code'/><title type='text'>Protecting Code</title><content type='html'>&lt;style type="text/css"&gt; &lt;!--  @page { margin: 2cm }  P { margin-bottom: 0.21cm }  H1 { margin-bottom: 0.21cm }  H1.western { font-family: "Liberation Serif"; font-size: 16pt }  H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }  H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }  A:link { so-language: zxx } --&gt; &lt;/style&gt;&lt;br /&gt;&lt;div lang="en-US"&gt;As the world shifts from compiled languages such as C, C++ and Pascal to scripting languages such as Python, Perl, PHP and Javascript, the exposure of intellectual property (the source code) grows with it. While previously “fat clients”, usually written in C and C++, were compiled machine code executables, more modern applications written in .NET and Java consist of bytecode, which “is the intermediate representation of Java programs” (Peter Haggar, 2001). The same is applicable to .NET applications, which can be disassembled using tools shipped with the .NET Framework SDK (such as ILDASM) and decompiled back into source code (Gabriel Torok and Bill Leach, 2003). With web technologies such as HTML, Javascript and Cascading Style Sheets (CSS), where the source has to be downloaded to the client side in order to be executed by the web browser, the end user has unrestricted access to the entire source code.&lt;/div&gt;&lt;div lang="en-US"&gt;The ability to access source code can be used with both legitimate and malicious intent. For example, security tools use the ability to decompile Java applets and Flash to “performs static analysis to understand their behaviours” (Telecomworldwire, 2009). 
Moreover, the ability to disassemble the code can be used by software developers for debugging. On the other hand, it can also be used to reverse engineer the source code, which directly impacts the ability to protect the intellectual property.&lt;/div&gt;&lt;div lang="en-US"&gt;One obvious way to try to protect the source code, and thus the intellectual property it carries, is to use obfuscation (Gabriel Torok and Bill Leach, 2003; Peter Haggar, 2001; Tony Patton, 2008). Regardless of the language used to develop the application, obfuscation usually means:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-US"&gt;replacement of variable names with non-meaningful character streams&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;replacement of constants with expressions&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;replacement of decimal values with hexadecimal, octal and binary representations&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;addition of dummy functions and loops&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;removal of comments&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;concatenation of all lines in the source code&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div lang="en-US"&gt;In a way, the process of obfuscation changes the source code to make it difficult for the “reader” to understand the logic behind it. Obfuscation could be seen as “your kid sister encryption” - “cryptography that will stop your kid sister from reading your files” (Bruce Schneier, 1996). Of course, a persistent “reader” can invest enough time and resources to reproduce the source code (deobfuscate) by applying the obfuscation principles in reverse. 
&lt;/div&gt;&lt;h1 class="western" lang="en-US"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Telecomworldwire, 2009. 'HP unveils HP SWFScan free web security tool' 2009, &lt;i&gt;Telecomworldwire (M2)&lt;/i&gt;, Regional Business News, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 28 October 2011.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Bruce Schneier, 1996. “Applied Cryptography”. Wiley; 2nd Edition. Preface.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Gabriel Torok and Bill Leach, 2003. &lt;i&gt;“Thwart Reverse Engineering of Your Visual Basic .NET or C# Code”&lt;/i&gt; [online]. Microsoft. Available from: &lt;a href="http://msdn.microsoft.com/en-us/magazine/cc164058.aspx"&gt;http://msdn.microsoft.com/en-us/magazine/cc164058.aspx&lt;/a&gt; (accessed: October 28, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;H.M. Deitel, P.J. Deitel and A.B. Goldberg, 2004. &lt;i&gt;“Internet &amp;amp; World Wide Web How to Program”&lt;/i&gt;. 3&lt;sup&gt;rd&lt;/sup&gt; Edition. Pearson Education Inc. Upper Saddle River, New Jersey.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Peter Haggar, 2001. &lt;i&gt;“Java bytecode: Understanding bytecode makes you a better programmer”&lt;/i&gt; [online]. IBM. 
Available from: &lt;a href="http://www.ibm.com/developerworks/ibm/library/it-haggar_bytecode/"&gt;http://www.ibm.com/developerworks/ibm/library/it-haggar_bytecode/&lt;/a&gt; (accessed: October 28, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;span lang="en-US"&gt;Tony Patton, 2008. &lt;/span&gt;&lt;span lang="en-US"&gt;&lt;i&gt;“Protect your JavaScript with obfuscation”&lt;/i&gt;&lt;/span&gt;&lt;span lang="en-US"&gt; [online]. TechRepublic. Available from: &lt;/span&gt;&lt;a href="http://www.techrepublic.com/blog/programming-and-development/protect-your-javascript-with-obfuscation/762"&gt;http://www.techrepublic.com/blog/programming-and-development/protect-your-javascript-with-obfuscation/762&lt;/a&gt;&lt;span lang="en-US"&gt; (accessed: October 28, 2011). &lt;/span&gt; &lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-1356760157986411862?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/1356760157986411862/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/10/protecting-code.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1356760157986411862'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1356760157986411862'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/10/protecting-code.html' title='Protecting Code'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-8504588155322476615</id><published>2011-10-22T23:00:00.000-04:00</published><updated>2011-10-22T23:00:14.284-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Web'/><category scheme='http://www.blogger.com/atom/ns#' term='Application'/><category scheme='http://www.blogger.com/atom/ns#' term='Adaptive'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Design'/><title type='text'>Adaptave Web Site Design</title><content type='html'>&lt;style type="text/css"&gt; &lt;!--  @page { margin: 2cm }  P { margin-bottom: 0.21cm }  H1 { margin-bottom: 0.21cm }  H1.western { font-family: "Liberation Serif"; font-size: 16pt }  H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }  H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }  A:link { so-language: zxx } --&gt; &lt;/style&gt;&lt;br /&gt;&lt;div lang="en-US"&gt;Paul De Bra (1999) identifies a number of issues related to adaptive web site design, including “the separation of a conceptual representation of an application domain from the content of the actual Web-site, the separation of content from adaptation issues, the structure and granularity of user models, the role of a user and application context” (Paul De Bra, 1999). This essay will discuss the separation of conceptual representation and the role of the user in the application context more than ten years after publication of the original article.&lt;/div&gt;&lt;div lang="en-US"&gt;Modern web application development frameworks such as .NET, Spring Framework, JavaServer Faces, Apache Orchestra, Grails and Struts offer clear separation between application representation and the content. 
The separation is achieved by implementing the Model-View-Controller (MVC) architecture, where the “Model” layer is responsible for storing and managing access to relevant pieces of data, the “View” layer is responsible for rendering and layout of the data, and the “Controller” layer is responsible for interaction with the end user (i.e. the Internet browser). The entire content no longer has to be “stored” statically in the HTML page, but can be generated dynamically based on input received from the user. Moreover, the HTML5 Web Storage API greatly increases the storage capacity (compared to HTML session cookies), which allows a web application to store structured data on the client side (WHATWG, 2011). This could further facilitate user centric web site design such as storage of user preferences, data cache, etc.&lt;/div&gt;&lt;span lang="en-US"&gt;On the other hand, when discussing “the role of a user and application context” (Paul De Bra, 1999), the methodology and the technology are not as mature. Qiuyuan Jimmy Li ties the issue to the organization of the web application structure and notes that the majority of web sites do not adapt the content to the individual user. Instead, the web server “provides the same content that has been created beforehand to everyone who visits the site” (Qiuyuan Jimmy Li, 2007). He suggests a framework which accounts for users' cognitive style and adapts information content for each individual user. Justin Brickell et al. (2006) take a slightly different approach and instead suggest mining site access logs to identify access patterns and user behavior such as scrolling, time spent on each page, etc. The collected information could be used for shortcutting - the “process of providing links to users’ eventual goals while skipping over the in-between pages” (Brickell et al., 2006). 
&lt;/span&gt;&lt;br /&gt;&lt;span lang="en-US"&gt;In addition, it is important to highlight the security and privacy issues when discussing adaptive web-site design. In order for a web application to provide customized content, it (the web application) needs to acquire or collect personal data about the individual user and users' behavior patterns. For example, Google Gmail uses automated scanning and filtering technology to “show relevant ads” (Google, 2011). This could be considered by some individuals as an intrusion into privacy, especially if the processed message contains sensitive information such as health records or financial information.&lt;/span&gt;&lt;br /&gt;&lt;h1 class="western" lang="en-US"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-US"&gt;&lt;span style="font-weight: normal;"&gt;Google, 2011. &lt;/span&gt;&lt;i&gt;&lt;span style="font-weight: normal;"&gt;“FAQ about Gmail, Security &amp;amp; Privacy”&lt;/span&gt;&lt;/i&gt;&lt;span style="font-weight: normal;"&gt; [online]. Available from: &lt;a href="http://mail.google.com/support/bin/answer.py?hl=en&amp;amp;answer=1304609"&gt;http://mail.google.com/support/bin/answer.py?hl=en&amp;amp;answer=1304609&lt;/a&gt; (accessed: October 22, 2011).&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;H.M. Deitel, P.J. Deitel and A.B. Goldberg, 2004. &lt;i&gt;“Internet &amp;amp; World Wide Web How to Program”&lt;/i&gt;. 3&lt;sup&gt;rd&lt;/sup&gt; Edition. Pearson Education Inc. Upper Saddle River, New Jersey.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;span lang="en-US"&gt;Justin Brickell, Inderjit S. Dhillon and Dharmendra S. Modha, 2006. &lt;/span&gt;&lt;span lang="en-US"&gt;&lt;i&gt;“Adaptive Website Design using Caching Algorithms”&lt;/i&gt;&lt;/span&gt;&lt;span lang="en-US"&gt; [online]. 
Available from: &lt;a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.155.5537&amp;amp;rep=rep1&amp;amp;type=pdf"&gt;http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.155.5537&amp;amp;rep=rep1&amp;amp;type=pdf&lt;/a&gt; (accessed: October 22, 2011).&lt;/span&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Paul De Bra, 1999. &lt;i&gt;“Design Issues in Adaptive Web-Site Development”&lt;/i&gt; [online]. Available from: &lt;a href="http://wwwis.win.tue.nl/%7Edebra//asum99/debra/debra.html"&gt;http://wwwis.win.tue.nl/~debra//asum99/debra/debra.html&lt;/a&gt; (accessed: October 22, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;Qiuyuan Jimmy Li, 2007. &lt;i&gt;“Design and Implementation of a User-Adaptive Website with Information Pallets”&lt;/i&gt; [online]. Available from: &lt;a href="http://dspace.mit.edu/bitstream/handle/1721.1/45636/367589980.pdf?sequence=1"&gt;http://dspace.mit.edu/bitstream/handle/1721.1/45636/367589980.pdf?sequence=1&lt;/a&gt; (accessed: October 22, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-US"&gt;WHATWG,  2011. “HTML – Web Storage” [online]. 
Available from: &lt;a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webstorage.html#webstorage"&gt;http://www.whatwg.org/specs/web-apps/current-work/multipage/webstorage.html#webstorage&lt;/a&gt; (accessed: October 22, 2011).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-8504588155322476615?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/8504588155322476615/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/10/adaptave-web-site-design.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/8504588155322476615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/8504588155322476615'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/10/adaptave-web-site-design.html' title='Adaptave Web Site Design'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-3380319001705674999</id><published>2011-07-29T05:10:00.006-04:00</published><updated>2011-07-29T06:22:26.216-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Behaviour'/><category scheme='http://www.blogger.com/atom/ns#' term='Analyse'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Software'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><category scheme='http://www.blogger.com/atom/ns#' term='Skype'/><title type='text'>Forensic Software Analysis</title><content type='html'>Linux/GNU provides a wealth of tools which can be used to analyze binaries, such as file, strings, md5sum, hexdump, ldd, strace and gdb. Moreover, profiling tools such as AppArmor could be useful when analyzing the behaviour of an unknown binary. For the purpose of demonstrating the forensic software analysis process and recoverable artifacts, a number of Linux/GNU tools will be used to investigate the Skype application. Conclusions of the investigation will be presented at the end of the document.&lt;br /&gt;&lt;h1&gt;file&lt;/h1&gt;The &lt;i&gt;&lt;b&gt;file&lt;/b&gt;&lt;/i&gt; command helps identify the file type and displays general information about the suspected binary.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-F9Hylxj6aZY/TjJuwGcoXQI/AAAAAAAAO_Y/3Q7EJ60xNBk/s1600/fileCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://3.bp.blogspot.com/-F9Hylxj6aZY/TjJuwGcoXQI/AAAAAAAAO_Y/3Q7EJ60xNBk/s400/fileCommand.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;file command&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;h1&gt;ldd&lt;/h1&gt;The &lt;i&gt;&lt;b&gt;ldd&lt;/b&gt;&lt;/i&gt; command can be used to identify all shared libraries used by the suspicious software.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td 
style="text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-pB9aLVjysx8/TjJvLmCoXNI/AAAAAAAAO_c/qjn8-lf1k8A/s1600/lddCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://2.bp.blogspot.com/-pB9aLVjysx8/TjJvLmCoXNI/AAAAAAAAO_c/qjn8-lf1k8A/s400/lddCommand.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;ldd command&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;h1&gt;gdb&lt;/h1&gt;&lt;i&gt;&lt;b&gt;gdb&lt;/b&gt;&lt;/i&gt; is the GNU debugger, useful for debugging an executable to “see what is going on 'inside' another program while it executes—or what another program was doing at the moment it crashed” (Free Software Foundation, Inc. 2002). &lt;i&gt;&lt;b&gt;gdb&lt;/b&gt;&lt;/i&gt; allows an investigator to run a suspicious program step by step, view the value of a specific expression or print a stack trace using the &lt;i&gt;bt&lt;/i&gt; command.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-mt3_u9eS-D0/TjJvW0AYUwI/AAAAAAAAO_g/SNoQyiYTOn0/s1600/gdbCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://4.bp.blogspot.com/-mt3_u9eS-D0/TjJvW0AYUwI/AAAAAAAAO_g/SNoQyiYTOn0/s400/gdbCommand.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;gdb command&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a 
href="http://2.bp.blogspot.com/-VLeyvT-yYyc/TjJvYUh-J6I/AAAAAAAAO_k/MvzLAHih1r0/s1600/gdbStacktrace.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://2.bp.blogspot.com/-VLeyvT-yYyc/TjJvYUh-J6I/AAAAAAAAO_k/MvzLAHih1r0/s400/gdbStacktrace.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;gdb stacktrace&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br/&gt;&lt;h1&gt;strace&lt;/h1&gt;&lt;i&gt;&lt;b&gt;strace&lt;/b&gt;&lt;/i&gt; can be used to display system calls and signals, including access to local and remote resources such as &lt;i&gt;/etc/passwd&lt;/i&gt;. The &lt;i&gt;&lt;b&gt;strace&lt;/b&gt;&lt;/i&gt; command can be used with the -o parameter to write the output to a specified file. &lt;br /&gt;The information includes:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;the name of a system call&lt;/li&gt;&lt;li&gt;its arguments; and&lt;/li&gt;&lt;li&gt;its return value&lt;/li&gt;&lt;/ul&gt;&lt;br/&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-_pwQj35S8CM/TjJv0C799cI/AAAAAAAAO_o/g1viVM1nOqo/s1600/straceCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://4.bp.blogspot.com/-_pwQj35S8CM/TjJv0C799cI/AAAAAAAAO_o/g1viVM1nOqo/s400/straceCommand.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;strace command&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a 
href="http://2.bp.blogspot.com/-qiMltkl8i1Y/TjJv2RgMeBI/AAAAAAAAO_w/eXrpt--YxVw/s1600/straceOutputFile.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://2.bp.blogspot.com/-qiMltkl8i1Y/TjJv2RgMeBI/AAAAAAAAO_w/eXrpt--YxVw/s400/straceOutputFile.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;strace output&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The output file can be parsed with &lt;i&gt;&lt;b&gt;grep&lt;/b&gt;&lt;/i&gt; and an appropriate regular expression to identify accessed and/or modified system resources.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-aDwizvU5Oe8/TjJv1Dct9CI/AAAAAAAAO_s/fJT3D8hG3Ws/s1600/straceGrepOutput.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://3.bp.blogspot.com/-aDwizvU5Oe8/TjJv1Dct9CI/AAAAAAAAO_s/fJT3D8hG3Ws/s400/straceGrepOutput.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;grep strace output&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;h1&gt;strings&lt;/h1&gt;&lt;i&gt;&lt;b&gt;strings&lt;/b&gt;&lt;/i&gt; prints all printable character sequences found in a specified file. It can be useful for identifying system calls, resources, URLs, IP addresses, names, etc. 
when analyzing suspected software.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-dwlFEhFcYBw/TjJ0ojKg8zI/AAAAAAAAPAU/4hSS_0RNjrY/s1600/stringsCommand.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://1.bp.blogspot.com/-dwlFEhFcYBw/TjJ0ojKg8zI/AAAAAAAAPAU/4hSS_0RNjrY/s400/stringsCommand.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;strings command&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-xFMkRFroAK4/TjJ0p8LYbNI/AAAAAAAAPAY/cENyakLZWc8/s1600/stringsOutput.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="266" src="http://1.bp.blogspot.com/-xFMkRFroAK4/TjJ0p8LYbNI/AAAAAAAAPAY/cENyakLZWc8/s400/stringsOutput.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;strings output&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;br /&gt;&lt;h1&gt;AppArmor&lt;/h1&gt;AppArmor is a “Linux application security system” (AppArmor Security Project, 2011) using a whitelist approach to protect the operating system and its users. This is done by enforcing “good” behaviour, including open ports, allowed resources, etc. 
to protect against known and unknown application flaws.&lt;br /&gt;&lt;br /&gt;AppArmor includes “a combination of advanced static analysis and learning-based tools” (AppArmor Security Project, 2011) which can be helpful when investigating the behaviour of malicious software. For the purposes of a forensic investigation, the &lt;i&gt;&lt;b&gt;aa-genprof&lt;/b&gt;&lt;/i&gt; command can be used to record all software activities so that they can be analyzed at a later stage.&lt;br /&gt;&lt;br /&gt;When using &lt;i&gt;&lt;b&gt;aa-genprof&lt;/b&gt;&lt;/i&gt; to analyze potential malware behaviour, the investigator has to invoke all possible functionality to force the software to access all local and remote resources. In many cases it is necessary to let the software run for a few days, as some malware, such as bots, communicates with its controller only periodically.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-yJjX3Y-CP1c/TjJ1vVTxqQI/AAAAAAAAPAc/6wDK5bzEqB4/s1600/aa-genproff.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="256" src="http://1.bp.blogspot.com/-yJjX3Y-CP1c/TjJ1vVTxqQI/AAAAAAAAPAc/6wDK5bzEqB4/s400/aa-genproff.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;aa-genprof command&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-kbVfK1jisIU/TjJ15YlZxNI/AAAAAAAAPAg/KhIvYqyYSw0/s1600/skypeCommand.png" imageanchor="1" style="margin-left: auto; margin-right: 
auto;"&gt;&lt;img border="0" height="266" src="http://3.bp.blogspot.com/-kbVfK1jisIU/TjJ15YlZxNI/AAAAAAAAPAg/KhIvYqyYSw0/s400/skypeCommand.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;skype command&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-FMZQkyyV25k/TjJ2C_yrgGI/AAAAAAAAPAk/IXlKEdaN3f4/s1600/skypeMainWindow.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="400" src="http://4.bp.blogspot.com/-FMZQkyyV25k/TjJ2C_yrgGI/AAAAAAAAPAk/IXlKEdaN3f4/s400/skypeMainWindow.png" width="201" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Skype main window&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-sshLOGSMB0g/TjJ2D56-5HI/AAAAAAAAPAo/sb59jTlxdV4/s1600/SkypeCallingEcho123.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-sshLOGSMB0g/TjJ2D56-5HI/AAAAAAAAPAo/sb59jTlxdV4/s1600/SkypeCallingEcho123.png" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Skype calling echo123&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: 
center;"&gt;&lt;a href="http://2.bp.blogspot.com/-4X7mT8ATY9s/TjJ2GmtH3FI/AAAAAAAAPAs/9c0y8RuoytI/s1600/SkypeMessangingEcho123.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="298" src="http://2.bp.blogspot.com/-4X7mT8ATY9s/TjJ2GmtH3FI/AAAAAAAAPAs/9c0y8RuoytI/s320/SkypeMessangingEcho123.png" width="320" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Skype messaging echo123&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-PUdyLbX0h2k/TjJ2pPEIkHI/AAAAAAAAPAw/K1iG0tsfH8Q/s1600/aa-genprof+analyzing+Skype+access+to+Pulse+resources.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="256" src="http://4.bp.blogspot.com/-PUdyLbX0h2k/TjJ2pPEIkHI/AAAAAAAAPAw/K1iG0tsfH8Q/s400/aa-genprof+analyzing+Skype+access+to+Pulse+resources.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;aa-genprof analyzing Skype access to Pulse resources&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-vkpfH-S8lOE/TjJ3B7KYDEI/AAAAAAAAPA0/8h3c1oTTNyE/s1600/aa-genprof+analyzing+Skype+access+to+system+fonts+configuration.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="256" src="http://2.bp.blogspot.com/-vkpfH-S8lOE/TjJ3B7KYDEI/AAAAAAAAPA0/8h3c1oTTNyE/s400/aa-genprof+analyzing+Skype+access+to+system+fonts+configuration.png" 
width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;aa-genprof analyzing Skype access to system fonts configuration&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-cnwv63mwTzI/TjJ3KdC5oXI/AAAAAAAAPA4/uoABU5XsVr4/s1600/aa-genprof+analyzing+Skype+access+to+local+chat.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="256" src="http://3.bp.blogspot.com/-cnwv63mwTzI/TjJ3KdC5oXI/AAAAAAAAPA4/uoABU5XsVr4/s400/aa-genprof+analyzing+Skype+access+to+local+chat.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;aa-genprof analyzing Skype access to local chat&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-2yKQYSv2UEU/TjJ3MsB84VI/AAAAAAAAPA8/xXzjRODl5lY/s1600/aa-genprof+analyzing+Skype+access+to+Firefox+bookmarks.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="256" src="http://3.bp.blogspot.com/-2yKQYSv2UEU/TjJ3MsB84VI/AAAAAAAAPA8/xXzjRODl5lY/s400/aa-genprof+analyzing+Skype+access+to+Firefox+bookmarks.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;aa-genprof analyzing Skype access to Firefox bookmarks&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" 
style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-egXfbXFasjw/TjJ3Nzv48aI/AAAAAAAAPBA/bpU0mqkF8kU/s1600/aa-genprof+analyze+Skype+access+to+Firefox+extensions.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="256" src="http://3.bp.blogspot.com/-egXfbXFasjw/TjJ3Nzv48aI/AAAAAAAAPBA/bpU0mqkF8kU/s400/aa-genprof+analyze+Skype+access+to+Firefox+extensions.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;aa-genprof analyzing Skype access to Firefox extensions&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;h1&gt;Conclusions&lt;/h1&gt;The Skype application accesses the resources required to display a graphical user interface (GUI) using the Qt library, to interact with audio devices through the Pulse framework, and to use the network, all of which could be considered legitimate behaviour for a VoIP application.&lt;br /&gt;&lt;br /&gt;On the other hand, Skype's access to resources such as Firefox bookmarks and extensions such as LastPass (an advanced password manager), and to system resources such as &lt;i&gt;/etc/passwd&lt;/i&gt;, raises suspicion as it resembles typical malware behaviour.&lt;br /&gt;&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Free Software Foundation, Inc. (2002), &lt;i&gt;“GNU Tools Manual”&lt;/i&gt;.  &lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;AppArmor Security Project (2011), &lt;i&gt;“Wiki Main Page”&lt;/i&gt; [online]. 
Available from: &lt;a href="http://wiki.apparmor.net/index.php/Main_Page"&gt;http://wiki.apparmor.net/index.php/Main_Page&lt;/a&gt; (accessed: July 27, 2011).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-3380319001705674999?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/3380319001705674999/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/07/forensic-software-analysis.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3380319001705674999'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3380319001705674999'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/07/forensic-software-analysis.html' title='Forensic Software Analysis'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-F9Hylxj6aZY/TjJuwGcoXQI/AAAAAAAAO_Y/3Q7EJ60xNBk/s72-c/fileCommand.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4468490987844038878</id><published>2011-07-19T11:52:00.000-04:00</published><updated>2011-07-19T11:52:22.911-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Rootkit'/><category scheme='http://www.blogger.com/atom/ns#' term='Network'/><category 
scheme='http://www.blogger.com/atom/ns#' term='P2P'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><category scheme='http://www.blogger.com/atom/ns#' term='Botnet'/><category scheme='http://www.blogger.com/atom/ns#' term='TDL'/><category scheme='http://www.blogger.com/atom/ns#' term='Alureon'/><category scheme='http://www.blogger.com/atom/ns#' term='Trojan'/><title type='text'>Criminal Activity On Peer-To-Peer (P2P) Networks</title><content type='html'>&lt;style type="text/css"&gt; &lt;!--  @page { margin: 2cm }  P { margin-bottom: 0.21cm }  H1 { margin-bottom: 0.21cm }  H1.western { font-family: "Liberation Serif"; font-size: 16pt }  H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }  H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }  A:link { so-language: zxx } --&gt; &lt;/style&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Criminal activity on peer-to-peer (P2P) networks is usually associated with the sharing of illegal material such as copyrighted or offensive content (music, movies, snuff films or pornography). There are a number of cases where law enforcement agencies have successfully taken down such sites, as in the case of the Elite Torrents group (Charles Montaldo, 2005). But recently, different peer-to-peer protocols such as BitTorrent and Kad are being used to command and control an army of digital zombies (a botnet). A botnet, controlled by a botmaster, can be used for attacks such as spam and denial of service. &lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;As bots are getting more and more sophisticated, allowing the controller to capture keystrokes, take screenshots, send spam and participate in denial of service attacks, and much harder to detect due to the inclusion of rootkit capabilities, “the most significant feature, however, is the inclusion of peer-to-peer technology in the latest version of the botnet's code” (Peter Bright, 2011). 
Moreover, some bots allow controllers to “sublet”, for a price, an IP address to be used as an anonymous proxy.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Peer-to-peer technology allows hackers to eliminate a “single point of failure”: a single (sometimes multiple) Internet Relay Chat (IRC) server or a Really Simple Syndication (RSS) feed used to command the botnet. Over the years there have been a number of attempts by botnet developers to build the next generation using a peer-to-peer control mechanism: “Slapper, Sinit, Phatbot and Nugache have implemented different kinds of P2P control architectures” (Ping Wang, Sherri Sparks, Cliff C. Zou, 2007), each with its own weaknesses. For example, the Sinit bot used random probing techniques to discover other Sinit-infected machines, which resulted in easily detected network traffic. An insecure implementation of the authentication mechanism made Slapper easy to hijack, whereas Nugache contained a list of static IP addresses used as the initial seed (David Dittrich, Sven Dietrich 2008) (David Dittrich, Sven Dietrich 2009).&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Modern bot implementations use a peer-to-peer protocol in combination with encryption of the network traffic (based on TLS/SSL), a public-key based authentication mechanism, and randomly chosen ports with protocol mimicking, in order to avoid anomaly detection at the network level and to prevent hijacking of the botnet by competing botmasters and law enforcement agencies. 
TDL4 (or Alureon) has been dubbed “the ‘indestructible’ botnet” and is running on over 4.5 million infected computers at the time of writing (Sergey Golovanov, Igor Soumenkov 2011).&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;To make the botnet more resilient, a hierarchical structure is used in which each servant (a hybrid of bot and server) communicates with a small subset of bots, and each bot contains a small list of other peers (in case the servant is not available). The servants themselves are rotated (dynamic) and updated periodically to prevent the botnet from being captured or disrupted. Locally, the malware uses rootkit functionality to avoid detection by antivirus software. For example, the Alureon botnet “infects the system's master boot record (MBR), part of a hard disk that contains critical code used to boot the operating system” (Peter Bright 2011), meaning that the rootkit is loaded before the operating system and any antivirus software.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Forensic investigation of a crime involving an advanced peer-to-peer botnet requires a combination of reverse engineering, operating system forensics and network forensics. For example, TDL4 infects the victim's MBR which, upon investigation, immediately identifies the presence of the rootkit. Moreover, the presence of certain files (recoverable from an offline forensic image) such as cfg.ini and ktzerules in certain locations could indicate infection. 
On the network level, upon infection the malware downloads and “installs nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot” (Sergey Golovanov, Igor Soumenkov 2011), making it possible to monitor and detect the botnet activity.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;h1 class="western"&gt;References&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Charles Montaldo (2005), &lt;i&gt;“FBI Cracks Down on BitTorrent Peer-To-Peer Network”&lt;/i&gt; [online]. Available from: &lt;a href="http://crime.about.com/b/2005/05/31/fbi-cracks-down-on-bittorrent-peer-to-peer-network.htm"&gt;http://crime.about.com/b/2005/05/31/fbi-cracks-down-on-bittorrent-peer-to-peer-network.htm&lt;/a&gt; (accessed: July 18, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;David Dittrich, Sven Dietrich (2008), &lt;i&gt;“P2P as botnet command and control: a deeper insight”&lt;/i&gt; [online]. Available from: &lt;a href="http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf"&gt;http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf&lt;/a&gt;  (accessed: July 18, 2011).  &lt;br /&gt; &lt;/li&gt;&lt;li&gt;David Dittrich, Sven Dietrich (2009), &lt;i&gt;“Discovery techniques for P2P botnets”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.cs.stevens.edu/%7Espock/pubs/dd2008tr4.pdf"&gt;http://www.cs.stevens.edu/~spock/pubs/dd2008tr4.pdf&lt;/a&gt; (accessed: July 18, 2011).  &lt;br /&gt; &lt;/li&gt;&lt;li&gt;Laureate Online Education B.V. (2009), &lt;i&gt;“Computer Forensics Seminar for Week 7: Network Forensics II”&lt;/i&gt;, Laureate Online Education B.V.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Peter Bright (2011), &lt;i&gt;“4 million strong Alureon P2P botnet ‘practically indestructible’”&lt;/i&gt; [online]. Available from: &lt;a href="http://arstechnica.com/security/news/2011/07/4-million-strong-alureon-botnet-practically-indestructable.ars"&gt;http://arstechnica.com/security/news/2011/07/4-million-strong-alureon-botnet-practically-indestructable.ars&lt;/a&gt; (accessed: July 18, 2011).  
&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Ping Wang, Sherri Sparks, Cliff C. Zou (2007), &lt;i&gt;“An Advanced Hybrid Peer-to-Peer Botnet”&lt;/i&gt; [online]. School of Electrical Engineering and Computer Science, University of Central Florida. Available from: &lt;a href="http://www.usenix.org/event/hotbots07/tech/full_papers/wang/wang.pdf"&gt;http://www.usenix.org/event/hotbots07/tech/full_papers/wang/wang.pdf&lt;/a&gt; (accessed: July 18, 2011).  &lt;br /&gt; &lt;/li&gt;&lt;li&gt;Sergey Golovanov, Igor Soumenkov (2011), &lt;i&gt;“TDL4 – Top Bot”&lt;/i&gt; [online]. Kaspersky Lab ZAO. Available from: &lt;a href="http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot?print_mode=1"&gt;http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot?print_mode=1&lt;/a&gt; (accessed: July 18, 2011).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4468490987844038878?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4468490987844038878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/07/criminal-activity-on-peer-to-peer-p2p.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4468490987844038878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4468490987844038878'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/07/criminal-activity-on-peer-to-peer-p2p.html' title='Criminal Activity On Peer-To-Peer (P2P) Networks'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4750722956897417211</id><published>2011-07-08T18:30:00.003-04:00</published><updated>2011-07-15T08:17:20.867-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Legal'/><category scheme='http://www.blogger.com/atom/ns#' term='Monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='Remote'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><title type='text'>Legal Aspect of Remote Monitoring</title><content type='html'>&lt;style type="text/css"&gt; &lt;!--  @page { margin: 2cm }  P { margin-bottom: 0.21cm }  H1 { margin-bottom: 0.21cm }  H1.western { font-family: "Liberation Serif"; font-size: 16pt }  H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }  H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }  A:link { so-language: zxx } --&gt; &lt;/style&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Regardless of the device owner's awareness, remote monitoring of a computer or mobile device can be done by an agent deployed on the device, or by analyzing the traffic generated by the device. Each of these approaches has its own pros and cons, which will be discussed below.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Remote monitoring of a computer utilizing a locally deployed agent (such as an event log monitor or key logger) can provide a wealth of information such as currently running processes, existing and active users, access to installed applications, etc. 
Legitimate deployment of such agents is usually done by a system administrator installing the software on a workstation or laptop, either with or without the user's knowledge, while tools such as key loggers used by malicious users or criminals are usually deployed using existing vulnerabilities in the operating system, web browser or other installed applications.  It is interesting to note that many legitimate monitoring software packages are using technology and methods previously used by malware. For example, many employee monitoring packages have capabilities such as keystroke monitoring, logging of sent and received Email messages, website activity, accessed documents, etc. (TopTenReviews, 2011).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;On the other hand, monitoring computer activities by analyzing the generated network traffic does not require the installation of a user agent (malware), meaning it leaves no traces on the computer itself which could be uncovered by a digital forensic investigator. The disadvantage, of course, is that the information can be deduced only from services and applications generating network traffic. For example, laptops connected to a domain will try to communicate with a domain controller, and Java JRE and Adobe Reader periodically check for available updates, therefore providing the intruder with a list of potential targets (services and applications). In some cases, when devices communicate using insecure protocols, it is possible to gather information such as user names and passwords. Moreover, there are some attack vectors, such as DNS poisoning, ARP poisoning and a Man In The Middle (MiTM) proxy, which can subvert the traffic to servers/devices controlled by the intruder.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;From a legal point of view, the technical means of data acquisition may place it in a different category. 
For example, in the US, data collected while in transit, such as an Email message, falls under the Wiretap Act and therefore requires special permission. On the other hand, “dropping” a key-logger and collecting data as it is being drafted does not violate the Wiretap Act. Similarly, “at the recipient’s end, the U.S. District Court of New Hampshire in Basil W. Thompson v. Anne M. Thompson, et al., ruled that accessing email stored on a hard drive was not an "interception" under the Wiretap Act” (Ryan, DJ. &amp;amp; Shpantzer, G. 2005).  Moreover, the age of the acquired data affects the applicable legal requirements: recent data, less than 180 days old, which would include network log files, event logs, etc., “requires a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant, while older communications can be accessed without notice to the subscriber or customer”  (Ryan, DJ. &amp;amp; Shpantzer, G. 2005).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Finally, the network environment introduces unique challenges to the digital forensic process, such as the inability to take a snapshot, distributed geographic locations with different legal requirements, and the amount of available data, which require some adaptation of the AAA principles (Laureate Online Education B.V., 2009). In order to be admissible in a court of law, the handling of network traffic as digital forensic evidence has to be in accordance with the Daubert guidelines, which “assess the forensic process in four categories: error rate, publication, acceptance and testing” (John Markh 2011). Moreover, due to the high volatility of the artifacts, investigators are required to pay additional attention to the chain of custody.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Laureate Online Education B.V. 
2009, “Computer Forensics Seminar for Week 6: Network Forensics I”, Laureate Online Education B.V.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Markh J. 2011, “Week 5 Discussion Question - UNIX Forensic Tools”. Laureate Online Education B.V.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Ryan, DJ. &amp;amp; Shpantzer, G. 2005. “Legal Aspects of Digital Forensics” [online]. Available from: &lt;a href="http://euro.ecom.cmu.edu/program/law/08-732/Evidence/RyanShpantzer.pdf"&gt;http://euro.ecom.cmu.edu/program/law/08-732/Evidence/RyanShpantzer.pdf&lt;/a&gt; (accessed: July 07, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;TopTenReviews 2011, “2011 Monitoring Software Review Product Comparisons” [online], TechMediaNetwork.com, Available from: &lt;a href="http://monitoring-software-review.toptenreviews.com/"&gt;http://monitoring-software-review.toptenreviews.com/&lt;/a&gt; (accessed: July 7, 2011).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4750722956897417211?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4750722956897417211/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/07/legal-aspect-of-remote-monitoring.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4750722956897417211'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4750722956897417211'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/07/legal-aspect-of-remote-monitoring.html' title='Legal Aspect of Remote Monitoring'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-3007609310819971955</id><published>2011-07-07T06:28:00.001-04:00</published><updated>2011-07-14T06:29:55.914-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Digital'/><category scheme='http://www.blogger.com/atom/ns#' term='Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='Profile'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><title type='text'>Criminal Profiling in Digital Forensic</title><content type='html'>&lt;style type="text/css"&gt; &lt;!--  @page { margin: 2cm }  P { margin-bottom: 0.21cm }  H1 { margin-bottom: 0.21cm }  H1.western { font-family: "Liberation Serif"; font-size: 16pt }  H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }  H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt }  A:link { so-language: zxx } --&gt; &lt;/style&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Criminal profiling has been used by crime investigators for centuries. It gained worldwide attention after being used in England in the Jack the Ripper case. Damon A. Muller (2000) describes criminal profiling as a process “designed to generate information on a perpetrator of a crime, usually a serial offender, through an analysis of the crime scene left by the perpetrator”, allowing law enforcement agencies to better utilize limited resources. Criminal profiling has two distinct approaches: inductive and deductive analysis (Rogers M. 2003). The inductive approach relies on the statistical analysis of behaviour patterns from previously convicted offenders, while the deductive approach focuses on the case-specific evidence. 
Examples of criminal profiling methodologies are “diagnostic evaluation (DE), crime scene analysis (CSA), and investigative psychology (IP)” (Damon A. Muller, 2000).&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;There are two contradicting points of view on criminal profiling: some claim it is an art while others claim it is a science similar to criminology and psychology. Moreover, as opposed to criminology or psychology, human lives may depend on the accuracy of criminal profiling: “if a profile of an offender is wrong or even &lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;span style="font-style: normal;"&gt;slightly inadequate police may be misled &lt;/span&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;allowing the offender to &lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;span style="font-style: normal;"&gt;escape detection for a little while longer—and innocent people may be dead as a result.&lt;/span&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;” (Damon A. Muller, 2000). As a result, many law enforcement agencies are still evaluating the adoption of criminal profiling.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Since digital forensic investigation is in essence crime investigation, with similar investigation phases (acquisition of evidence, authentication, analysis and reporting/presentation), criminal profiling can be used here as well to predict offenders' behaviour. Just like in traditional crime investigation, “digital” offenders have motives, different skill levels and tools. 
Regardless of the profiling methodology (inductive or deductive), the results of criminal profiling can greatly aid a digital forensic investigation.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;“&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;The network evidence acquisition process often results in a large amount of data” (Laureate Online Education B.V. 2009), and the results of criminal profiling can help the investigator conduct a more specific keyword search, focus on specific areas (i.e. allocated and unallocated space) and geographical locations (IP addresses). Moreover, the profiling information can pinpoint supporting or corroborating evidence such as IRC chat channels, FTP sites, underground forums and newsgroups (Rogers, M 2003).&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Just like traditional criminals, “digital” offenders have weaknesses that could be used when interviewing/interrogating suspects or witnesses. Although the interview process itself could be completely different from what we traditionally understand as an “interview” (i.e. IRC chat rooms, forums, mailing lists, etc.), Rogers M. notes that “individuals who engage in deviant computer behaviour share some common personality traits, and given the proper encouragement, show a willingness to discuss and brag about their exploits” (Rogers, M 2003).&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Muller, D. A. 2000, &lt;i&gt;“Criminal Profiling: Real Science or Just Wishful Thinking?”&lt;/i&gt; [online], &lt;i&gt;Homicide Studies&lt;/i&gt;, Vol. 4 No. 3, August 2000, 234-264. Sage Publications, Inc. 
Available from: &lt;a href="http://www.uwinnipeg.ca/academic/ddl/viol_cr/files/readings/reading22.pdf"&gt;http://www.uwinnipeg.ca/academic/ddl/viol_cr/files/readings/reading22.pdf&lt;/a&gt; (accessed: July 7, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Laureate Online Education B.V. 2009, “Computer Forensics Seminar for Week 6: Network Forensics I”, Laureate Online Education B.V.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Rogers, M 2003, 'The role of criminal profiling in the computer forensics process', &lt;i&gt;Computers &amp;amp; Security&lt;/i&gt;, May, Business Source Premier, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 7 July 2011.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-3007609310819971955?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/3007609310819971955/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/07/criminal-profiling-in-digital-forensic.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3007609310819971955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3007609310819971955'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/07/criminal-profiling-in-digital-forensic.html' title='Criminal Profiling in Digital Forensic'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-758768322635114725</id><published>2011-07-02T05:21:00.000-04:00</published><updated>2011-07-02T05:21:41.348-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Celullar'/><category scheme='http://www.blogger.com/atom/ns#' term='Phone'/><category scheme='http://www.blogger.com/atom/ns#' term='Mobile'/><category scheme='http://www.blogger.com/atom/ns#' term='Invstigation'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><category scheme='http://www.blogger.com/atom/ns#' term='Device'/><title type='text'>Forensic Investigation of Celullar and Mobile Phones</title><content type='html'>&lt;em&gt;“&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;In general, the same forensic principles that apply to any computing device also apply to mobile devices in order to enable others to authenticate acquired digital evidence.” (Casey E. et al. 2011); therefore a forensic investigator should follow the same forensic process as with any computing device. When acquired digital evidence involves a recovered phone call, the investigation process usually includes accessing data collected by the cellular network provider. 
A number of countries have enacted laws to expedite law enforcement agencies’ access to client information, such as the Regulation of Investigatory Powers Act 2000 (RIPA) in the UK, the USA PATRIOT Act, the Surveillance Devices Bill 2004 in Australia and the Search and Surveillance Powers Bill 2008 in New Zealand. These laws require (telephone and Internet) service providers to maintain a log of all communication such as calls, Email messages, SMS (text messages), MMS (multimedia messages), established Internet connections, etc.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;With appropriate legal documents (as required), the investigator can obtain information such as customer name, billing name, geographic locations (based on the Base Transceiver Station), list of calls, etc., which could be helpful for the investigation process. Moreover, while it is generally believed that prepaid cellular phones are cheap enough and difficult to trace (Casey E. et al. 2011), the device can still contain useful information. In addition, the service provider could maintain information such as “credit card numbers used for purchases of additional time or an email address registered online for receipt of notifications” (Jansen W. and Ayers R. 2007).&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Due to the diversity in the functionality and capabilities of mobile devices (cellular phones, smart phones, etc.) there is no single investigation methodology for the cellular phone. 
In general, the process involves manual review of the information available through the menu, such as address book, last calls, text messages, etc. Specialized tools are used only when extraction of deleted information or access to “hidden” data (such as the Apple iPhone cell towers and Wi-Fi hotspots database) is required (Laureate Online Education B.V. 2009). The potential evidence related to the mobile device includes:&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;handset identifier - International Mobile Equipment Identity (IMEI)&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Subscriber Identifier (SIM)&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;call register&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;address book&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;calendar&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;photographs&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;videos&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;voice mail&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;passwords such as Internet Mail accounts, desktop (for synchronization), etc.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;installed applications&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;attached peripheral devices and special modifications&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;accessed Wi-Fi hotspots&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;cell towers&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Apple 2011, &lt;i&gt;“Apple Q&amp;amp;A on Location Data”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html"&gt;http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html&lt;/a&gt; (accessed: June 2, 2011)&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Ayers R., Jansen W., Cilleros N., Daniellou R. 2005, &lt;i&gt;“Cell Phone Forensic Tools: An Overview and Analysis”&lt;/i&gt; [online]. National Institute of Standards and Technology. Available from: &lt;a href="http://csrc.nist.gov/publications/nistir/nistir-7250.pdf"&gt;http://csrc.nist.gov/publications/nistir/nistir-7250.pdf&lt;/a&gt; (accessed: July 1, 2011)&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Casey E., Turnbull B. 2011, &lt;i&gt;“Digital Evidence and Computer Crime, 3&lt;/i&gt;&lt;sup&gt;&lt;i&gt;rd&lt;/i&gt;&lt;/sup&gt;&lt;i&gt; Edition”&lt;/i&gt; [online]. Elsevier Inc. 
Available from: &lt;a href="http://www.elsevierdirect.com/companions/9780123742681/Chapter_20_Final.pdf"&gt;http://www.elsevierdirect.com/companions/9780123742681/Chapter_20_Final.pdf&lt;/a&gt; (accessed: July 1, 2011)&lt;br /&gt; &lt;/li&gt;&lt;li&gt;CBC News 2009, &lt;i&gt;“Internet surveillance laws in Canada and around the world”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.cbc.ca/news/canada/story/2009/06/19/f-internet-cellphone-wiretap-surveillance-law.html"&gt;http://www.cbc.ca/news/canada/story/2009/06/19/f-internet-cellphone-wiretap-surveillance-law.html&lt;/a&gt; (accessed: July 2, 2011)&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Jansen W., Ayers R. 2007, &lt;i&gt;“Special Publication 800-101: Guidelines on Cell Phone Forensics”&lt;/i&gt; [online]. National Institute of Standards and Technology. Available from: &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf"&gt;http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf&lt;/a&gt; (accessed: July 1, 2011)&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Laureate Online Education B.V. 2009. “Seminar 5: Investigating UNIX, Macintosh, and Handheld Devices”.  
&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/758768322635114725/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/07/forensic-investigation-of-celullar-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/758768322635114725'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/758768322635114725'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/07/forensic-investigation-of-celullar-and.html' title='Forensic Investigation of Celullar and Mobile Phones'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-698046401258922207</id><published>2011-06-24T10:26:00.000-04:00</published><updated>2011-06-24T10:26:26.557-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='Vishing'/><category scheme='http://www.blogger.com/atom/ns#' term='VoIP'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><title type='text'>Vishing and VoIP Forensics</title><content type='html'>&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Royal Canadian Mounted Police (2006) defines Vishing (or Voice Phishing) as “the act of leveraging a new technology called Voice over Internet Protocol (VoIP) in using the telephone system to falsely claim to be a legitimate enterprise in an attempt to scam users into disclosing personal information”. Vishing could be viewed as a natural evolution of Phishing, in which con artists use Email messages to glean private information such as credit card numbers, social insurance numbers and PINs. While the general public is getting more and more familiar with this type of con, and Email software vendors include functionality to prevent Phishing attacks, the fraudsters are moving on to a technology still trusted by users – telephony.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Traditionally, in the world of the public switched telephone network (PSTN), although possible (Art of Hacking, 2000), it was much harder to spoof Caller ID (CID) as “each circuit on either end of the call is assigned a phone number by the phone company.” (Reardon M. 2009). Today, with the move to SIP trunks and VoIP technology, spoofing caller ID is fairly trivial. Moreover, there are legitimate ways to acquire a telephone number in any region in the world, such as Skype Online Number. According to Adam Boone (2011), “telecom security researchers over the past two years have reported a very sharp rise in attacks against unsecured VoIP systems”. 
As a result, phishers have access to infrastructure which could be used to launch vishing attacks, as demonstrated in scams targeting Motorola Employees Credit Union, Qwest customers and Bank of the Cascades (Krebs B. 2008).&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;In most cases, a vishing attack involves calling someone using either a war dialler or a legitimate voice messaging company. When the call is answered, an automated message informs the person answering that either their credit card or their bank account has suspicious activity, and asks them to call a predefined number to verify their account by entering their credit card number.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Digital forensic investigation of a vishing suspect is not a trivial matter. Since the attack is usually initiated by calling or texting (SMS) a large number of phone numbers, an investigator could look for an unusual behaviour pattern. A number of forensic software packages can parse Skype artifacts, either in memory (RAM) or on an acquired image, such as Skypeex, Nir Sofer Skype Log Viewer and Belkasoft Skype Analyzer. For other software such as Asterisk, a manual review of the log file will be required. Moreover, a forensic investigator can utilize the &lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;foremost&lt;/i&gt;&lt;/span&gt;&lt;/em&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; command to look for .wav or .mp3 files which could be used as a recorded message. 
Finally, the SIP trunk service provider which was used by the fraudsters could provide information such as the user-id. This information could be used in a string search (&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;srch_strings&lt;/i&gt;&lt;/span&gt;&lt;/em&gt;&lt;em&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; command) in acquired memory or non-volatile storage images to identify suspected hardware.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;h2 class="western"&gt;Bibliography&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;'Beware of phishing--and vishing' 2006, &lt;i&gt;Nursing&lt;/i&gt;, 36, 12, p. 66, Academic Search Complete, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 24 June 2011.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Art of Hacking (2000), &lt;i&gt;“Beating Caller ID”&lt;/i&gt; [online]. Available from: &lt;a href="http://artofhacking.com/files/beatcid.htm"&gt;http://artofhacking.com/files/beatcid.htm&lt;/a&gt; (accessed: June 24, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Boone, A 2011, 'Return of the Phone Phreakers: Business Communications Security in the Age of IP', &lt;i&gt;Security: Solutions for Enterprise Security Leaders&lt;/i&gt;, 48, 4, pp. 50-52, Business Source Premier, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 24 June 2011.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Chow, S, Gustave, C, &amp;amp; Vinokurov, D 2009, 'Authenticating displayed names in telephony', &lt;i&gt;Bell Labs Technical Journal&lt;/i&gt;, 14, 1, pp. 267-282, Business Source Premier, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 24 June 2011.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Krebs B. 2008, &lt;i&gt;“The Anatomy of a Vishing Scam”&lt;/i&gt; [online]. 
Available from: &lt;a href="http://blog.washingtonpost.com/securityfix/2008/03/the_anatomy_of_a_vishing_scam_1.html"&gt;http://blog.washingtonpost.com/securityfix/2008/03/the_anatomy_of_a_vishing_scam_1.html&lt;/a&gt; (accessed: June 24, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Swarm, J 2007, 'A Closer Look at Phishing and Vishing', &lt;i&gt;Community Banker&lt;/i&gt;, 16, 7, p. 56, Business Source Premier, EBSCO&lt;i&gt;host&lt;/i&gt;, viewed 24 June 2011.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Reardon M. 2009. &lt;i&gt;“Protect yourself from vishing attacks”&lt;/i&gt; [online]. CNET News. Available from: &lt;a href="http://www.zdnet.com/news/protect-yourself-from-vishing-attacks/303175"&gt;http://www.zdnet.com/news/protect-yourself-from-vishing-attacks/303175&lt;/a&gt; (accessed: June 24, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Royal Canadian Mounted Police (2006), &lt;i&gt;“Vishing or Voice Phishing”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.rcmp-grc.gc.ca/scams-fraudes/vish-hame-eng.htm"&gt;http://www.rcmp-grc.gc.ca/scams-fraudes/vish-hame-eng.htm&lt;/a&gt; (accessed: June 24, 2011).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-698046401258922207?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/698046401258922207/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/06/vishing-and-voip-forensics.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/698046401258922207'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/698046401258922207'/><link rel='alternate' type='text/html' 
href='http://blog.inteliident.com/2011/06/vishing-and-voip-forensics.html' title='Vishing and VoIP Forensics'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-3758417958017427543</id><published>2011-06-23T15:26:00.002-04:00</published><updated>2011-06-23T15:30:20.176-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Analyse'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><category scheme='http://www.blogger.com/atom/ns#' term='Firefox'/><title type='text'>Firefox 3 Forensic Analysis</title><content type='html'>&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Accessing information on the Internet leaves a variety of footprints such as visited websites, viewed content, downloaded documents, etc. The forensic information could be found in single files, directories, local databases and the Windows registry. Moreover, the Windows operating system maintains in the registry a log of all local and wireless network connections (including the MAC address of the switch/router) which can further help the forensic investigator to identify the physical location of the suspect (Laureate Online Education B.V., 2009) (Jonathan Risto, 2010).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;According to W3School (2011), the five most used web browsers are Firefox (42%) followed by Chrome (25%) and Internet Explorer (25%), then Safari (4%) and Opera (2.4%). 
As such, a digital forensic investigator should be knowledgeable in all of them and geared up to perform extraction and analysis of the data collected by these Internet browsers. In most cases, Internet browsers use a local cache to store information to increase access speed, a history of visited web sites, favourites, etc. In some cases (Firefox), the stored information indicates whether the suspect typed the Uniform Resource Locator (URL), showing intent of criminal or illegal activity. Furthermore, autocomplete history and cookies can provide the forensic investigator with information typed into websites or stored locally. In addition, the increasing use of web chats such as Yahoo! Chat and Gmail Chat provides potential access to additional information.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;While Internet Explorer and Firefox traditionally stored the information in a file, from Firefox version 3 the information is stored in SQLite databases. For example, bookmarks and browsing history are stored in places.sqlite, passwords in key3.db and signons.sqlite, autocomplete history in formhistory.sqlite and cookies in cookies.sqlite (Mozilla.org, n.d.). Numerous tools are available to perform forensic analysis of the information captured by Firefox, including f3e and the simple SQLite command line utility.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;To locate a SQLite 3 database, an investigator can utilize a signature-based search (i.e. the &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;foremost&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; command) and look for the following hex value: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33. 
To make sure that the identified SQLite database file is indeed a file used by Firefox, the following signature could be used to validate the file: 43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="page-break-before: always;"&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;After carving the SQLite 3 database file (using the &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;dd&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; or &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;foremost&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; commands), it could be accessed simply by using the &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;sqlite&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; command. All Firefox SQLite 3 files are in essence a database with multiple tables. For example, places.sqlite contains the following tables: moz_anno_attributes, moz_favicons, moz_keywords, moz_annos, moz_historyvisits, moz_places, moz_bookmarks, moz_inputhistory, moz_bookmarks_roots and moz_items_annos.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Since SQLite does not require authentication to work with the database, SQL statements could be used to retrieve relevant information (case specific). 
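Signature search, validation and querying of a carved places.sqlite, as an added Python example that is not the post's code: it uses the two hex signatures above, takes the database length from the SQLite file header, and runs the three moz_places queries the post gives next (most visited hosts, URLs containing a keyword, completed downloads). The disk image, the decoy database and the hosts and URLs inside it are constructed test data.

```python
"""Carve Firefox 3 SQLite databases out of a raw image and query them. Added example,
not the post's code; the disk image and the databases inside it are constructed below."""
import os
import sqlite3
import struct
import tempfile

# "SQLite format 3": header of every SQLite 3 file (the post's first signature)
SQLITE_MAGIC = bytes.fromhex("53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33")
# "CREATE TABLE moz_bookmarks": schema text of a Firefox places.sqlite (second signature)
FIREFOX_SIGNATURE = bytes.fromhex(
    "43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73")

def find_sqlite_headers(image):
    """Offsets of every SQLite header in the image, as a signature search reports them."""
    offsets, pos = [], image.find(SQLITE_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return offsets

def sqlite_file_length(image, offset):
    """Page size (bytes 16-17, value 1 means 65536) times the in-header page count (bytes
    28-31), valid only while the change counter (24-27) equals version-valid-for (92-95)."""
    header = image[offset:offset + 100]
    if len(header) != 100 or header[24:28] != header[92:96]:
        return None
    page_size, page_count = struct.unpack(">H10xI", header[16:32])
    return None if page_count == 0 else (65536 if page_size == 1 else page_size) * page_count

def carve_sqlite_databases(image):
    """Yield (offset, blob) per database; an unusable header carves up to the next one."""
    offsets = find_sqlite_headers(image)
    for i, start in enumerate(offsets):
        length = sqlite_file_length(image, start)
        if length is None:
            end = offsets[i + 1] if i + 1 != len(offsets) else len(image)
        else:
            end = start + length
        yield start, image[start:end]

def is_firefox_places(blob):
    """The post's validation step: the moz_bookmarks schema text must be present."""
    return FIREFOX_SIGNATURE in blob

def query(blob, sql, params=()):
    """Run one SQL statement against a carved blob by way of a temporary file."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)
    conn = sqlite3.connect(path)
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()
        os.remove(path)

def most_visited_hosts(blob, limit=20):
    """rev_host holds the host name reversed with a trailing dot, e.g. 'moc.elpmaxe.www.'."""
    sql = "SELECT rev_host FROM moz_places ORDER BY visit_count DESC LIMIT ?"
    return [r[0] for r in query(blob, sql, (limit,))]

def places_matching(blob, word):
    return query(blob, "SELECT url FROM moz_places WHERE url LIKE ?", ("%" + word + "%",))

def completed_downloads(blob):
    """visit_type 7 marks a download in Firefox 3 history."""
    return query(blob, "SELECT url, visit_date FROM moz_places, moz_historyvisits "
                       "WHERE moz_places.id = moz_historyvisits.place_id "
                       "AND visit_type = 7 ORDER BY visit_date")

def build_sample_image():
    """Constructed data: a decoy database and a minimal Firefox-style places.sqlite,
    each surrounded by filler bytes the way they would sit inside a raw disk image."""
    def make_db(script):
        fd, path = tempfile.mkstemp(suffix=".sqlite")
        os.close(fd)
        conn = sqlite3.connect(path)
        conn.executescript(script)
        conn.close()
        with open(path, "rb") as fh:
            blob = fh.read()
        os.remove(path)
        return blob
    places = make_db("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, rev_host TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_bookmarks(id INTEGER PRIMARY KEY, fk INTEGER, title TEXT);
        INSERT INTO moz_places VALUES (1, 'http://www.example.com/', 'moc.elpmaxe.www.', 12);
        INSERT INTO moz_places VALUES (2, 'http://forum.example.net/drugs-thread', 'ten.elpmaxe.murof.', 3);
        INSERT INTO moz_places VALUES (3, 'http://files.example.org/report.pdf', 'gro.elpmaxe.selif.', 1);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1308000000000000, 1);
        INSERT INTO moz_historyvisits VALUES (2, 3, 1308000100000000, 7);""")
    decoy = make_db("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);"
                    "INSERT INTO notes VALUES (1, 'not a browser database');")
    filler = b"\xff" * 4096
    return filler + decoy + filler + places + filler
```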
For example, the following query will retrieve the 20 most visited websites:&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;div align="LEFT" style="margin-left: 1.25cm;"&gt;&lt;i&gt;&lt;span style="font-family: Liberation Mono,monospace;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;sqlite&amp;gt; SELECT rev_host FROM moz_places ORDER BY visit_count DESC LIMIT 20;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div align="LEFT"&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;to retrieve all places associated with the word “drugs”:&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div align="LEFT" style="margin-left: 1.25cm;"&gt;&lt;i&gt;&lt;span style="font-family: Liberation Mono,monospace;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;sqlite&amp;gt; SELECT * FROM moz_places WHERE url LIKE '%drugs%';&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;or, to display all completed downloads (firefoxforensics.com, 2008):&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;div style="margin-left: 1.25cm;"&gt;&lt;i&gt;&lt;span style="font-family: Liberation Mono,monospace;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;SELECT url, visit_date&lt;br /&gt;FROM moz_places, moz_historyvisits&lt;br /&gt;WHERE moz_places.id = moz_historyvisits.place_id AND visit_type = 7&lt;br /&gt;ORDER BY visit_date;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;h1 class="western"&gt;Firefox Anti-forensic Features&lt;/h1&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Firefox includes a number of anti-forensic features which could be invoked either by the suspect or automatically by Firefox itself, 
such as removal of old history records after a period of 90 days. Moreover, a suspect could use the “Private Browsing” functionality or manually invoke “Clear Recent History”. In these cases, Firefox fills the space of each record with zeros, effectively wiping the data.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Regardless, although the content of the records is wiped, Pereira, M (n.d.) has demonstrated that “when searching all disk, record vestiges was found in unallocated space”, either due to data reallocated by the underlying OS or due to the “rollback” journal used by the SQLite engine.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Jonathan Risto (2010), &lt;i&gt;“Wireless Networks and the Windows Registry - Just where has your computer been?”&lt;/i&gt; [online]. SANS Institute. Available from: &lt;a href="http://www.sans.org/reading_room/whitepapers/auditing/wireless-networks-windows-registry-computer-been_33659"&gt;http://www.sans.org/reading_room/whitepapers/auditing/wireless-networks-windows-registry-computer-been_33659&lt;/a&gt; (accessed: June 23, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Firefoxforensics.com (2008), &lt;i&gt;“Firefox Research”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.firefoxforensics.com/research/index.shtml"&gt;http://www.firefoxforensics.com/research/index.shtml&lt;/a&gt; (accessed: June 23, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Laureate Online Education B.V. (2009). &lt;i&gt;“Seminar for Week 4: Investigating Windows Systems”&lt;/i&gt;.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Mozilla.org (n.d.), &lt;i&gt;“Profiles”&lt;/i&gt; [online]. 
Available from: &lt;a href="http://support.mozilla.com/en-US/kb/Profiles"&gt;http://support.mozilla.com/en-US/kb/Profiles&lt;/a&gt; (accessed: June 23, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Pereira, M (n.d.), '&lt;i&gt;Forensic analysis of the Firefox 3 Internet history and recovery of deleted SQLite records'&lt;/i&gt;, &lt;span style="font-style: normal;"&gt;DIGITAL INVESTIGATION&lt;/span&gt;, 5, 3-4, pp. 93-103, EBSCO&lt;i&gt;host (&lt;/i&gt;&lt;span style="font-style: normal;"&gt;accessed&lt;/span&gt;&lt;i&gt;: &lt;/i&gt;23 June 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;W3School.com (2011), &lt;i&gt;“Browser Statistics”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.w3schools.com/browsers/browsers_stats.asp"&gt;http://www.w3schools.com/browsers/browsers_stats.asp&lt;/a&gt; (accessed: June 23, 2011).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-3758417958017427543?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/3758417958017427543/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/06/firefox-3-forensic-analysis.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3758417958017427543'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3758417958017427543'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/06/firefox-3-forensic-analysis.html' title='Firefox 3 Forensic Analysis'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' 
height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-7656963425103886477</id><published>2011-06-17T06:31:00.000-04:00</published><updated>2011-06-17T06:31:12.518-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Destructio'/><category scheme='http://www.blogger.com/atom/ns#' term='Sensitive'/><category scheme='http://www.blogger.com/atom/ns#' term='Information'/><title type='text'>Destruction of Sensitive Information</title><content type='html'>&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Destruction of sensitive information has been on the agenda of many organizations and governments. As a result, numerous standards were developed, such as U.S. Department of Defense (DoD) 5220.22-M, National Institute of Standards and Technology (NIST) 800-88 and Canada’s Communications Security Establishment (CSE) ITSG-06, to provide guidance to IT administrators and owners to protect against information retrieval when recycling or disposing of storage media.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;NIST lists four types of sanitization: disposal, clearing, purging and destroying. In most cases, disposal of the storage media is not considered a secure method of discarding media containing sensitive information. 
The rest of this paper reviews the standards defined for data clearing.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Clearing refers to a method of removing sensitive information that would protect the data “against a robust keyboard attack” (Richard Kissel et al., 2006). Simple deletion of files is not sufficient for clearing, as operating systems simply mark the appropriate entries in the FAT (&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;File Allocation Table&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;), or its equivalent in other file systems, as deleted, leaving the &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;Data Region&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; unchanged. As a result, the data could potentially be recovered using forensic tools. Up until 2001, the standard method of securely clearing sensitive information was overwriting the data with zeros, ones, random or predefined patterns such as the “Gutmann Method” (&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;Peter Gutmann, 1996). 
For example, the Communications Security Establishment (2006) defines the overwrite process as follows: the “process itself must include a minimum of three passes including 1s, 0s, and a pseudo-random pattern over the entire accessible area of the magnetic tape or disk, followed by verification of results by the human operator.”&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;The intent of the overwriting process is to overcome the track-edge phenomenon, which allows recovery of the magnetic pattern residue from track boundaries using a magnetic force microscope. Using the microscope, researchers examine the relative peaks of magnetic transitions to recover the binary data. Although the attack on the track edges was documented in a laboratory environment, “it requires a very well equipped research laboratory with costly microscopy equipment and highly trained researchers with a great deal of time and patience” (Communications Security Establishment, 2006). Moreover, data written to magnetic media is becoming more and more dense: according to a Seagate press release (2011), it has reached an “areal density of 625 Gigabits per square inch”, which is 310 million times the density of the first hard drive. As a result, the effort required makes recovery of the data virtually impossible. Richard Kissel et al. (2006) write that “studies have shown that most of today’s media can be effectively cleared by one overwrite.”&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;Furthermore, since about 2001, all ATA IDE, SATA and SCSI hard drive manufacturers include support for the "Secure Erase" or “Secure Initiate” commands, which write binary zeros using internal fault detection hardware. 
Although the method does not precisely follow the DoD 5220.22 “three writes plus verification” specification, the University of California San Diego Center for Magnetic Recording Research (2008) “showed that the erasure security is at the level of DoD 5220, because drives having the command also randomize user bits before storing on magnetic media”. Moreover, NIST Special Publication 800-88 classifies the “Secure Erase” command as an acceptable method of purging, equivalent to media degaussing.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Communications Security Establishment (2006), &lt;i&gt;“Clearing and Declassifying Electronic Data Storage Devices”&lt;/i&gt; [online], Available from: &lt;a href="http://www.cse-cst.gc.ca/its-sti/publications/itsg-csti/itsg06-eng.html"&gt;http://www.cse-cst.gc.ca/its-sti/publications/itsg-csti/itsg06-eng.html&lt;/a&gt; (accessed: June 17, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: normal;"&gt;Gutmann P. (1996), &lt;/span&gt;&lt;i&gt;&lt;span style="font-weight: normal;"&gt;“Secure Deletion of Data from Magnetic and Solid-State Memory”&lt;/span&gt;&lt;/i&gt;&lt;span style="font-weight: normal;"&gt; [online]. Department of Computer Science, University of Auckland. Available from: &lt;a href="http://www.cs.auckland.ac.nz/%7Epgut001/pubs/secure_del.html"&gt;http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html&lt;/a&gt; (accessed: June 17, 2011).&lt;/span&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Gordon F. Hughes (2008) &lt;i&gt;“CMRR Protocols for Disk Drive Secure Erase”&lt;/i&gt; [online]. University of California San Diego, Center for Magnetic Recording Research. Available from: &lt;a href="http://cmrr.ucsd.edu/people/Hughes/CmrrSecureEraseProtocols.pdf"&gt;http://cmrr.ucsd.edu/people/Hughes/CmrrSecureEraseProtocols.pdf&lt;/a&gt; (accessed: June 17, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Hughes, G.F., Coughlin, T., Commins, D.M. 
2009, &lt;i&gt;“Disposal of Disk and Tape Data by Secure Sanitization”&lt;/i&gt;, Security &amp;amp; Privacy, IEEE volume 9 issue 3, p29-34.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Richard Kissel, Matthew Scholl, Steven Skolochenko, Xing Li (2006), &lt;i&gt;“NIST Special Publication 800-88: Guidelines for Media Sanitization”&lt;/i&gt; [online]. National Institute of Standards and Technology. Available from: &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf"&gt;http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf&lt;/a&gt; (accessed: June 17, 2011).  &lt;br /&gt; &lt;/li&gt;&lt;li&gt;Seagate Technology LLC (2011a), “Media Sanitization Practices During Product Return Process Best Practices Statement” [online]. Available from: &lt;a href="http://www.seagate.com/staticfiles/support/docs/warranty/SeagateMediaSanitizationPractices19-Mar-2011.pdf"&gt;http://www.seagate.com/staticfiles/support/docs/warranty/SeagateMediaSanitizationPractices19-Mar-2011.pdf&lt;/a&gt; (accessed: June 17, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Seagate Technology LLC (2011b), “&lt;i&gt;Seagate Breaks Areal Density Barrier: Unveils The World's First Hard Drive Featuring 1 Terabyte Per Platter”&lt;/i&gt; [online]. 
Available from: &lt;a href="http://www.seagate.com/ww/v/index.jsp?locale=en-US&amp;amp;name=unveils-1-terabyte-platter-seagate-pr&amp;amp;vgnextoid=6fbdb5ebf32bf210VgnVCM1000001a48090aRCRD"&gt;http://www.seagate.com/ww/v/index.jsp?locale=en-US&amp;amp;name=unveils-1-terabyte-platter-seagate-pr&amp;amp;vgnextoid=6fbdb5ebf32bf210VgnVCM1000001a48090aRCRD&lt;/a&gt; (accessed: June 17, 2011).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-7656963425103886477?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/7656963425103886477/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/06/destruction-of-sensitive-information.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/7656963425103886477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/7656963425103886477'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/06/destruction-of-sensitive-information.html' title='Destruction of Sensitive Information'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-3594759682858934496</id><published>2011-06-11T11:27:00.000-04:00</published><updated>2011-06-11T11:27:51.280-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Canada'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Digital'/><category scheme='http://www.blogger.com/atom/ns#' term='Disclosure'/><category scheme='http://www.blogger.com/atom/ns#' term='Ontario'/><category scheme='http://www.blogger.com/atom/ns#' term='Private'/><category scheme='http://www.blogger.com/atom/ns#' term='Investigator'/><category scheme='http://www.blogger.com/atom/ns#' term='Evidence'/><category scheme='http://www.blogger.com/atom/ns#' term='PSISA'/><category scheme='http://www.blogger.com/atom/ns#' term='Law'/><category scheme='http://www.blogger.com/atom/ns#' term='Ethical'/><category scheme='http://www.blogger.com/atom/ns#' term='License'/><category scheme='http://www.blogger.com/atom/ns#' term='SIPPA'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><title type='text'>Disclosure of Evidence</title><content type='html'>&lt;style type="text/css"&gt; &lt;!--  @page { margin: 2cm }  P { margin-bottom: 0.21cm }  H2 { margin-bottom: 0.21cm }  H2.western { font-family: "Liberation Serif"; font-size: 14pt; font-style: italic }  H2.cjk { font-size: 14pt; font-style: italic }  H2.ctl { font-family: "Lohit Hindi"; font-size: 14pt; font-style: italic }  A:link { so-language: zxx } --&gt; &lt;/style&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;When an expert witness is required to disclose evidence that can damage its client's case, the conflict of interest could be examined from two standpoints: ethical and legal obligations.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;In Ontario, Canada, under the Private Security and Investigative Services Act (PSISA) 2005, all individuals who conduct “investigations to provide information on the character, actions, business, occupation, or whereabouts of a person”, including digital forensic experts, require a Private Investigation license. The act, which came into force in 2007, is a way to 
professionalize the industry and ensure that all practitioners are qualified to act as private investigators (PI). The investigators are required to be familiar with criminal and civil legislation, privacy acts, and (hearing) procedural requirements. Moreover, the individuals must accept the PSISA Code of Conduct (Government of Ontario 2005b), which states that every individual licensee must act with honesty and integrity, and comply with all federal, provincial and municipal laws.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;In addition to that, private investigators should have the ability (skills and knowledge) to present evidence in a court of law. In Ontario, Canada, the act that governs hearing procedures in the court of law is the Statutory Powers Procedure Act (SPPA). Section 5.4 of the SPPA states that the “tribunal may, at any stage of the proceeding before all hearings are complete, make orders for, (a) the exchange of documents; (b) the oral or written examination of a party; (c) the exchange of witness statements and reports of expert witnesses; (d) the provision of particulars; (e) any other form of disclosure.” (Government of Ontario, 2009). The intent is to ensure fair hearing procedures and to prevent conflicts of interest on the part of expert witnesses hired by either the defence or the prosecution.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;From the ethical standpoint, according to the PSISA Code of Conduct, an expert is required to act with “honesty and integrity” (Government of Ontario 2005b); therefore a licensed private investigator is expected to provide a full and truthful disclosure of the discovered evidence. Moreover, under SPPA section 5.4, the tribunal may order a full exchange of expert witness statements and reports. 
As a result, failure to provide a truthful and full disclosure may result in the revocation of the Private Investigation license and a criminal case against the expert witness.&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Government of Ontario (2009), &lt;i&gt;“Statutory Powers Procedure Act”&lt;/i&gt; [online]. Available from: &lt;a href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90s22_e.htm"&gt;http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90s22_e.htm&lt;/a&gt; (accessed: June 11, 2011)&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Government of Ontario (2005a), &lt;i&gt;“Private Security and Investigative Services Act”&lt;/i&gt; [online], Available from: &lt;a href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_05p34_e.htm"&gt;http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_05p34_e.htm&lt;/a&gt; (accessed: June 11, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Government of Ontario (2005b), &lt;i&gt;“Private Security and Investigative Services Act – Code of Conduct”&lt;/i&gt; [online], Available from: &lt;a href="http://www.e-laws.gov.on.ca/html/regs/english/elaws_regs_070363_e.htm"&gt;http://www.e-laws.gov.on.ca/html/regs/english/elaws_regs_070363_e.htm&lt;/a&gt; (accessed:  June 11, 2011).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-3594759682858934496?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/3594759682858934496/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/06/disclosure-of-evidence.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3594759682858934496'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3594759682858934496'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/06/disclosure-of-evidence.html' title='Disclosure of Evidence'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-1059770951844032913</id><published>2011-06-09T22:47:00.004-04:00</published><updated>2011-06-09T22:52:55.781-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Digital'/><category scheme='http://www.blogger.com/atom/ns#' term='Chain'/><category scheme='http://www.blogger.com/atom/ns#' term='Custody'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensic'/><category scheme='http://www.blogger.com/atom/ns#' term='Evidence'/><category scheme='http://www.blogger.com/atom/ns#' term='Law'/><title type='text'>Chain of Custody</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;style type="text/css"&gt; &lt;!--  @page { margin: 2cm }  P { margin-bottom: 0.21cm }  H2 { margin-bottom: 0.21cm }  H2.western { font-family: "Liberation Serif"; font-size: 14pt; font-style: italic }  H2.cjk { font-size: 14pt; font-style: italic }  H2.ctl { font-family: "Lohit Hindi"; font-size: 14pt; font-style: italic }  A:link { so-language: zxx } --&gt; &lt;/style&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Chain of custody is defined as “the order in which a piece of criminal evidence should be handled by 
persons investigating a case, specif. the unbroken trail of accountability that ensures the physical security of samples, data, and records in a criminal investigation” (Dictionary.com, n.d.). The Royal Canadian Mounted Police (RCMP), a branch of the Canadian Government responsible for investigating digital crime in Canada, refers to chain of custody as “the tracking of evidence items from the scene of a crime to the item &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;span style="font-style: normal;"&gt;presentation in a legal proceeding.&lt;/span&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;” (Royal Canadian Mounted Police, 2008a). In other words, chain of custody is a process of handling (digital) evidence in order to ensure its authenticity, and therefore its admissibility in a court of law. It is imperative to maintain the chain of custody, especially in cases where there is a strong reliance on the digital evidence, since “altered [evidence] and a break in the chain of custody would undoubtedly compromise the evidential weighting in a criminal case” (Royal Canadian Mounted Police, 2008a).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;As a result, in its guide for victims of copyright and trademark infringement (Royal Canadian Mounted Police, 2008b), the RCMP instructs evidence handlers to keep it under lock and key and to maintain the chain of custody – documenting all handling and movement of the exhibit, including the date and signature of the individual handling the evidence. Furthermore, the chain of custody has to be maintained (recorded and traced) from the initial evidence acquisition to the presentation in the court of law. &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;The importance of maintaining the chain of custody is not limited to criminal cases. 
For example, a decision to dismiss an employee for violating corporate policy could end up in court as a non-criminal case. The employee could file a “wrongful dismissal” suit against the employer, and the collected digital data could become critical evidence. If the defence alleges that the digital evidence has been altered or could have been altered, it is up to the prosecution to prove otherwise (Douglas Schweitzer, 2003).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;In many cases, the traditional methods of handling digital data are not sufficient to ensure admissibility of the digital evidence in a court of law. For example, standard file copying techniques, such as using the &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: Liberation Mono,monospace;"&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;copy&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; or &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: Liberation Mono,monospace;"&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;cp&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; commands, could alter the access time of the original file, therefore impacting the authenticity of potential evidence. 
Furthermore, simply “pulling the plug” (as a way to preserve the data on non-volatile storage) could result in the loss of a vast amount of volatile data such as encryption keys and “hacking tools and malicious software that may exist solely within memory” (Association of Chief Police Officers, 2008).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Association of Chief Police Officers (2008), &lt;i&gt;Good Practice Guide for Computer-Based Electronic Evidence&lt;/i&gt; [online]. 7Safe. Available from: &lt;a href="http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence_v4_web.pdf"&gt;http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence_v4_web.pdf&lt;/a&gt; (accessed: June 9, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Dictionary.com (n.d.), &lt;i&gt;"chain of custody"&lt;/i&gt; in Dictionary.com's 21st Century Lexicon [online]. Available from: &lt;a href="http://dictionary.reference.com/browse/chain%20of%20custody"&gt;http://dictionary.reference.com/browse/chain of custody&lt;/a&gt; (accessed: June 09, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Douglas Schweitzer (2003), &lt;i&gt;“Incident Response: Computer Forensics Toolkit”&lt;/i&gt;, Wiley Publishing, Inc., p61.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Royal Canadian Mounted Police (2008a), &lt;i&gt;Computer Forensics: A Guide for IT Security Incident Responders&lt;/i&gt; [online]. Technical Security Branch Technical Operations, Royal Canadian Mounted Police. Available from: &lt;a href="http://www.rcmp-grc.gc.ca/ts-st/pubs/it-ti-sec/g2-008-eng.pdf"&gt;http://www.rcmp-grc.gc.ca/ts-st/pubs/it-ti-sec/g2-008-eng.pdf&lt;/a&gt; (accessed: June 9, 2011)&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Royal Canadian Mounted Police (2008b). &lt;i&gt;A Guide for Victims of Copyright and Trademark Infringement&lt;/i&gt; [online]. 
Available from: &lt;a href="http://www.rcmp-grc.gc.ca/fep-pelf/ipr-dpi/guide-eng.htm"&gt;http://www.rcmp-grc.gc.ca/fep-pelf/ipr-dpi/guide-eng.htm&lt;/a&gt; (accessed: June 9, 2011).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-1059770951844032913?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/1059770951844032913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/06/chain-of-custody.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1059770951844032913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1059770951844032913'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/06/chain-of-custody.html' title='Chain of Custody'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-501020481302121515</id><published>2011-06-04T11:51:00.000-04:00</published><updated>2011-06-04T11:51:25.545-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Ethical'/><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='motivation'/><category scheme='http://www.blogger.com/atom/ns#' term='Confidencial'/><category scheme='http://www.blogger.com/atom/ns#' term='Law'/><category 
scheme='http://www.blogger.com/atom/ns#' term='conflict'/><title type='text'>Ethics, Law and Motivation</title><content type='html'>In order to discuss the differences between an unethical act and an illegal act, and the motivation for these acts, we need to understand the definitions of the words themselves. Dictionary.com (n.d.) defines ethical as “in accordance with principles of conduct that are considered correct, especially those of a given profession or group”, while the term legal is defined as “established by or founded upon law; lawful” (Dictionary.com, n.d.). Finally, motivation is defined as “desire to do; interest or drive; incentive or inducement” (Dictionary.com, n.d.).&lt;br /&gt;From the definitions given above, it is clear that for an act or action to be considered unethical, it has to contradict the personal judgement of what is considered to be correct, whereas an illegal act is an act violating an official law or regulation. For example, in the software development domain, when an employer forces employees (software developers) to develop only partially functioning software in order to increase the profitability of the company, while not illegal, it could be considered an unethical act. On the other hand, when a European Union (EU) based hosting company stores personal records of its clients on servers in North America, as a backup or disaster recovery site, with the same or stricter security controls in place, although it does not violate any ethical principles, it is forbidden by official EU rules (European Commission of Justice, 2009). In practice, data transfer to non-EU entities is possible if the same core principles of data protection are provided to the personal records of the individuals. 
Furthermore, the EU and the Department of Commerce (DoC) have developed a framework, Safe Harbor, to bridge between privacy approaches and streamline trade between the EU and US (&lt;span style="font-weight: normal;"&gt;export.gov, 2011).&lt;/span&gt;&lt;br /&gt;&lt;div style="font-weight: normal;"&gt;Moreover, when discussing motivations to conduct an illegal act and an unethical act, there is a clear distinction between the two. Since ethical behaviour is dictated by personal principles, an individual would have no desire to conduct an unethical act. On the other hand, illegal acts, as shown in the example above, do not always contradict personal ethical principles; therefore an incentive or gain (financial, personal, etc.) could be a driver for an illegal act.&lt;/div&gt;&lt;div style="font-weight: normal;"&gt;As a continuation of this topic, it would be beneficial to examine the potential conflict between corporate policies, as opposed to the provincial or federal laws discussed above, and personal ethical principles. As highlighted by the Verizon Business 2008 data breach investigations report, in the finance and tech industries, 39 and 39 percent respectively of breaches originated from internal sources – internal employees (Wade H. Baker et al., 2008).&lt;/div&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Dictionary.com, "ethical," in &lt;i&gt;Collins English Dictionary - Complete &amp;amp; Unabridged 10th Edition&lt;/i&gt;. Source location: HarperCollins Publishers. &lt;a href="http://dictionary.reference.com/browse/ethical"&gt;http://dictionary.reference.com/browse/ethical&lt;/a&gt;. Available: &lt;a href="http://dictionary.reference.com/"&gt;http://dictionary.reference.com&lt;/a&gt;. Accessed: June 04, 2011.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Dictionary.com, "legal," in &lt;i&gt;Collins English Dictionary - Complete &amp;amp; Unabridged 10th Edition&lt;/i&gt;. Source location: HarperCollins Publishers. 
&lt;a href="http://dictionary.reference.com/browse/legal"&gt;http://dictionary.reference.com/browse/legal&lt;/a&gt;. Available: &lt;a href="http://dictionary.reference.com/"&gt;http://dictionary.reference.com&lt;/a&gt;. Accessed: June 04, 2011.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Dictionary.com, "motivation," in &lt;i&gt;Collins English Dictionary - Complete &amp;amp; Unabridged 10th Edition&lt;/i&gt;. Source location: HarperCollins Publishers. &lt;a href="http://dictionary.reference.com/browse/motivation"&gt;http://dictionary.reference.com/browse/motivation&lt;/a&gt;. Available: &lt;a href="http://dictionary.reference.com/"&gt;http://dictionary.reference.com&lt;/a&gt;. Accessed: June 04, 2011.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;European Commission of Justice 2009, Data Protection [online], Available from: &lt;a href="http://ec.europa.eu/justice/policies/privacy/index_en.htm"&gt;http://ec.europa.eu/justice/policies/privacy/index_en.htm&lt;/a&gt; (accessed June 04, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: normal;"&gt;export.gov 2011, The U.S.-EU &amp;amp; U.S.-Swiss Safe Harbor Framework [online]. Available from: &lt;a href="http://www.export.gov/safeharbor/"&gt;http://www.export.gov/safeharbor/&lt;/a&gt; (accessed June 04, 2011).&lt;/span&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: normal;"&gt;Wade H. Baker, C. David Hylender, A. Bryan Sartin, Peter Tippett and J. Andrew Valentine 2008, 2008 Data Breach investigations Supplemental Report [online]. 
Available from: &lt;a href="http://www.verizonbusiness.com/resources/whitepapers/wp_supplemental-report-specifics-for-the-financial-services-food-beverage-retail-and-tech-services-industries_en_xg.pdf"&gt;http://www.verizonbusiness.com/resources/whitepapers/wp_supplemental-report-specifics-for-the-financial-services-food-beverage-retail-and-tech-services-industries_en_xg.pdf&lt;/a&gt; (accessed June 04, 2011).&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-501020481302121515?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/501020481302121515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/06/ethics-law-and-motivation.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/501020481302121515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/501020481302121515'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/06/ethics-law-and-motivation.html' title='Ethics, Law and Motivation'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-1143595738827567666</id><published>2011-01-05T15:51:00.000-05:00</published><updated>2011-01-08T10:55:38.639-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Shielding'/><category scheme='http://www.blogger.com/atom/ns#' term='antiskimming'/><category scheme='http://www.blogger.com/atom/ns#' term='RFID'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>Privacy Issues in RFID Technology</title><content type='html'>&lt;style type="text/css"&gt;p { margin-bottom: 0.21cm; }h2 { margin-bottom: 0.21cm; }h2.western { font-family: "Liberation Serif"; font-size: 14pt; font-style: italic; }h2.cjk { font-size: 14pt; font-style: italic; }h2.ctl { font-family: "Lohit Hindi"; font-size: 14pt; font-style: italic; }a:link {  }&lt;/style&gt;RFID, like any other information technology, has inherited security and privacy risks; some are due to technological limitations while others are a result of incorrect deployment and usage. The Office of the Privacy Commissioner of Canada (2008) believes that “RFID may have dramatic implications for privacy protection and that it is now necessary to identify good practices for organizations subject to the PIPEDA and the Privacy Act.” Regardless, by understanding the risks and applying security best practices, one can significantly reduce the privacy exposure. Tom Karygiannis (2007) concludes that “for RFID implementations to be successful, organizations need to effectively manage that risk, which requires an understanding of its sources and its potential characteristics”. We also need to distinguish between privacy and security concerns; not every security issue is related to information privacy, whereas proper security of personal and private information is required by privacy laws and Information Fair Usage legislation. 
&lt;br /&gt;The main privacy concern, ability to track and identify the tagcarrier, has it roots in the historical purpose of the RFID tagswhich is “tagging objects like shipping containers, munitions,automobile parts, or even live cattle” (Juels, Ari, and Stephen A.Weis. 2009) and since it is highly unlikely that a person would becarrying a shipping container or cattle, individual privacy was notconsidered an issue. By carrying an RFID enable item, a personalidentity could be compromised and it could happen without ownersknowledge that his/her identity was acquired by a 3rd party. &lt;br /&gt;Furthermore, association could be established between a person andprivate information such as citizenship, medical prescriptions andpersonal interests. For example, from 2006 U.S. Department of Stateissues RFID enabled passport which “contains the name, nationality,gender, date of birth, and place of birth of the passport holder, aswell as a digitized photograph of that person” (Grant Gross, 2005).and although the information is encrypted, a simple scan of a crowdin the airport could identify US citizens. Juels, Ari, and Stephen A.Weis. (2009) confirm that “even if the semantic meaning ofinformation on tags is well protected, tags may still be recognizablebetween appearances, and thus subject to tracking”. Or, by caring aprescribed drug a person could unintentionally leak medicalinformation which could be “picked up” remotely, without ownersknowledge.&lt;br /&gt;In addition, by needlessly storing information which is protectedby privacy laws, one takes unnecessary risk, even if steps are takento protect the information. For example, an encryption algorithmemployed to protect the digital information of Dutch citizensembedded into e-passport was cracked within 2 hours of it beingintercepted “giving full access to the digitized fingerprint,photograph, and all other encrypted and plain text data on the RFIDtag” (Thomas Ricker 2006). 
Even more interesting is the fact thatthe same ISO 14443 RFID tag and encryption scheme is used by the RFIDenabled passports issued by the U.S. Department of State.&lt;br /&gt;To address security and privacy concerns, we need to understandthe core of the problem. According to Marc Langheinrich (2009) “thecore RFID privacy problem is that of unauthorized tag readout: withthe help of wireless communication, third parties can in principleread the tags of personal items from large distances, and without anyindication that such a readout is taking place” therefore bycontrolling the remote access to the information has the utmostimportance. There are a number of possible approaches to controlaccess to the information including tag deactivation and tagshielding. The first, could be implemented using “kill switch” or“kill command” to permanently deactivate the tag eitherautomatically (command from a RFID reader) or manually, or by using a“sleep command” to temporary disable the attached RFID tag.  Thesecond approach is usually implemented using either The Faraday Cage,Jamming and Blocking Tag approaches (Sitlia, Hanan, Habib Hamam, andSid-Ahmed Selouani. 2009). This approach is used by the U.S.Department of State whereby all issued passports are provided withthe "antiskimming" sleeve that reduces the RFID tageffective range.&lt;br /&gt;Furthermore, encryption could be used as a potential technicalsolition to safeguard the information stored on RFID tags, andalthough it is often seems as a obvious solution many porposedschemes are ingnord mainly due to difficulties assossiated with thekey management. Marc Langheinrich (2009) summarises “consequently,encryption might only work well in controlled systems such as paymentcards and identification systems”.&lt;br /&gt;Additional technical solutions to RFID privacy concerns is readerauthentication where the interegating party (the reader) has toprovide a secret key before RFID tag disclose stored information. 
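&lt;br /&gt;Reader authentication of this kind can be built on nothing more than a one-way hash. The following is an added example written for this page, not code from the original post or from Weis et al.'s paper: it contrasts the simplest “hash lock”, in which a locked tag answers every query with the same value metaID = h(key) and unlocks only when the reader presents the key, with the randomized extension of Weis et al., in which the tag answers with a fresh nonce r and h(ID || r), so that two reads of the same tag cannot be linked by an eavesdropper and there is no static value to capture, replay or brute-force. The tag identifiers, keys and reader database are constructed for the example, and SHA-256 stands in for the small hash a real low-cost tag would implement.&lt;br /&gt;

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not code from the original post or from Weis et al.:
# a static "hash lock" and its randomized extension for reader
# authentication. Tag IDs, keys and the reader database are constructed
# here; SHA-256 stands in for the small hash a real low-cost tag would use.


def h(*parts: bytes) -> bytes:
    """One-way function shared by tag and reader."""
    return hashlib.sha256(b"".join(parts)).digest()


class StaticHashLockTag:
    """Locked tag stores metaID = h(key) and answers every query with it."""

    def __init__(self, tag_id: bytes, key: bytes) -> None:
        self.tag_id = tag_id
        self.meta_id = h(key)  # the tag holds only the hash of the key
        self.unlocked = False

    def query(self) -> bytes:
        # Same value on every read: an eavesdropper can track the tag by
        # metaID alone, and can replay a captured key to unlock it.
        return self.meta_id

    def unlock(self, key: bytes) -> bool:
        # The reader must present the pre-image of metaID before the tag
        # discloses its real identifier.
        self.unlocked = hmac.compare_digest(h(key), self.meta_id)
        return self.unlocked


class RandomizedHashLockTag:
    """Tag answers with a fresh nonce r and h(tag_id || r) (Weis et al.)."""

    def __init__(self, tag_id: bytes) -> None:
        self.tag_id = tag_id
        self.unlocked = False

    def query(self) -> Tuple[bytes, bytes]:
        r = secrets.token_bytes(16)
        return r, h(self.tag_id, r)  # differs on every read, so not linkable

    def unlock(self, tag_id: bytes) -> bool:
        self.unlocked = hmac.compare_digest(tag_id, self.tag_id)
        return self.unlocked


class Reader:
    """Legitimate reader holding the back-end table of tag_id to key."""

    def __init__(self, db: Dict[bytes, bytes]) -> None:
        self.db = db
        self.by_meta = {h(key): tid for tid, key in db.items()}

    def read_static(self, tag: StaticHashLockTag) -> Optional[bytes]:
        tid = self.by_meta.get(tag.query())
        if tid is not None and tag.unlock(self.db[tid]):
            return tid
        return None

    def read_randomized(self, tag: RandomizedHashLockTag) -> Optional[bytes]:
        r, response = tag.query()
        # A linear search over every known ID is the price of unlinkability:
        # the reader cannot index the response, only recompute it per ID.
        for tid in self.db:
            if hmac.compare_digest(h(tid, r), response) and tag.unlock(tid):
                return tid
        return None


def linkable(first, second) -> bool:
    """Could a passive eavesdropper tell that two responses came from one tag?"""
    return first == second


def demo() -> Dict[str, object]:
    db = {b"tag-0001": b"key-one", b"tag-0002": b"key-two"}  # constructed
    reader = Reader(db)
    static_tag = StaticHashLockTag(b"tag-0001", b"key-one")
    random_tag = RandomizedHashLockTag(b"tag-0002")
    return {
        "static_read": reader.read_static(static_tag),
        "static_linkable": linkable(static_tag.query(), static_tag.query()),
        "randomized_read": reader.read_randomized(random_tag),
        "randomized_linkable": linkable(random_tag.query(), random_tag.query()),
        "unknown_tag_read": reader.read_static(StaticHashLockTag(b"tag-9999", b"x")),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the trade-off the text goes on to describe: the static tag is read in one lookup but answers identically every time, while the randomized tag is unlinkable across reads at the cost of the reader hashing every identifier in its database for each query.&lt;br /&gt;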
Inthe simples implementation, the tag will hash and compare the valueof the provided “challenge response” key known only to thelegitimate reaaders. An extention to the authentication scheme wasproposed by Weis at al. to reduce the risk assossiated with usage ofstatic hash value (posibility of a brute force attack).&lt;br /&gt;Lastly, a number of policy makers require organizations to assignaccountable for privacy compliance who “must be aware of allcollections of personal information by the RFID system and allsubsequent uses, disclosures and the retention period” (Office ofthe Privacy Commissioner of Canada, 2008). Furthermore, theaccountable individual has to complete the Privacy Impact Assessment(PIA) to ensure that RFID system complies with the privacy laws.&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Gross, Grant (2005), &lt;i&gt;United States to Require RFID Chips in Passports&lt;/i&gt; [online]. PCWorld. Available from: &lt;a href="http://www.pcworld.com/article/123246/united_states_to_require_rfid_chips_in_passports.html"&gt;http://www.pcworld.com/article/123246/united_states_to_require_rfid_chips_in_passports.html&lt;/a&gt; (accessed January 4, 2011).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Juels, Ari, and Stephen A. Weis. 2009. "Defining Strong Privacy for RFID." &lt;i&gt;ACM Transactions on Information &amp;amp; System Security (TISSEC)&lt;/i&gt; 13, no. 1: 7-7.23. &lt;i&gt;Computers &amp;amp; Applied Sciences Complete&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed January 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Langheinrich, Marc. 2009. "A survey of RFID privacy approaches." &lt;i&gt;Personal &amp;amp; Ubiquitous Computing&lt;/i&gt; 13, no. 6: 413-421. 
&lt;i&gt;Computers &amp;amp; Applied Sciences Complete&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed January 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Office of the Privacy Commissioner of Canada (2008). &lt;i&gt;Radio Frequency Identification (RFID) in the Workplace: Recommendations for Good Practices. A Consultation Paper&lt;/i&gt; [online]. Available from: &lt;a href="http://www.privcom.gc.ca/information/pub/rfid_e.pdf"&gt;http://www.privcom.gc.ca/information/pub/rfid_e.pdf&lt;/a&gt; (accessed January 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Sitlia, Hanan, Habib Hamam, and Sid-Ahmed Selouani. 2009. "Technical Solutions for Privacy Protection in RFID." &lt;i&gt;European Journal of Scientific Research&lt;/i&gt; 38, no. 3: 500-508. &lt;i&gt;Academic Search Complete&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed January 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Spiekermann, Sarah. 2009. "RFID and privacy: what consumers really want and fear." &lt;i&gt;Personal &amp;amp; Ubiquitous Computing&lt;/i&gt; 13, no. 6: 423-434. &lt;i&gt;Computers &amp;amp; Applied Sciences Complete&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed January 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Karygiannis, Tom, Bernard Eydt, Greg Barber, Lynn Bunn and Ted Phillips (2007), &lt;i&gt;Guidelines for Securing Radio Frequency Identification (RFID) Systems&lt;/i&gt; [online]. National Institute of Standards and Technology (NIST), Special Publication 800-98. Available from: &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf"&gt;http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf&lt;/a&gt; (accessed January 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Ricker, Thomas (2006). &lt;i&gt;Dutch RFID e-passport cracked -- US next?&lt;/i&gt; [online]. Engadget. Available from: &lt;a href="http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/"&gt;http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/&lt;/a&gt; (accessed January 4, 2011).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/1143595738827567666/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/01/privacy-issues-in-rfid-technology.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1143595738827567666'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1143595738827567666'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/01/privacy-issues-in-rfid-technology.html' title='Privacy Issues in RFID Technology'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-765769950308559607</id><published>2011-01-02T14:54:00.000-05:00</published><updated>2011-01-02T14:54:34.435-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Canada'/><category scheme='http://www.blogger.com/atom/ns#' term='28'/><category scheme='http://www.blogger.com/atom/ns#' term='PIPEDA'/><category scheme='http://www.blogger.com/atom/ns#' term='Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='Spam'/><category scheme='http://www.blogger.com/atom/ns#' term='27'/><category scheme='http://www.blogger.com/atom/ns#' term='Act'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Bill'/><category scheme='http://www.blogger.com/atom/ns#' term='FISA'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber'/><title type='text'>Security, Spam and Internet Governance Challenges in Canada</title><content type='html'>Spam, according to Industry Canada (2005), “has become a significant social and economic issue, affecting the business and personal productivity of citizens and economies around the globe”. Furthermore, spam is used for illegal activities such as the distribution of unsolicited marketing materials, phishing and Denial of Service (DoS) attacks, and the distribution of viruses and Trojan Horses. Spam affects not only the home user but also Internet Service Providers (ISPs), who must invest in anti-spam technologies and preserve existing bandwidth, commercial retailers whose legitimate messages are being filtered out, and private and public sector organizations whose employees are wasting time and corporate resources.&lt;br /&gt;
In 1997, Industry Canada conducted a study investigating the possibility of regulating content on the Internet. The report concluded that none of the available technologies would prevent technically savvy Canadians from accessing “content that violates pre-defined rules of acceptability, nor would they ensure that the user would be exposed to any measure of desirable content” (Miller, Gerry et al, 1999). In 2005, Canada established a task force to analyze and provide recommendations on dealing with spam. The resulting report (Industry Canada, 2005) outlines the multifaceted measures required to deal with spam, including the involvement of legislative bodies (at the federal and provincial levels) to provide legislation, regulation and enforcement, the involvement of Internet Service Providers (ISPs) and other network operators, and user education and security awareness. The latest statistics released by the Canadian Anti-Fraud Centre indicate that although “Telephone/Fax” is still the most prevalent method of Mass Marketing Fraud, which includes “telemarketing fraud, West African fraud, internet fraud and Identity Theft” (Canadian Anti-Fraud Centre, 2010), the highest financial loss in 2009 was through the Email and Internet solicitation methods. Although the number of victims and the total dollar loss from Mass Marketing Fraud schemes have fallen since 2007, from $66M to $59M, there has been a slight increase in Identity Theft victims since 2007, accounting for $10,882,279.04 of losses in 2009. Following the study, Bill C-27 (the Electronic Commerce Protection Act) was re-introduced as Bill C-28 (Fighting Internet and Wireless Spam Act, or FISA) and became law on December 15, 2010. The intent of the legislation is to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive out spammers.&lt;br /&gt;
Furthermore, Canada, through the Industry Canada Electronic Commerce Branch, is active in promoting a common international policy framework to handle issues such as spam, privacy, identity theft and fraud, through collaboration with international bodies such as the Organisation for Economic Co-operation and Development (OECD), Asia-Pacific Economic Cooperation (APEC), the International Telecommunication Union (ITU), the Messaging Anti-Abuse Working Group (MAAWG) and the G8 High-Tech Crime Sub-Group (Industry Canada, 2009).&lt;br /&gt;
Data and data privacy are governed at the federal level by the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). At the provincial level a number of laws and acts exist, such as the Personal Health Information Protection Act (Ontario), the Freedom of Information and Protection of Privacy Act (Ontario), the Personal Information Protection Act (Alberta) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec). The Office of the Privacy Commissioner of Canada (OPCC) is considered to be one of the more active in evaluating technologies, and the use of those technologies, with potential privacy concerns. Furthermore, the Canadian Radio-television and Telecommunications Commission (CRTC) investigates and pursues businesses that break the law, such as its recent investigations into Bell Canada and Xentel DM for violations of the National Do Not Call List (CBC News, 2010).&lt;br /&gt;
&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Canadian Anti-Fraud Centre (2010). &lt;i&gt;Annual Statistical Report 2009 - Mass Marketing Fraud &amp;amp; ID Theft Activities&lt;/i&gt; [online]. Available from: &lt;a href="http://www.antifraudcentre-centreantifraude.ca/english/documents/AnnualStatisticalReport2009_001.pdf"&gt;http://www.antifraudcentre-centreantifraude.ca/english/documents/AnnualStatisticalReport2009_001.pdf&lt;/a&gt; (accessed January 02, 2011).&lt;/li&gt;&lt;li&gt;CBC News (2010). &lt;i&gt;Telemarketer hit with $500,000 CRTC fine&lt;/i&gt; [online]. Available from: &lt;a href="http://www.cbc.ca/money/story/2010/12/17/crtc-xentel-do-not-call-penalty.html"&gt;http://www.cbc.ca/money/story/2010/12/17/crtc-xentel-do-not-call-penalty.html&lt;/a&gt; (accessed January 02, 2011).&lt;/li&gt;&lt;li&gt;CBC News (2010). &lt;i&gt;Bell fined $1.3M for breaking do-not-call rules&lt;/i&gt; [online]. Available from: &lt;a href="http://www.cbc.ca/technology/story/2010/12/20/do-not-call-fine.html"&gt;http://www.cbc.ca/technology/story/2010/12/20/do-not-call-fine.html&lt;/a&gt; (accessed January 02, 2011).&lt;/li&gt;&lt;li&gt;Industry Canada (2005), &lt;i&gt;Stopping Spam&lt;/i&gt; [online]. Available from: &lt;a href="http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/vwapj/stopping_spam_May2005.pdf/$file/stopping_spam_May2005.pdf"&gt;http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/vwapj/stopping_spam_May2005.pdf/$file/stopping_spam_May2005.pdf&lt;/a&gt; (accessed January 02, 2011).&lt;/li&gt;&lt;li&gt;Industry Canada (2009), &lt;i&gt;Policy Development and Harmonization&lt;/i&gt; [online]. Available from: &lt;a href="http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00483.html"&gt;http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00483.html&lt;/a&gt; (accessed January 02, 2011).&lt;/li&gt;&lt;li&gt;Miller, Gerry et al (1999). &lt;i&gt;Regulation of the Internet: A Technological Perspective&lt;/i&gt; [online]. Available from: &lt;a href="http://www.ic.gc.ca/eic/site/smt-gst.nsf/vwapj/005082_e.pdf/$FILE/005082_e.pdf"&gt;http://www.ic.gc.ca/eic/site/smt-gst.nsf/vwapj/005082_e.pdf/$FILE/005082_e.pdf&lt;/a&gt; (accessed January 02, 2011).&lt;/li&gt;&lt;li&gt;Office of the Privacy Commissioner of Canada (2005), &lt;i&gt;Complying with the Personal Information Protection and Electronic Documents Act&lt;/i&gt; [online]. Available from: &lt;a href="http://www.priv.gc.ca/fs-fi/02_05_d_16_e.cfm"&gt;http://www.priv.gc.ca/fs-fi/02_05_d_16_e.cfm&lt;/a&gt; (accessed January 02, 2011).&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/765769950308559607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2011/01/security-spam-and-internet-governance.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/765769950308559607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/765769950308559607'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2011/01/security-spam-and-internet-governance.html' title='Security, Spam and Internet Governance 
Challenges in Canada'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-5225984799299251316</id><published>2010-12-24T17:34:00.003-05:00</published><updated>2010-12-24T17:46:22.324-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Incident'/><category scheme='http://www.blogger.com/atom/ns#' term='Responsibility'/><category scheme='http://www.blogger.com/atom/ns#' term='Monitor'/><category scheme='http://www.blogger.com/atom/ns#' term='System'/><title type='text'>Merry Christmas and a Happy New Year</title><content type='html'>&lt;img border="0" src="http://2.bp.blogspot.com/_pFp7JITh16U/TRUfkD10mbI/AAAAAAAAO4k/FHKwh_tZR7Y/s640/incident.png" width="520" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-5225984799299251316?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/5225984799299251316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/12/happy-and-secure-christmas-and-new-year.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5225984799299251316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5225984799299251316'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/12/happy-and-secure-christmas-and-new-year.html' title='Merry Christmas and 
a Happy New Year'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_pFp7JITh16U/TRUfkD10mbI/AAAAAAAAO4k/FHKwh_tZR7Y/s72-c/incident.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-3419376456231713428</id><published>2010-12-19T14:25:00.000-05:00</published><updated>2010-12-19T14:25:36.403-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Act'/><category scheme='http://www.blogger.com/atom/ns#' term='Data'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Ownership'/><category scheme='http://www.blogger.com/atom/ns#' term='Law'/><title type='text'>Who Owns Our Data?</title><content type='html'>When considering the ownership of information about a person, we need to consider a number of factors. Initially, we need to establish who generated the information, as this will affect the entitlement to store and access the information. For example, a Social Insurance Number (SIN) is generated by Service Canada when a person is born or immigrates to Canada; therefore there is a legitimate business need for Service Canada to store the information in its database. On the other hand, if the information was generated by a different entity (even the person themselves), it is questionable whether the government has a legitimate need to access that information. 
Although the legal complexity increases as technology advances and more and more information is stored, in the majority of countries the ownership of the data is governed by a law or a privacy act.&lt;br /&gt;However, as mentioned by Jones, Dardick, Davies, Sutherland and Valli (2009), “there has also been an increasing trend in the use of the same computer to process and store both the organisation’s and the individuals personal information”; therefore, in a corporate environment the lines are more blurry. For example, if a person uses corporate resources to send and receive Email messages containing private information, does the organization have a potential entitlement to the information? &lt;br /&gt;To thoroughly examine the complexity of data ownership, consider the following scenario. An employee is required to provide medical, credit and personal (previous employment, skills, etc.) information prior to employment. Then, the employer generates information about the employee such as salary, weekly utilization and &lt;span lang="en-CA"&gt;performance measurement. Finally, during the employment the employee generates information such as documents, software code, ideas and thoughts, which could be owned by the organization or by the employee. The last case is usually covered by an employment contract, but the other cases are not always defined by a contract or applicable legislation.&lt;/span&gt;&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;College, Mitchell A. 2010. "Disclosure and Secrecy in Employee Monitoring." &lt;i&gt;Journal of Management Accounting Research&lt;/i&gt; 22, 187-208. &lt;i&gt;Business Source Premier&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 19, 2010).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Jones, Andy, Glenn S. Dardick, Gareth Davies, Iain Sutherland, and Craig Valli. 2009. 
"The 2008 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market." &lt;i&gt;Journal of International Commercial Law &amp;amp; Technology&lt;/i&gt; 4, no. 3: 162-175. &lt;i&gt;Academic Search Complete&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 19, 2010).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Yekhanin, Sergey. 2010. "Private Information Retrieval." &lt;i&gt;Communications of the ACM&lt;/i&gt; 53, no. 4: 68-73. &lt;i&gt;Business Source Premier&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 19, 2010).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-3419376456231713428?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/3419376456231713428/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/12/who-owns-our-data.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3419376456231713428'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3419376456231713428'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/12/who-owns-our-data.html' title='Who Owns Our Data?'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6104596569521797634</id><published>2010-12-13T10:53:00.000-05:00</published><updated>2010-12-14T10:59:02.792-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Canada'/><category scheme='http://www.blogger.com/atom/ns#' term='PIPEDA'/><category scheme='http://www.blogger.com/atom/ns#' term='Information'/><category scheme='http://www.blogger.com/atom/ns#' term='Act'/><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><category scheme='http://www.blogger.com/atom/ns#' term='Leakage'/><category scheme='http://www.blogger.com/atom/ns#' term='Data'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Law'/><title type='text'>Privacy and Data Protection Laws in Canada</title><content type='html'>Garrie and Wong (2010) state that “users of social networking sites (SNS) and platforms are realising that their personal information, given for what was believed to be a “limited purpose”, has been hijacked, sold, repackaged, misused, abused and otherwise laid bare to the world”; therefore it is imperative that data protection frameworks are established by the government to protect the personal information of its citizens.&lt;br /&gt;On a federal level, Canada has two privacy laws: the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. 
On a provincial level, laws such as the Personal Health Information Protection Act (Ontario), the Freedom of Information and Protection of Privacy Act (Ontario), the Personal Information Protection Act (Alberta) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec) were declared by the federal Governor.&lt;br /&gt;PIPEDA applies to private and public sector organisations “who collect, use or disclose personal information in the course of commercial activities” (Treasury Board of Canada Secretariat, 2003). The act, which became law in 2004, is divided into five parts and covers information about an identifiable individual, including personal health information. The act establishes ground rules for the collection, exchange and disclosure of the information it covers. The Office of the Privacy Commissioner of Canada (2005) summarizes PIPEDA as follows:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;If your business wants to collect, use or disclose personal information about people, you need their consent, except in a few specific and limited circumstances. &lt;/li&gt;&lt;li&gt;You can use or disclose people's personal information only for the purpose for which they gave consent. &lt;/li&gt;&lt;li&gt;Even with consent, you have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances. &lt;/li&gt;&lt;li&gt;Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies. 
&lt;/li&gt;&lt;li&gt;There's oversight, through the Privacy Commissioner of Canada, to ensure that the law is respected, and redress if people's rights are violated.&lt;/li&gt;&lt;/ul&gt;&lt;span lang="en-CA"&gt;The main difference between PIPEDA and the Privacy Act is that &lt;i&gt;PIPEDA&lt;/i&gt; is a &lt;i&gt;consent-based&lt;/i&gt; act, meaning that you must have consent to collect, use or disclose information. The &lt;i&gt;Privacy Act&lt;/i&gt; is &lt;i&gt;authority-based&lt;/i&gt;, meaning that you must ensure that you have the legal authority to collect, use or disclose information (Treasury Board of Canada Secretariat, 2003).&lt;/span&gt;&lt;br /&gt;&lt;span lang="en-CA"&gt;While the majority of legislative bodies are still playing “catch up” (Garrie and Wong, 2010), the Office of the Privacy Commissioner of Canada (OPCC) is proactively looking into technologies, and the use of these technologies, with potential privacy concerns. For example, a number of studies have been conducted to identify privacy issues related to the use of RFID and street-level imaging technology (i.e. 
Google Earth), as well as the use of credit card numbers and social networking sites. Furthermore, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint against Facebook Inc. for noncompliance with PIPEDA. According to Denham (2009), the central issue in the investigation was “whether Facebook was providing a sufficient knowledge basis for meaningful consent by documenting purposes for collecting, using, or disclosing personal information and bringing such purposes to individuals’ attention in a reasonably direct and transparent way”.&lt;/span&gt;&lt;br /&gt;&lt;span lang="en-CA"&gt;Furthermore, Kong (2010) notes that “after assessing the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, the European Commission deems the transfer of data to Canadian transferees subject to this Act legal”, which results in additional business opportunities between the EU and Canada.&lt;/span&gt;&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Austin, Lisa M. 2006. "Reviewing PIPEDA: Control, Privacy and the Limits of Fair Information Practices." &lt;i&gt;Canadian Business Law Journal&lt;/i&gt; 44, no. 1: 21-53. &lt;i&gt;Business Source Premier&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 12, 2010).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;span style="font-style: normal;"&gt;Daniel B. Garrie and Rebecca Wong (2010), &lt;/span&gt;&lt;i&gt;Social networking: opening the floodgates to "personal data"&lt;/i&gt;&lt;span style="font-style: normal;"&gt;. 
Computer and Telecommunications Law Review  2010, 16(6), p167-175.&lt;/span&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Elizabeth Denham (2009), &lt;/span&gt;&lt;/span&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act&lt;/i&gt;&lt;/span&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; [online]. Office of &lt;/span&gt;&lt;/span&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;Privacy Commissioner of Canada.&lt;/i&gt;&lt;/span&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; Available from: &lt;a href="http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm"&gt;http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm&lt;/a&gt; (accessed December 12, 2010).&lt;/span&gt;&lt;/span&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;span style="font-style: normal;"&gt;Lingjie Kong (2010),&lt;/span&gt;&lt;i&gt; Data protection and transborder data flow in the European and global context&lt;/i&gt;&lt;span style="font-style: normal;"&gt;. European Journal of International Law 2010, 21(2), p441-456.&lt;/span&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Office of the Privacy Commissioner of Canada (2005), &lt;/span&gt;&lt;/span&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;Complying with the &lt;/i&gt;&lt;/span&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;Personal Information Protection and Electronic Documents Act&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; [online]. 
Available from: &lt;a href="http://www.priv.gc.ca/fs-fi/02_05_d_16_e.cfm"&gt;http://www.priv.gc.ca/fs-fi/02_05_d_16_e.cfm&lt;/a&gt; (accessed December 12, 2010).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Office of the Privacy Commissioner of Canada (2006), &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;RFID Technology&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; [online]. Available from: &lt;a href="http://www.priv.gc.ca/fs-fi/02_05_d_28_e.cfm"&gt;http://www.priv.gc.ca/fs-fi/02_05_d_28_e.cfm&lt;/a&gt; (accessed December 12, 2010).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Office of the Privacy Commissioner of Canada (2009), &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;Captured on Camera - Street-level imaging technology, the Internet and you&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; [online]. Available from: &lt;a href="http://www.priv.gc.ca/fs-fi/02_05_d_39_prov_e.cfm"&gt;http://www.priv.gc.ca/fs-fi/02_05_d_39_prov_e.cfm&lt;/a&gt; (accessed December 12, 2010).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt;Office of the Privacy Commissioner of Canada (2009), &lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;Truncated Credit Card Numbers - Why stores should print only partial credit card information on customer receipts&lt;/i&gt;&lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span lang="en-CA"&gt;&lt;span style="font-style: normal;"&gt; [online]. 
Available from: &lt;a href="http://www.priv.gc.ca/fs-fi/02_05_d_44_tcc_e.cfm"&gt;http://www.priv.gc.ca/fs-fi/02_05_d_44_tcc_e.cfm&lt;/a&gt; (accessed December 12, 2010).&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Rivkin, Jennifer. 2005. "What's a Pipeda?." &lt;i&gt;Profit&lt;/i&gt; 24, no. 2: 11. &lt;i&gt;Business Source Premier&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 12, 2010).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;&lt;span lang="en-CA"&gt;Treasury Board of Canada Secretariat (2003), &lt;/span&gt;&lt;span lang="en-CA"&gt;&lt;i&gt;Personal Information Protection and Electronic Documents Act&lt;/i&gt;&lt;/span&gt;&lt;span lang="en-CA"&gt; [online]. Available from: &lt;a href="http://www.tbs-sct.gc.ca/pgol-pged/piatp-pfefvp/course1/mod2/mod2-3-eng.asp"&gt;http://www.tbs-sct.gc.ca/pgol-pged/piatp-pfefvp/course1/mod2/mod2-3-eng.asp&lt;/a&gt; (accessed December 12, 2010).&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-6104596569521797634?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6104596569521797634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/12/privacy-and-data-protection-laws-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6104596569521797634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6104596569521797634'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/12/privacy-and-data-protection-laws-in.html' title='Privacy and Data Protection Laws in Canada'/><author><name>John 
Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-8196326666281432919</id><published>2010-12-12T14:44:00.000-05:00</published><updated>2010-12-12T14:44:04.084-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Filtering'/><category scheme='http://www.blogger.com/atom/ns#' term='URL'/><category scheme='http://www.blogger.com/atom/ns#' term='Protection'/><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Spam'/><category scheme='http://www.blogger.com/atom/ns#' term='Anti Virus'/><category scheme='http://www.blogger.com/atom/ns#' term='Consumer'/><category scheme='http://www.blogger.com/atom/ns#' term='Disk'/><category scheme='http://www.blogger.com/atom/ns#' term='Data'/><category scheme='http://www.blogger.com/atom/ns#' term='Leakage'/><category scheme='http://www.blogger.com/atom/ns#' term='Update'/><category scheme='http://www.blogger.com/atom/ns#' term='Mail'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><category scheme='http://www.blogger.com/atom/ns#' term='Patch'/><title type='text'>Data Protection – For the Rich Only?</title><content type='html'>“Preventing improper information leaks is a greatest challenge of the modern society” state Aldini and Alessandra (2008). There are virtually countless ways (channels) through which sensitive data can be leaked. 
First, there is the question of intent: data leakage could be intentional, for example through a disgruntled employee who wishes to take a “souvenir” home, or unintentional, as a result of a simple misunderstanding of security best practices. Then, the technical and business environment should be evaluated and assessed to determine the most efficient and cost-effective way to safeguard the data. &lt;br /&gt;When discussing data leakage and protection in the consumer market, the boundaries between intentional and unintentional data leakage blur. Security-aware consumers do not disclose information such as credit card numbers, bank accounts and birth dates publicly; therefore it is safe to assume that such information is published either as a result of a lack of understanding of security best practices or through malicious information theft.&lt;br /&gt;Chichowski (2010) notes seven technologies that could prevent or limit data leakage for small and medium businesses. These include hosted Email security, Web/URL filtering, anti-malware software, patch management and whole disk encryption. Google (2010) provides a similar checklist consisting of eighteen items to make sure information is secure. Based on the Pareto principle, by implementing those technologies a consumer could reduce the overall risk of data leakage by 80%. The question arises: are these technologies for the rich only?&lt;br /&gt;Instead of using locally installed E-mail security software which is capable of filtering spam, detecting phishing attacks and scanning for viruses, a consumer could use web-based Email accounts such as Google, Live and Yahoo, which provide different levels of security. For example, Google Mail provides all of the above mentioned capabilities in addition to free storage space. &lt;br /&gt;A number of security software vendors, including segment leaders such as Symantec and Kaspersky, offer free anti-malware scans capable of detecting “viruses, Trojans, Spyware or other malicious codes” (Kaspersky, 2010). 
In addition, free security software such as McAfee SiteAdvisor and AVG LinkScanner allows users to check the reputation of each website before opening it in a browser.&lt;br /&gt;Today, update or patch management technologies are an integral part of operating systems and consumer applications. For example, Microsoft Windows 7, Ubuntu and Mac OS X all come with a built-in update manager, which informs the user when security and regular updates become available. On Ubuntu, the patch management software updates applications managed by the operating system such as OpenOffice, the Firefox Web Browser and Adobe Reader. &lt;br /&gt;Full disk encryption technology is intended to provide last-resort protection in case a laptop or a desktop is stolen. Encrypting the data stored on non-volatile memory devices such as a hard drive, solid state disk or removable USB device prevents malicious users from accessing the stored information. In addition to corporate solutions such as PGP Full Disk Encryption, McAfee Endpoint Encryption and Check Point Full Disk Encryption, there are a number of free applications capable of protecting stored data: Microsoft BitLocker Drive Encryption and TrueCrypt.&lt;br /&gt;It is evident that security-aware businesses and consumers have a wealth of options when it comes to technological solutions to protect sensitive or personal information. According to AVG Technologies (2010), only “46% of identity theft victims installed antivirus, anti-spyware, or a firewall on their computer after their loss”; therefore the main problem lies in the security awareness of the users rather than in the availability or cost of data leakage prevention solutions. While in large enterprises the Chief Information Security Officer (CISO) is required to provide internal employees with a security awareness program, the question that remains open is: who is responsible for educating the end user when it comes to the consumer market? 
&lt;br /&gt;&lt;h1 class="western"&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Aldini, Alessandro, and Alessandra Pierro. 2008. "Estimating the maximum information leakage." &lt;i&gt;International Journal of Information Security&lt;/i&gt; 7, no. 3: 219-242. &lt;i&gt;Business Source Premier&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 12, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;AVG Technologies (2010), &lt;i&gt;AVG LinkScanner&lt;/i&gt; [online]. Available from: &lt;a href="http://linkscanner.avg.com/"&gt;http://linkscanner.avg.com/&lt;/a&gt; (accessed December 12, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Chichowski, Ericka. 2010. "Sound the Alarm." &lt;i&gt;Entrepreneur&lt;/i&gt; 38, no. 6: 54-59. &lt;i&gt;Business Source Premier&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 12, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Google (2010), &lt;i&gt;Gmail Security Checklist&lt;/i&gt; [online]. Available from: &lt;a href="http://mail.google.com/support/bin/static.py?hl=en&amp;amp;page=checklist.cs&amp;amp;tab=29488&amp;amp;ctx=share"&gt;http://mail.google.com/support/bin/static.py?hl=en&amp;amp;page=checklist.cs&amp;amp;tab=29488&amp;amp;ctx=share&lt;/a&gt; (accessed December 12, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Kaspersky (2010), &lt;i&gt;Free Virus Scan&lt;/i&gt; [online]. 
Available from: &lt;a href="http://www.kaspersky.com/virusscanner"&gt;http://www.kaspersky.com/virusscanner&lt;/a&gt; (accessed December 12, 2010).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-8196326666281432919?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/8196326666281432919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/12/data-protection-for-rich-only.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/8196326666281432919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/8196326666281432919'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/12/data-protection-for-rich-only.html' title='Data Protection – For the Rich Only?'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-2348023869268463859</id><published>2010-12-11T08:53:00.000-05:00</published><updated>2010-12-11T08:53:31.400-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Ethical'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Sensitive'/><category scheme='http://www.blogger.com/atom/ns#' term='Data'/><category scheme='http://www.blogger.com/atom/ns#' term='Accurate'/><category scheme='http://www.blogger.com/atom/ns#' term='Ownership'/><category scheme='http://www.blogger.com/atom/ns#' term='Consistent'/><title type='text'>Security and Ethical Impact of Technological Advancement</title><content type='html'>The advancement of computer technologies provides us with ever-changing capabilities such as fast Internet access, larger storage capacity, mobile computing, electronic financial transactions, smaller and faster processors, cloud-based computing and virtualisation. Those in turn are utilised by consumers and businesses to expand their operations into previously unattainable domains. For example, in the banking sector computing resources are used for tasks such as calculating risk factors and facilitating monetary transactions. Complex models that once took hours to update can now be modified within seconds, and transactions which used to take days are now instantaneous. Another example is that “Cloud infrastructure can save 40% to 50% in up-front costs, allowing pricing model flexibility, including paying per use, low or no up-front costs, no minimum spent and no long term commitment” (Tisnovsky, 2010). &lt;br /&gt;Cloud computing is one of the fastest growing technological and business segments in the IT industry. Both individuals and enterprises are questioning the controls in place to safeguard information stored outside the “secure” corporate boundaries. Subashini et al. (2010) note that “security is one of the major issues which reduces the growth of cloud computing and complications with data privacy and data protection continue to plague the market.”&lt;br /&gt;Additional concerns are privacy and compliance issues, especially for international enterprises. 
Different privacy acts and regulations require companies to safeguard their data and restrict its migration to different geographical locations. In addition to that, different countries and regions have different security standards and compliance models (such as GLBA, HIPAA, SOX and PCI) which organizations are required to comply with; therefore it is imperative that those aspects are reviewed and addressed. According to recent statistics published by Ernst &amp;amp; Young (2009), “Only 34% of polled entities indicated they had an established response and management process in regards to privacy related incidents, while 32% have a documented inventory of assets covered by privacy requirements”.&lt;br /&gt;Furthermore, ownership and control are additional issues which companies are concerned about when discussing the implementation of Cloud-based computing. Legal issues in data ownership and the lack of complete control over access to the stored information cause difficulties for organisations, manifesting themselves in a number of security-related issues, such as backup and disaster recovery. Ross Tisnovsky (2010) notes that “customers need formal contractual clauses to ensure data remains available if the supplier goes out of business or is acquired and for data redundancy across multiple sites”.&lt;br /&gt;Finally, the consistency and accuracy of the information should be considered when migrating sensitive data to Cloud-based infrastructure. For example, the Data Protection Act (DPA) 1998 requires entities to review the information stored for accuracy. 
When factoring in the issues discussed previously, such as ownership of the information and control over the information, a process for ensuring the accuracy and consistency of the information stored should be considered and, in some cases, be part of the contractual obligation with the service provider.&lt;br /&gt;Given the advantages Cloud-based computing offers, enterprises must ensure that data and application migration follow security best practices and standards such as the Open Web Application Security Project (OWASP) “Cloud Top 10 Security Risks” and “Security Guidance for Critical Areas of Focus in Cloud Computing” by the Cloud Security Alliance (CSA). Understanding the security and ethical issues, adoption of security frameworks and periodic risk assessments associated with the use of a particular technology will reduce the negative exposure of the enterprise.&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Bodde, D. L. 2004. &lt;i&gt;Intentional Entrepreneur: Bringing Technology And Engineering To The Real New Economy&lt;/i&gt;. M.E. Sharpe.&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Bublitz, Erich. 2010. "Catching The Cloud: Managing Risk When Utilizing Cloud Computing." &lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;National Underwriter / Property &amp;amp; Casualty Risk &amp;amp; Benefits Management&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt; 114, no. 39: 12-16. 
&lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Business Source Premier&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;, EBSCO&lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;host&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt; (accessed December 8, 2010).&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Cloud Security Alliance (2009), &lt;i&gt;Security Guidance for Critical Areas of Focus in Cloud Computing V2.1&lt;/i&gt; [online]. Available from: &lt;a href="http://www.cloudsecurityalliance.org/guidance/csaguide.pdf"&gt;http://www.cloudsecurityalliance.org/guidance/csaguide.pdf&lt;/a&gt; (&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;accessed December 8, 2010).&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Ernst &amp;amp; Young. (2009). &lt;i&gt;Outpacing change. 12th Annual Global Information Survey&lt;/i&gt; [online]. Available from: &lt;a href="http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf"&gt;http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf&lt;/a&gt; (accessed December 8, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Farrell, Rhonda. 2010. "Securing the Cloud-Governance, Risk, and Compliance Issues Reign Supreme." &lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Information Security Journal: A Global Perspective&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt; 19, no. 6: 310-319. 
&lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Business Source Premier&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;, EBSCO&lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;host&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt; (accessed December 8, 2010).&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;OWASP (2010), Cloud Top 10 Security Risks [online]. Available from: &lt;a href="http://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project"&gt;http://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project&lt;/a&gt; (accessed December 8, 2010).&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Subashini, S., and V. Kavitha. "A survey on security issues in service delivery models of cloud computing." &lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Journal of Network &amp;amp; Computer Applications&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt; 34, no. 1 (January 2011): 1-11. &lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;Business Source Premier&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;, EBSCO&lt;/span&gt;&lt;i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt;host&lt;/span&gt;&lt;/i&gt;&lt;span style="background: none repeat scroll 0% 0% transparent;"&gt; (accessed December 8, 2010).&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Tisnovsky, Ross. 2010. "Risks Versus Value in Outsourced Cloud Computing." 
&lt;i&gt;Financial Executive&lt;/i&gt; 26, no. 9: 64-65. &lt;i&gt;Business Source Premier&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 8, 2010).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-2348023869268463859?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/2348023869268463859/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/08/security-and-ethical-impact-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/2348023869268463859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/2348023869268463859'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/08/security-and-ethical-impact-of.html' title='Security and Ethical Impact of Technological Advancement'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4419139178188451916</id><published>2010-12-05T19:47:00.000-05:00</published><updated>2010-12-05T19:47:09.319-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Ethical'/><category scheme='http://www.blogger.com/atom/ns#' term='Rules'/><category scheme='http://www.blogger.com/atom/ns#' term='Conduct'/><category scheme='http://www.blogger.com/atom/ns#' term='Professional'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Responsibility'/><category scheme='http://www.blogger.com/atom/ns#' term='Law'/><title type='text'>Professional Ethics and Responsibility</title><content type='html'>According to Deborah Johnson (2008), the distinction between “guns-for-hire” and professionals is that “guns for hire” will do everything in their capabilities for the price. By contrast, a professional will take responsibility for his or her actions. &lt;br /&gt;In an ideal world, every professional adheres to a core set of values of the profession. Ethical values include the value of human life in medicine, accuracy in auditing, integrity (among others) in the military and safety in engineering. A number of computer ethics bodies, such as the BCS, ACM and IEEE, publish and maintain codes of ethics and conduct, but due to the variability of the computing field it is difficult to define the ethical behaviour of a computing professional.&lt;br /&gt;Since so many non-experts rely on a computer professional's expertise, the computer professional is put in a position of power. Furthermore, the result of work conducted by a computer expert has a direct and indirect impact on the users of the product. “Computer experts generally work either as employees in organizations (including corporations, government agencies, and nongovernmental organizations) or as consultants hired to perform work for clients. Often their employer or client does not have the expertise to understand or evaluate the work being performed” (Deborah Johnson, 2008). &lt;br /&gt;When we consider the role of a company (employer) and the impact of corporate policy and goals on a computer expert, the equation becomes even more complicated. Deborah Johnson (2008) explains that “computer experts might think of themselves as merely agents. They might presume that their client, employer, or supervisor is in charge and the expert’s role is merely to implement the decisions made by those higher up”. 
Furthermore, the role of a computer expert has a direct impact on the way an organization conducts business. Certain roles of a computer professional could have interests that conflict with the business goals. For example, a security consultant should accurately identify security vulnerabilities and provide objective (vendor neutral) recommendations without being compensated for up-selling a service or a hardware solution.&lt;br /&gt;Deborah Johnson (2008) summarizes that “computer experts aren’t just building and manipulating hardware, software, and code; they are building systems that help to achieve important social functions, systems that constitute social arrangements, relationships, institutions, and values.”&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Association for Computing Machinery (1992), &lt;i&gt;ACM Code of Ethics and Professional Conduct&lt;/i&gt; [online]. Available from: &lt;a href="http://www.acm.org/about/code-of-ethics"&gt;http://www.acm.org/about/code-of-ethics&lt;/a&gt; (accessed December 5, 2010).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;British Computing Society (2006), Code of Conduct [online]. Available from: &lt;a href="http://www.bcs.org/server.php?show=nav.6030"&gt;http://www.bcs.org/server.php?show=nav.6030&lt;/a&gt; (accessed December 5, 2010).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Johnson, Deborah G. 2008. "Computing Ethics Computer Experts: Guns-for-Hire or Professionals?." &lt;i&gt;Communications of the ACM&lt;/i&gt; 51, no. 10: 24-26. &lt;i&gt;Business Source Premier&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 5, 2010).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;IEEE (2006), IEEE Code of Ethics [online]. 
Available from: &lt;a href="http://www.ieee.org/membership_services/membership/ethics_code.html"&gt;http://www.ieee.org/membership_services/membership/ethics_code.html&lt;/a&gt; (accessed December 5, 2010).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4419139178188451916?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4419139178188451916/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/12/professional-ethics-and-responsibility.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4419139178188451916'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4419139178188451916'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/12/professional-ethics-and-responsibility.html' title='Professional Ethics and Responsibility'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-1798381345377334664</id><published>2010-12-05T15:03:00.001-05:00</published><updated>2010-12-11T08:54:41.380-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Lingua Franca'/><category scheme='http://www.blogger.com/atom/ns#' term='Forum'/><category scheme='http://www.blogger.com/atom/ns#' term='Evolution'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Language'/><category scheme='http://www.blogger.com/atom/ns#' term='Abbreviation'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet'/><category scheme='http://www.blogger.com/atom/ns#' term='Communication'/><category scheme='http://www.blogger.com/atom/ns#' term='Chat'/><title type='text'>Internet Communication</title><content type='html'>When a language is used by non-native speakers, they tend to simplify it. It is evident that English, as a lingua franca, “a language systematically used to communicate between persons not sharing a mother tongue” (Wikipedia, n.d.), is evolving with the development of new abbreviations and slang, and with an easing of grammatical structure to simplify the language. Bill Templer (2009) notes that “we need a slimmer, sustainable lingua franca specially for trans-cultural working-class communication needs, a kind of 'convivial' English for the Multitude counterposed to English for Empire”.&lt;br /&gt;At the same time, as human beings we are constantly expressing emotions through facial expressions and gestures. In conversation, words as well as body language are used to express our feelings, and in many cases slang is used to convey the message.&lt;br /&gt;A similar process is happening to the language used for online communication. For example, in China “as a result of the rapid development of computer-mediated communication, there has emerged a distinctive variety of Chinese language, which is generally termed Chinese Internet Language” (Gao, Liwei. 2006). English is no exception, and new abbreviations such as LOL (Laughing Out Loud), ROFL (Rolling On Floor Laughing), WILCO (Will Comply), *$ (Starbucks) and W8 (Wait) are widely used in online forums and chat rooms. Furthermore, according to Alla Markh (2004), different communicative situations involve different styles of language. Lexical and stylistic items of one style can be transferred to another style; in other words, those can influence each other to a certain extent. 
For example, in modern English the abbreviation LOL appears not only in the chats it derives from, but also in written and spoken language.&lt;br /&gt;David Crystal (2009) explains that “abbreviations are a natural, intuitive response to a technological problem”. He argues that texters would not be able to use the technology (mobile phones, forums and chats) at all without at least a basic knowledge of the standard English writing system. In addition, the creation of abbreviations and slang should not be attributed to a younger generation influenced by the Internet. For example, the words “wot” (“what”) and “cos” (“because”) are part of the English literary tradition and were used by Charles Dickens and Mark Twain. Furthermore, the fact that those words were given entries in the Oxford English Dictionary in the 19&lt;sup&gt;th&lt;/sup&gt; century demonstrates that the language evolves with time to keep pace with society.&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Crystal, David 2009, &lt;i&gt;Txtng: frNd or foe?&lt;/i&gt; The Linguist, The Threlford Memorial Lecture, 47 (6), 8-11. Available from: &lt;a href="http://www.davidcrystal.com/DC_articles/Internet16.pdf"&gt;http://www.davidcrystal.com/DC_articles/Internet16.pdf&lt;/a&gt; (accessed December 5, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Gao, Liwei. 2006. "Language contact and convergence in computer-mediated communication." &lt;i&gt;World Englishes&lt;/i&gt; 25, no. 2: 299-308. &lt;i&gt;Academic Search Complete&lt;/i&gt;, (accessed December 5, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Markh, Alla (2004), &lt;i&gt;Nonverbal Means of Expressiveness in Internet Communication. 
On the Material of English and Russian Chats.&lt;/i&gt; International Higher School of Practical Physiology.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Netlingo (2010), The List of Chat Acronyms &amp;amp; Text Message Shorthand [online]. Available from: &lt;a href="http://www.netlingo.com/acronyms.php"&gt;http://www.netlingo.com/acronyms.php&lt;/a&gt;  (accessed December 5, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Templer, Bill. 2009. "A Two-Tier Model for a More Simplified and Sustainable English as an International Language." &lt;i&gt;Journal for Critical Education Policy Studies (JCEPS)&lt;/i&gt; 7, no. 2: 187. &lt;i&gt;EDS Foundation Index&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed December 5, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Wikipedia (n.d.), &lt;i&gt;Lingua franca&lt;/i&gt; [online]. Available from:  &lt;a href="http://en.wikipedia.org/wiki/Lingua-franca"&gt;http://en.wikipedia.org/wiki/Lingua-franca&lt;/a&gt; (accessed December 5, 2010).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-1798381345377334664?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/1798381345377334664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/12/communication.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1798381345377334664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1798381345377334664'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/12/communication.html' title='Internet 
Communication'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4787607872983146552</id><published>2010-11-28T12:23:00.002-05:00</published><updated>2010-11-28T22:21:09.226-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Medical'/><category scheme='http://www.blogger.com/atom/ns#' term='Ethical'/><category scheme='http://www.blogger.com/atom/ns#' term='Moral'/><category scheme='http://www.blogger.com/atom/ns#' term='Robotics'/><category scheme='http://www.blogger.com/atom/ns#' term='Language'/><category scheme='http://www.blogger.com/atom/ns#' term='Artificial'/><category scheme='http://www.blogger.com/atom/ns#' term='Sensitive'/><category scheme='http://www.blogger.com/atom/ns#' term='Social'/><category scheme='http://www.blogger.com/atom/ns#' term='Confidencial'/><category scheme='http://www.blogger.com/atom/ns#' term='Law'/><category scheme='http://www.blogger.com/atom/ns#' term='Intelligence'/><category scheme='http://www.blogger.com/atom/ns#' term='Acquisition'/><title type='text'>Benefits and the Perils of Artificial Intelligence</title><content type='html'>Artificial Intelligence is a field of computer science which seeks to build machines that can complete complex tasks without human intervention (Brookshear 2007).&lt;br /&gt;Today, artificial intelligence (AI) is widely used in a number of different domains to support human decision making. Although the intelligence of a decision-making machine is a questionable matter, as such machines could be seen as algorithmic processes, the benefits of utilizing machines to aid our decisions are unquestionable. 
Combining uninterrupted operability, higher computing power and appropriate algorithms, a machine has far superior problem solving ability. Applications include market predictions in the financial sector, weather forecasting and biological simulations in engineering and the exact sciences, as well as the management and medical fields. For example, computers are used in the medical field to process (MRI) images to recognize tumours, or in linguistics to aid understanding of the language acquisition process. Furthermore, artificial intelligence is used by space agencies (NASA) for automated lunar and planetary terrain analysis, and in aviation systems to aid navigation during poor visibility conditions (Zia-ur Rahman et al., 2007).&lt;br /&gt;In many cases, we (humans) are exposed to information which can be considered confidential, sensitive or ethically charged. In those cases, the decision making process includes moral judgements. According to Blay Whitby (2008) “these include systems that give advice on patient care, on social benefit entitlement, and even ethical advice for medical professionals”. Even in more traditional information technology domains, data such as usage statistics analysis could be seen as ethically sensitive and needs to be handled appropriately. 
Therefore, the philosophical debate and the possible development of a moral status for artificial intelligence should be examined carefully.&lt;br /&gt;In 1976, Isaac Asimov proposed the ‘‘three laws of robotics’’, which are considered by some as an “ideal set of rules for such machines” (Susan Leigh Anderson, 2008):&lt;br /&gt;&lt;ol&gt;&lt;li&gt;A robot may not injure a human being, or, through inaction, allow a human being to come to harm.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;A robot must obey the orders given it by human beings except where such orders would conflict with the first law.&lt;br /&gt; &lt;/li&gt;&lt;li&gt;A robot must protect its own existence as long as such protection does not conflict with the first or second law.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;Susan Leigh Anderson (2008) argues that Isaac Asimov's three laws of robotics are “an unsatisfactory basis for machine ethics”. The question of “meta-ethics” and the development of moral judgement in artificial intelligence could be seen as major obstacles that need to be overcome.&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Anderson, Susan Leigh. 2008. "Asimov’s “three laws of robotics” and machine metaethics." &lt;i&gt;AI &amp;amp; Society&lt;/i&gt; 22, no. 4: 477-493. &lt;i&gt;Computers &amp;amp; Applied Sciences Complete&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed November 28, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Bringsjord, Selmer. 2008. "Ethical robots: the future can heed us." &lt;i&gt;AI &amp;amp; Society&lt;/i&gt; 22, no. 4: 539-550. &lt;i&gt;Computers &amp;amp; Applied Sciences Complete&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed November 28, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Brookshear J.G. (2007) &lt;i&gt;Computer Science: An Overview&lt;/i&gt;, (9th Ed). Boston: Pearson Education Inc. 
P452-500&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Whitby, Blay. 2008. "Computing machinery and morality." &lt;i&gt;AI &amp;amp; Society 22&lt;/i&gt;, no. 4: 551-563. &lt;i&gt;Computers &amp;amp; Applied Sciences Complete&lt;/i&gt;, EBSCO&lt;i&gt;host&lt;/i&gt; (accessed November 28, 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Zia-ur Rahman,Daniel J. Jobson, Glenn A. Woodell (2007), &lt;i&gt;Pattern Constancy Demonstration of Retinex/Visual Servo (RVS) Image Processing&lt;/i&gt;, NASA, Available from: &lt;a href="http://dragon.larc.nasa.gov/VIP/pattern_constancy_demonstration_report.pdf"&gt;http://dragon.larc.nasa.gov/VIP/pattern_constancy_demonstration_report.pdf&lt;/a&gt; (accessed November 28, 2010).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4787607872983146552?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4787607872983146552/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/11/benefits-and-perils-of-artificial.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4787607872983146552'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4787607872983146552'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/11/benefits-and-perils-of-artificial.html' title='Benefits and the Perils of Artificial Intelligence'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-5382491596743375153</id><published>2010-11-07T12:40:00.004-05:00</published><updated>2010-11-28T12:43:33.572-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Obfuscation'/><category scheme='http://www.blogger.com/atom/ns#' term='Engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Reverse'/><category scheme='http://www.blogger.com/atom/ns#' term='Interpreted'/><category scheme='http://www.blogger.com/atom/ns#' term='Compiled'/><category scheme='http://www.blogger.com/atom/ns#' term='Interoperability'/><category scheme='http://www.blogger.com/atom/ns#' term='bytecode'/><category scheme='http://www.blogger.com/atom/ns#' term='Code'/><title type='text'>Interpreted vs. Compiled Code</title><content type='html'>Source code needs to be translated from a set of primitives into a language understood by the machine (CPU). A compiled program is translated into machine specific (CPU specific) instructions ahead of time, whereas an interpreted program is reduced to machine instructions at runtime. This has a number of associated weaknesses but also allows certain functionality which cannot be implemented in a compiled program.&lt;br /&gt;Interpreted programs are usually associated with slower runtime because the code needs to be translated at runtime. In addition, it is much more difficult to enforce Intellectual Property rights since the source code needs to be distributed. Both issues were partially solved by programming languages such as Java and C# by translating the code into bytecode, which is in turn executed by a framework such as the Java Virtual Machine. As noted by Peter Haggar (2001), “bytecode is an important part of the size and execution speed of your code”. 
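&lt;br /&gt;As an added illustration of the compile-then-interpret pipeline described above (this is example code written for this page, not code from the post or from Haggar's article), the Python program below compiles a constructed source snippet to bytecode, disassembles it, serializes it the way a .pyc file would, and then executes the bytecode without ever seeing the source text. Python is itself one of the languages implemented both as a compiler and as an interpreter. The sample source, the function names and the magic-number check in load_and_run are all constructed for this example.

```python
"""Added example: Python's compile-then-interpret pipeline.

Source text is compiled to bytecode for a virtual machine, and that
bytecode is then interpreted. This mirrors the Java/C# bytecode model
the post describes, using the Python standard library only.
"""
import dis
import importlib.util
import marshal

# Constructed sample program: the "source code stored in a text file"
# that an interpreter would normally read at run time.
SAMPLE_SOURCE = """
def area(width, height):
    return width * height

result = area(6, 7)
"""


def compile_to_bytecode(source, filename="sample.py"):
    """Step 1: translate source text into a code object (bytecode)."""
    return compile(source, filename, "exec")


def opcode_names(code):
    """Step 2: disassemble, listing the VM instructions the interpreter
    will execute instead of re-parsing the source text."""
    return [instr.opname for instr in dis.get_instructions(code)]


def serialize(code):
    """Step 3: serialize bytecode the way a .pyc file does: a 4-byte magic
    number identifying the interpreter version, then the marshalled code."""
    return importlib.util.MAGIC_NUMBER + marshal.dumps(code)


def load_and_run(blob):
    """Step 4: the 'virtual machine' side. It accepts only bytecode built
    for its own interpreter version, then executes it without the source.
    The blob must come from a trusted, locally produced build (constructed
    check, not a general-purpose loader)."""
    magic, payload = blob[:4], blob[4:]
    if magic != importlib.util.MAGIC_NUMBER:
        raise ValueError("bytecode was compiled for a different interpreter version")
    namespace = {}
    exec(marshal.loads(payload), namespace)
    return namespace["result"]


def demo():
    """Run the whole pipeline and report what a practitioner would check."""
    code = compile_to_bytecode(SAMPLE_SOURCE)
    names = opcode_names(code)
    blob = serialize(code)
    return {
        # The VM reproduces the program's result from bytecode alone.
        "result": load_and_run(blob),
        # The def statement became a MAKE_FUNCTION instruction.
        "defines_function": "MAKE_FUNCTION" in names,
        # The literal source text is not carried inside the bytecode.
        "source_text_present": b"width * height" in blob,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it yields a result of 42, confirms that MAKE_FUNCTION appears in the disassembly, and shows that the literal source text is absent from the serialized bytecode. Two caveats follow from the run: the magic number ties the bytecode to a single interpreter version, which is why Python bytecode is far less portable than the JVM bytecode the post mentions, and bytecode-only distribution is not a confidentiality control, since the disassembly recovers the program's logic, names and constants.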
&lt;br /&gt;On the other hand, interpreted languages allow software developers to do things that cannot be done in a compiled language. For example, since the source code is usually stored in a text file, it can be manipulated by the program during runtime, which allows the program to modify or mutate itself. In addition, interpreted languages are usually associated with an easier software development process since it is not required to recompile the code every time it changes. This feature is particularly useful for operating system (OS) administrators, who often tweak a script executed by the OS itself to suit a specific need, without the recompilation associated with compiled programs. Another benefit of an interpreted language is the interoperability of the developed program or script, since the machine level translation happens at the execution of the program. This is demonstrated by the fact that a program written in C or C++ (usually) requires recompilation for every execution platform while code written in Java does not.&lt;br /&gt;In reality, there is no clear distinction between compiled and interpreted software development languages. According to Wikipedia (n.d.), “Many languages have been implemented using both compilers and interpreters, including Lisp, Pascal, C, BASIC, and Python”; therefore the discussion should focus on a specific implementation of the software development language.&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-CA" style="margin-bottom: 0cm;"&gt;Brookshear J.G. (2007) &lt;i&gt;Computer Science: An Overview&lt;/i&gt;, (9th Ed). Boston: Pearson Education Inc. P273-327&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-CA" style="margin-bottom: 0cm;"&gt;Haggar, P. (2001), &lt;i&gt;Java bytecode: Understanding bytecode makes you a better programmer &lt;/i&gt;[online]. 
Available from: &lt;a href="http://www.ibm.com/developerworks/ibm/library/it-haggar_bytecode/"&gt;http://www.ibm.com/developerworks/ibm/library/it-haggar_bytecode/&lt;/a&gt; (accessed 7 November 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div lang="en-CA" style="margin-bottom: 0cm;"&gt;Wikipedia (n.d.), Interpreted language [online]. Available from: &lt;a href="http://en.wikipedia.org/wiki/Interpreted_language"&gt;http://en.wikipedia.org/wiki/Interpreted_language&lt;/a&gt; (accessed 7 November 2010).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-5382491596743375153?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/5382491596743375153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/11/interpreted-vs-compiled-code.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5382491596743375153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5382491596743375153'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/11/interpreted-vs-compiled-code.html' title='Interpreted vs. 
Compiled Code'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-857389148079157052</id><published>2010-11-07T12:38:00.000-05:00</published><updated>2010-11-28T12:38:55.870-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Programming'/><category scheme='http://www.blogger.com/atom/ns#' term='Object'/><category scheme='http://www.blogger.com/atom/ns#' term='Imperative'/><category scheme='http://www.blogger.com/atom/ns#' term='Structured'/><category scheme='http://www.blogger.com/atom/ns#' term='Oriented'/><category scheme='http://www.blogger.com/atom/ns#' term='Paradigm'/><title type='text'>Structured vs. Object Oriented Paradigm</title><content type='html'>According to K. Hopkins (2001), the structured, or imperative, programming paradigm is built on three fundamental constructs: sequence, decision and repetition. Brookshear (2007) defines the structured programming paradigm as a “programming process to be developed of a sequence of commands that, when followed, manipulate the data to produce the desirable result”. Therefore, it could be summarized as a process of implementing an algorithm as a sequence of commands. The structured programming paradigm suffered from a number of crucial issues such as memory leaks and deep hierarchies.&lt;br /&gt;The object oriented programming paradigm decomposes the system into a collection of objects, each of which is capable of performing functionality related to itself. In addition, objects can interact with one another to create a complex network of relationships to solve the problem at hand. 
The software development process using the object oriented paradigm is described by Mohamed, Ahmed Yakout A.; Hegazy, Abd El Fatah A.; Dawood, Ahmed R. (2010) as a process of orchestrating a data flow between a collection of objects, each manipulating the data to solve the software problem. This, in turn, allows better reuse of objects and decoupling between the classes. A book published by Erich Gamma et al. (sometimes called the “Gang of Four”) describes common programming problems and patterns for solving them, allowing reuse not only of the source code (objects) but of the design patterns as well.&lt;br /&gt;According to Brookshear (2007), the object oriented programming paradigm is based on five key elements: class, abstraction, encapsulation, inheritance, and polymorphism.&lt;ul&gt;&lt;li&gt;A class defines a data object, including characteristics such as attributes and methods or operations. For example, the class &lt;i&gt;Fish&lt;/i&gt; would include attributes such as &lt;i&gt;eyes&lt;/i&gt;, &lt;i&gt;mouth&lt;/i&gt; and &lt;i&gt;fins&lt;/i&gt;, and would be able to perform the following operations/methods: &lt;i&gt;eat&lt;/i&gt; and &lt;i&gt;swim&lt;/i&gt;. &lt;/li&gt;&lt;li&gt;Inheritance is a technique to describe similar yet different class characteristics. For example, the class &lt;i&gt;Mammal&lt;/i&gt; would define attributes such as &lt;i&gt;eyes&lt;/i&gt;, &lt;i&gt;mouth&lt;/i&gt; and &lt;i&gt;limbs&lt;/i&gt; and methods such as &lt;i&gt;eat&lt;/i&gt; and &lt;i&gt;walk&lt;/i&gt;. Then, the class &lt;i&gt;Dog&lt;/i&gt; would inherit all attributes and methods of &lt;i&gt;Mammal&lt;/i&gt; with the addition of specific methods such as &lt;i&gt;bark&lt;/i&gt;. This allows a software designer to reuse already implemented classes and extend them to solve a specific problem.&lt;/li&gt;&lt;li&gt;Abstraction, according to Wikipedia (n.d.), is “the act of representing essential features without including the background details or explanations”. 
&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Encapsulation refers to the ability of a class to conceal or restrict access to certain internal properties or methods. For example, the method &lt;i&gt;bark&lt;/i&gt; could in theory use internal methods to implement its functionality, but those methods are considered private (i.e. accessible only by the object itself).&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Polymorphism allows inheriting objects to alter functionality to suit type-specific behaviour. For example, classes &lt;i&gt;Doberman Pinscher&lt;/i&gt; and &lt;i&gt;German Shepherd&lt;/i&gt;, both inheriting from class &lt;i&gt;Dog&lt;/i&gt;, could override the implementation of the method &lt;i&gt;bark&lt;/i&gt; to match the distinct features of that specific breed.&lt;/li&gt;&lt;/ul&gt;Based on the characteristics of the object oriented paradigm, it could be said that it better reflects the human way of thinking, since each real-world item is represented as an object within the software together with all relevant concepts (implemented as attributes and methods). On the downside, object oriented programming is usually associated with reduced performance and higher memory consumption, since each object has to be instantiated and destroyed at the end of its life cycle.&lt;br /&gt;It is also important to note that new software programming paradigms are constantly being developed. For example, aspect oriented programming is a paradigm “that seeks new modularization of software systems in order to isolate secondary or supporting functions from the main program's business” (Mohamed, Ahmed Yakout A. et al. 2010). According to the aspect oriented programming paradigm, similar concerns or aspects such as error handling, logging and caching should be implemented in separate functional units to solve the issue of code scattering and tangling.&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div lang="en-CA" style="margin-bottom: 0cm;"&gt;Brookshear J.G. 
(2007) &lt;i&gt;Computer Science: An Overview&lt;/i&gt;, (9th Ed). Boston: Pearson Education Inc. p273-311&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span lang="en-CA"&gt;K. Hopkins (2001), &lt;i&gt;How the Structured Programming Paradigm developed&lt;/i&gt; [online]. Available from: &lt;/span&gt;&lt;a href="http://portal.newman.wa.edu.au/technology/12infsys/html/KWH2003/StrucThrmKH.htm"&gt;http://portal.newman.wa.edu.au/technology/12infsys/html/KWH2003/StrucThrmKH.htm&lt;/a&gt;&lt;span lang="en-CA"&gt; (accessed 7 November 2010).&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span lang="en-CA"&gt;Mohamed, Ahmed Yakout A.; Hegazy, Abd El Fatah A.; Dawood, Ahmed R. (2010), &lt;em&gt;Computer &amp;amp; Information Science&lt;/em&gt;, Vol. 3 Issue 3, p256-27&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span lang="en-CA"&gt;Wikipedia (n.d.), &lt;i&gt;Object Oriented Programming&lt;/i&gt; [online]. 
Available from: &lt;/span&gt;&lt;a href="http://en.wikipedia.org/wiki/Object-oriented_programming"&gt;http://en.wikipedia.org/wiki/Object-oriented_programming&lt;/a&gt;&lt;span lang="en-CA"&gt; (accessed 7 November 2010).&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/857389148079157052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/11/structured-vs-object-oriented-paradigm.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/857389148079157052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/857389148079157052'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/11/structured-vs-object-oriented-paradigm.html' title='Structured vs. 
Object Oriented Paradigm'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-5656484147619238476</id><published>2010-10-30T12:10:00.002-04:00</published><updated>2010-11-28T12:28:20.783-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Programming'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Automation'/><category scheme='http://www.blogger.com/atom/ns#' term='Human'/><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><category scheme='http://www.blogger.com/atom/ns#' term='Verification'/><category scheme='http://www.blogger.com/atom/ns#' term='Logic'/><category scheme='http://www.blogger.com/atom/ns#' term='Tunning'/><title type='text'>Software Tunning vs. Verification Process</title><content type='html'>According to Wikipedia (n.d.), performance tuning is the process of “modifying a software system to make some aspect of it work more efficiently or use fewer resources”. This is a distinctly different process from program verification, which is described in Wikipedia (n.d.) as “the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property”. 
The difference could be summarized as the performance versus the functionality of the software. In addition, the program verification process assesses the software under certain preconditions to verify its functionality as per design requirements without changes to the source code, whereas the tuning process modifies the program to better utilize the allocated resources (such as memory and CPU). As a result, both issues will be discussed separately.&lt;br /&gt;The program verification process makes sure that the software functions as per design requirements. This could be verified by inspection of the source code, or by running pre-defined (as per software requirements) test cases. The process is semi-automated by the use of automated testing software (for example, HP WinRunner) to run test case scenarios against the assessed software, but those need to be configured/loaded by a human operator. Recently, due to the rising number of security exploits in applications, software vendors began using automated software capable of assessing the application for flaws leading to security vulnerabilities such as Cross Site Scripting (XSS), Buffer Overflow and Cross Site Request Forgery (CSRF). Although the automated tools are very efficient in running the pre-defined test case scenarios, human interaction is required to define the test cases. 
Furthermore, a number of functional flaws are the result of logical incorrectness and will require assessment by a human capable of understanding the application, as demonstrated by the following code:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;procedure login(user, password)&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;(&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; success &amp;lt;--- true&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; if call authenticate(user, password) = true&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;  then (...)&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;  else (success &amp;lt;--- false)&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; return success&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Courier New,monospace;"&gt;) end procedure&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;The functional requirement of the procedure is to authenticate the user using the provided values. 
Since it is a functional requirement to handle two inputs and provide a Boolean output, it would be fair to assume that an automated tool or an inexperienced assessor will not try to mutate the input to a level causing the &lt;i&gt;authenticate&lt;/i&gt; procedure to fail on line 4, which could under certain conditions result in a successful authentication (the procedure returns the value &lt;i&gt;true&lt;/i&gt;, since &lt;i&gt;success&lt;/i&gt; is initialized to &lt;i&gt;true&lt;/i&gt; on line 3 and only set to &lt;i&gt;false&lt;/i&gt; in the &lt;i&gt;else&lt;/i&gt; branch). Verification of this kind requires not only human understanding of the application but also experience, and therefore will remain a “work of art”.&lt;br /&gt;Performance tuning, on the other hand, can achieve fairly good results using automated tools. Of course, an experienced software architect can make a difference at the design stage by choosing efficient algorithms and implementation technologies, but reusable designs and patterns can compensate for lack of experience. Additional tuning could be achieved by optimization at the source code level and by using an optimizing compiler which relies on different tuning techniques such as loop optimization, common sub-expression elimination and redundant store elimination. 
This could be demonstrated by the following code:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;procedure calculate(a, b)&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;(&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; c &amp;lt;--- 4&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; result &amp;lt;--- (a+b)-(a+b)/4&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; return result&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;) end procedure&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div style="margin-bottom: 0cm;"&gt;Program tuning could be achieved by removing line 3 (the variable &lt;span style="font-family: Courier New,monospace;"&gt;c&lt;/span&gt; is never used) and calculating the expression &lt;span style="font-family: Courier New,monospace;"&gt;a+b&lt;/span&gt; in line 4 only once. 
The result of compiler optimization could be:&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;procedure calculate(a, b)&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt;(&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; c &amp;lt;--- a + b&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; result &amp;lt;--- c - c/4&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;span style="font-family: Courier New,monospace;"&gt; return result&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Courier New,monospace;"&gt;) end procedure&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;Further optimization could be achieved by performing run time optimization, “exceeding the capability of static compilers by dynamically adjusting parameters according to the actual input or other factors” (Wikipedia, n.d.).&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Wikipedia (n.d.), &lt;i&gt;Formal verification&lt;/i&gt; [online]. Available from: &lt;a href="http://en.wikipedia.org/wiki/Program_verification"&gt;http://en.wikipedia.org/wiki/Program_verification&lt;/a&gt; (accessed 30 October 2010).&lt;br /&gt; &lt;/li&gt;&lt;li&gt;Wikipedia (n.d.), &lt;i&gt;Program optimization&lt;/i&gt; [online]. 
Available from: &lt;a href="http://en.wikipedia.org/wiki/Program_optimization"&gt;http://en.wikipedia.org/wiki/Program_optimization&lt;/a&gt; (accessed 30 October 2010).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/5656484147619238476/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/10/software-tunning-vs-verification.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5656484147619238476'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5656484147619238476'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/10/software-tunning-vs-verification.html' title='Software Tunning vs. 
Verification Process'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6978364653804158332</id><published>2010-10-24T12:01:00.000-04:00</published><updated>2010-11-21T12:08:33.145-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network'/><category scheme='http://www.blogger.com/atom/ns#' term='OS'/><category scheme='http://www.blogger.com/atom/ns#' term='Operating'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet'/><category scheme='http://www.blogger.com/atom/ns#' term='System'/><title type='text'>Network as Super Operating System</title><content type='html'>It is unarguable that today many applications are web enabled. Furthermore, more and more offered services are in the cloud, distributed or network aware. Examples of that trend are Google Apps, which is a “Web-based word processor, spreadsheet, presentation, form, and data storage service offered by Google.” (Wikipedia, n.d.), and Amazon Web Services, which provide cloud based services such as Amazon Elastic Compute Cloud, Elastic Load Balancing, Amazon Relational Database Service, Amazon Simple Storage Service and Alexa Web Information Service. Another example is Cloud OS, which according to Good OS (2010) “is a web browser plus operating system, enabling the browser to perform everything that the desktop is able to perform”. The extent of offered services goes well beyond technology based services, as demonstrated by Amazon Mechanical Turk which “enables companies to programmatically access this marketplace and a diverse, on-demand workforce”. 
These services, like countless others, are based on standard and mature protocols such as SOAP, HTTP and XML which allow interoperability between different operating systems and web browsers, so that a heterogeneous environment is not an operational issue. But can the network be seen as a super operating system?&lt;br /&gt;The main obstacle to the network as a “true operating system” is the fact that the network itself is not available everywhere and all the time. For example, a recent (June 30, 2010) statistic published on &lt;a href="http://www.internetworldstats.com/"&gt;www.internetworldstats.com&lt;/a&gt; by Miniwatts Marketing Group (2010) shows that although 77.4 percent of the population in North America are using the Internet, only 10.9 percent of the African population and 21.5 percent of the Asian population have Internet access available. In total, less than a third (only 28.7 percent) of the world population are using the Internet in one way or another.&lt;br /&gt;It cannot be denied that the world is moving towards network enabled, distributed services. Increasing availability of the Internet in the developed countries, technological innovations and the lowering cost of personal computers drive further the penetration of the network for personal and corporate usage. According to Miniwatts Marketing Group (2010), the growth in total Internet users is a staggering 2,357.3 percent in Africa, 1,825.3 percent in the Middle East and 1,032.8 percent in Latin America. Regardless, at the moment the network cannot be seen as a super operating system simply because it is not accessible to the large majority of the world population.&lt;br /&gt;According to Brookshear (2007), “an operating system is the software that controls the overall operation of a computer” which allows users to interact with peripheral devices and the external environment via a set of drivers, utilities and applications. 
The network could be seen as an information exchange medium, connecting a single instance of an operating system and the user to the external environment such as the Intranet and Internet. To some degree, the network can be substituted by different information exchange methods such as removable media (CD, DVD, etc.) and paper printouts, and in many cases those would be the only available methods to exchange information.&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Amazon (n.d.), &lt;i&gt;Amazon Web Service&lt;/i&gt; [online]. Available from: &lt;a href="http://aws.amazon.com/"&gt;http://aws.amazon.com/&lt;/a&gt; (accessed 24 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Brookshear J.G. (2007) &lt;i&gt;Computer Science: An Overview&lt;/i&gt;, (9th Ed). Boston: Pearson Education Inc, p. 136.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Good OS (2010), Good OS – &lt;i&gt;gOS and Cloud Operating Systems&lt;/i&gt; [online]. Available from: &lt;a href="http://www.thinkgos.com/"&gt;http://www.thinkgos.com/&lt;/a&gt; (accessed 24 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Google (n.d.), &lt;i&gt;Google Apps&lt;/i&gt; [online]. Available from: &lt;a href="http://www.google.com/apps/"&gt;http://www.google.com/apps/&lt;/a&gt; (accessed 24 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Miniwatts Marketing Group (2010), &lt;i&gt;World Internet Users and Population Stats&lt;/i&gt; [online]. Available from: &lt;a href="http://www.internetworldstats.com/stats.htm"&gt;http://www.internetworldstats.com/stats.htm&lt;/a&gt; (accessed 24 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Wikipedia (n.d.), &lt;i&gt;Google Docs&lt;/i&gt; [online]. 
Available from: &lt;a href="http://en.wikipedia.org/wiki/Google_Docs"&gt;http://en.wikipedia.org/wiki/Google_Docs&lt;/a&gt; (accessed 24 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6978364653804158332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/10/network-as-super-operating-system.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6978364653804158332'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6978364653804158332'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/10/network-as-super-operating-system.html' title='Network as Super Operating System'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-8561338737896433439</id><published>2010-10-16T15:23:00.003-04:00</published><updated>2010-11-20T15:56:54.901-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ARM'/><category scheme='http://www.blogger.com/atom/ns#' term='CISC'/><category scheme='http://www.blogger.com/atom/ns#' term='Compiler'/><category scheme='http://www.blogger.com/atom/ns#' term='ARC'/><category scheme='http://www.blogger.com/atom/ns#' 
term='DEC'/><category scheme='http://www.blogger.com/atom/ns#' term='VAX'/><category scheme='http://www.blogger.com/atom/ns#' term='Instruction'/><category scheme='http://www.blogger.com/atom/ns#' term='Alpha'/><category scheme='http://www.blogger.com/atom/ns#' term='Programming'/><category scheme='http://www.blogger.com/atom/ns#' term='Sparc'/><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='Language'/><category scheme='http://www.blogger.com/atom/ns#' term='Sun'/><category scheme='http://www.blogger.com/atom/ns#' term='RISC'/><category scheme='http://www.blogger.com/atom/ns#' term='MIPS'/><category scheme='http://www.blogger.com/atom/ns#' term='Intel'/><title type='text'>Comparison of CISC vs. RISC Architecture</title><content type='html'>Both RISC (Reduced Instruction Set Computing) and CISC (Complex Instruction Set Computing) are CPU architectures with different design philosophies. The RISC design principle is based on the idea that it is more efficient to execute a large number of simplified instructions instead of a single complex instruction. One famous example which inspired the RISC architecture philosophy is the DEC VAX index instruction which was, according to John Bayko (2003), 45% to 60% faster when replaced by a number of simple instructions in a loop. As a result of the larger number of instructions, executable programs were more complex and required more main memory space. Examples of CPUs based on the RISC design are DEC Alpha, ARC, ARM, AVR, MIPS, Power, and SPARC.&lt;br /&gt;CISC, on the other hand, is a direct competitor to RISC. It arose from a general lack of main memory to store the large number of instructions needed when executing a program. Instead, a single instruction would result in a number of low level operations such as a memory read, an arithmetic operation and a memory write, resulting in denser code. 
In addition, high level programming languages were not available in the early days of computer history, therefore hardware designers tried to architect a set of complex instructions that would do as much as possible on behalf of compilers. CISC as a term was mainly used in contrast to the RISC architecture and described computer architectures such as the IBM S/370, DEC VAX, Intel x86, and Motorola 680.&lt;br /&gt;The main strengths of the RISC architecture are the number of available registers and the computation speed (of simple instructions). The disadvantage, as noted previously, is a larger code size resulting in higher memory requirements. Although previously the RISC architecture was associated with a more complex development process, this is slowly becoming irrelevant with the introduction of higher level software development languages. Since the RISC architecture excels in higher throughput of arithmetic operations (both integer and floating point), it is more applicable to systems requiring high computing power such as image processing, biological and geographical simulations, and trading applications.&lt;br /&gt;The fundamental advantage of the CISC architecture is denser code which requires fewer accesses to main memory, and although there are constant advancements in RAM technology, both in clock speed and size, main memory is still slower than CPU registers. The disadvantages are a more complex hardware architecture and the need to translate (transcode) even a single simple instruction, which makes CISC processors less efficient than RISC. Based on that, CISC processors are more applicable to the desktop environment where frequent access to main memory is required.&lt;br /&gt;However, according to Gao Y., Tang S. and Ding Z. (n.d.) “In 90's, the trend is migrating toward each other, RISC machines may adopt some traits from CISC, while CISC may also do it vice versa”. 
This is evident in the evolution of the Intel microprocessors which, starting with the Intel Pro family, convert CISC based instructions to micro-ops (RISC instructions).&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;Bayko, J. (2003), &lt;i&gt;Great Microprocessors of the Past and Present (V 13.4.0)&lt;/i&gt; [online]. Available at: &lt;a href="http://www.cpushack.com/CPU/cpu.html"&gt;http://www.cpushack.com/CPU/cpu.html&lt;/a&gt; (accessed on 16 October 2010).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;DeMone P. (2000), &lt;i&gt;RISC vs. CISC Still Matters&lt;/i&gt; [online]. Available at: &lt;a href="http://www.realworldtech.com/page.cfm?ArticleID=RWT021300000000"&gt;http://www.realworldtech.com/page.cfm?ArticleID=RWT021300000000&lt;/a&gt; (accessed on 16 October 2010).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Gao Y., Tang S. and Ding Z. (n.d.), &lt;i&gt;Comparison between CISC and RISC&lt;/i&gt; [online]. Available at: &lt;a href="http://www.cc.gatech.edu/grads/z/Howard.Zhou/micellaneous/gre_cs_sub/risc_cisc.pdf"&gt;http://www.cc.gatech.edu/grads/z/Howard.Zhou/micellaneous/gre_cs_sub/risc_cisc.pdf&lt;/a&gt; (accessed on 16 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Wikipedia (n.d.), &lt;i&gt;Reduced instruction set computing&lt;/i&gt; [online]. Available at: &lt;a href="http://en.wikipedia.org/wiki/Reduced_instruction_set_computing"&gt;http://en.wikipedia.org/wiki/Reduced_instruction_set_computing&lt;/a&gt; (accessed on 16 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Wikipedia (n.d.), &lt;i&gt;Complex instruction set computing&lt;/i&gt; [online]. 
Available at: &lt;a href="http://en.wikipedia.org/wiki/Complex_instruction_set_computer"&gt;http://en.wikipedia.org/wiki/Complex_instruction_set_computer&lt;/a&gt; (accessed on 16 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/8561338737896433439/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/10/comparison-of-cisc-vs-risc-architecture.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/8561338737896433439'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/8561338737896433439'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/10/comparison-of-cisc-vs-risc-architecture.html' title='Comparison of CISC vs. 
RISC Architecture'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-2372354539646161284</id><published>2010-10-15T15:18:00.001-04:00</published><updated>2010-11-20T15:58:01.281-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MRAM'/><category scheme='http://www.blogger.com/atom/ns#' term='PRAM'/><category scheme='http://www.blogger.com/atom/ns#' term='Environment'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Storage'/><category scheme='http://www.blogger.com/atom/ns#' term='Mobile'/><category scheme='http://www.blogger.com/atom/ns#' term='Memory'/><category scheme='http://www.blogger.com/atom/ns#' term='NVN'/><category scheme='http://www.blogger.com/atom/ns#' term='FeRAM'/><category scheme='http://www.blogger.com/atom/ns#' term='Volatile'/><title type='text'>Effects of Development in Non-Volatile Memory Technology</title><content type='html'>According to Wikipedia (n.d.), non-volatile memory, or NVM, is computer memory capable of storing data without a constant power supply. 
Previously, non-volatile memory was associated with rotating hard drives, characterized by slow performance, bulky size and high electricity demand, and with electrically erasable programmable read-only memory (EEPROM), characterized by low density (small storage size) and slow write speeds.&lt;br /&gt;Advances in non-volatile memory technology such as ferroelectric random access memory (FeRAM), phase change random access memory (PRAM), resistive random access memory (RRAM) and magnetoresistive random access memory (MRAM) attempt to “achieve high speed, high density and low cost while incorporating non-volatility with robust endurance and retention characteristics” (Mitchell, 2010). &lt;br /&gt;A number of different opinions exist with regard to the most promising technology. According to Mitchell (2010), MRAM is the most promising of the technologies listed above, while Seong N., Woo, D., and Lee H. (2010) believe that “compared to other non-volatile memory alternatives, PCM is more matured to production, and has a faster read latency and potentially higher storage density”.&lt;br /&gt;The availability of increased memory storage, combined with smaller physical size and more efficient power utilization, will have a direct impact on mobile devices such as Personal Digital Assistants (PDA), smart phones and notebooks, all of which have limited resources including power (battery) and processing capabilities. The fact that mobile devices will be able to store more information while consuming less power will allow system architects to design mobile applications with additional functionality and features, which directly impacts the end user. In addition, it will make data processing and storage more distributed across the broader network. &lt;br /&gt;On the other hand, the availability of non-volatile memory has a direct effect on the security of the data. 
Where previously data was stored in a relatively secure enterprise environment, today it is quite common to find it stored on mobile devices. Furthermore, as noted by Enck W., Butler K., Richardson T., and McDaniel P (2006), “sensitive data written to main memory is now available across system reboots and is vulnerable as the system is suspended”. Techniques to safeguard the data will have to evolve to support hundreds of terabytes of data stored within distributed environments.&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Enck W., Butler K., Richardson T., and McDaniel P (2006), &lt;i&gt;Securing Non-Volatile Main Memory&lt;/i&gt; [online], The Pennsylvania State University. Available at: &lt;span style="color: blue;"&gt;&lt;u&gt;&lt;a href="http://nsrc.cse.psu.edu/tech_report/NAS-TR-0029-2006.pdf" target="_top"&gt;http://nsrc.cse.psu.edu/tech_report/NAS-TR-0029-2006.pdf&lt;/a&gt;&lt;/u&gt;&lt;/span&gt; (accessed on 16 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Mitchell D. 2010, &lt;i&gt;High-performance, Non-volatile Memories&lt;/i&gt; [online], Global Semiconductor Alliance. Available at: &lt;span style="color: blue;"&gt;&lt;u&gt;&lt;a href="http://www.gsaglobal.org/forum/2010/1/articles_everspin.asp" target="_top"&gt;http://www.gsaglobal.org/forum/2010/1/articles_everspin.asp&lt;/a&gt;&lt;/u&gt;&lt;/span&gt; (accessed on 15 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Seong N., Woo, D., and Lee H. (2010), &lt;i&gt;ACM SIGARCH Computer Architecture News (ACM Digital Library)&lt;/i&gt;, June 2010,-394, 12p&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Wikipedia (n.d.), &lt;i&gt;Non-volatile memory&lt;/i&gt; [online]. 
Available at:  &lt;span style="color: blue;"&gt;&lt;u&gt;&lt;a href="http://en.wikipedia.org/wiki/Non-volatile_memory" target="_top"&gt;http://en.wikipedia.org/wiki/Non-volatile_memory&lt;/a&gt;&lt;/u&gt;&lt;/span&gt;  (accessed on 15 October 2010).&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-2372354539646161284?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/2372354539646161284/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/10/effects-of-development-in-non-volatile.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/2372354539646161284'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/2372354539646161284'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/10/effects-of-development-in-non-volatile.html' title='Effects of Development in Non-Volatile Memory Technology'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4829578798375045566</id><published>2010-10-09T23:00:00.000-04:00</published><updated>2010-10-09T23:00:23.319-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='2.0'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='PA 
DSS'/><title type='text'>PCI DSS &amp; PA DSS version 2.0</title><content type='html'>Slowly but surely, PCI (Payment Card Industry) standards are getting more and more mature. As it stands today, the PCI SSC (Security Standards Council) maintains 3 security standards:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Payment Card Industry Data Security Standard (PCI DSS)&lt;/li&gt;&lt;li&gt;Payment Application Data Security Standard (PA DSS)&lt;/li&gt;&lt;li&gt;PIN Transaction Security (PTS)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Those who expected the council to release minor updates of PCI DSS and PA DSS (i.e. version 1.2.1 to version 1.3) and are now dreading the “oh mighty” version 2.0 can rest at ease, as the majority of the changes are no more than clarification and restructuring of the standards.&lt;br /&gt;&lt;br /&gt;The biggest change is to the Approved Scanning Vendor (ASV) program, where vendors who previously could offer simple vulnerability scanning services are now required to adopt a more comprehensive approach. The scanning vendors will be required to educate their employees by going through the PCI SSC training and certification process, work closely with merchants and service providers through remediation and rescanning, and provide their customers with a standardized report and an Attestation of Scanning Compliance (AoSC). Not only that, the vendors are expected to include environment discovery and verification of the scanning scope with the customer. 
From a security standpoint, those are welcome changes...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4829578798375045566?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4829578798375045566/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/10/pci-dss-pa-dss-version-20.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4829578798375045566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4829578798375045566'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/10/pci-dss-pa-dss-version-20.html' title='PCI DSS &amp; PA DSS version 2.0'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-5024116371510517842</id><published>2010-10-08T15:14:00.004-04:00</published><updated>2010-11-20T16:00:38.965-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Future'/><category scheme='http://www.blogger.com/atom/ns#' term='Role'/><category scheme='http://www.blogger.com/atom/ns#' term='Automation'/><category scheme='http://www.blogger.com/atom/ns#' term='Web Application Firewall'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Information'/><category scheme='http://www.blogger.com/atom/ns#' term='Tool'/><category scheme='http://www.blogger.com/atom/ns#' term='Expert'/><title type='text'>Future of the Information Security Expert</title><content type='html'>From the beginning of time, there have been individuals and groups who had something which others desired. The object of desire changed throughout the centuries, reflecting the state and the norms of human society at the time, but there was always a need to safeguard the object of desire.&lt;br /&gt;The association between information and power has existed since Biblical times, and therefore so has the need for information security. One of the means to protect information is encryption, which is defined by the Oxford dictionary as the action to “convert (information or data) into a cipher or code, especially to prevent unauthorized access”. According to Fred Cohen (1995), “cryptography probably began in or around 2000 B.C. in Egypt, where hieroglyphics were used to decorate the tombs of deceased rulers and kings”. Based on that, we can safely assume that the need to protect information, such as intellectual property, financial data and medical records, will remain in the near future. Therefore, the position of information security expert will exist as well, to make sure information remains confidential, accurate and available.&lt;br /&gt;The skill set of the information security expert will have to evolve with the information itself and the methods to store and access the information. For example, where previously information was captured on printed material and storage required physical security, today information security experts are dealing mainly with electronic data. In addition, the methods used to access the information, both legitimate methods and those used by malicious users, will have an impact on the role of the information security expert. For example, the number of attacks conducted through web applications has increased significantly since 2000. 
This is further confirmed by the Cenzic (2008) report, which states that “the percentage of Web application vulnerabilities went up to a staggering 80 percent”. The same could be said about the training required: it will have to evolve to provide information security experts with the required skill set.&lt;br /&gt;Automation of information security will have a major influence on the role of the information security expert. Where previously network-based scans and attacks were conducted manually, today numerous tools such as Nessus, nmap, nCircle and SAINT automate the task. The same trend is happening with web application security. Security tooling is catching up with the industry, providing automated tools to identify (and exploit) web application security vulnerabilities. Naturally, automated tools will have their limitations, and that is where the information security expert will have to fill the gap. As of today, assessments such as analysis of logical application flow cannot be done by a computer, because they require an understanding of the application; that will remain the case until a computer can pass a Turing test.&lt;br /&gt;&lt;h1&gt;Bibliography&lt;/h1&gt;&lt;ul&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Cenzic 2008, &lt;i&gt;Web Application Security Trends Report Q3-Q4, 2008&lt;/i&gt; [online], Available at:&lt;span style="color: #333333;"&gt;&lt;span style="font-family: Arial-BoldMT,sans-serif;"&gt;&lt;span style="font-size: large;"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q3-Q4-2008.pdf"&gt;http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q3-Q4-2008.pdf&lt;/a&gt;  [&lt;span style="color: #363636;"&gt;&lt;span style="font-family: arial,helvetica neue,helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;accessed  October 08, 
2010]&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Cohen F. 1995, &lt;i&gt;A Short History  of Cryptography&lt;/i&gt; [online], Available at:  &lt;a href="http://all.net/books/ip/Chap2-1.html"&gt;http://all.net/books/ip/Chap2-1.html&lt;/a&gt;  [&lt;span style="color: #363636;"&gt;&lt;span style="font-family: arial,helvetica neue,helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;accessed  October 08, 2010]&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="LEFT" style="line-height: 0.55cm; margin-bottom: 0cm; orphans: 2; widows: 2;"&gt;&lt;span style="color: #363636;"&gt;&lt;span style="font-family: arial,helvetica neue,helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;Oxford  Dictionaries. April 2010, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color: #363636;"&gt;&lt;span style="font-family: arial,helvetica neue,helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;i&gt;&lt;span style="font-weight: normal;"&gt;encrypt&lt;/span&gt;&lt;/i&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color: #363636;"&gt;&lt;span style="font-family: arial,helvetica neue,helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;   [online]. Oxford University Press. 
Available at:  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://oxforddictionaries.com/view/entry/m_en_us1244009"&gt;http://oxforddictionaries.com/view/entry/m_en_us1244009&lt;/a&gt;&lt;span style="color: #363636;"&gt;&lt;span style="font-family: arial,helvetica neue,helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;  [accessed October 08, 2010]&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div style="margin-bottom: 0cm;"&gt;Stanford Encyclopedia of  Philosophy 2008, &lt;i&gt;The Turing Test&lt;/i&gt; [online], Available at:  &lt;a href="http://plato.stanford.edu/entries/turing-test/"&gt;http://plato.stanford.edu/entries/turing-test/&lt;/a&gt;  [&lt;span style="color: #363636;"&gt;&lt;span style="font-family: arial,helvetica neue,helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;span style="font-style: normal;"&gt;&lt;span style="font-weight: normal;"&gt;accessed  October 08, 2010]&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="margin-bottom: 0cm;"&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-5024116371510517842?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/5024116371510517842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/10/future-of-information-security-expert.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5024116371510517842'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5024116371510517842'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/10/future-of-information-security-expert.html' title='Future of the Information Security Expert'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-568021933828627948</id><published>2010-04-12T11:16:00.000-04:00</published><updated>2010-04-12T11:16:31.317-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SDLC'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Microsoft Security Development Lifecycle (SDL) - Version 5.0</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_pFp7JITh16U/S8M5RgTBjYI/AAAAAAAAOtY/gH5Y9NGAvAk/s1600/MSSDLC.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_pFp7JITh16U/S8M5RgTBjYI/AAAAAAAAOtY/gH5Y9NGAvAk/s320/MSSDLC.png" /&gt;&lt;/a&gt;&lt;/div&gt;Microsoft has released the fifth version of its Security Development Lifecycle (SDL) document. It provides guidance and illustrates the way Microsoft applies the SDL to its products and technologies. In addition, it includes security and privacy requirements and recommendations for secure software development at Microsoft. 
It addresses SDL guidance for Waterfall and Spiral development, Agile development, web applications and Line of Business applications.&lt;br /&gt;&lt;br /&gt;It can be downloaded from &lt;a href="http://go.microsoft.com/?linkid=9724944"&gt;http://go.microsoft.com/?linkid=9724944&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-568021933828627948?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/568021933828627948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/04/microsoft-security-development.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/568021933828627948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/568021933828627948'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/04/microsoft-security-development.html' title='Microsoft Security Development Lifecycle (SDL) - Version 5.0'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_pFp7JITh16U/S8M5RgTBjYI/AAAAAAAAOtY/gH5Y9NGAvAk/s72-c/MSSDLC.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-5089802406829700830</id><published>2010-04-08T14:12:00.000-04:00</published><updated>2010-04-08T14:12:24.559-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Productivity'/><category scheme='http://www.blogger.com/atom/ns#' term='GNU'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='SSH'/><category scheme='http://www.blogger.com/atom/ns#' term='Screen'/><category scheme='http://www.blogger.com/atom/ns#' term='Ubuntu'/><title type='text'>Screen for more productivity</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_pFp7JITh16U/S74ai7CJw7I/AAAAAAAAOs0/S5X3F_5f6Vo/s1600/Screen_Ubuntu_10.4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="250" src="http://1.bp.blogspot.com/_pFp7JITh16U/S74ai7CJw7I/AAAAAAAAOs0/S5X3F_5f6Vo/s400/Screen_Ubuntu_10.4.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;Today, the majority of people are using Windows, but what I’m going to talk about is Screen.&lt;br /&gt;&lt;br /&gt;Screen is a GNU utility that allows you to use multiple windows (virtual VT100 terminals) in Unix/Linux. Although, if you have console access, you could simply spawn multiple terminals, there are two features I would like to highlight.&lt;br /&gt;&lt;br /&gt;First is the fact that a screen session stays active even when the SSH session is terminated. All processes started in it keep running and can be re-attached once the SSH connection is re-established. Furthermore, since a screen session runs as a separate process rather than a login session, it is more resource efficient.&lt;br /&gt;&lt;br /&gt;In addition, using Screen, it is possible to share processes between multiple users and/or protect a session with a password. For example, you create a screen session and run a command. Another person would be able to list existing screen sessions (screen -ls) and attach a session to their terminal (screen -r). 
Of course, that is not very secure, so it is possible to protect the screen session with the user's password.&lt;br /&gt;&lt;blockquote&gt;jmarkh@ubuntu-01:~$ screen -S nmap&lt;br /&gt;[detached]&lt;br /&gt;jmarkh@ubuntu-01:~$ screen -S nessus&lt;br /&gt;[detached]&lt;br /&gt;jmarkh@ubuntu-01:~$ screen -ls&lt;br /&gt;There are screens on:&lt;br /&gt;15833.nessus    (10-04-08 10:52:20 AM)  (Detached)&lt;br /&gt;15813.nmap      (10-04-08 10:52:10 AM)  (Detached)&lt;br /&gt;15620.pts-0.ubuntu-01   (10-04-08 10:29:38 AM)  (Detached)&lt;br /&gt;3 Sockets in /var/run/screen/S-jmarkh.&lt;/blockquote&gt;Here are some commands/shortcuts that could be used with Screen (&lt;i&gt;note that every screen command begins with Ctrl-a&lt;/i&gt;):&lt;br /&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a c&lt;/td&gt;&lt;td&gt;Create new window (shell)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a k&lt;/td&gt;&lt;td&gt;Kill the current window&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a Ctrl-x&lt;/td&gt;&lt;td&gt;Lock this terminal&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a w&lt;/td&gt;&lt;td&gt;List all windows (the current window is marked with "*")&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a 0-9&lt;/td&gt;&lt;td&gt;Go to a window numbered 0-9&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a n&lt;/td&gt;&lt;td&gt;Go to the next window&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a Ctrl-a&lt;/td&gt;&lt;td&gt;Toggle between the current and previous window&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a [&lt;/td&gt;&lt;td&gt;Start copy mode&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a ]&lt;/td&gt;&lt;td&gt;Paste copied text&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a ?&lt;/td&gt;&lt;td&gt;Help (display a list of commands)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a Ctrl-\&lt;/td&gt;&lt;td&gt;Quit screen&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a D (Shift-d)&lt;/td&gt;&lt;td&gt;Power detach and logout&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ctrl-a 
d&lt;/td&gt;&lt;td&gt;Detach but keep shell window open&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The man pages for screen are quite readable and make a good tutorial.&lt;br /&gt;&lt;blockquote&gt;man screen&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-5089802406829700830?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/5089802406829700830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/04/screen-for-more-productivity.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5089802406829700830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5089802406829700830'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/04/screen-for-more-productivity.html' title='Screen for more productivity'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_pFp7JITh16U/S74ai7CJw7I/AAAAAAAAOs0/S5X3F_5f6Vo/s72-c/Screen_Ubuntu_10.4.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-1140286853748182580</id><published>2010-01-06T06:05:00.000-05:00</published><updated>2010-01-06T06:05:38.602-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='WASC'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Classification'/><category scheme='http://www.blogger.com/atom/ns#' term='Threat'/><category scheme='http://www.blogger.com/atom/ns#' term='Announcement'/><title type='text'>The WASC Threat Classification v2.0 is Out</title><content type='html'>The WASC Threat Classification v2.0 was released two days ago. It is an effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data, or its users.&lt;br /&gt;For more information, see &lt;a href="http://projects.webappsec.org/Threat-Classification"&gt;http://projects.webappsec.org/Threat-Classification&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-1140286853748182580?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/1140286853748182580/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2010/01/wasc-threat-classification-v20-is-out.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1140286853748182580'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/1140286853748182580'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2010/01/wasc-threat-classification-v20-is-out.html' title='The WASC Threat Classification v2.0 is Out'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6254291966093636231</id><published>2009-12-18T07:05:00.001-05:00</published><updated>2009-12-18T07:06:41.808-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='SDP'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><category scheme='http://www.blogger.com/atom/ns#' term='Merchant'/><category scheme='http://www.blogger.com/atom/ns#' term='Level'/><title type='text'>MasterCard SDP Program Changes</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.mastercard.com/common/images/mrk_mastercard.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://www.mastercard.com/common/images/mrk_mastercard.gif" /&gt;&lt;/a&gt;&lt;/div&gt;MasterCard announced new SDP Program changes to drive consistency and quality of Merchant QSA Training in the December 15, 2009 Global Security Bulletin. 
The main change is the fact that from 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.&lt;br/&gt;For more detailed information, please refer to &lt;a href="http://www.mastercard.com/us/sdp/merchants/merchant_levels.html"&gt;http://www.mastercard.com/us/sdp/merchants/merchant_levels.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-6254291966093636231?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6254291966093636231/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/12/mastercard-sdp-program-changes.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6254291966093636231'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6254291966093636231'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/12/mastercard-sdp-program-changes.html' title='MasterCard SDP Program Changes'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6142445868704070924</id><published>2009-12-13T07:47:00.000-05:00</published><updated>2009-12-13T07:47:49.916-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='Ubuntu'/><category scheme='http://www.blogger.com/atom/ns#' term='Backtrack'/><title type='text'>Backtrack Applications for Your Ubuntu</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;div class="separator" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_pFp7JITh16U/SyTdxeqkqbI/AAAAAAAAOjs/nadKXoguO2w/s320/backtrack.jpg" /&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;This post is for those among us who use Ubuntu as their main operating system and would like to install their favourite forensic and/or information security tools.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;The first step is to create a .list file for the Backtrack repository (the redirection has to run with root privileges, so the line is written through sudo tee rather than with a plain shell redirect, which would run as the unprivileged user):&lt;br /&gt;&lt;blockquote&gt;echo "deb http://repo.offensive-security.com/dist/bt4 binary/" | sudo tee /etc/apt/sources.list.d/backtrack.list&lt;/blockquote&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Then, we need to download and import the GPG key:&lt;blockquote&gt;wget http://repo.offensive-security.com/dist/bt4/binary/public-key &amp;amp;&amp;amp; sudo apt-key add public-key&lt;/blockquote&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Finally, update the sources:&lt;blockquote&gt;sudo apt-get update&lt;/blockquote&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Just keep in mind Backtrack is Backtrack and Ubuntu 
is Ubuntu. Don't try to make Backtrack out of Ubuntu.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-6142445868704070924?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6142445868704070924/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/12/backtrack-applications-for-your-ubuntu.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6142445868704070924'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6142445868704070924'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/12/backtrack-applications-for-your-ubuntu.html' title='Backtrack Applications for Your Ubuntu'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_pFp7JITh16U/SyTdxeqkqbI/AAAAAAAAOjs/nadKXoguO2w/s72-c/backtrack.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6465063092700338334</id><published>2009-12-07T09:57:00.000-05:00</published><updated>2009-12-07T09:57:07.169-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Search'/><category scheme='http://www.blogger.com/atom/ns#' term='Ethical'/><category scheme='http://www.blogger.com/atom/ns#' term='SHODAN'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='Egine'/><category scheme='http://www.blogger.com/atom/ns#' term='Fingerprint'/><category scheme='http://www.blogger.com/atom/ns#' term='Vulnerability'/><category scheme='http://www.blogger.com/atom/ns#' term='Penetration'/><category scheme='http://www.blogger.com/atom/ns#' term='Exploit'/><category scheme='http://www.blogger.com/atom/ns#' term='Scan'/><title type='text'>SHODAN - Computer Search Engine</title><content type='html'>&lt;a href="http://shodan.surtri.com/images/shodan_large.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://shodan.surtri.com/images/shodan_large.png" /&gt;&lt;/a&gt;SHODAN is a search engine that allows you to find servers/routers/etc. It scans the Internet and indexes the headers that come back. What this means is that instead of finding an exploit that works on a target system, you can grab any exploit and then find a system vulnerable to it.&lt;br /&gt;&lt;br /&gt;To demonstrate, let us find an FTP server in China with anonymous access. To do that, I typed &lt;i&gt;FTP port:21 country:CN&lt;/i&gt;. 
In response, SHODAN gives a list of systems matching the criteria:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_pFp7JITh16U/Sx0UdGSRjzI/AAAAAAAAOh4/82cO9FLQjQg/s1600-h/SHODANSearchDemo.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_pFp7JITh16U/Sx0UdGSRjzI/AAAAAAAAOh4/82cO9FLQjQg/s320/SHODANSearchDemo.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Running an FTP command with an IP address from the list confirms that the server exists:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_pFp7JITh16U/Sx0U9hm3L_I/AAAAAAAAOiA/ZXPBj4F2-zY/s1600-h/SHODANFTPDemo.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_pFp7JITh16U/Sx0U9hm3L_I/AAAAAAAAOiA/ZXPBj4F2-zY/s320/SHODANFTPDemo.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Please remember that it is &lt;u&gt;illegal&lt;/u&gt; (in most countries) to scan and/or fingerprint a system without proper authorisation from the owner. 
Considering SHODAN's capabilities, one should consider the ethical aspects of "cloud hacking".&lt;br /&gt;&lt;br /&gt;URL: &lt;a href="http://shodan.surtri.com/"&gt;http://shodan.surtri.com/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-6465063092700338334?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6465063092700338334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/12/shodan-computer-search-engine.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6465063092700338334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6465063092700338334'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/12/shodan-computer-search-engine.html' title='SHODAN - Computer Search Engine'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_pFp7JITh16U/Sx0UdGSRjzI/AAAAAAAAOh4/82cO9FLQjQg/s72-c/SHODANSearchDemo.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-7819882342546552017</id><published>2009-12-04T08:21:00.000-05:00</published><updated>2009-12-04T08:21:27.401-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Council'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Webminar'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><title type='text'>PCI SSC "Ask the Council" Webminar</title><content type='html'>This session will offer a brief update on PCI SSC initiatives, followed by a live Q&amp;amp;A session with opportunities to address Bob Russo, PCI SSC General Manager, and other members of the PCI SSC team. The updates will cover:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Community Meeting outcomes&lt;/li&gt;&lt;li&gt;Next steps in the lifecycle process&lt;/li&gt;&lt;li&gt;Recently published Council resources&lt;/li&gt;&lt;/ul&gt;Questions may also be submitted in advance through the online registration tool.&lt;br /&gt;&lt;br /&gt;To register for the Tuesday, December 8, 2009 session, please use the following link:&lt;br /&gt;&lt;a href="http://register.webcastgroup.com/l3/?wid=0801208094997"&gt;http://register.webcastgroup.com/l3/?wid=0801208094997&lt;/a&gt;&lt;br /&gt;To register for the Wednesday, December 9, 2009 session, please use the following link: &lt;a href="http://register.webcastgroup.com/l3/?wid=0801209094998"&gt;http://register.webcastgroup.com/l3/?wid=0801209094998&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The webinars will be recorded and available for download on the Participating Organization’s area of the Council’s Web site for those Participating Organizations who cannot attend any of the sessions.&lt;br /&gt;&lt;br /&gt;For more information, please refer to &lt;a href="https://www.pcisecuritystandards.org/pdfs/pr_091130_open_mic.pdf"&gt;https://www.pcisecuritystandards.org/pdfs/pr_091130_open_mic.pdf&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-7819882342546552017?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/7819882342546552017/comments/default' title='Post Comments'/><link rel='replies' 
type='text/html' href='http://blog.inteliident.com/2009/12/pci-ssc-ask-council-webminar.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/7819882342546552017'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/7819882342546552017'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/12/pci-ssc-ask-council-webminar.html' title='PCI SSC &quot;Ask the Council&quot; Webminar'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-9126634820215377388</id><published>2009-11-20T04:37:00.010-05:00</published><updated>2009-11-20T04:44:53.693-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OWASP'/><category scheme='http://www.blogger.com/atom/ns#' term='Project'/><category scheme='http://www.blogger.com/atom/ns#' term='2010'/><category scheme='http://www.blogger.com/atom/ns#' term='Release Candidate'/><category scheme='http://www.blogger.com/atom/ns#' term='Top 10'/><title type='text'>OWASP Top 10 -2010 RC</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://3.bp.blogspot.com/_pFp7JITh16U/SwZjCMbOZvI/AAAAAAAAOhU/G1_n7lqCgJA/s1600/OWASPLogo.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_pFp7JITh16U/SwZjCMbOZvI/AAAAAAAAOhU/G1_n7lqCgJA/s200/OWASPLogo.jpg" yr="true" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;Open Web 
Application Security Project (OWASP), an open-source application security project, has published a release candidate version of the OWASP Top 10 Project for comments and feedback. You can download it from &lt;a href="http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf"&gt;http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf&lt;/a&gt;.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;It was always perceived that the OWASP Top 10 is about the 10 most common weaknesses in web applications; this release makes it clear that the OWASP Top 10 Project is about the top 10 risks. As a result, OWASP reshuffled the order of the items on the list, since it is now based on the estimated risk instead of the frequency of the associated weakness.&lt;br /&gt;In addition, two items were added and two removed:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;ADDED: A6 – Security Misconfiguration&lt;/li&gt;&lt;li&gt;ADDED: A8 – Unvalidated Redirects and Forwards&lt;/li&gt;&lt;li&gt;REMOVED: A3 – Malicious File Execution&lt;/li&gt;&lt;li&gt;REMOVED: A6 – Information Leakage and Improper Error Handling.&lt;/li&gt;&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Please review and contribute your thoughts and comments.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-9126634820215377388?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/9126634820215377388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/11/owasp-top-10-2010-rc.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/9126634820215377388'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7860296597622716401/posts/default/9126634820215377388'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/11/owasp-top-10-2010-rc.html' title='OWASP Top 10 -2010 RC'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_pFp7JITh16U/SwZjCMbOZvI/AAAAAAAAOhU/G1_n7lqCgJA/s72-c/OWASPLogo.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-3131857702352266588</id><published>2009-11-10T05:16:00.001-05:00</published><updated>2009-11-10T05:18:03.068-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='9.10'/><category scheme='http://www.blogger.com/atom/ns#' term='Ubuntu'/><title type='text'>Ubuntu 9.10 Is Out!</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.ubuntu.com/sites/all/themes/ubuntu09/logo.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://www.ubuntu.com/sites/all/themes/ubuntu09/logo.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ubuntu 9.10 (nicknamed Karmic Koala) is out and it has a number of security improvements (over the previous version) that I would like to highlight:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;AppArmor&lt;/b&gt; - AppArmor was introduced earlier than Karmic Koala; in this release, it features an improved parser that uses cache files, 
greatly speeding up initialisation on boot, making it less likely to be switched off by users, and a bunch of additional profiles.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Uncomplicated Firewall&lt;/b&gt; - Another "not new" feature, which now supports filtering by interface and egress filtering.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Non-eXecutable Emulation&lt;/b&gt; - Non-eXecutable (NX) memory protection, also known as eXecute-Disable (XD), can help block many exploits an attacker might run from stack or heap memory. The 32-bit PAE desktop kernel (linux-image-generic-pae) now also provides the PAE mode needed for hardware with the NX CPU feature. For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Blocking Module Loading&lt;/b&gt; - To block the loading of any further modules after boot, the /proc/sys/kernel/modules_disabled one-way sysctl flag now exists to add another layer of protection against attackers loading kernel rootkits.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Position-Independent Executables&lt;/b&gt; - All programs built as Position Independent Executables (PIE) with "-fPIE -pie" (gcc -pie -fPIE) can take advantage of the exec Address Space Layout Randomisation (ASLR). 
This protects against "return-to-text" and generally frustrates memory corruption attacks.&lt;/li&gt;&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;A full list of Ubuntu security features can be found at &lt;a href="https://wiki.ubuntu.com/Security/Features"&gt;https://wiki.ubuntu.com/Security/Features&lt;/a&gt;.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-3131857702352266588?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/3131857702352266588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/11/ubuntu-910-is-out.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3131857702352266588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3131857702352266588'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/11/ubuntu-910-is-out.html' title='Ubuntu 9.10 Is Out!'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4635267098630047790</id><published>2009-10-20T08:12:00.001-04:00</published><updated>2009-10-20T08:17:59.144-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SANS'/><category scheme='http://www.blogger.com/atom/ns#' term='Data Leakage'/><category 
scheme='http://www.blogger.com/atom/ns#' term='SQL Injection'/><category scheme='http://www.blogger.com/atom/ns#' term='OWASP'/><category scheme='http://www.blogger.com/atom/ns#' term='Vulnerability'/><category scheme='http://www.blogger.com/atom/ns#' term='Information'/><title type='text'>Information Disclosure at it Best!</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_pFp7JITh16U/St2nKNR7qDI/AAAAAAAAOfw/nwHyBthJARw/s1600-h/SQLInjection.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_pFp7JITh16U/St2nKNR7qDI/AAAAAAAAOfw/nwHyBthJARw/s320/SQLInjection.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Wanted to share this example of &lt;a href="http://www.owasp.org/index.php/Top_10_2007-A6"&gt;OWASP Top 10 2007-Information Leakage and Improper Error Handling&lt;/a&gt; vulnerability. 
Considering the amount of resources available (&lt;a href="http://www.owasp.org/index.php/Top_10_2007"&gt;OWASP Top 10&lt;/a&gt;, &lt;a href="http://www.sans.org/top25-programming-errors/"&gt;SANS 25&lt;/a&gt;, etc.) freely on the Internet, I am quite surprised to see those appear as often as they do.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4635267098630047790?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4635267098630047790/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/10/information-disclosure-at-it-best.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4635267098630047790'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4635267098630047790'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/10/information-disclosure-at-it-best.html' title='Information Disclosure at it Best!'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_pFp7JITh16U/St2nKNR7qDI/AAAAAAAAOfw/nwHyBthJARw/s72-c/SQLInjection.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-7247125187278755993</id><published>2009-09-29T09:22:00.000-04:00</published><updated>2009-09-29T10:31:59.598-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Anti Virus'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>New Microsoft Security Essentials</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://4.bp.blogspot.com/_pFp7JITh16U/SsINJ4SIFmI/AAAAAAAAOcs/njj2Ch7N5GI/s1600-h/MicrosoftSecurityEssentials.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5386882567666931298" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 350px; CURSOR: hand; HEIGHT: 288px" alt="" src="http://4.bp.blogspot.com/_pFp7JITh16U/SsINJ4SIFmI/AAAAAAAAOcs/njj2Ch7N5GI/s400/MicrosoftSecurityEssentials.jpg" border="0" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Microsoft has announced the launch of the free anti-malware &lt;a href="http://www.microsoft.com/security_essentials/market.aspx"&gt;Security Essentials&lt;/a&gt;. It uses the Dynamic Signature Service, a Microsoft technology that ensures users are protected by the most current virus definitions available without having to wait for the next scheduled download. In addition, it is designed to run quietly in the background and limits CPU and memory usage. 
Unfortunately, it is still in beta and available only to customers in the United States, Israel, China and Brazil.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Although I think that the age of &lt;a href="http://techinfosec.blogspot.com/2007/02/future-of-signature-based-security.html"&gt;"Signature Based" security is over&lt;/a&gt; and the future lies with concepts such as profiling (&lt;a href="http://forge.novell.com/modules/xfmod/project/?apparmor"&gt;AppArmor&lt;/a&gt;), labeling (&lt;a href="http://www.nsa.gov/research/selinux/index.shtml"&gt;SELinux &lt;/a&gt;and &lt;a href="http://www.sun.com/software/solaris/trustedsolaris/"&gt;Solaris Trusted Extensions&lt;/a&gt;) and Mandatory Access Control, it is still a welcome addition to the information security domain.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-7247125187278755993?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/7247125187278755993/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/09/new-microsoft-security-essentials.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/7247125187278755993'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/7247125187278755993'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/09/new-microsoft-security-essentials.html' title='New Microsoft Security Essentials'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_pFp7JITh16U/SsINJ4SIFmI/AAAAAAAAOcs/njj2Ch7N5GI/s72-c/MicrosoftSecurityEssentials.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4208733325504718734</id><published>2009-09-17T13:26:00.000-04:00</published><updated>2009-09-17T13:42:17.826-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SDLC'/><category scheme='http://www.blogger.com/atom/ns#' term='Analyse'/><category scheme='http://www.blogger.com/atom/ns#' term='Fuzz'/><category scheme='http://www.blogger.com/atom/ns#' term='Code Review'/><category scheme='http://www.blogger.com/atom/ns#' term='Flaw'/><category scheme='http://www.blogger.com/atom/ns#' term='Tool'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Source Code'/><title type='text'>Security Development Lifecycle Tools from Microsoft</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://msdn.microsoft.com/en-us/library/ms995349.sdl_01(en-us,MSDN.10).gif"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 89px;" src="http://msdn.microsoft.com/en-us/library/ms995349.sdl_01(en-us,MSDN.10).gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Microsoft has released two additional tools to supplement its secure development life cycle (SDLC) tools portfolio, which includes the well-known &lt;a href="http://techinfosec.blogspot.com/2009/09/antixss-v30.html"&gt;AntiXSS&lt;/a&gt;, FxCop and Cat.NET.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;The BinScope Binary Analyzer is a Microsoft verification tool that 
analyzes binaries to verify that required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Both tools (and others) are available to download for free from the &lt;a href="http://msdn.microsoft.com/en-us/security/cc421514.aspx"&gt;Microsoft Security Development Life cycle Tools Repository&lt;/a&gt;.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4208733325504718734?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4208733325504718734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/09/security-development-lifecycle-tools.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4208733325504718734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4208733325504718734'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/09/security-development-lifecycle-tools.html' title='Security Development Lifecycle Tools from Microsoft'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6941019149718465357</id><published>2009-09-15T14:36:00.001-04:00</published><updated>2009-10-20T08:00:36.306-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='WAF'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Web Application Firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='Code Review'/><category scheme='http://www.blogger.com/atom/ns#' term='Network Firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='Source Code'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>How we protect you... Yeah, how?</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://4.bp.blogspot.com/_pFp7JITh16U/Sq_kdAkqOEI/AAAAAAAAObw/u393kFjiC40/s1600-h/BypassFirewall.png"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5381771266752133186" src="http://lh5.ggpht.com/_pFp7JITh16U/Sq_jGT_sBxI/AAAAAAAAObo/LGZVe00LAPM/s720/BypassFirewall.png" style="float: left; height: 155px; margin: 0px 10px 10px 0px; width: 400px;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Seriously, I don't get it. It is 2009, network firewalls have been here for more than twenty years and people (information security professionals, no more no less!) 
still make those amateur assumptions that they will solve all their security problems.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;I've been reading HSBC's "Security guarantee" on their website (&lt;a href="http://www.offshore.hsbc.com/1/2/international/internet-banking/how-we-protect-you"&gt;http://www.offshore.hsbc.com/1/2/international/internet-banking/how-we-protect-you&lt;/a&gt;), which states that they use the most advanced security systems and software to protect customer accounts, including: &lt;br /&gt;&lt;ul&gt;&lt;li&gt;Combination of user name and password&lt;/li&gt;&lt;li&gt;Encryption (that would be https)&lt;/li&gt;&lt;li&gt;Network firewalls&lt;/li&gt;&lt;li&gt;SSL certificate (that still would be https)&lt;/li&gt;&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Now that is secure, isn't it? Well, no… Since the application has access to the database, a skilled hacker would use encryption to bypass network firewalls (since a firewall cannot inspect encrypted traffic), and the user name/password fields could be used to perform phishing, Cross Site Scripting (XSS) and SQL injection (diagram above).&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;In the year 2009, application security should be on the CISO agenda and network firewalls should be left to network administrators. 
Web applications should be protected by Web Application Firewalls (WAF), by constantly reviewing the source code to detect vulnerabilities and by training software architects and developers.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-6941019149718465357?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6941019149718465357/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/09/how-we-protect-you-yeah-how.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6941019149718465357'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6941019149718465357'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/09/how-we-protect-you-yeah-how.html' title='How we protect you... 
Yeah, how?'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh5.ggpht.com/_pFp7JITh16U/Sq_jGT_sBxI/AAAAAAAAObo/LGZVe00LAPM/s72-c/BypassFirewall.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-2249424137492345552</id><published>2009-09-08T01:07:00.000-04:00</published><updated>2009-09-08T07:35:50.741-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Regulation'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Flash'/><category scheme='http://www.blogger.com/atom/ns#' term='Cookie'/><title type='text'>Flash Cookies - Yammy!</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_pFp7JITh16U/SqXo3fjjMtI/AAAAAAAAOYM/2vuur5veezI/s1600-h/FlashCookiesUncovered.PNG"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 280px;" src="http://4.bp.blogspot.com/_pFp7JITh16U/SqXo3fjjMtI/AAAAAAAAOYM/2vuur5veezI/s400/FlashCookiesUncovered.PNG" alt="" id="BLOGGER_PHOTO_ID_5378961370024981202" border="0" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;For some reason, everybody talks about flash cookies! But those are not much different from the traditional browser cookies we all know and love (to hate). 
The differences are that they are not controlled through the standard "privacy" settings of Internet browsers and they are less known (sadly, even to Information Security specialists).&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;So where do you find those nasties and what to do about them?&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;To find these flash cookies all you have to do is to look for the .sol extension in the following directories:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Windows: Within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.&lt;/li&gt;&lt;li&gt;Mac OS X: ~/Library/Preferences/Macromedia/FlashPlayer. &lt;/li&gt;&lt;li&gt;GNU-Linux: ~/.macromedia&lt;/li&gt;&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;There are a number of alternatives to treat the problem:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Browser extensions (I know of the Better Privacy extension for Firefox)&lt;/li&gt;&lt;li&gt;Schedule a task (using Task Scheduler on Windows or a cron job on Unix/Linux) to remove .sol files&lt;/li&gt;&lt;li&gt;Set access control permissions on the relevant directory to read only&lt;/li&gt;&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;And there is a legal twist to this story as well. 
Apparently, usage of Flash cookies is illegal in the UK according to the &lt;a href="http://www.ico.gov.uk/upload/documents/library/privacy_and_electronic/detailed_specialist_guides/pecr_guidance_part2_1206.pdf"&gt;Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003&lt;/a&gt;: "Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:&lt;br /&gt;* is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and&lt;br /&gt;* is given the opportunity to refuse the storage of, or access to, that information."&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-2249424137492345552?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/2249424137492345552/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/09/flash-cookies-yammy.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/2249424137492345552'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/2249424137492345552'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/09/flash-cookies-yammy.html' title='Flash Cookies - Yammy!'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/_pFp7JITh16U/SqXo3fjjMtI/AAAAAAAAOYM/2vuur5veezI/s72-c/FlashCookiesUncovered.PNG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6925479494686293334</id><published>2009-09-03T01:27:00.000-04:00</published><updated>2009-09-08T01:06:25.518-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ESAPI'/><category scheme='http://www.blogger.com/atom/ns#' term='AntiXSS'/><category scheme='http://www.blogger.com/atom/ns#' term='SRE'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>AntiXSS v3.0</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://blogs.msdn.com/blogfiles/securitytools/WindowsLiveWriter/HtmlSanitizationinAntiXSSlibrary_C5EB/image_2.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 354px; height: 179px;" src="http://blogs.msdn.com/blogfiles/securitytools/WindowsLiveWriter/HtmlSanitizationinAntiXSSlibrary_C5EB/image_2.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;For years, (security-aware) software developers have been using &lt;a href="http://www.owasp.org/index.php/ESAPI"&gt;OWASP ESAPI&lt;/a&gt; (Enterprise Security API) as a security framework to validate input and output in order to prevent Cross Site Scripting (XSS). Although it supports Java, Python, PHP and .NET, among others, only the Java toolkit is mature enough to be used by enterprises in a production environment.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Now .NET users have the &lt;a href="http://antixss.codeplex.com/"&gt;Microsoft Anti-Cross Site Scripting Library&lt;/a&gt; to help protect applications from XSS attacks. 
In addition, enterprises may find the Security Runtime Engine very useful, since it has the ability to protect legacy applications from XSS attacks without having to change too much code.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-6925479494686293334?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6925479494686293334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/09/antixss-v30.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6925479494686293334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6925479494686293334'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/09/antixss-v30.html' title='AntiXSS v3.0'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-3885000346336880982</id><published>2009-08-17T11:08:00.000-04:00</published><updated>2009-08-18T12:37:20.285-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='Information'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Education'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Malicious Facebook application</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://3.bp.blogspot.com/_pFp7JITh16U/SorKuU_xSQI/AAAAAAAAOAU/tQLd3libM6o/s1600-h/FacebookRequest.PNG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5371328402851711234" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 320px; CURSOR: hand; HEIGHT: 150px" alt="" src="http://3.bp.blogspot.com/_pFp7JITh16U/SorKuU_xSQI/AAAAAAAAOAU/tQLd3libM6o/s320/FacebookRequest.PNG" border="0" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Facebook has had its share of the limelight (&lt;a href="http://www.scmagazineuk.com/Warnings-made-over-malicious-Facebook-application/article/146596/"&gt;http://www.scmagazineuk.com/Warnings-made-over-malicious-Facebook-application/article/146596/&lt;/a&gt;) following the bad publicity that hit Twitter previously. The way I see it, Facebook developers can try to develop a more secure application that will make attacks such as these more difficult, but unless people change their attitude towards their own private information, nothing will stop hackers from obtaining it and using it for their own benefit.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;As an organisation that owns the data, you can deploy smart perimeter security devices (Web Application Firewalls, Intrusion Prevention Systems, Network Access Control, Content Inspection, etc.), anti-malware software on your servers, perform rigorous patching and even use behaviour inspection databases. 
But, unless you address the core of the problem, which is the lack of security awareness, and educate users (be they internal employees, software developers or the actual consumers of your services), those measures will have only a limited impact on the level of security.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Now, the real question is &lt;a href="http://techinfosec.blogspot.com/2009/08/whose-responsibility-is-it-anyway.html"&gt;whose responsibility is it, anyway&lt;/a&gt;? As a Facebook user myself, I would expect Facebook to tell me right from wrong...&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-3885000346336880982?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/3885000346336880982/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/08/malicious-facebook-application.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3885000346336880982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/3885000346336880982'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/08/malicious-facebook-application.html' title='Malicious Facebook application'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/_pFp7JITh16U/SorKuU_xSQI/AAAAAAAAOAU/tQLd3libM6o/s72-c/FacebookRequest.PNG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4678402006923537062</id><published>2009-08-15T12:02:00.000-04:00</published><updated>2009-08-18T12:36:11.317-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='Responsibility'/><category scheme='http://www.blogger.com/atom/ns#' term='Data'/><title type='text'>Whose Responsibility is it Anyway?</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://3.bp.blogspot.com/_pFp7JITh16U/SorTaxTXjKI/AAAAAAAAOBA/arUYUxRf4XM/s1600-h/AddCreditCard.PNG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5371337962457369762" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 400px; CURSOR: hand; HEIGHT: 87px" alt="" src="http://3.bp.blogspot.com/_pFp7JITh16U/SorTaxTXjKI/AAAAAAAAOBA/arUYUxRf4XM/s400/AddCreditCard.PNG" border="0" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Yesterday, SC Magazine published an article about PCI DSS compliance responsibility (&lt;a href="http://www.scmagazineuk.com/Whose-responsibility-for-compliance-is-it-anyway/article/146476/"&gt;http://www.scmagazineuk.com/Whose-responsibility-for-compliance-is-it-anyway/article/146476/&lt;/a&gt;) which I found very amusing. Why? Well, how come when you give away something that is dear to you, you don't consider whom you give it to?&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;From a user perspective, if you don't think twice before you give away your private information, you have no one to blame but yourself. 
As a merchant or a service provider, you need to make sure that the information given to you by the end user stays secure throughout the data lifecycle, and if you share it, it has to be with someone who can provide at least the same level of security as you do.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;PCI DSS requirement 12.8 is there to enforce that. Right now, a merchant and/or service provider is not required to use only PCI DSS certified service providers, but it is their responsibility to maintain a register of all third parties that have access to cardholder data, to have a proper contract in place (which includes acknowledgement by the third party of their responsibility for securing cardholder data) and to review the associated risk regularly.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4678402006923537062?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4678402006923537062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/08/whose-responsibility-is-it-anyway.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4678402006923537062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4678402006923537062'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/08/whose-responsibility-is-it-anyway.html' title='Whose Responsibility is it Anyway?'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_pFp7JITh16U/SorTaxTXjKI/AAAAAAAAOBA/arUYUxRf4XM/s72-c/AddCreditCard.PNG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4360688853395477616</id><published>2009-08-05T05:59:00.000-04:00</published><updated>2009-08-18T12:39:46.992-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Review'/><category scheme='http://www.blogger.com/atom/ns#' term='IBM'/><category scheme='http://www.blogger.com/atom/ns#' term='AppScan'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Source Code'/><category scheme='http://www.blogger.com/atom/ns#' term='Ounce Lab'/><category scheme='http://www.blogger.com/atom/ns#' term='Acquisition'/><title type='text'>IBM has announced the acquisition of Ounce Labs</title><content type='html'>IBM has announced the acquisition of Ounce Labs, a provider of enterprise source code security testing (&lt;a href="http://www.scmagazineuk.com/IBM-announces-acquisition-of-Ounce-Labs/article/140881/"&gt;http://www.scmagazineuk.com/IBM-announces-acquisition-of-Ounce-Labs/article/140881/&lt;/a&gt;).&lt;br /&gt;Earlier (I think last year), they acquired AppScan, and now Ounce Labs; although both provide slightly different capabilities (source code security vs. web application vulnerability scanning), it seems that IBM wants either to eliminate the competition or to have a single leading product in the application security space. 
It would be interesting to see how it plays out...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-4360688853395477616?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4360688853395477616/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2009/08/ibm-has-announced-acquisition-of-ounce.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4360688853395477616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4360688853395477616'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2009/08/ibm-has-announced-acquisition-of-ounce.html' title='IBM has announced the acquisition of Ounce Labs'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6015732990296362436</id><published>2007-11-21T13:11:00.000-05:00</published><updated>2007-11-27T13:22:18.516-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Data Leakage'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Technological Means to Prevent Data Leakage</title><content type='html'>Before we dive into the “Geeky Stuff”, let me tell you what this article is not about. 
This article will not detail data leakage prevention policies and procedures, nor will it detail specific vendor solutions.&lt;br /&gt;It will, however, provide a brief overview of the ways data can leak and detail the technological means of protecting yourself from data leakage.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Why is Technology Important?&lt;/span&gt;&lt;br /&gt;Let’s start with a question: what do the following individuals have in common - an underpaid developer in an off-shore software house who sold millions of lines of code to competitors, a well-paid employee who stored client files on his stolen laptop, and an extremely well-paid manager in a governmental organization who decided to post two CDs containing data about millions of British citizens (including dates of birth, addresses and bank accounts)?&lt;br /&gt;The aforementioned cases did not lack a data leakage prevention policy – the organizations did have well-defined data leakage prevention policies and procedures – however, they did lack the technological means to enforce these policies.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Technology without Policy&lt;/span&gt;&lt;br /&gt;Don’t get me wrong, policies are part of my bread and butter. Without well-defined and management-approved policies there is no legitimate reason to have technological tools in the first place. Policies define which of these digital streams are considered sensitive information and who is allowed (or not) to access and handle this information.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Ways to Leak Data are Limitless&lt;/span&gt;&lt;br /&gt;I will assume that our internal network and data storage are as secure as possible. 
In this case, there are only two ways to remove data from our stronghold:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Physical removal (such as a hardcopy, or a softcopy on media such as CD/DVD, USB, etc.)&lt;/li&gt;&lt;li&gt;Electronic means (dial-up, Internet, FTP, SCP and every other existing way to transfer information).&lt;/li&gt;&lt;/ul&gt;From here, there are endless variations of each method.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How to Protect Yourself&lt;/span&gt;&lt;br /&gt;There are many tools and solutions out there, but as I mentioned before, this article will not go into detail on the solutions. There are a number of locations where we can detect the leakage and prevent it:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;1. The Inner Circle&lt;/span&gt;&lt;br /&gt;This is the best place to start. It is very tricky to prevent the physical removal of information, but we can make it really hard for someone to try. So, why not limit access to the data in the first place?&lt;br /&gt;Many solutions exist to tackle this one. In my opinion, Role Based Access Control (RBAC) is the best approach to allow legitimate use of the sensitive information for business purposes while denying access to others.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;2. Everything in Between&lt;/span&gt;&lt;br /&gt;Here is where we need to think about how to prevent data leakage. As I mentioned before, it is no simple task to prevent intentional or accidental leakage of sensitive data.&lt;br /&gt;First, we need to make sure that all hardcopies are destroyed before they leave the premises. For that, we need to make sure that shredders are available and easily accessible.&lt;br /&gt;Second, discontinue the use of writeable CD/DVD drives on your client systems. There is normally no reason for the average user to burn CDs/DVDs. Furthermore, disable USB/FireWire storage and removable media. 
You might want to set up a number of stations where it is possible to write CDs/DVDs; however, limit access to managers or others with higher privileges in order to filter the data leaving the organization.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;3. The Outer Perimeter&lt;/span&gt;&lt;br /&gt;Firewalls are our outer perimeter protectors. Usually, they are configured to block incoming traffic; however, they allow most of the outgoing communication. This is also the best location to place a proxy server that will inspect all the outgoing traffic. Based on predefined rules (that is where the policies come in), a proxy can decide which data can leave the organizational network and what should stay in.&lt;br /&gt;But even in organizations where a proxy is used to scrutinize outbound traffic, there are many additional services that are permitted through the firewall which are not inspected by the proxy. We can use Nmap (nmap -sT -p 0-65535 &amp;lt;host&amp;gt;) to map all the ports authorized through the firewall in order to get an idea of the existing potential areas for data leakage.&lt;br /&gt;The most common way of bypassing proxy inspection is to use an SSH port, which is usually open for administrative tasks. Users can easily tunnel anything they like over SSH. Also, as I mentioned before, just because the default port for SSH is 22, it doesn’t mean SSH cannot run on another port (such as 80 or 443).&lt;br /&gt;Additional methods include DNS or ICMP tunneling. For example, tools such as OzymanDNS, NSTX and DNScat allow tunneling SSH traffic over DNS (and other protocols). In many cases, it is impossible to block the DNS protocol altogether, but you can, for example, use an internal DNS server and allow DNS traffic through the firewall only from that specific server.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;4. 
The Wide Wild West&lt;/span&gt;&lt;br /&gt;In those rare cases when we do need our sensitive data to leave the protective walls of our organization, we need to make sure that the data is sufficiently protected. Believe me, using a ZIP file with the password ‘1234567890’ (and that is a long password) is not considered protection at all. As an alternative, you could use PGP (or GnuPG) to encrypt your files with the recipient(s)' key(s) and then either write the data to CD/DVD or send it using electronic means, such as email or BitTorrent. Even in the case where the CD/DVD is lost, you can sleep soundly, since it is currently impossible to break an RSA 1024-bit key (this is the minimum standard for today’s encryption).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;Introducing a good set of organizational Data Leakage Prevention policies is not enough. On the other hand, technological solutions are meaningless without a good set of policies, since you need to define what is allowed and what is not.&lt;br /&gt;Technology is a necessary ‘tool’ to back up and enforce policies and to limit data leakage in an organization (it would be unwise to believe that it is possible to prevent data leakage altogether). 
A good combination of both technologies and policies is needed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Published under Comsec Consulting UK&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-6015732990296362436?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6015732990296362436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2007/11/technological-means-to-prevent-data.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6015732990296362436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6015732990296362436'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2007/11/technological-means-to-prevent-data.html' title='Technological Means to Prevent Data Leakage'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-6993250411810245977</id><published>2007-08-08T13:05:00.000-04:00</published><updated>2007-11-27T13:11:27.628-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtualization'/><title type='text'>Security in a “Virtual” Reality</title><content type='html'>Today, every business tries to cut costs in order to be competitive in tomorrow’s 
market. Sometimes, this is done by outsourcing IT, HR or other non-core services. In other organizations, cost reduction is achieved by consolidating their IT environment using virtualization.&lt;br /&gt;By creating multiple virtual machines which share resources such as CPU, memory, hard drive, network devices, etc., organizations are able to reduce the cost of managing server operations. This includes the hardware, maintenance and human resources needed to manage, operate and administer these servers on a daily basis.&lt;br /&gt;Furthermore, in regard to Disaster Recovery Planning (DRP), virtualization can also enhance the security level by providing the means for faster, more flexible, and more reliable disaster recovery at a lower cost. It also significantly reduces planned and unplanned downtime.&lt;br /&gt;This demand has created many software vendors who would be happy to sell you their product. Examples include OpenVZ, Xen, VirtualBox, Virtual Iron, Virtual PC, VMware, QEMU, Adeos, Mac-on-Linux, Win4BSD, Win4Lin Pro, z/VM, and more.&lt;br /&gt;However, failure to configure and harden your virtual server might have very unpleasant results, especially when it is implemented without security considerations. In a number of cases we witnessed a hacker bringing down an entire virtual infrastructure because of a memory leak flaw on one of the servers. By exploiting this flaw, the hacker was able to consume all the available memory to a point where the entire system crashed.&lt;br /&gt;The saying “Start Secure – Stay Secure” is a simple slogan used by Comsec to emphasize that security has to begin from the very first stages of design and integration, and should be integrated into every following step.&lt;br /&gt;So, how do we secure a virtual environment?&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Design a Secure Virtual Environment&lt;/span&gt;&lt;br /&gt;Each solution has its own approach, which does not always suit the organizational needs. 
Some of these solutions completely separate each OS, while others create separate “zones” with a shared kernel. Organizations need to determine security requirements that correlate with the organizational security policy. A Security Architect should be involved at this stage in order to define parameters such as access control to the server console, the design of the virtual network architecture, the design of the virtual machines, communication protocols, etc.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Firewall&lt;/span&gt;&lt;br /&gt;When implementing a virtual environment, some of the communication can rely on an internal, virtual network. For example, when a virtual web server communicates with a virtual database, the packets traverse a virtual network only. A traditional firewall will not be able to filter this communication if needed.&lt;br /&gt;There are a number of possible solutions. One of them is to use a firewall integrated into the virtual server application. The second option is to configure the virtual machines to route all communication through an external firewall by connecting the virtual machines to separate physical network cards. A third option is to use a “virtual” firewall, which usually comes in the form of a virtual appliance. These appliances function as “traditional” firewall devices and can perform functions such as “Deep Packet Inspection”, session-based rules, filtering, etc.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Hardening Virtual “Guest” Servers&lt;/span&gt;&lt;br /&gt;In most cases we can assume that each virtual machine is fully isolated from the other virtual machines running on the same server. These servers need to be hardened and tested periodically, just like their “physical” counterparts. 
Security vulnerabilities existing on one of the virtual machines could allow an attacker to move from that machine to another on the network.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Hardening the Virtual “Host” Server&lt;/span&gt;&lt;br /&gt;“Host” servers are responsible for allocating memory and CPU to “Guest” servers, as well as providing access to storage and network devices. By gaining access to the file systems on the “Host” server, an attacker will gain access to the files stored on the virtual machines. It is also possible to shut down the "Host" server, which will result in a DoS on each of the hosted "virtual" machines. These are only a few of the possible scenarios.&lt;br /&gt;The “Host” server should be hardened and should be subject to very strict access control. Only administrators and dedicated operators should have access to the console and the virtual server management interfaces. The server should be updated with the latest security patches and it should be configured in a secure fashion.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;(Security) Policies… Policies… Policies…&lt;/span&gt;&lt;br /&gt;Every security decision should be backed up by an existing and approved policy. These policies should include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Password Policy (expiration, password length, etc.)&lt;/li&gt;&lt;li&gt;Authentication Policy (token, LDAP, local /etc/passwd, etc.)&lt;/li&gt;&lt;li&gt;Access Control Policy&lt;/li&gt;&lt;li&gt;Network Connectivity Policy (such as separation into VLANs, firewall rules, etc.)&lt;/li&gt;&lt;/ul&gt;It is important to review these policies at least annually to make sure that they are updated with new standards and best practices.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Security Auditing&lt;/span&gt;&lt;br /&gt;Security auditing should be performed on a periodic basis. 
Auditing should include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Security testing of the “Guest” servers’ operating systems and services&lt;/li&gt;&lt;li&gt;Security testing of the “Host” servers’ operating system&lt;/li&gt;&lt;li&gt;Security testing of the “Host” server virtualization application&lt;/li&gt;&lt;li&gt;Security testing of the relevant network equipment (switches, firewalls, routers, etc.)&lt;/li&gt;&lt;/ul&gt;This auditing is important in order to discover security issues such as new vulnerabilities, redundant services, outdated firewall rules and routing tables, etc.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusions&lt;/span&gt;&lt;br /&gt;Virtualization technology offers many operational and financial advantages. It even provides some security benefits. Nevertheless, this concept introduces several security weaknesses. The associated vulnerabilities include potential denial of service, data leakage and others.&lt;br /&gt;With a proper and professional security approach towards the virtualization concept, one can achieve a secure and reliable environment.&lt;br /&gt;This approach should include proper secure design, secure configuration of the environment, secure maintenance, and proper periodic security audits.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Published under Comsec Consulting UK&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7860296597622716401-6993250411810245977?l=blog.inteliident.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/6993250411810245977/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2007/08/security-in-virtual-reality.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6993250411810245977'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/6993250411810245977'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2007/08/security-in-virtual-reality.html' title='Security in a “Virtual” Reality'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-53958539256268818</id><published>2007-04-10T13:36:00.000-04:00</published><updated>2007-11-27T13:39:56.328-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Data Centre'/><category scheme='http://www.blogger.com/atom/ns#' term='Considerations'/><title type='text'>Security Considerations for Data Centres</title><content type='html'>Communications in data centres today are most often based on networks running the IP protocol suite. Data centres contain a set of routers and switches that transport traffic between the servers and to the outside world. Redundancy is sometimes provided by getting the network connections from multiple vendors.&lt;br /&gt;So, what are the other considerations we need to take into account when designing a data centre?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Network Security&lt;/span&gt;&lt;br /&gt;Most people take it for granted, but network security plays an important role in securing our data. 
Every packet, encrypted or not, traverses the network and is affected by the network's state.&lt;br /&gt;Usually, data centres must have crypto-capable routers and switches with comprehensive ACL rules, firewalls which are capable of dealing with the different protocols required by your business (like VoIP and VPN) and of performing application data inspection, role-based access control for managing the network, and other security features (such as anti-virus, anti-spam, etc.).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Business Compartmentalization&lt;/span&gt;&lt;br /&gt;Since the business information stored on servers is the core of the business, we need to make sure that this information is not accessible to third parties. It is considered good practice to separate each enterprise into a separate VLAN and, if possible, to separate each business application into a different compartment. This way, a virus outbreak or DoS attack that affects one compartment will not influence the business information flow in the others.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Administrative Traffic&lt;/span&gt;&lt;br /&gt;Sniffing administrative traffic can be very helpful when you are trying to break into a “digital fortress”. This traffic may contain access passwords, IP addresses, configurations, etc. Data centres need to make sure that this information is inaccessible and is not mixed up with production data. To do so, create a separate VLAN segment for administrative traffic and make sure that this traffic is encrypted. In this case, a separate network segment not only increases security, as an intruder will have to break through another layer of defence, but also improves the performance of the production segment.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Logging and Monitoring&lt;/span&gt;&lt;br /&gt;High-quality event logging and monitoring is the lifeblood of incident response operations. 
Many organizations have implemented pretty good event logging at the network and operating system level, but very rarely at the application level. To the incident response analyst, each layer of logging brings its own perspective on a security event. And a full complement of those perspectives is necessary to really understand what took place at the&lt;br /&gt;For example, when trying to forensically determine how a site was compromised, the network logs show the date, time, protocol, source, etc., of the attack. The operating system logs show what the intruder did and accessed on the host's operating system. The application logs provide insight into what data the intruder accessed, modified, deleted, etc., within the compromised application. Without that “big picture” view, it is exceedingly difficult to provide company executives with an accurate damage assessment so they can make the appropriate business decisions on how to proceed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Regulations Compliance&lt;/span&gt;&lt;br /&gt;Sometimes it is very important that your data centre provider complies with different regulations and standards, as it may affect your organization's compliance. There are different regulations such as BS7799 / ISO17799 Information Security Management, Basel II and the Basel Capital Accord, and the Sarbanes-Oxley Act 2002, which provide guidance for investment institutions, and ISO14000 Environmental Management System.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DRP (Disaster Recovery Plan)&lt;/span&gt;&lt;br /&gt;Not only is a DRP compulsory for compliance (such as Sarbanes-Oxley and HIPAA), it is essential to business continuity. A disaster recovery plan gives you the ability to respond to an interruption in services by implementing a plan to restore an organization's critical business functions, and the core of the business is the data stored in our data centres. 
It is important to design, implement, test and update the DRP to ensure regulatory compliance and, more importantly, continuity of the business.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;And, Physical Security&lt;/span&gt;&lt;br /&gt;Some will argue that physical security has nothing to do with information security. I don't believe so. Since the core values of information security are confidentiality, integrity and availability of the data we are trying to protect, and they are affected by physical factors, we have to take them into account when protecting our data.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;Water&lt;/span&gt;&lt;br /&gt;Data centres have to be located as far as possible from flood-prone locations and must keep humidity between 35-85%. Water or humidity can damage our servers, and therefore the integrity of our data and the availability of business services.&lt;br /&gt;Too much humidity and water may begin to condense on internal components; too little and static electricity may damage components.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Fire&lt;/span&gt;&lt;br /&gt;Data centres must have elaborate fire prevention and fire extinguishing systems. The best practice is to have zoned fire prevention and detection systems and high-quality fire doors and other physical fire breaks. In case a fire does break out, it can then be contained and extinguished within a small part of the facility. Fire detection systems must consist of very sensitive heat sensors, which should detect even the smallest heat rise or spark in order to deal with the situation before a full-scale fire incident.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Electricity&lt;/span&gt;&lt;br /&gt;Backup power must be catered for via one or more uninterruptible power supplies and/or diesel generators. 
To prevent single points of failure, all elements of the electrical systems, including the backup system, have to be fully duplicated, and critical servers connected to both the "A-side" and "B-side" power feeds.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Access Control&lt;/span&gt;&lt;br /&gt;Perhaps the most important factor in data centre security is access control. If a server can be damaged, the data will not be available. In another scenario, if the data is encrypted but the server is stolen, not only is our data unavailable, which can damage the business, but the server can also be taken to an external location where the sensitive information can be decrypted.&lt;br /&gt;Physical access to the site must be restricted to authorised personnel only. Organisations must consider using access cards (with smart chip), biometric systems and double doors with separate access tokens. In many cases, surveillance cameras and guards are used to increase the security.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Published under Comsec Consulting UK&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/53958539256268818/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2007/04/security-considerations-for-data.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/53958539256268818'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/53958539256268818'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2007/04/security-considerations-for-data.html' title='Security Considerations 
for Data Centres'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-2150303154559038530</id><published>2007-04-05T13:30:00.000-04:00</published><updated>2007-11-27T13:33:34.079-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='VoIP'/><category scheme='http://www.blogger.com/atom/ns#' term='Considerations'/><title type='text'>Five Most Important Security Considerations for VoIP</title><content type='html'>It is understandable why so many organizations are moving to a Voice over IP infrastructure. VoIP is one of the fastest growing technologies in telecommunications today, thanks to its low cost and great flexibility. However, due to VoIP's special security vulnerabilities, the assimilation of VoIP systems in enterprises involves major security risks, and requires deep organizational thought and examinations regarding the ideal VoIP architecture. Enterprises are under the mistaken assumption that existing network architecture can still be used “as is” following the addition of a VoIP infrastructure. However, this addition can damage the quality of service in the enterprise. Moreover, this can also cause financial damage and damage to the organization's reputation.&lt;br /&gt;Enterprises that decide that they wish to change their voice communication infrastructure into VoIP face a great challenge. 
This change requires fundamental consideration and raises essential questions regarding issues that affect the architecture of the network and the interface between VoIP and the data network.&lt;br /&gt;The following section will outline the risks that financial organizations have to consider when implementing a VoIP infrastructure:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Risk to Existing Data Network&lt;/span&gt;&lt;br /&gt;The deployment of some VoIP systems can damage an enterprise's information security layout, including the quality of services provided by these systems. As VoIP services run on the organization’s existing platforms, they are exposed to the same information security breaches. Networks that are not secured enough can damage VoIP and other environments in the enterprise, thus they must be designed and secured in the most appropriate way. Since a financial organisation relies on the existing data network for business-critical applications, e-Banking infrastructure and transactions, damaging it could lead to huge financial losses as well as loss of trust.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Opening VoIP to the Internet&lt;/span&gt;&lt;br /&gt;Privacy and security regulations dictate that financial institutions are ultimately responsible for the privacy of their clients/partners. Opening VoIP components to external communication besides the inter-organizational communications increases the exposure of the internal network to security risks. In addition to that, VoIP applications are exposed to data stealing, eavesdropping, impersonation and denial of service; vulnerabilities which can affect the data network if not configured correctly. The leakage of unpublished financial reports or clients’ confidential information can damage the organization’s reputation as well as lead to financial losses. 
Organizations need to ensure that VoIP deployment does not reduce the enterprise's information security or quality of services, and must examine the risks to its information.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Data Stealing and Eavesdropping&lt;/span&gt;&lt;br /&gt;Similarly to other data, VoIP is exposed to attacks and attempts to make use of software breaches. VoIP eavesdropping attempts are even more easily executed than against PSTN calls. Organizations need to inspect the access control lists and policy enforcement, make sure that the machinery is configured in such a fashion that only permitted individuals can use VoIP, and implement a maximally secured network with respect to VoIP-oriented attacks. All of these can contribute to making the financial institution's infrastructure more secure from external and internal threats.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Assuring Business Continuity&lt;/span&gt;&lt;br /&gt;Availability of e-Banking applications, financial databases and other business IT assets is critical to a financial organisation. A single power outage can cause financial and image damage to the enterprise and its services due to the inability to use VoIP. Organizations will have to evaluate the options, costs and efficiency of business continuity in case of a power outage that prevents the use of VoIP. Also, organizations will have to examine and evaluate various business continuity plans to overcome this obstacle.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Endpoint Security Issues&lt;/span&gt;&lt;br /&gt;Integration of some types of endpoints into VoIP systems can damage the security level of the network. VoIP systems use a wide variety of forms for communication, ranging from the traditional telephone handsets to conferencing units, mobile units and soft-phones. 
However, malicious code and various other vulnerabilities are very common on PCs connected to the Internet, and must be checked in the integrated network to ensure its security. The organization will have to check the quality of Wi-Fi protection and of soft-phones, if used.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusions&lt;/span&gt;&lt;br /&gt;Financial enterprises will have to ensure optimal security before, during and after VoIP deployment in the enterprise. Inadequate security may cause financial damage and damage to the organization's reputation.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Published under Comsec Consulting UK&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/2150303154559038530/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2007/04/five-most-important-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/2150303154559038530'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/2150303154559038530'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2007/04/five-most-important-security.html' title='Five Most Important Security Considerations for VoIP'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-4800149171014127381</id><published>2007-03-06T15:24:00.000-05:00</published><updated>2009-08-05T06:57:24.641-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='KVM'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtualization'/><title type='text'>KVM: Kernel-based Virtual Machine for Linux</title><content type='html'>OK, I'm impressed...&lt;br /&gt;I have tried a lot of virtualization "solutions" but this time I'm really impressed.&lt;br /&gt;KVM (abbreviation of Kernel-based Virtual Machine) works fast, installed in less than 5 minutes and is really easy to manage. And the best part is that every virtual machine is just a process on the host. You can monitor (top) and/or kill it in a sec...&lt;br /&gt;While still in the early development stages, KVM shows real potential. 
I can even say that I have enjoyed "playing" with it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://kvm.sourceforge.net/"&gt;http://kvm.sourceforge.net/&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/4800149171014127381/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2007/03/kvm-kernel-based-virtual-machine-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4800149171014127381'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/4800149171014127381'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2007/03/kvm-kernel-based-virtual-machine-for.html' title='KVM: Kernel-based Virtual Machine for Linux'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-5668393225130897589</id><published>2007-02-16T13:15:00.000-05:00</published><updated>2007-11-27T13:21:17.485-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Behaviour Analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Signature'/><title type='text'>The Future Of “Signature Based” 
Security</title><content type='html'>In today's digital world, one cannot afford to be unprotected. It does not matter if you are a multi-national enterprise or a home user, there is someone out there who will want to use your PC to collect sensitive data or to infiltrate into your network.&lt;br /&gt;We use computers for everything – from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).&lt;br /&gt;Most of our information security devices use malware “signatures” to identify different types of malware and thus protect our assets. These signatures can be in the form of firmware for our switches and routers, configuration and patches for IPS/IDS, firewalls and other servers, and virus/malware signatures for our anti-virus servers. We, as computer users, need to update these signatures on a daily basis in order to stay protected.&lt;br /&gt;But, is it enough?&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Is it Enough?&lt;/span&gt;&lt;br /&gt;Apparently not.&lt;br /&gt;According to CERT, 8,064 vulnerabilities were detected in 2006 alone.&lt;br /&gt;But that is not all. The amount of time it takes for a virus to be distributed varies, though typically the fiercer attacks also spread more rapidly: 'Low Intensity' attacks take approximately 7 hours to 2 days; 'Significant' attacks take 1 hour to 1 day; and 'Medium' to 'Massive' attacks were swiftly distributed in 3 to 5 hours.&lt;br /&gt;This means that vendors will have to update their firmware and release patches on a daily basis, while we will have to dedicate most of our time to patching our devices and servers.&lt;br /&gt;But even that may not be enough. 
In some organizations there is a very strict patch release control which can take more than a week, and in some organizations the Information Technology (IT) estate is so large that it is not a task for one man. You may need to hire additional personnel for this one task.&lt;br /&gt;Failure to comply will expose the organization to various threats. Furthermore, there is a chance that you might be attacked before a patch is applied.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;What is the Alternative?&lt;/span&gt;&lt;br /&gt;The alternative, as I see it, is to do what the financial sector (banks) did and still does with clients' on-line transactions.&lt;br /&gt;Most of the banks today have fraud detection systems. And if they don't – they should. These systems analyse clients' behaviour patterns over a period of time and then detect any deviation in behaviour. After that, they may pop up an authentication box or block the transaction, depending on vendor and configuration.&lt;br /&gt;Why not take this approach into the IT world?&lt;br /&gt;Instead of analysing client behaviour, we will analyse the normal behaviour of our software and then monitor it for any abnormal activity. For example, Microsoft Word will never try to rename word.exe or try to manipulate .DLL files. In general, programs do not try to rename themselves.&lt;br /&gt;We can take two different approaches. One, we analyse “good” programs and allow them to function according to the patterns of their behaviour. The other approach is to analyse “bad” software and thus block every program that behaves the same way.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Why is it Good?&lt;/span&gt;&lt;br /&gt;This alternative approach gives us the ability to react to any abnormal behaviour in our IT infrastructure, and react fast, be it a registry key change or TCP packet manipulation. 
We will not have to deal with situations where we have already lost the information and now have to close the gap. With good and appropriate behaviour analysis, the gaps simply won't be there.&lt;br /&gt;Since the behaviour of malware does not change often, we won't have to spend the whole day patching our servers or disconnecting them to handle a virus outbreak.&lt;br /&gt;For an attack to be successful, each attacker will have to come up with totally different intrusion scenarios, and I don't mean a buffer overflow through a different DLL file.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Published under Comsec Consulting UK&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/5668393225130897589/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2007/02/future-of-signature-based-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5668393225130897589'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/5668393225130897589'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2007/02/future-of-signature-based-security.html' title='The Future Of “Signature Based” Security'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7860296597622716401.post-8431902034064883665</id><published>2007-02-12T13:21:00.000-05:00</published><updated>2007-11-27T13:28:36.708-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='AJAX'/><category scheme='http://www.blogger.com/atom/ns#' term='Risk'/><title type='text'>AJAX - The Evil Within</title><content type='html'>&lt;span style="font-weight: bold;"&gt;What is Ajax?&lt;/span&gt;&lt;br /&gt;Ajax is shorthand for Asynchronous JavaScript and XML, and it is a web development technique for creating interactive web applications. Ajax isn’t a technology. It’s really several technologies, each flourishing in its own right, coming together in powerful new ways. Ajax incorporates:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Standards-based presentation using XHTML and CSS&lt;/li&gt;&lt;li&gt;Dynamic display and interaction using the Document Object Model (DOM)&lt;/li&gt;&lt;li&gt;Data interchange and manipulation using XML and XSLT&lt;/li&gt;&lt;li&gt;Asynchronous data retrieval using XMLHttpRequest&lt;/li&gt;&lt;li&gt;JavaScript that binds everything together&lt;/li&gt;&lt;/ul&gt;The main reason for Ajax is to reduce bandwidth usage and increase interactivity and user experience. 
By using the XmlHttpRequest object to request and return data without a reload, a programmer bypasses this reload requirement and makes the loosely coupled web page behave much like a tightly coupled application.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;The “Traditional” Web Applications&lt;/span&gt;&lt;br /&gt;In “Traditional” web applications, the default architecture used back-end servers to store and manipulate the data, while the front end (the HTML web page) was mostly used to style and display the information.&lt;br /&gt;A lot of information security best practices were written to support the growing demand on businesses to go on-line. Users started to become aware of the security implications and of on-line behaviour rules like “don't press the Submit button twice”, “wait a bit longer, it's just processing”, or “don't press the Back button after you've submitted the form”.&lt;br /&gt;But you can throw that basic knowledge out of the window now that AJAX is here.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;“Ajax” Web Applications&lt;/span&gt;&lt;br /&gt;The data still resides in the back-end data servers, but Ajax extends the program across both the client device and the server. Instead of seeing a blank browser window and an hourglass icon, the user keeps working: Ajax doesn't “steal” the user's interaction with the application.&lt;br /&gt;Every user action would normally generate an HTTP request to the server. Now, any response to a user action that doesn’t require a trip back to the server, such as simple data validation, editing data in memory, and even some navigation, is handled by the Ajax engine on its own. 
If the engine needs something from the server in order to respond, the engine makes those requests asynchronously, usually using XML.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Threats in Ajax&lt;/span&gt;&lt;br /&gt;As we have seen, Ajax extends programs across both the client device and the server, creating far more opportunities for hackers to deliver malware onto sites.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;Multiple Transmissions&lt;/span&gt;&lt;br /&gt;Before, when a user filled in a form, the information was submitted only once to the server; an Ajax-enabled form, which automatically relays the data from each field as it is entered, will launch multiple transmissions that virus writers can latch onto.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Screen Capturing Attacks&lt;/span&gt;&lt;br /&gt;Before Ajax, the user was able to control (with more or less granularity) the information a website was able to get access to. The user was able to review the information a couple of times before hitting the “Submit” button. Now, so-called screen-scraping attacks and web session hijacking attempts, both of which also seek to steal users' data, could be performed more easily by taking advantage of Ajax. With AJAX, a user's actions can be constantly and meticulously monitored. Because it can be done, it will be done, and that will lead to a headache bigger than just wasted bandwidth, gigabytes of useless information, and slower page load times.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Cross Site Scripting&lt;/span&gt;&lt;br /&gt;Ajax introduces a lot more JavaScript code into web pages. Before, most of the business logic was hidden safely on our servers and the client was presented with mostly processed data and very few lines of script. 
Now, Ajax moves a fair amount of business logic to the front end, which allows a bigger “surface” to attack.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;DoS (Denial of Service)&lt;/span&gt;&lt;br /&gt;Though this problem is not new, the Ajax approach may increase this vulnerability. Just imagine the following scenario: a web server is serving 1000 users looking up ten-digit serial numbers. A poorly implemented Ajax web page will do a lookup for every digit the user types. This will increase the load the server needs to handle tenfold.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Source Code Hiding&lt;/span&gt;&lt;br /&gt;Since Ajax allows any action to be performed in the background, it also allows a malicious web page to change the JavaScript code on a right-button click. In other words, it's possible to add or modify JavaScript functions and code in the background even after the page has loaded!&lt;br /&gt;So even if you inspect the page source for code that might be sending keystrokes or mouse movements back to the web server, you can't be certain that the code you see is the only code that's executing.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Intellectual Property&lt;/span&gt;&lt;br /&gt;Commercial application vendors regard their source code as their intellectual property, and are likely to want to obfuscate client-side code to protect it. AJAX implementations introduce a large amount of client-side code, so we are likely to see a lot of commercial applications implement JavaScript obfuscation. 
This may be an understandable approach from a legal perspective, but it breaks down when the intention is to obfuscate security controls.&lt;br /&gt;Even an average developer with malicious intentions and enough time could reverse-engineer such an application and get an “insider view” of its security controls.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Eavesdropping&lt;/span&gt;&lt;br /&gt;Eavesdropping is one of the simplest and oldest techniques for data theft: an unauthorized party listens to conversations between systems and collects their data. Eavesdropping could be done simply to get access to data such as credit card account information, or it could be used to hijack identity credentials and start an authentication attack as described above.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Data Integrity and Replay Attacks&lt;/span&gt;&lt;br /&gt;Eavesdropping enables both data integrity attacks and replay attacks. Sending on data obtained by eavesdropping after making slight modifications to it (recall that XML is a text-based, human-readable format) is known as a data integrity attack; the most basic version is a simple message forgery.&lt;br /&gt;Replay attacks occur when an attacker takes stolen messages and continually replays the same valid message (it may well pass schema validation) at potentially high rates. Obviously that type of attack could have serious repercussions such as server overload.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Knowledge and Best Practices&lt;/span&gt;&lt;br /&gt;This might be the biggest problem of Ajax today: the lack of a knowledge base and best practices. Over the last 10 years, security experts and developers have gathered a huge knowledge base, expertise and best practices for securing and mitigating risks in standard web applications. Nothing of this kind exists for Ajax.
Ajax applications have a huge attack surface, much larger than traditional applications, and the buzz around Ajax is creating immense security implications, because the knowledge bases and resources available to developers are poor.&lt;br /&gt;Inexperienced developers fail to properly protect their work, while attackers learn to use the benefits of Ajax to their advantage. The inexperienced Ajax programmer's use of widely available Ajax code in their own programs without properly understanding it, a common practice, creates even more problems.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;XML Security&lt;/span&gt;&lt;br /&gt;Since the other end point of an Ajax call is a web service that understands XML, all security threats that exist for XML are relevant to the use of Ajax. The XML threats are:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Schema Poisoning - Manipulating the XML schema to alter processing information.&lt;/li&gt;&lt;li&gt;XML Parameter Tampering - Injection of malicious scripts or content into request parameters.&lt;/li&gt;&lt;li&gt;WSDL Scanning - Scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities.&lt;/li&gt;&lt;li&gt;Oversized Payload - Sending oversized messages to create an XDoS attack.&lt;/li&gt;&lt;li&gt;Recursive Payload - Sending massive amounts of nested data to create an XDoS attack against the XML parser.&lt;/li&gt;&lt;li&gt;SQL Injection - Allows commands to be executed directly against the database for unauthorized disclosure and modification of data.&lt;/li&gt;&lt;li&gt;External Entity Attack - An attack on an application that parses XML input from untrusted sources.&lt;/li&gt;&lt;li&gt;Malicious Code Injection - Scripts embedded within a SOAP message can be delivered directly to applications and databases; traditional binary executables and viruses can be attached to SOAP payloads.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How to protect your application&lt;/span&gt;&lt;br /&gt;Actually, there is nothing new. We still need to validate the input received from the users, perform output encoding and enforce proper access control. Ajax in itself does not introduce these vulnerabilities; poorly written web applications were susceptible to these problems long before Ajax.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;Sprajax&lt;/span&gt;&lt;br /&gt;Sprajax (sometimes called the “Atlas” Ajax security scanner, since it can only detect the “Atlas” framework and the SOAP web services used by it) is the first web security scanner developed specifically to scan Ajax web applications for security vulnerabilities.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;XML Firewall&lt;/span&gt;&lt;br /&gt;XML firewalls are a different breed of application firewall. They can examine SOAP headers and XML tags and, based on what they find, distinguish legitimate from unauthorized content.&lt;br /&gt;In addition, XML firewalls can look into the body of the message itself and examine it down to the tag level. They can tell whether a message is an authorized one or is coming from an authorized recipient. They can also understand metadata about the web service's requester as well as metadata about the web service operation itself, gathering information such as what role the requester plays in the current web service request. XML firewalls can also provide authentication, decryption, and real-time monitoring and reporting.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Same Old, Same Old&lt;/span&gt;&lt;br /&gt;Ajax may be new in town, but it is just a combined usage of existing technologies.&lt;br /&gt;A number of tips to secure your application:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Secure architecture – Design your application to be secure.
Start secure and stay secure by including security as a component in each stage of the software development life cycle.&lt;/li&gt;&lt;li&gt;Trusted software libraries - From encryption to session management, it’s best to use components that are trusted, reliable, tried and thoroughly tested. There is no need to reinvent the wheel and repeat the mistakes of others.&lt;/li&gt;&lt;li&gt;Validate user input - Web applications must NEVER trust the client (web browser).&lt;/li&gt;&lt;li&gt;Secure principles - Every component of the website should be configured with separation of duties, least privilege, unused features disabled, short session lifetimes and error messages suppressed.&lt;/li&gt;&lt;li&gt;Threat Management – Continuous vulnerability assessments are the best way to prevent attackers from accessing corporate and customer data. By performing periodic penetration tests, gap analyses and threat mitigation planning it is possible to stay ahead of malicious users and protect our assets.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The future&lt;/span&gt;&lt;br /&gt;Despite the security threats mentioned above, the business drive to attract more clients by improving websites and web applications will create increasing usage of Ajax. Customers love dynamic and interactive websites, everything that Ajax represents, so there is a lot of demand. But the problem is that most Ajax developers know nothing about security.&lt;br /&gt;As I see it, the threat of improper usage of Ajax won't stop companies from massively adopting a technology that can give them an advantage over their competitors. It will take a number of attacks on popular websites and large businesses before they realise the security impact on their business.&lt;br /&gt;Ajax in itself is not “evil”.
When it was created it had only the best intentions in mind, but just as all technologies can be used by malicious users, so Ajax can be a deadly threat to the security of your organization if those threats are not mapped, analysed and mitigated.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Published under Comsec Consulting UK&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.inteliident.com/feeds/8431902034064883665/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.inteliident.com/2007/02/ajax-evil-within.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/8431902034064883665'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7860296597622716401/posts/default/8431902034064883665'/><link rel='alternate' type='text/html' href='http://blog.inteliident.com/2007/02/ajax-evil-within.html' title='AJAX - The Evil Within'/><author><name>John Markh</name><uri>http://www.blogger.com/profile/09264391698343386855</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://bp1.blogger.com/_pFp7JITh16U/R58w4xsxq6I/AAAAAAAAFA4/kxOBZy-lJ4c/S220/100_4896.jpg'/></author><thr:total>0</thr:total></entry></feed>
