
Advanced Authentication Technologies April 13, 2015

Posted by melihbilen in Security.

We live in a world in which we have to keep multiple usernames and passwords in mind. Nowadays almost every website, web service and even application requires signing up and logging in before it can be used. Each person has to create a username and password and remember those credentials every time they want to use the service. People cannot have a single username and password for multiple systems, because that creates a single point of failure. We cannot get by without multiple usernames and passwords. Yet even with different usernames and passwords, we are still not safe enough with a single level of authentication. When we talk about authentication factors, there are 3 different factors, which are defined by the United States Government.

  • Something only the user knows (e.g., password, PIN, pattern);
  • Something only the user has (e.g., ATM card, smart card, mobile phone); and
  • Something only the user is (e.g., biometric characteristic, such as a fingerprint).

Since single-factor authentication is not enough, systems should have two-level authentication, which should include two factors from the list above. Usernames and passwords fall into the category of something only the user knows. This type of information is called a knowledge factor. Systems let the user create a password and then expect the user to remember it when trying to authenticate. Passwords and PINs (Personal Identification Numbers) are the most common pieces of information a user knows.

When we talk about the user’s possessions, examples include tokens with a display, connected tokens, magnetic stripe cards, SMS one-time passwords and mobile applications. All of these can be described as something the user has, and all of them are used in different systems. ATMs use magnetic stripe cards with PINs. Tokens are used by companies that want to protect their systems more securely. SMS one-time passwords can be seen in mail services, applications and banking systems; Google, Amazon and Facebook also use this type of authentication. Since it requires only a basic cell phone with cellular connectivity, it is a very basic but powerful method.

The third and maybe the strongest approach to authentication is using something only the user is. Biometric characteristics are an example of this kind of authentication. In this approach, the system uses characteristic information about the user to confirm the user’s identity. Fingerprint sensors and facial recognition systems are examples of biometric authentication. Although these are the most secure ways to authenticate, they have some problems in the real world in terms of usability, cost and regulations.
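A two-factor check that combines a knowledge factor (a password) with a possession factor (a token or mobile app that displays one-time codes), as an added example that is not part of the original post. It uses the standard HOTP/TOTP construction from RFC 4226 and RFC 6238; the `Account` class, the `authenticate` function and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code from a shared secret and a counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current time step."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Knowledge factor is stored only as a salted, slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


class Account:
    """Hypothetical account record holding both enrolled factors."""

    def __init__(self, password: str, salt: bytes, token_secret: bytes):
        self.salt = salt
        self.password_hash = hash_password(password, salt)
        self.token_secret = token_secret  # shared with the user's token or app
        self.last_step = -1               # newest time step already accepted


def authenticate(account, password, code, now, step=30, window=1) -> bool:
    """Succeed only if BOTH factors verify; a used code cannot be replayed."""
    knows = hmac.compare_digest(
        hash_password(password, account.salt), account.password_hash
    )
    current = now // step
    matched = None
    # Accept the current step plus/minus `window` steps to tolerate clock drift.
    for candidate in range(max(0, current - window), current + window + 1):
        if candidate <= account.last_step:
            continue  # this step (or an older one) was already used
        expected = hotp(account.token_secret, candidate)
        if hmac.compare_digest(expected.encode(), code.encode("utf-8")):
            matched = candidate
    if knows and matched is not None:
        account.last_step = matched
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; the secret is the RFC 4226 test secret.
    secret = b"12345678901234567890"
    acct = Account("Michaelsetsreallylongpasswords!", b"constructed-salt", secret)
    now = 59
    print("token shows:", totp(secret, now))
    print("password only:", authenticate(acct, "Michaelsetsreallylongpasswords!", "000000", now))
    print("both factors:", authenticate(acct, "Michaelsetsreallylongpasswords!", totp(secret, now), now))
```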

Whom Should You Trust? April 13, 2015

Posted by melihbilen in Security.

In his inspiring article “Reflections on Trusting Trust”, Ken Thompson reveals an inconvenient truth about our development systems [1]. We always trust that our development tools are secure. What if our compiler inserts malicious code into our original source code? Think about it: a stranger changes a compiler binary so that it creates affected versions of the programs it compiles, including itself. This attack is almost undetectable, since we are one hundred percent sure that we wrote the code correctly and did not include any malicious parts. We trust our compiler, and boom: we have just created harmful software without realizing it. Although there is a way to detect whether our compiler is affected, we need a trustworthy compiler in order to perform the detection. Since we cannot be one hundred percent sure of that either, there is no way to know. Nowadays our compilers have gotten incredibly complex, which gives attackers more places to hide their malicious software. [3]

Attackers choose our trust as their target. They place their code where we trust most. In his article, Tyler Shields says that “Most people would say that proper management of trust is one of the primary cornerstones of information security. Trust is a relative term and all trust relationships should be examined with a very critical eye.” [4] Many organizations work on morals, ethics and trust and try to determine the characteristics of these issues. ACM is one of the organizations that work on this. They published their code of ethics on 10/16/92 [2]. We can list their general moral imperatives:

  1. Contribute to society and human well-being
  2. Avoid harm to others
  3. Be honest and trustworthy
  4. Be fair and take action not to discriminate
  5. Honor property rights including copyrights and patent
  6. Give proper credit for intellectual property
  7. Respect the privacy of others
  8. Honor confidentiality

Ken Thompson gave us a specific example of how easy it is to hide malicious code in other programs. Besides that, this kind of attack is very complicated to detect. Therefore, we can only prevent this type of action by raising new, honest generations. ACM and other similar organizations play a big role in this.

 

References

[1] http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

[2] http://www.acm.org/about/code-of-ethics

[3] https://www.schneier.com/blog/archives/2006/01/countering_trus.html

[4] http://www.veracode.com/blog/2009/08/trust-your-own-code-trust-your-own-compiler/

 

Evolution of Security in Computer Systems April 13, 2015

Posted by melihbilen in Security.

This article is a brief summary and review of Jerome Saltzer’s paper, which was published in 1975. In “The Protection of Information in Computer Systems”, Saltzer tries to draw an outline for security mechanisms. He includes eight different design principles in his writing.

1)      Economy of mechanism

The basic idea of this principle is keeping the design as simple and small as possible. This brings several advantages, such as ease of testing and validation.

2)      Fail-safe defaults

We can use the example of a shop here. Strangers cannot enter a shop through the emergency exit, since that door is built with this situation in mind. However, when needed, somebody inside can use this door easily. This principle claims that computer systems should be designed in this way: they can grant access to somebody while denying access to the system in every other case.

3)      Complete mediation

In this principle, the author says that the system should check every access to see whether it is permitted. File system access control is an example of this: the operating system checks each user to determine whether that user has access to see a document or not.

4)      Open design

Open design might not seem the best choice, especially if you are trying to hide information from somebody. However, a system should not rely on hiding information in order to protect itself. Instead, even if attackers know everything about the security system, they should not be able to find a way into it.

5)      Separation of privilege

When possible, systems should be designed to require two different keys from two entities in order to grant access. This kind of protection provides a more secure and flexible system than one that grants access to anybody holding a single key. Examples of this principle can be seen in different areas, from safety deposit boxes to nuclear weapons.

6)      Least privilege

In his article, Smith explains this principle as follows: “Every program and user should operate while invoking as few privileges as possible”. When needed, the system can grant root or administrative privileges. A user with all privileges is not a desirable case for any system.

7)      Least common mechanism

Smith states that “Users should not share system mechanisms except when absolutely necessary, because shared mechanisms may provide unintended communication paths or means of interference.”

8)      Psychological acceptability

Each system should be designed with usability in mind. A system should be both secure and usable.

All these principles constitute the basis for today’s information security principles. People have defined new principles based on them.
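Three of the principles above (fail-safe defaults, complete mediation and separation of privilege) shown together in a small access-control layer, as an added example that is not taken from Saltzer’s paper or from the original post. The class names, subjects and objects are hypothetical.

```python
class ReferenceMonitor:
    """Single decision point; every access is checked and nothing is cached."""

    def __init__(self):
        self._grants = set()    # explicit (subject, object, right) permissions
        self._two_key = set()   # (object, right) pairs that need a second key holder
        self.audit_log = []     # every decision, allowed or denied

    def grant(self, subject, obj, right):
        self._grants.add((subject, obj, right))

    def revoke(self, subject, obj, right):
        self._grants.discard((subject, obj, right))

    def require_two_keys(self, obj, right):
        self._two_key.add((obj, right))

    def check(self, subject, obj, right, co_signer=None):
        # Fail-safe default: access exists only if an explicit grant is found.
        allowed = (subject, obj, right) in self._grants
        # Separation of privilege: a second, different principal who also
        # holds the grant must co-sign.
        if allowed and (obj, right) in self._two_key:
            allowed = (
                co_signer is not None
                and co_signer != subject
                and (co_signer, obj, right) in self._grants
            )
        self.audit_log.append((subject, obj, right, allowed))
        return allowed


class GuardedStore:
    """Objects are reachable only through methods that consult the monitor."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._objects = {}

    def put(self, subject, name, value, co_signer=None):
        self._require(subject, name, "write", co_signer)
        self._objects[name] = value

    def get(self, subject, name, co_signer=None):
        # Complete mediation: checked on every call, so a revocation takes
        # effect on the very next access.
        self._require(subject, name, "read", co_signer)
        return self._objects[name]

    def _require(self, subject, name, right, co_signer):
        if not self._monitor.check(subject, name, right, co_signer):
            raise PermissionError(f"{subject} may not {right} {name}")


if __name__ == "__main__":
    monitor = ReferenceMonitor()
    store = GuardedStore(monitor)
    monitor.grant("alice", "payroll", "write")
    monitor.grant("alice", "payroll", "read")
    store.put("alice", "payroll", "constructed record")
    print(store.get("alice", "payroll"))
    monitor.revoke("alice", "payroll", "read")
    try:
        store.get("alice", "payroll")
    except PermissionError as err:
        print("denied after revocation:", err)
```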

References

[1] http://www.acsac.org/secshelf/papers/protection_information.pdf

[2] http://www.cryptosmith.com/book/export/html/365

How to Avoid Spreading Worms April 13, 2015

Posted by melihbilen in Security.

Most people call all malicious software computer viruses. That may be fine in everyday language, but there are different kinds of malicious programs, such as computer viruses, computer worms, trojans and bots. Let’s look at the definition from Wikipedia in order to understand the basic difference between viruses and worms. Under the title “computer worms”, it defines these programs as follows: “A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program” [1]. Therefore, the most basic difference is how they spread. Since worms do not require user action, they can easily move from one computer to another over a network connection. Think about it: nowadays all of our devices are connected to the internet and we use our email accounts everywhere, for business, school and personal matters. Hence, computer worms generally spread through e-mail, and they generally use attachments as their vehicle. I’m going to give some basic ideas for protecting yourself against them.

Be careful when you open an attachment

Since worms use e-mail attachments, you should be very careful when you open an attachment. If you do not know the sender, then you definitely shouldn’t open it. However, today’s worms can spread through somebody’s address book, so you can get an infected attachment from somebody you know while he has no idea about the e-mail. You should also be very careful about the file extension of these attachments. They may use files with a double extension such as “.txt.vb” or “.jpg.exe”. If your operating system hides file extensions, you see only something like “.jpg” at the end of the file name. When you see the .jpg part, you think that it is a picture file. However, it is not a picture file; your operating system has hidden the actual extension, which is .exe. As soon as you click that attachment, it tries to execute a harmful program. Therefore, you should make file extensions visible.
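A mail-filter style check for the double-extension trick described above, as an added example that is not part of the original post. The extension lists, function names and sample file names are constructed for illustration and are not exhaustive.

```python
import os

# Extensions that Windows runs on double-click (illustrative subset).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vb", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi", ".ps1",
}
# Harmless-looking extensions used as the visible decoy (illustrative subset).
DECOY_EXTS = {
    ".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
    ".xls", ".xlsx", ".mp3", ".zip",
}


def displayed_name(filename: str) -> str:
    """What the user sees when the OS hides the last (known) extension."""
    root, _hidden = os.path.splitext(filename)
    return root


def classify_attachment(filename: str) -> str:
    """Return 'ok', 'executable' or 'double-extension' for an attachment name."""
    # Keep only the final path component, whichever separator was used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as .exe.
    name = name.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return "ok"                      # no extension at all
    real_ext = "." + parts[-1].strip()
    if real_ext not in EXECUTABLE_EXTS:
        return "ok"
    # Inner extensions may be padded with spaces to push the real one out of
    # view, e.g. "invoice.pdf        .scr".
    inner = {"." + p.strip() for p in parts[1:-1]}
    if inner & DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan(filenames):
    """Map every attachment that is not 'ok' to its classification."""
    flagged = {}
    for fname in filenames:
        verdict = classify_attachment(fname)
        if verdict != "ok":
            flagged[fname] = verdict
    return flagged


if __name__ == "__main__":
    # Constructed attachment names.
    samples = ["holiday.jpg.exe", "notes.txt.vb", "report.pdf", "setup.exe",
               "invoice.pdf        .scr", "archive.tar.gz"]
    for fname, verdict in scan(samples).items():
        print(f"{verdict:17} shown as {displayed_name(fname)!r}  real name {fname!r}")
```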

Use an anti-virus program, anti-spyware program and firewall

All of these programs help protect your device from malicious software. Although there are free versions of these programs, you may want to use paid versions if you want to be more protected. You should never turn off the firewall in your operating system.

Updating your OS Regularly

Companies release security updates when they realize that their software has open doors. For this reason, you should keep your operating system and other programs up to date.

References

[1] http://www.wikihow.com/Avoid-Getting-a-Computer-Virus-or-Worm-on-Your-Windows-PC

[2] http://email.about.com/library/weekly/aa050800c.htm

[3] http://spaf.cerias.purdue.edu/tech-reps/823.pdf

 

 

Cryptosystem Failures April 13, 2015

Posted by melihbilen in Security.

The word cryptosystem combines two words: cryptographic system. A cryptographic system is a computer system that has cryptography in it. Cryptology is very common in today’s world. You can see basic or complex implementations everywhere. In his article “Why Cryptosystems Fail”, Prof. Ross J. Anderson focuses on how easily Automatic Teller Machines (ATMs) could be hacked in those days [1]. He discusses the issue from two different aspects: social and technical attacks. You might be surprised that there is a social side to these attacks too. The most important point, according to him, is that cryptosystems generally do not fail because of weaknesses in the algorithm but because of human factors such as errors in implementation or management.

He has three main points. First, deploying a cryptosystem is not a simple task. It is a very complex process that includes designing, implementing and maintaining. These activities need to be carried out by a group of people working in different areas such as management, consultancy, programming and maintenance, and they have to work in harmony in order to produce a robust system. Second, there are problems while a cryptosystem is being developed, due to the lack of guidelines for designing and implementing solutions. As I said in the first point, since it is not an easy and simple task, there should be a methodology to follow at every step of the process, from design to maintenance. Besides, the people on the project should be educated in security. Third, the general tendency in security is that when the owners of a security system realize that there is a leak in the system, they try to hide it. The creators of the cryptosystem then never learn of the problem in their design, since they don’t get any feedback from the users of the system. After discussing all this, Anderson proposes a general solution: according to him, the problem can be solved by educating people and building methodologies.

You may want to look at the following video.

http://www.youtube.com/watch?v=4p6Ff7DcnBc

References

[1] http://www.cs.utexas.edu/~dahlin/Classes/GradOS/papers/p32-anderson.pdf

[2] http://www-cs-students.stanford.edu/~dbfaria/quals/summaries/Anderson-1994.txt

Mobile Security April 13, 2015

Posted by melihbilen in Security.

Most people don’t see mobile devices as being as vulnerable as their computers. They focus mainly on the security of their computers: they buy and install anti-virus programs and scan their devices regularly. However, we use our mobile devices more and more as time passes. Mobile devices are taking over the role of computers. We use them for both business and personal purposes. Why don’t we pay as much attention to security on these devices? There are some basic rules you can apply when using mobile devices if you want to be secure. In the article “10 Best Practices for Mobile Device Security”, Ericka Chickowski groups these actions under 10 main principles.

1)      Choose Devices Carefully

2)      Turn On Encryption

3)      Require Authentication

4)      Utilize Remote Wipe Capabilities

5)      Set Up a Lost Phone Hotline

6)      Control Third-Party Apps

7)      Set Unique Firewall Policies

8)      Use Intrusion Prevention Software

9)      Keep an Open Mind About AV (Anti-Virus)

10)      Shore Up Bluetooth

I’m not going to talk about each one of them; instead I want to focus on a couple that seem more crucial. Requiring authentication is very important, since many people do not put in the necessary effort to protect their devices. Defining a sufficiently secure passcode is a very simple and powerful first step. We live in an app-based world. Without applications, our smart devices would be pretty useless. Therefore, we should be extremely careful when installing third-party applications and granting them access. Applications generally ask for permission to access personal data such as contacts and pictures. If we do not know much about the developer of an application, or we are not sure why the application wants to access personal data, then we shouldn’t give it permission to see that data. We shouldn’t just click yes, yes, OK and then the finish button. These two are really simple and easy-to-apply tips for using a mobile device. If you want more information, you can check the link in the references.

References

[1] http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Best-Practices-for-Mobile-Device-Security/1/

If you focus on one thing only April 13, 2015

Posted by mtv in Security.

Focus on your password strength, it is one of the few things you have control over to protect yourself.  When reading about the internet worm that hit in 1988, the average user would find the subject matter dizzying–as would an above average user or even an IT professional!  I can understand the overwhelming feeling of fearing something you don’t understand, and feel that end users hear so many scary things about computer security yet don’t quite understand what any of it means.  What am I actually afraid of?  How do I know I am safe?  What can I do?  I prefer not to provide answers related to hosts, sockets, or protocols, rather keep it simple and say: if you focus on one thing and one thing only, let it be your password: change it regularly and don’t make it simple.  When I say don’t make it simple, I don’t mean make it hard to enter or remember.  You can make it “easy” for yourself without making it simple.  If I set my password to “Michael” that’s both easy and simple, whereas “Michaelsetsreallylongpasswords!” is not a simple password, yet can be easy to remember and enter.

Throughout the article, “The Internet Worm Program: An Analysis,” you’ll find a detailed tour of the worm, discussing what it does at a high and low level. What does it all have in common? At the end of the day the worm is attempting to find or guess passwords. That’s it. That is the key to a worm’s success. At every stage in these multi-staged attacks, the worm is trying a logical way to break passwords, and “once a password was broken for any account, the worm would attempt to break into remote machines where that users had accounts” [1]. I think this is the best line to convey to users that the nature of infections is strikingly similar between computer systems and our own bodies. I think of this in the exact same way I do antibiotic resistance, as best described on the CDC’s website:

Q: Why should I be concerned about antibiotic resistance?

A: Antibiotic resistance has been called one of the world’s most pressing public health problems. Almost every type of bacteria has become stronger and less responsive to antibiotic treatment when it is really needed. These antibiotic-resistant bacteria can quickly spread to family members, schoolmates, and co-workers – threatening the community with a new strain of infectious disease that is more difficult to cure and more expensive to treat. [2]

In the same fashion, users may question why they should be so concerned with password strength, why should they care?  I answer that it not only affects you and your personal security, but it affects us all in that the world is connected via (IT or immune) systems–for better or for worse.

[1] Spafford, Eugene H. “The Internet Worm Program: An Analysis.” Technical Report, Department of Computer Science, Purdue University, West Lafayette, 1988.

[2] http://www.cdc.gov/getsmart/antibiotic-use/antibiotic-resistance-faqs.html

Start with security …or end with it April 13, 2015

Posted by mtv in Security.

I work with a wide variety of software vendors and see varying levels of security-mindedness in the products they peddle.  At best I’ll find moderate security-mindedness, but more often than not security is low on the vendor’s list of concerns because it is not their security at stake–it’s yours.

A few weeks ago I discovered a worm on one of my systems (running my least favorite/secure piece of software), notified the vendor, and a few days later the vendor sent out an alert to customers with steps to remediate the threat.  What was the fix?  To remove an unutilized jboss management interface.  What’s even worse is that this same web application was exploited 3 years ago, and the fix then was to remove yet another unutilized management interface.  Why were these interfaces included in their custom jboss implementation to begin with?  Laziness, in my opinion, and a clear failure to consider security in the development process.

We see time and time again that exploits occur when less-than-secure default configurations are not tightened up, and the time to do that is during development stages, NOT after a system is live.  Once you’re in production, the level of effort required to tackle security changes multiplies tenfold.  By ignoring these concerns initially you’ve made it so much harder for yourself, your organization, and your end users.

Ethics by example April 13, 2015

Posted by mtv in Security.

The ACM Code of Ethics is a set of guidelines designed to serve as the basis for ethical decision making for computing professionals [1].  The code applies to just about every role & responsibility in modern IT, from customer service objectives to legal responsibilities.  I found this to be a very rewarding experience as I got to perform a personal inventory of how I stack up with these ethical imperatives, and although satisfied I admit I didn’t form these ethical standards overnight.  The example that comes to mind is property rights, particularly based on my college years aligning with the rise and fall of the Napster days, when the world as a whole seemed unprepared for what was coming down the IT pipeline.  Being part of the “cusp generation,” as I call it, the last to have had the possibility of a computer-less childhood, a lot of ethical decisions had to be made with very little information or precedent.  I question when it was that I began to form a better sense of ethics–or one more aligned with ACM’s code–and for me it really began with entering the IT field and being put in a position of responsibility for software licensing and compliance.  To me, responsibility is the greatest teacher–if you don’t learn it with your neck on the line, you’ll probably never learn.

We see a new generation growing up today, one in which children barely a year old can figure out how to operate a smart phone or laptop–even if just to play a game or favorite song, this is a significant change.  A question I often raise in friendly discussion is: there seem to be those with a good work ethic, and those without–where does a good work ethic come from?  Everyone has their own experience in how theirs was formed, but by-and-large this is a matter of upbringing and learning by example.  Teaching children to honor property rights in technology was not/could not have been an objective for parents when I was growing up, but for anyone raising a child today, guess what you can add to your already hefty lesson plan?

[1] http://www.acm.org/about/code-of-ethics

Privacy issues in mobile computing December 17, 2013

Posted by 8237mcraew in Security.

What is privacy?  Privacy and privacy rights for users relate to the collection, use, disclosure, storage, and destruction of personal data.  Mobile computing allows users to share information, data, applications, and software over networks. This allows users to access data and applications wherever they can connect online and use various mobile devices to access their data and information. Inherent to cloud computing are privacy concerns as service providers will have access to all the data, and could accidentally or deliberately disclose it or use it for unauthorized purposes.  The utilization of mobile devices in a cloud computing environment exacerbates these privacy concerns.

Mobile devices, such as smartphones and tablets, are handheld computing devices that are typically equipped with Wi-Fi, Bluetooth and GPS capabilities. In addition, they are designed to run software applications that come from a number of sources. These sources can vary in their methods of validation and privacy requirements.

There are some unique privacy challenges for mobile devices that raise additional concerns for users. Because of their mobile nature, mobile devices must support heterogeneous networking [1]. This requires the device to support automatic discovery and configuration of local network services, such as local printers and DNS servers. A mobile device’s current location affects its network configuration, and the device must dynamically transmit such location information. A mobile device carried by a user is likely to be used in a variety of domains. The security and privacy restrictions of one domain may be significantly different from those of another. The inconsistency of the domains a mobile user may have access to increases the risk of data mining.

Another unique privacy challenge for mobile devices is their use of location-dependent information in support of dynamic location queries [2]. In order for your mobile device to provide accurate directions to the nearest restaurant or train station, the device must access the user’s current location. In some applications, especially social ones, the device is also required to know the location of another user.

The applications mobile devices use add a further privacy concern. These applications are designed to function within multiple operating environments, and additional effort is made to create a customized experience for the user. As a result, applications provided by the service provider and applications purchased by users collect data about the user. This is often done in a manner that is unobtrusive, and therefore typically invisible, to the user. As regulatory standards have yet to be established across the board for mobile devices, the user may not even be fully aware of the data that is collected. In addition, while an application may expressly access benign and user-authorized information, by the nature of its integration with the operating system the application may also have access to related but more sensitive user information.

There are also two security concerns that contribute to privacy issues for mobile devices in the cloud. First, the mobile device requires a wireless broadcast network, which is inherently less secure, as anyone can see the connection and can access it with pirated access protocols. Second, mobile devices increase the chance of physical theft of the device and of the information stored on it.

In summary, mobile devices increase privacy concerns for computing environments.  Efforts must be made by consumers and network service providers to regulate storage, retention, and destruction of personal information.

[1] Satyanarayanan, M.  “Fundamental Challenges in Mobile Computing”. School of Computer Science, Carnegie Mellon University, July 1999.

[2] Bal, Gökhan. “Revealing Privacy-Impacting Behavior Patterns of Smartphone Applications”. Goethe University Frankfurt, Germany, April 2012.

Avoiding Cryptosystem Failure December 17, 2013

Posted by 8237mcraew in Security.

Ross Anderson’s article Why Cryptosystems Fail is a peek into the contradictory world of system security. Anderson uses a series of case studies detailing instances of ATM fraud [1] in order to demonstrate the importance of understanding security requirements in system development. Improper integration of security mechanisms gave organizations a false sense of security in these instances. Anderson’s vignettes demonstrate how security seems to fail, not due to the weaknesses usually studied formally in universities or companies, such as cryptanalysis, but due to human error, negligence, or malignance, lack of quality control, lack of a feedback loop, and incomplete standards. Many organizations, in the interest of self-preservation, refuse to share information regarding security breaches. This makes it difficult for organizations to anticipate and address common security concerns.

In order to effect change, a cultural shift must occur within organizations. A commitment must be made to integrate security within all aspects of the system development life cycle (SDLC). Security can be integrated into the traditional SDLC by using the following guidelines [2]:

Phase 1: Planning/requirements

During the planning phase it is important for the development team to conduct a data sensitivity assessment.  The team should also determine what data will be handled, as well as how the data will be classified.  It would be appropriate to conduct a Preliminary Risk Assessment at this point.  In addition, it would be prudent to determine the answers to the following question – What happens if the data is disclosed, lost or changed?

Phase 2: Development/acquisition

Security controls need to be included in the specifications.  These controls need to cover features, vulnerabilities, malicious insiders, and set contingency plans.  Coding standards also need to be set to avoid known causes for buffer overflows.  Recommendations include making available to programmers the vulnerabilities and potential exposures associated with programming languages and operating systems before getting into the implementation phase and setting up regular peer review of the code.

Phase 3: Testing/implementation

As part of the testing/implementation phase, security test cases based on the requirements and on common vulnerabilities need to be developed. Points in the source code where the program takes input from users, from another program or from an untrusted source need to be identified. Contingency and disaster recovery plans should be written and reviewed.

Phase 4: Operations/maintenance

Administrators need to run backup, restore, and restart instructions and procedures with cryptographic keys. User administration and access privileges need to be monitored and maintained. Audits of log files and system interdependencies are required.

Phase 5: Disposal

The disposal plan needs to include storage of cryptographic keys, legal requirements for records retention and destruction, and means to sanitize media.

Security integration is just as important in the Agile System Development Life Cycle. Some planning considerations include [3]:

1.  Conducting an initial round of security analysis

2.  Develop related security stories and tasks

3.  Prioritize tasks in order to prevent “security debt”

-Security debt refers to uncompleted tasks that have security relevance [3].

4.   If possible integrate security experts

The bottom line is, security must be integrated from the beginning of the system development life cycle in order to foster a secure environment.

[1]  Anderson, Ross J. “Why Cryptosystems Fail.” Communications of the ACM, November 1994: 32 – 40.

[2]  http://searchsoftwarequality.techtarget.com/tip/Secure-SDLC-Integrating-security-into-your-software-development-life-cycle

[3] http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf

The Internet Worm: Don’t Get Hooked December 17, 2013

Posted by 8237mcraew in Security.

On the evening of 2 November 1988, the world witnessed the birth of the Internet Worm. Designed to exploit BSD-derived UNIX systems, this worm eventually spread to thousands of machines, and disrupted normal activities and Internet connectivity for many days [1]. Within days, steps were taken to eradicate this threat, but the damage was done. The Internet, and the machines connected to it, were vulnerable, and now everyone knew it.

Since 1988, the worm has continued to evolve, as have the methods to combat it. We will discuss the various methods available to reduce the risk of worm infection. But first, let’s talk about what the Worm is.

 A worm is a program that can run by itself and can propagate a fully working version of itself to other machines. It is derived from the word tapeworm, a parasitic organism that lives inside a host and saps its resources to maintain itself [1].

A worm differs from a virus in that it is capable of running itself, while a virus requires a host process to activate it. The original worm, despite shutting down a number of machines and disrupting Internet connectivity, was not particularly malicious. However, more recent evolutions of the internet worm have produced devastatingly harmful payloads. Common worm attacks have been known to cause crypto-file extortions and backdoor access to allow the creation of a zombie computer under the control of the Worm’s author [2].

There are means available to protect your systems from a worm attack.  I have listed them below for your benefit.

1. Ensure appropriately restrictive properties for critical files, such as configuration and command files.

Configuration, command, and host files were targeted by the original worm; preventing their modification can hinder propagation of the worm in an infected system.

2.  Stay up to date on patches and security fixes for all our public computers, desktop and server.

Since the original worm attack in 1988, considerable mental and physical resources have been spent in closing security gaps in programs and systems in order to prevent worm infection.  Of course, you must keep them up to date for the fixes to be effective.

3.  Use high quality firewalls

Worms use networks as their mode of transportation.  A well designed firewall can block their spread.

4.  Utilize high quality and up-to-date anti-virus and anti-malware software.

These tools can be effective in identifying and eliminating worm intrusions.  Be advised, they are not fool proof.

5.  In conjunction with the anti-virus/anti-malware, ensure periodic disk scans.

See earlier advisement.  Users may inadvertently allow infected files to pass through.  Infected email is a common culprit here.

6.  Utilize spam filters in your email applications

As I mentioned above, email is a potential entry point for worm infections.
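A check for item 1, as an added example that is not part of the original post: the Python sketch below flags critical files that are group- or world-writable, have been replaced by a symlink, or sit in a world-writable directory. The file names and the `audit_path` and `audit` helpers are constructed for illustration; the demo builds its own sample files in a temporary directory.

```python
import os
import stat
import tempfile


def audit_path(path, expected_uid=None):
    """Return a list of findings for one file; an empty list means it passed."""
    try:
        st = os.lstat(path)  # lstat, so a symlink swapped in for the file is seen
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    findings = []
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    # A file is only as protected as its directory: write access to the
    # parent lets another user replace the file outright.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if (parent.st_mode & stat.S_IWOTH) and not (parent.st_mode & stat.S_ISVTX):
        findings.append("parent directory is world-writable without sticky bit")
    return findings


def audit(paths, expected_uid=None):
    """Map each failing path to its findings; passing paths are omitted."""
    report = {}
    for path in paths:
        findings = audit_path(path, expected_uid)
        if findings:
            report[path] = findings
    return report


def demo():
    # Constructed sample files and modes, created in a throwaway directory.
    samples = {"hosts.conf": 0o644, "startup.sh": 0o666, "service.conf": 0o664}
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        paths = []
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
            paths.append(path)
        link = os.path.join(root, "linked.conf")
        os.symlink(paths[0], link)
        paths.append(link)
        paths.append(os.path.join(root, "absent.conf"))
        report = audit(paths, expected_uid=os.getuid())
    return {os.path.basename(p): f for p, f in report.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings)}")
```

Run on a schedule against the real list of critical files, a non-empty report is the signal to investigate.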

Since the first worm spawned in 1988, the Internet and the “Internet of things” have grown exponentially.  Malicious attacks over the Internet have paced this growth.  For every additional user on the network, you have an additional opportunity for infection.  Following the steps above will help protect systems from these attacks.

[1] Spafford, Eugene H. “The Internet Worm Program: An Analysis.” Technical Report, Department of Computer Science, Purdue University, West Lafayette, 1988.

[2] http://en.wikipedia.org/wiki/Computer_worm

[3] http://security.widyani.com/virus-security/computer-worm-definition-and-how-to-prevent-it.html

[4] http://networking.answers.com/firewall/preventing-worms-from-attacking-your-computer

Fostering Trust through Ethical and Moral Leadership December 17, 2013

Posted by 8237mcraew in Security.

In front of an audience, in acceptance of a Turing Award, UNIX creator Ken Thompson proceeded to provide a brief tutorial on how to insert a Trojan Horse into a system [1].  Thompson did this to drive home a significant point, “You can’t trust code that you did not totally create yourself.”  This is an extremely valuable point, especially in light of the fact that such an intrusion could be caused just as easily by a compiler bug (i.e. unintentional) as by a deliberate attack.  Unfortunately the typical user will never lay eyes on application code.  If you’re using proprietary software, even as an information technology professional, you will not have access to code.  So, how are we then able to apply Thompson’s message to our organization?

The answer is fostering a software development environment of self and peer regulation based on a comprehensive set of moral guidelines.  The Association for Computing Machinery (ACM) produced a Code of Ethics to act as these guidelines.  The ACM Code of Ethics comprises a set of general moral imperatives, specific professional responsibilities, organizational imperatives, as well as two directives on compliance with the Code [2].  This discussion will focus specifically on general moral imperatives as well as the specific professional responsibilities of computing professionals. This Code is a reflection of the ACM’s commitment to the ethical professionalism of every member, to include voting, associate, and student members.

The General Moral Imperatives of the ACM Code of Ethics detail eight principles that encompass more than technical parameters.

1. Contribute to society and human well-being.

2. Avoid harm to others.

3. Be honest and trustworthy.

4. Be fair and take action not to discriminate.

5. Honor property rights including copyrights and patent.

6. Give proper credit for intellectual property.

7. Respect the privacy of others.

8. Honor confidentiality.

In addition the Code of Ethics outlined eight principles of Specific Professional Responsibilities.

1.  Strive to achieve the highest quality, effectiveness and dignity in both the process and products of professional work.

2.  Acquire and maintain professional competence.

3. Know and respect existing laws pertaining to professional work.

4. Accept and provide appropriate professional review.

5. Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.

6. Honor contracts, agreements, and assigned responsibilities.

7.  Improve public understanding of computing and its consequences.

8.  Access computing and communication resources only when authorized to do so.

These principles, as outlined by the ACM, present a framework that governs the social, moral, legal, and technical aspects of computing.  Conversely, members of the ACM are expected to police non-members in accordance with these same principles.  Adhering to these principles ensures a safe environment for users of computational resources and fosters trust in the information technology community.

[1] http://cm.bell-labs.com/who/ken/trust.html

[2] http://www.acm.org/about/code-of-ethics/#sect4

Mobile biometric authentication December 16, 2013

Posted by 8237mcraew in Security.

Biometric authentication is a rapidly emerging technology that has become widespread. Efficiency of algorithms, mobile computing power, and persistent connectivity have governments and private industry turning to mobile biometrics to speed up processing of people and goods in law enforcement, military, public transportation, border control, healthcare and commercial shipping.  These mobile biometrics range anywhere from fingerprints (see Apple iPhone 5s and fingerprint scanner) to voice recognition, and everywhere in between.  There are two fascinating developments in mobile biometric authentication that I would like to share with you.

First up is a unique shopping experience, or should I say Uniqul shopping experience.   Uniqul is a facial recognition payment system developed in Finland.  Uniqul utilizes military grade algorithms to quickly and securely process and match facial identification points [1].  This allows participants to authenticate and pay by simply walking up to a Uniqul terminal and pressing okay.  The point of sale facial capture is checked against your account biometric data, linking credit cards you have added to your account to the purchase.   Account creation consists of going to a QPoint, complete with tablet and camera [1].  Enjoy the demo video below.

The second biometric mobile device I would like to share with you is Nymi, the wearable biometric device.  In my opinion it is a sleek integration of technology and ingenuity.  Nymi allows the user to maintain persistent identity on their person.  Nymi incorporates a more recent biometric identifier in utilizing electrocardiogram (ECG) waves for identification and authentication.  The Nymi itself is a wristband containing an ECG sensor along with a six-axis motion sensor [2].  Enrollment and authentication are set up through a separate authorized authentication device (AAD).  Development includes support for iOS and Android devices, as well as Mac and Windows personal computers.  The user establishes their biometric template through an application on their AAD.  The Nymi records ECG wave data and transmits encrypted information through a Bluetooth signal.  Once an account has been created, the Nymi device will match a live ECG sample against the template.  The ECG sensor on the Nymi will continue to record ECG data until a match has been made.  Once a match has been made, the device becomes active and is able to transmit to Nymi Enabled Devices (NEDs) [2].  Taking the device off at any point clears any authentication.  An interesting aspect of the Nymi is its 3 Factor Authentication.  In order for the authentication to occur, the user must be in physical contact with the Nymi device, match an ECG template (which has been proven to be reliably unique [3]), and be in the presence of their AAD [2].  This robust authentication method makes Nymi authentication extremely resistant to fraud.  Please enjoy the demo video.

These two products are fascinating to me due to their creative use of biometric technology.  Of the two, Uniqul is active in certain parts of the world, while Nymi is still in the development phase.  While Uniqul is effective in employing facial recognition technology, I do have concerns of privacy with it.  Uniqul is a passive identifier that records, or at the very least captures, biometric facial data from everyone that steps in front of the camera.  There is potential for abuse with this, from both the private and government sectors.  Nymi’s authentication process is extremely robust; however, its use of Bluetooth technology concerns me as a point of vulnerability, even if it’s only susceptible to intentional or unintentional interference.   I leave you with the following question:  The use of unique personal traits makes biometrics an attractive choice for authentication; do you foresee a future where passwords are eliminated and replaced with biometric authentication in all aspects of life?  A more pointed question: is there a condition in which you believe biometric authentication will never gain a foothold?

[1] http://uniqul.com/

[2] http://bionym.com/resources/NymiWhitePaper.pdf

[3] Agrafioti, F., Hatzinakos, D. “ECG biometric analysis in cardiac irregularity conditions”. In Signal, Image and Video Processing. 2009.

Information Security: The more things change the more they stay the same December 16, 2013

Posted by 8237mcraew in Security.

A review of Saltzer and Schroeder’s paper The Protection of Information in Computer Systems

Summary and comments

Written in 1974, this paper presents a focused view on information protection in the context of technical trends of the late ‘60s and early 70’s.  In this time frame, user-to-computer interaction typically centered on terminal access to mainframe computers.  The majority of “mini-computers” were the size of refrigerators.  One of the first personal computers, the Xerox Alto, came out just prior to the publishing of this paper.  The Alto carried a whopping 128 KBs of main memory with a mass storage capability of 2.5MBs [1].  In addition, application of computing resources was limited to large institutions.  Fast forward nearly 40 years and we have computing devices with multi-cores, GBs of RAM, and expandable disk space of up to 32 GBs that can fit in our pockets.  These devices are globally connected and have a user base that numbers in the billions [2].  However, despite the vast disparities in computing resources and user scope, great value can be ascribed to the information protection functions and design principles described in this paper.

The intent of this paper, which is delivered effectively, is to explain the system architecture needed to support robust information protection.  The authors, in an attempt to avoid confusion, offer definitions of two terms of great relevance to the topic of information protection: privacy and security.   Privacy, as defined by the authors, “denotes a socially defined ability of an individual (or organization) to determine whether, when, and to whom personal (or organizational) information is to be released” [3].  In contrast, security is defined as the “techniques that control who may use or modify the computer or the information contained in it” [3].  With these definitions in mind the authors spell out the three categories of information security violations [3]:

1.  Unauthorized information release

2.  Unauthorized modification of information

3.  Unauthorized denial of use

The use of the term unauthorized is key here, and can be defined as contrary to the desire of the person who controls information and/or contrary to the usage constraints imposed on the computing resource.  This idea of authorization, or lack thereof, can be cross-referenced across the multiple functional categories of information protection.  These functional areas are affected by both computing platform and user demographics.  First we have the unprotected system.  With this function there are no built-in mechanisms to prevent any user from accessing all information.  In the time period of this paper, these were less common and were somewhat protected by lack of physical access.  Currently, billions of mobile and personal computing devices present an unprotected system, unless specific steps are taken by the user to restrict access.

Secondly, the paper mentions the all or nothing system which is predicated on the isolation of users.  In some cases this includes access to a Public Library mechanism with some level of security.  A contemporary example of this is personal workstations configured by organizations for individual users.

The third function, as described by the authors, refers to the controlled sharing of resources through a list of authorized users and the varying authority a user has in relation to each file and/or application.  This function, along with the fourth function of user programmed sharing controls, is a common use case in professional organizations.   The case of user programmed sharing controls, where access is restricted by time, data aggregation, data partitions, and modification criteria describes accurately the information lifecycle in a data warehouse/Business Intelligence.

The final function is “putting strings on information”.  Putting strings on information is the process of maintaining control of information after release.  Across all of these functions is the challenge of dynamics of use.  The dynamics of use refers to establishing and changing user access parameters.  This, along with putting strings on information, are the most difficult to address.  The increasing use of personal computing devices at home and in a business setting can make strict adherence to information protection policies difficult to enforce.

With these functions in consideration Saltzer and Schroeder recommend the following design principles [3]:

1. Economy of mechanism: the KISS principle applies to information protection as well.  Even with more complex systems today, it is important to design a mechanism that is easily implemented and verified.

2. Fail-safe defaults: Base access decisions on permission rather than exclusion.   This was a good policy then, and remains so today.  As mentioned in the paper, security failures are difficult to identify.

3. Complete mediation: Every access to every object must be checked for authority.  The challenge of today that pertains to this principle is the pervasiveness of mobile devices.  Comprehensive information security policies must also take into account BYOD rules.

4.  Open design: The mechanisms of security should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords.   This sounds scary, but is spot on.  Determined malicious users will locate the design no matter what.  Having transparency, along with the simplicity described in the first principle, also helps to ensure unintended access paths are not created by confused authorized users.

5. Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.

6. Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.   The challenge comes from the integration of many and varying applications with many users.  This can create a situation where the dynamics of use must be managed carefully.

7. Least common mechanism: Of all the principles listed, this one has the greatest risk of being deprecated.  The increasing use of collaborative and crowd sourcing mechanisms challenges the relevance of this principle.  However, the appropriate and controlled use of collaborative mechanisms is a necessity.

8. Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.  Users faced with overly clumsy interfaces will inevitably seek means to circumvent.

9. Work factor: Compare the cost of circumventing the mechanism with the resources of a potential attacker. The resources of attackers have grown exponentially since this paper was published, something that needs to be planned for.

10. Compromise recording: It is sometimes suggested that mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss.   Intrusion detection programs began development in the mid to late 80’s, and are currently commonplace.  Logging is a key aspect of intrusion detection [4].
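Several of these principles can be seen working together in a small reference monitor. The following Python sketch is an added example, not taken from Saltzer and Schroeder's paper or from this review; the `ReferenceMonitor` class, the subjects and the object name are constructed. It shows fail-safe defaults (no explicit grant means deny), complete mediation (every read and write is checked, with no cached decisions, so a revocation takes effect at once), separation of privilege (a two-key write) and compromise recording (every decision is kept).

```python
class AccessDenied(Exception):
    pass


class ReferenceMonitor:
    def __init__(self):
        self._acl = {}        # (subject, object) -> rights explicitly granted
        self._two_key = set() # (object, right) pairs that need two subjects
        self._objects = {}    # protected data, reachable only via read/write
        self.decisions = []   # compromise recording: every decision is kept

    def grant(self, subject, obj, right):
        # Least privilege: grants are per subject, per object, per right.
        self._acl.setdefault((subject, obj), set()).add(right)

    def revoke(self, subject, obj, right):
        self._acl.get((subject, obj), set()).discard(right)

    def require_two_keys(self, obj, right):
        self._two_key.add((obj, right))

    def _permitted(self, subject, obj, right):
        # Fail-safe default: a missing entry yields an empty set, i.e. deny.
        return right in self._acl.get((subject, obj), set())

    def check(self, subject, obj, right, cosigner=None):
        allowed = self._permitted(subject, obj, right)
        reason = "granted" if allowed else "no explicit grant"
        if allowed and (obj, right) in self._two_key:
            # Separation of privilege: a second, different, authorized subject.
            if cosigner is None or cosigner == subject:
                allowed, reason = False, "second distinct key required"
            elif not self._permitted(cosigner, obj, right):
                allowed, reason = False, "cosigner holds no grant"
        self.decisions.append((subject, obj, right, allowed, reason))
        if not allowed:
            raise AccessDenied(f"{subject} {right} {obj}: {reason}")

    # Complete mediation: both accessors call check() on every use.
    def read(self, subject, obj):
        self.check(subject, obj, "read")
        return self._objects[obj]

    def write(self, subject, obj, value, cosigner=None):
        self.check(subject, obj, "write", cosigner)
        self._objects[obj] = value


def demo():
    rm = ReferenceMonitor()
    rm.grant("alice", "payroll", "read")
    rm.grant("alice", "payroll", "write")
    rm.grant("bob", "payroll", "write")
    rm.require_two_keys("payroll", "write")
    results = []

    def attempt(label, action):
        try:
            action()
            results.append((label, "allowed"))
        except AccessDenied:
            results.append((label, "denied"))

    attempt("alice writes alone", lambda: rm.write("alice", "payroll", 100))
    attempt("alice writes with bob",
            lambda: rm.write("alice", "payroll", 100, cosigner="bob"))
    attempt("alice reads", lambda: rm.read("alice", "payroll"))
    attempt("carol reads", lambda: rm.read("carol", "payroll"))
    rm.revoke("alice", "payroll", "read")
    attempt("alice reads after revoke", lambda: rm.read("alice", "payroll"))
    return results, rm.decisions


if __name__ == "__main__":
    outcome, log = demo()
    for label, verdict in outcome:
        print(f"{label}: {verdict}")
    print(f"{len(log)} decisions recorded")
```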

Conclusion

Despite vast differences in technological capabilities, Saltzer and Schroeder’s focused view of information protection provides an excellent backdrop to current information security topics.  Designing your information protection policy around the above principles may not answer all of your security needs; however it provides a functional baseline that identifies persistent concerns that need monitoring.  In closing, I pose the following question:  Is it possible to maintain a balance between information “lock-down” and value added sharing and collaboration in today’s mobile communication environment, or must you sacrifice one for the other?

Works Cited

[1] “History of Computing Hardware (1960s–present).” Wikipedia. Wikimedia Foundation, 28 Nov. 2013. Web. 16 Dec. 2013.

[2] “List of Countries by Number of Mobile Phones in Use.” Wikipedia. Wikimedia Foundation, 13 Dec. 2013. Web. 16 Dec. 2013.

[3] Saltzer, J.H., and M.D. Schroeder. “The Protection of Information in Computer Systems.” Proceedings of the IEEE 63.9 (1975): 1278-308. Print.

[4] Scarfone, Karen; Mell, Peter (February 2007). “Guide to Intrusion Detection and Prevention Systems (IDPS)”

Mobile Technology Risks and Solutions December 15, 2013

Posted by kristinamensch in Security.

There are over 6 billion mobile subscribers worldwide [3]. Mobile technology and smartphones are changing the way that people communicate and consume data. Cisco estimates that by the end of 2013 the number of connected mobile devices will exceed the total world population [2], and with a current smartphone user population of over 1 billion people [3] and growing, mobile security and privacy vulnerabilities need to be addressed.

The biggest threat to mobile security and privacy is malware. Malware is usually introduced to the mobile system when users download or update malicious apps or click on infected URLs. Malware is currently more prevalent in the Android OS mobile ecosystem due to its open nature, the lack of developer and app verification and testing before apps are made available in the Google Play marketplace, and its larger portion of the marketplace. Both the Apple and Windows Phone 8 ecosystems have more stringent centralized testing before apps can be published in their respective stores. This testing can eliminate much of the malware, but not all. It is important for users to understand that their smartphone devices are more than just telephones; they are small computers and need to be protected just like their laptop and/or desktop. This includes adding a third party security application. Another solution to the risk of malware is to only download apps from trusted places and update the device when security updates are released.

Another threat to the security and privacy of smartphone data is defined by their mobile nature. The mobility of these devices means that they are constantly passing in and out of different networks – both public and private. Mobile users utilize their smartphones for many tasks including email, private personal data in banking or shopping apps, and perhaps even healthcare. This data is stored on the device or in the cloud being accessed by the device over an Internet connection. It is important for users to protect their data by enabling encryption and user authentication in their devices. Smartphone users should also be sure to use a secure browser connection when transmitting sensitive data over a network. Mobile app designers should also be sure to encrypt any data that their application is transmitting to and from the application servers. This will add a layer of protection for the user and their data. Another possible solution is for the application to create a VPN connection with the server for secure data transfer.

Finally, and perhaps most obviously, is the threat of actual device theft. Smartphone users must be sure to maintain physical control of their device at all times to ensure security and privacy. If this fails and a device is lost or stolen the user should take the following precautions to keep their data safe and secure. Users should implement the available device locking (screen lock) mechanism secured with a strong password. They should make sure to enable, either via device registration (iPhone and Windows Phone 8) or third party applications (Android), remote device location and memory wiping services. This will allow the user to locate their device and remove all private and secure data before anyone has a chance to access the data.

With these vulnerabilities in mind enterprise IT policy makers and managers must carefully consider when and how they will allow employee mobile devices to connect to their corporate networks and what data they will have access to. The article 10 Best Practices for Mobile Device Security [1] outlines how enterprise IT departments can mitigate the inherent risks associated with mobile devices. Companies should:

  • Specify what mobile devices employees can use to connect to the organizational network based on the security and control that they allow IT administrators – even if it means that employees may not be able to have the most popular devices.
  • Enable encryption to allow data to flow across a secure connection while the device is being used.
  • Require authentication and password protection to provide basic data security in the event a device is lost or stolen.
  • Set up and use remote locking and data wiping capabilities
  • Provide employees a ‘lost phone hotline’ to quickly protect data in the event the device is lost or stolen.
  • Control the 3rd party applications that can be installed on company mobile devices to reduce the risk to corporate data stored on the device and the corporate network.
  • Set firewall policies to limit the data and applications that networked mobile devices ‘reasonably’ need access to.
  • Install intrusion detection software and monitor mobile network access.
  •  ‘Keep an open mind’ about adding mobile anti-virus software to enterprise devices.
  • Shut down the always-on Bluetooth connection broadcasting unless it is being used.

These mobile security suggestions can be successfully implemented by enterprise IT departments by providing clear policies that have solid support across the organization.

References

[1] Chickowski, Ericka. “10 Best Practices for Mobile Security.” Baseline. February 26, 2009. http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Best-Practices-for-Mobile-Device-Security/ (accessed December 10, 2013).

[2]  Cisco. “Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2012–2017.” Cisco. February 6, 2013. http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11-520862.html (accessed December 15, 2013).

[3]  mobiThinking. “Global mobile statistics 2013 Part A: Mobile subscribers; handset market share; mobile operators.” mobiThinking. March 2013. http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers (accessed December 15, 2013).

Difficulties of Mobile Security December 14, 2013

Posted by bkrugman in Security.

Throughout the semester we have looked at a variety of security issues that exist out in the wild.  I think that the article from Ericka Chickowski [1] sheds some light on the fact that no matter what the potential security flaw is, it exists in not only a corporate infrastructure but also a mobile one.  Applying concepts to secure mobile devices against malware, worms, and other malicious code is fast becoming a main focus for businesses rather than a second thought.  As mobile devices become more integrated within corporate culture, with some people using a thin mobile client to perform their daily work rather than sitting in front of a desktop all day, the decisions about what devices should be allowed, who controls the devices and how to manage the devices become a larger discussion point.

As the Chickowski article mentions, if a company is going to embrace mobility through smaller devices, they need to look at not only what devices they want to allow, but what type of impact that will put on the current infrastructure.  The assessment of what devices to allow should not be a one-sided decision with the business making the end all be all decision or the Information Technology department making that decision.  The company as a whole needs to decide what they are going to allow and strongly enforce it.  If one person is allowed to use a less secure device than the rest of the company, that one person becomes a large target for someone who might have malicious goals.

In my opinion I am not a big fan of the current bring your own device (BYOD) concepts.  This is because by allowing employees to use personal devices to access the corporate infrastructure, the security aspect is partially removed from the business’s hands and put on the employee.  While this is a great concept the largest security flaw in almost every infrastructure is the user.  While they might not purposefully do something malicious, they can often open up security holes that can allow information to flow out or access granted without them actually knowing what is occurring.

Overall, I think that mobility within a company is a good and beneficial path to potentially increase productivity.  However, it needs to start to become a larger focus of companies that are thinking about allowing it.  If they do not put a strong emphasis on ensuring that the corporate infrastructure and data are protected from all forms of security breaches, the company could end up costing themselves a lot more than the cost of doing things correctly.

References

[1] 10 Best Practices for Mobile Device Security,  Ericka Chickowski, 2/26/2009, [Online] http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Best-Practices-for-Mobile-Device-Security/

Protect your mobile device December 13, 2013

Posted by brltkd in Security.

Mobile devices are the fastest growing type of device used to access the Internet. They are extremely powerful while being simple to use, and they allow access to information from nearly anywhere. However, there are a number of things to consider so information remains secure when they are used to access sensitive information.

One of the primary considerations is controlling access to the device. Mobile devices are primarily designed for a single user. Applications such as email programs often save the user name and password so the user does not need to enter it each time they check their email. However, if there is no restriction on who can access the device, anyone that picks up the device can immediately access your email, read personal information, and impersonate you without restriction. The small form factor of mobile devices compounds this risk. It is easy to forget where you left it or unknowingly drop it somewhere. In just a 6-month period, more than 31,000 people left phones behind in New York City taxicabs [1]. Simply enabling an authentication method for your device, such as a password or PIN, or even a fingerprint or facial recognition requirement to access the phone would significantly mitigate the risk of unauthorized users.

It is also important to protect the information on your device. Even if you enable an authentication mechanism, it is generally possible to connect the device to a computer through the USB port and easily access all the information. Therefore, you should enable encryption on your mobile devices. Most devices have native capabilities to encrypt accounts, settings, applications, and their associated data. This is usually possible for both the internal memory as well as external SD cards installed. Encryption makes it significantly more difficult for someone to access your information even if they physically possess the device.

Even if you have enabled authentication and encrypted your device, it is still an uncomfortable feeling when your device is missing because there is still a risk an unknown person may have access to your personal information. A number of software packages are available to help locate missing devices by activating their GPS or delete personal information from the device remotely [2]. Some applications allow the user to remotely take a picture with the device’s camera, which could help you find the device or identify a person that stole it [3].

Mobile devices have tremendous capabilities and can simplify communication. However, these conveniences come at the expense of exposing your personal and sensitive information to the risk of being lost or stolen. Enabling the security features like authentication and encryption, which are built into most devices, will help reduce the risk with a minor impact to functionality. Additionally, many third party software packages will help recover missing devices or erase the data if necessary. Using these features is an important step that everyone should take to protect themselves.

 

[1] E. Chickowski, “10 Best Practices for Mobile Device Security,” Baseline, 26 February 2009. [Online]. Available: http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Best-Practices-for-Mobile-Device-Security/.
[2] TopTenREVIEWS, “Mobile Security Software Review,” TopTenREVIEWS, 2013. [Online]. Available: http://mobile-security-software-review.toptenreviews.com/.
[3] L. Mearian, “Carbonite app enables remote activation of Android cell phone cameras,” ComputerWorld, 11 December 2012. [Online]. Available: http://www.computerworld.com/s/article/9234593/Carbonite_app_enables_remote_activation_of_Android_cell_phone_cameras.
[4] E. Chickowski, “10 Mobile Security Best Practices,” Baseline, 26 February 2009. [Online]. Available: http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Mobile-Security-Best-Practices/.

 

Design with Security in Mind December 13, 2013

Posted by brltkd in Security.

People are using computers and the Internet for exchanging increasingly sensitive data. Many people are conducting financial transactions, such as banking and investment transactions, online. Additionally, there are government mandates to implement electronic medical record systems with the ability to exchange information between them electronically. It is important to address data protection and security considerations during the development of these types of systems.

Addressing potential security issues during system development is important because it is easier to implement them during the initial design as opposed to trying to integrate them after development. Additionally, they will generally be more effective when they are part of the initial design because they can be implemented at a core level of the system. For example, it is difficult to change underlying data structures to incorporate security requirements after application development is completed.

Another reason to incorporate security concerns into the development process is that most technological breaches come from simple failures in the software design [1]. Security personnel should be involved in the design process to help determine where risks may arise. They may see things other than technical aspects that must be considered. For example, changing an address may seem benign to the developers, but a security professional may point out that this could be used to redirect correspondence of potentially sensitive information [2]. Processing of this action may occur differently in light of that consideration.

Authentication and authorization are the two aspects that are commonly considered when designing a system. However, there is a concern that someone who has appropriate access and is authorized to perform certain functions could perform actions maliciously. I work in the healthcare industry and I appropriately have the ability to view patients’ medical records. However, while I am able to, it is against company policy for me to view records that do not pertain to my work. Depending on the situation, this may also be a violation of state and federal laws. Therefore, it is important to have a mechanism in the system to audit user actions so it can be determined if their access was used inappropriately.

Designing and building the audit functionality is a core aspect of the system and needs to occur during the initial system design. Besides simply capturing the audit information, it is necessary to consider where the information is stored. It would not be very effective if I were able to modify the audit information directly to remove traces of inappropriate activity. These types of factors must be considered and addressed during system design to create a secure system.

[1] A. Hern, “‘Most cyberattacks come through simple failures’ – security specialist,” The Guardian, 6 November 2013. [Online]. Available: http://www.theguardian.com/technology/2013/nov/06/most-cyberattacks-come-through-simple-failures-security-specialist.
[2] R. J. Anderson, “Why Cryptosystems Fail,” Communications of the ACM, vol. 37, no. 11, pp. 32-40, November 1994.
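
The audit-storage concern raised in "Design with Security in Mind" above can be made concrete with a tamper-evident log. The following is an added example, not code from the post: it chains entries with an HMAC so that edits and deletions are detectable, and all names (AuditLog, entry_mac, verify, the users and record IDs) are hypothetical. It assumes the MAC key and the latest head value are held by a separate audit service, out of reach of the users being audited.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value that precedes the first entry


def entry_mac(key: bytes, prev_mac: str, body: dict) -> str:
    """MAC over the previous entry's MAC plus this entry's canonical JSON."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    msg = prev_mac.encode() + b"|" + payload.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only audit trail in which every entry depends on its predecessor."""

    def __init__(self, key: bytes):
        # Assumption: the key belongs to the audit service, not to the
        # application accounts whose actions are recorded.
        self._key = key
        self.entries = []

    def append(self, user: str, action: str, record_id: str, ts: str) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "user": user,
                "action": action, "record": record_id}
        self.entries.append(dict(body, mac=entry_mac(self._key, prev, body)))
        # The returned head value should be stored outside the log itself;
        # without it, removing the newest entries cannot be detected.
        return self.entries[-1]["mac"]


def verify(entries, key: bytes, expected_head=None):
    """Return (ok, index of the first entry that fails, or None)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i:  # gap or reordering
            return False, i
        if not hmac.compare_digest(entry_mac(key, prev, body), entry.get("mac", "")):
            return False, i  # entry content or chain link was altered
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)  # tail of the log is missing
    return True, None


def demo():
    """Run the checks over constructed sample events."""
    key = b"constructed-demo-key"  # constructed value for the example
    log = AuditLog(key)
    log.append("nurse_a", "view", "patient-1001", "2013-12-13T09:00:00Z")
    log.append("clerk_b", "view", "patient-2002", "2013-12-13T09:05:00Z")
    head = log.append("nurse_a", "update", "patient-1001", "2013-12-13T09:10:00Z")

    edited = copy.deepcopy(log.entries)
    edited[1]["user"] = "someone_else"  # rewrite who viewed the record
    deleted = [e for e in log.entries if e["seq"] != 1]  # drop the entry
    truncated = log.entries[:2]  # drop the newest entry

    return {
        "intact": verify(log.entries, key, head),
        "edited": verify(edited, key, head),
        "deleted": verify(deleted, key, head),
        "truncated_with_head": verify(truncated, key, head),
        "truncated_no_head": verify(truncated, key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last case shows why the storage location matters as much as the chaining: a log that has lost its newest entries still verifies unless the head value is kept somewhere the audited user cannot write.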

Data Security within Application Design December 12, 2013

Posted by bkrugman in Security.

If you look at a lot of Web Sites that currently exist within the Internet, some of them need to have certain levels of security while others do not.  Web Sites that contain credit card information, like Amazon, Best Buy, or any other online retailer, need to put a lot of focus on customers’ data security and how their system protects the data.  If you look at Mr. Anderson’s article “Why Cryptosystems Fail” [1], you will see that the majority of the security risks do not come from complex attacks, but rather from development, implementation or other flaws that were introduced during the design and maintenance.

These are the flaws that while they can be extremely hard to fight, can prove extremely beneficial if some thought is put into the security structure while an application or infrastructure is being designed.  The reason: if you put some focus on implementing security within a design it will be more transparent to the users and can provide some simpler implementations.  If someone designs software, no matter how good it is, if they did not think about any level of data security whether it is how the data is accessed, what data needs to be encrypted, or who can see the data the software will always be partially hindered.  By trying to attach security to an unsecured software design it tends to cause developers and architects to build solutions that have complexity stacked on top of more complexity, making it not only more difficult to develop and test, but also difficult to maintain.  Another point is that when you build something extremely complex there tends to be holes and other areas that can be exploited to reach an end.

Mr. Anderson’s article focused more on Automatic Teller Machines (ATM), but the same train of thought can also be applied to software development.  As he mentioned, there is no silver bullet to the problem of data security, in the case of the article cryptology.  But by designing data security into an application from the start, the development team is better able to ensure that the potential breaches of data are not as accessible as they would be if they build a package and then attached security after the fact.

References

[1] Why cryptosystems fail, by Ross J. Anderson, November 1994, Communications of the ACM, Volume 37, Issue 11.

Mobile Security Practices and Software December 12, 2013

Posted by markwhylie in Security.

Mobile security is actually a very interesting and one of my favorite security topics. Primarily because I believe it will be one of the most important aspects of the “Internet of Things” as we move into the future. These days we find that there is a transition from standalone desktops to mobile computing as in the case of Apple “I” series devices, Samsung Galaxy series mobile phone and tablets and various other options from Microsoft. With that said, I think that it is important that we do not treat this new rush of technology with the same respect as we would treat desktop and distributed computing systems. If we do, we have the potential of essentially re-introducing problems such as the famous buffer overflow hacking techniques in the emergence of the UNIX system and the C programming language.

Some best practices that I believe will be essential as an end-user of mobile computing involve being educated and using common sense, being aware of what network your device is communicating with and through, placing passwords around critical applications, and also utilizing remote wipe capabilities just to name a few.

In these days, especially with the influx of older senior citizens transitioning to iPads and Android devices, we see that many tend to use these devices to store and access important financial information. While this seems to be good, it also has its downfall. If a user is uneducated and falls in a trap where someone easily steals their financial information, ignorance cannot be used to mend the broken wounds. It is important that we educate people on the security threats to using mobile computing especially when it is connected to a wireless network. We should educate people on the importance of communicating over an encrypted connection, placing passwords around accessing the device and even around certain applications such as banking apps. It is also important to ensure that we educate individuals on the importance of having the capability of remotely wiping data from a device in the case that it is lost or stolen.

 

Preventing worms December 12, 2013

Posted by brltkd in Security.

Malicious software, or malware, is a term used to describe software that causes damage or performs unwanted actions on a computer system [1]. While the term virus is often generically applied to malware, there are many different types of malware. A worm is a specific type of malware that can run by itself and can propagate a fully working version of itself to other machines [2]. This often occurs over a network connection like the Internet. User behavior is a significant factor in the spread of worms and responsible user behavior can help stop the spread of worms.

Keeping your operating system up to date with the current security patches is essential to preventing the spread of worms. Worms often exploit weaknesses and flaws that create security vulnerabilities. Companies that develop operating systems regularly release updates to patch these holes as they are discovered. Installing these patches will close the security hole on your system so worms are unable to infect it.

Users also need to use strong passwords to secure their computers. One of the methods worms often use to access other computers is by guessing their password. For example, both the original Internet worm (Morris worm) and, more recently, the Conficker worm used a list of commonly chosen poor passwords to attempt access [2] [3]. Using strong passwords, which generally consist of mixed-case letters and numbers that are not repeated or common words, will make it more difficult for a worm to crack the password.

File sharing is an important aspect of computer networking. This allows people to share files and other information with others. Any shared folders or other resources must be secured so only authorized users can access them. It is tempting to create a shared folder so other users can access your music collection or pictures, for example, with unrestricted access. However, this also creates an opening for worms to access your computer. Make sure the permissions are set on shares to only allow access for specific authenticated users.

Even with the best efforts to keep your system updated and secured, new security exploits are discovered every day. Antivirus software is an important line of defense for your computer. You should have a current version of antivirus software installed. This software actively monitors your computer for patterns indicating malicious activity and will often prevent and notify you of the activity. Additionally, if  your system is compromised, it will often aid in the removal of the threat. You should also enable automatic updating to make sure it stays up to date with current virus definitions to help keep your computer protected from the newest threats.

Worms have the potential to cause serious problems on your computer and to compromise your information. However, it is possible to keep your system secure and help stop their spread. Implementing these few basic steps will make your computer less vulnerable to worms.

 

[1] TechTerms.com, “Malware,” 2013. [Online]. Available: http://www.techterms.com/definition/malware.
[2] E. H. Spafford, “The Internet Worm Program: An Analysis,” Purdue University, West Lafayette, 1988.
[3] G. Cluley, “Passwords used by the Conficker worm,” SOPHOS, 16 January 2009. [Online]. Available: http://nakedsecurity.sophos.com/2009/01/16/passwords-conficker-worm/.

 

Creating Secure Software December 8, 2013

Posted by kristinamensch in Security.

In the 1994 article Why Cryptosystems Fail, Ross Anderson discusses the prevalence of ATM fraud across Europe caused by security holes in the ATM software and regulatory oversight.[1] According to Anderson the majority of these attacks were not sophisticated technological attacks on cryptographic security, but simple attacks that exploited ‘errors in the design and operation of the ATM system itself’. [1] Shedding light on the actual failures of cryptographic systems can lead to better software in the future, but many companies are unwilling to submit software security breaches to the industry for investigation, research, and learning. It is not surprising that companies do not want their name attached to the security holes that have led to the many cases of ATM fraud, theft, and system failure across Europe, but how will we ever learn to design and produce better, more secure software without this knowledge?

The point of today’s blog is to reflect on how security concerns can and should be incorporated into the process of software development. In my opinion security concerns should be identified and detailed during the initial requirements gathering phase. Software systems should then be designed, coded, and tested in such a way to ensure that these security needs are met. If security features are not considered at every step of the development process it may be difficult or impossible to achieve adequate security during deployment.

There is much talk in software development circles about the necessity of building quality into products and I believe that security should be viewed in much the same way. There are a number of software and hardware development companies that have each developed a software development methodology with security in mind. Microsoft[4], CISCO[2], and McAfee[3] all detail what they call a Security Development Life Cycle that outlines how to incorporate security into traditional and agile[5] development processes. These methodologies roughly apply the following steps.

  • Training
  • Requirements Gathering / Story Writing
  • System Design
  • System Implementation (Coding)
  • System Testing / Quality Assurance
  • Product Release
  • Security Response and Accountability

One of the most important components of these methodologies, in my opinion, deals with the training of business analysts, managers, developers, and testers in security concerns and current security best practices. In my studies of computer science I have taken numerous courses in systems analysis and software design and have learned about and participated in requirement gathering for projects in both traditional waterfall and agile methodologies, but system security concerns were almost completely missing from any educational project. System security and security implementations have been left to on the job training. That is why I believe it is very important to train all people who touch the software development life cycle in security concerns appropriate to their job duties. Business analysts should know how to extract the security needs for a new system from stakeholders, architects and designers should be able to translate these needs into the system design, developers should understand the requirements and be able to code to and unit test these security requirements, and quality assurance teams need to be able to validate that the software meets all of the functional and nonfunctional project requirements.

With proper training in and understanding of security needs at every step of the development process a truly secure product can be built.

References

[1] Anderson, Ross J. “Why Cryptosystems Fail.” Communications of the ACM, November 1994: 32 – 40.

[2] Cisco Systems. Cisco Secure Development Life Cycle (CSDL) . 2013. http://www.cisco.com/web/about/security/cspo/csdl/index.html (accessed December 8, 2013).

[3] Foundstone. “http://www.mcafee.com/us/resources/data-sheets/foundstone/ds-secure-software-dev-life-cycle.pdf.” McAfee. 2008. http://www.mcafee.com/us/resources/data-sheets/foundstone/ds-secure-software-dev-life-cycle.pdf (accessed December 4, 2013).

[4] Microsoft. “Microsoft Security Development Lifecycle.” Microsoft. 2013. http://www.microsoft.com/security/sdl/default.aspx (accessed December 5, 2013).

[5] —. “Security Development Lifecycle for Agile Development.” Microsoft MSDN. 2012. http://msdn.microsoft.com/en-us/library/windows/desktop/ee790621.aspx (accessed December 5, 2013).

Small, Devastating Devices December 8, 2013

Posted by Jiaqi Wu in Security.

One of my colleagues told me a story. He said he hates the iPhone.

“But why?” I ask. “Imagine how much easier your life has become because of the iPhone.”

“Let me tell you. We used to submit reports in the evenings right before we went home. Some nights I would be up late writing up a report and submit it by around midnight. Then my boss would get around to reading it and give me feedback after lunch the next day. That gave me some breathing room to relax in the morning and get into work a little later since I was burning the midnight oil the night before. However in 2007 when the iPhone came out, that’s when everything changed! I would wake up and see replies from my boss at 9am with the little ‘Sent from my iPhone’ signature. That means I have to go to work immediately to fix my assignments. I hate the iPhone!” he explained.

Imagine in all the companies in the world how many people view sensitive emails on their iPhones in the morning right after they wake up, in a car ride, or on public transportation. It is incredibly easy to lose a device, especially since phones keep getting thinner. Basic security features need to be available on all corporate phones. It is without question that passcode protection is the bare minimum. Such a basic piece of security will prevent a large percentage of people from being able to discover sensitive information.

The other methods for protecting a corporation’s assets include

  • limiting company services accessible via mobile
  • limiting apps available on the device
  • bluetooth management
  • lost phone hotline
  • antivirus software

Although these methods can be effective, they can also cause severe annoyance to the employee. One that especially interferes with the comfort of the user is limiting apps available. I was given an iPhone 5 for work and it is mostly unrestricted. There are some security profiles enabled which force the use of a passcode however most of the features on the phone still function. If some of the security policies above are implemented, my appreciation of the device would be greatly reduced.

Many of the subjects that we have covered in this seminar are different from the subjects of mobile security. In the articles listed for this week, the subjects have mostly been about process oriented techniques to ensure secure computing. The subjects we covered in class the last semester have been around many highly technical subjects such as buffer overflow which do not necessarily pertain to the mobile security domain quite as prominently.

Mobile Security Practices December 8, 2013

Posted by lorenmurphy2 in Security.

In the article, “10 Best Practices for Mobile Device Security,” Tom Cross, security researcher for IBM, discussed tips for keeping mobile devices safe. One best practice that Cross suggested was devices should require authentication. According to the article, within a six month period, more than 31,000 New Yorkers left behind their mobile devices in a cab. If these phones did not have a password lock, then unauthorized users could have access to valuable information. Authentication has been a topic of debate throughout the semester. Normally authentication has been discussed when dealing with computer systems. Having computer systems give authentication to only a select set of users depending on their function, having passwords with a strong strength, and not storing passwords in a file on the computer have all been tips for protecting the system from hackers. With mobile devices becoming increasingly complex, companies will have to think about how to keep them secure. One way to provide protection is by having company phones so employees separate their personal and work life. By having all work emails and calls on one device, there is a better paper trail for audits and custom firewalls can be installed on the device. Installing firewalls and controlling third party applications was another best practice suggested by Cross in the article. In the future, companies will have to consider anti-virus protection software for mobile devices because the number of people connecting to the Internet via these devices is exponentially increasing. This creates a perfect market for hackers because these devices will start storing valuable information.

Another best practice that was suggested in the article is for companies to utilize remote wiping capability. The idea behind this practice is that if an employee loses their phone, then they could contact the IT department (using a specific procedure) and have their phone wiped clean. That way, if an unauthorized user was to find the phone, then all valuable information would be gone. Personally, I’m skeptical about this best practice. If the procedure to wipe a phone is done via an online document or website, a hacker could pose as a user and have a phone wiped clean. If the phone’s actual owner did not back up their data, then lots of valuable information could be lost and greatly affect the company.  The success of this practice is dependent upon how well the company defines and secures a procedure. In fact, according to Cross, mobile security risks could be mitigated by having consistent policy development and enforcement instead of having a special security technology.

Resources:

Chickowski, Ericka. “10 Best Practices for Mobile Device Security.” Baseline. 2009

Preventing Computer Worms December 7, 2013

Posted by kristinamensch in Security.

In early November 1988 the first Internet worm was released, collecting information about its host and propagating itself to other machines using an operating system flaw. The worm caused systems to become so overrun with processes that they could not perform their duties, and caused some systems to fail completely. Written slightly over a month after the worm began, The Internet Worm Program: An Analysis outlines the events of that evening, the ensuing days, and the worm program itself.[1] The author states that ‘what we learn from this about securing our systems will help to determine if this is the only such incident we will ever need to analyze’. Unfortunately for the computing world, this was not the last worm that computer users have had to face. The last 25 years have brought exponential growth in the internet and in malicious programs that try to infect it.

A computer worm is a program ‘that can run by itself and propagate a fully working version of itself to other machines’. The self-replicating programs are still a problem for internet users today. Today’s computer worms still infect a host computer, replicate themselves, and send the new copies to the contacts that are stored in the newly infected user’s email program or put copies onto the local network the user is connected to. Many of these worm programs open a back door for other malicious code to be downloaded to the infected system.[2] Most worms are delivered to users through emailed links, and online software or content downloads. The prognosis may sound bleak, but there are a few simple things that users can do to limit their exposure to and risk from computer worms.[3]

  1. Enable automatic updates for your operating system: The company that creates and maintains your operating system software continuously updates the source code to fix bugs and patch newly discovered security holes. Keeping your operating system up to date will eliminate any currently known vulnerabilities.
  2. Install a reputable anti-virus program, turn on email scanning, and enable automatic updates: Much like the operating system the anti-virus software company is always improving their product, adding new virus and worm definitions, and making them available to their users.
  3. Use a firewall: Prevents unauthorized users and malicious code from gaining access to your computer system.
  4. DO NOT click any suspicious email links: Clicking email links infects many systems. Be on the lookout for suspicious emails – even emails from trusted contacts and businesses. It is always safest to manually type any links into the browser window directly. Also watch out for suspicious links in an instant message or social media message.
  5. Download software from TRUSTED sites: If you are unsure whether to trust an online program take the time to Google the program name and location in order to investigate the legitimacy and safety of the program.
  6. Browse the internet as a ‘restricted’ user: Browsing as a restricted user will place restrictions on the downloading and installation of software from the internet.

In the 25 years since the first internet worm was created and deployed, the number of internet nodes and users has grown at an unbelievable rate. People are conducting much of their lives online and much of their personal information is stored on personal and mobile computing devices. With more information being stored and accessed via the internet these days, it is easy to see why malicious computer software is still being developed and deployed. Computer users can take the few simple precautions outlined above to help secure their systems and information from computer worms.

Bibliography

[1] Spafford, Eugene H. “The Internet Worm Program: An Analysis.” Technical Report, Department of Computer Science, Purdue University, West Lafayette, 1988.

[2] Barwise, Mark. BBC – Webwise – What is an Internet Worm. September 10, 2010. http://www.bbc.co.uk/webwise/guides/internet-worms (accessed December 1, 2013).

[3] Microsoft. How to Remove and Avoid Computer Viruses. 2013. http://www.microsoft.com/security/pc-security/antivirus.aspx (accessed December 1, 2013).

Weak Mobile Security December 7, 2013

Posted by patrickcallan2013 in Security.

The increasing use, power and capabilities of smartphones should make mobile security a top priority in every organization. The common practice of allowing, and in many cases encouraging, employees to use personal cell phones to conduct business, creates a complex and difficult environment for IT to maintain computer system security. Mobile represents a significant security risk that many organizations currently ignore as Chickowski comments “… many organizations these days not only do not manage their mobile security risks, they don’t even manage mobile devices. Organizations need better control over the devices that connect to their networks if they want to keep a tight reign over corporate data …” [1] As Chickowski notes there are a variety of steps that could be taken to enhance security including selecting a standard secure cell phone model, using encryption and authentication, etc., but many organizations do not apply these available security measures.

Many organizations have a variety of internal policies such as mandatory log off when an employee is not in front of the computer and this policy is reinforced in human resource evaluations and recorded reprimands that could lead to dismissal. Despite stringent internal policies accompanied by enforcement to protect the corporate network and data resources, a non-existent or extremely lax mobile phone policy exists with minimal oversight. Organizations need to balance these contradictory approaches to security as ultimately overall system security depends on attending to all network access points in a reasonable manner. Strong security internally is compromised by very weak mobile phone security externally. Security requires assessing all security risks and implementing policies, processes and technologies that mitigate the most likely risks.

Security depends upon people using computing resources, and mobile devices that access those resources, in a responsible and secure manner. People determine system security as they know how to defeat system security features or evade well intentioned security policies by leaving networked devices always logged on, using simple passwords or not encrypting data for convenience. The people aspect of security is often overlooked as organizations focus efforts on applying security technologies and modifying processes to improve security.

Security experts with decades of experience emphasize that security involves people not just technology and processes. [2] Spafford states “The Worm was caused by a breakdown of ethics as well as lapses in security – a purely technological attempt at prevention will not address the full problem, and may just cause new difficulties.” [3] In a 2011 MIT Killian Faculty Achievement Award Lecture, Rivest commented that prime factoring, the basis of RSA encryption, “… could turn out to be easy,” Rivest said. So it remains possible, he told the audience, that “maybe someone here will find the method” that renders the RSA encryption system vulnerable …” [4] Another article, “Reflections on Trusting Trust Revisited”, states “Given our nearly unbroken track record of failed security technologies, we should view claims regarding a system’s trustworthiness with skepticism … [and] can rest assured that the war for total control of computing devices cannot be won.” [5]

Mobile security appears extremely weak given the neglect of all three aspects of system security, people, processes and technology. Given the current extremely lax mobile security measures in place, system security is easily compromised in most organizations via mobile devices. Maintaining security using mobile devices will be very challenging but necessary to protect the organizations’ information systems and data.

Sources

[1] Chickowski, Erika. “10 Best Practices for Mobile Device Security”. Baseline 2009-02-26. Accessed on 12/5/2013 at http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Best-Practices-for-Mobile-Device-Security/ .

[2] Wolff, Jeremy. “Smartphones: Business Risk or Opportunity?”. Information Management. October 28, 2013. Accessed on 10/28/2013 at http://www.information-management.com/news/smartphones-business-risk-or-opportunity-10024998-1.html#Login .

[3] Spafford, Eugene H.. “The Internet Worm Program: An Analysis”. SIGCOMM Computer Communication Review Volume 19 Issue 1. January 1989.

[4] Accessed on 11/13/2013 at http://phys.org/news/2011-02-rivest-cryptography-future.html .

[5] Spinellis, Diomidis. “Reflections on Trusting Trust Revisited.” Communications of the ACM Volume 46 Number 6. June 2003.

Smart, not invincible December 7, 2013

Posted by mtv in Security.

The claim that 5 or 10 years from now there will be more smartphones than PCs on the internet is a very real possibility, and raises obvious security concerns calling for increased attention to mobile antivirus software.  I foresee a resistance to the necessity of antivirus software on mobile phones reminiscent of a myth that still persists today: “but I don’t need antivirus, I have a Mac.”  The best response to that familiar comment is, “really, why?”  Don’t hold your breath for an answer, or at least an unbiased one.

I won’t delve into the “Macs don’t need antivirus software” debate as plenty out there already have, but suffice it to say there are valid points on each side from a software design standpoint, as well as market share standpoint, but above all the verdict is negligible in my mind.  The fact is that claims like these feed public perception and, as a result, become true, and from a security standpoint it is irresponsible and dangerous to assure people that security is not a concern.  Let’s also be honest and admit this is a byproduct of the OS wars, plenty of haters on each side.  In case anyone has noticed, software tends to change, and has evolved drastically since these beliefs were born.  Windows has gotten more secure, while historically weaker; Macs have gained more of a market share, while historically weaker.  Together, these shifts have transformed the playing field and yet the argument lives on.

Whether applied to av security for Macs vs. Windows or future debates surrounding mobile OS platforms, my advice to counter common, often unsubstantiated claims like these is to avoid the technical details and just urge people to think about it from a common sense perspective.  There is no such thing as a free lunch; there is no “get out of jail free” card in real life; there will never be a computing platform that is simply superior and thus doesn’t need to be protected.  So back up to an objective level, put preferences aside, and think about it like this: sure, I’ll concede that your device is 20 nanometers more secure than mine, but you use the internet on it, right?  That’s what we have to protect nowadays, ourselves–our own identities, our corporate data–not so much our devices.  It’d be like claiming your house keys are specially designed to be harder to duplicate, plus they’re almost always in your pocket, so therefore they’re safe.  That argument doesn’t do much good after you’ve used that jump drive on your keychain at some random computer kiosk and managed to lose track of them.  When you use the internet, you are effectively travelling around the globe plugging your house keys into strangers’ computers.  You might want to pay attention.

Smartphone Security Concerns December 7, 2013

Posted by louloizides in Security.

I recently entered into a common iPhone vs. Android debate with a friend of mine. He had broken his Android phone’s screen but was able to get into his phone and back up his data by using SSH (SSH provides access to a shell remotely – such as the admin account on the phone). This is possible because with Android, unlike with iOS, Google makes it very easy for an Android user to obtain root access and enable this feature.

My opinion was that enabling SSH on any device can be risky and shouldn’t be allowed on a phone. Brute-force SSH-based attacks are common on any internet-connected device. And if a vulnerability in an OS is found, SSH will likely be the pathway that allows an attacker to enter, steal data and/or use the device for a malicious reason.

Being an avid iOS user and developer, my feeling on the matter was that most smartphone users don’t understand the security risks of the devices they’re carrying. Making it easy for a person to gain root access to their phone also meant that vulnerabilities had to have been exposed that would allow an attacker to do the same. His pro-Android argument was that if it’s your phone you should be able to do what you want with it.

While I respect the pro-Android argument, I believe smartphones represent a greater security concern than PCs and should be more locked down for two reasons. First, a smartphone is a phone. If you brick your phone (make it inoperable due to a bug or software error) you lose your method of communication. This can be very bad when traveling or during an emergency. It has actually happened to me while traveling when I had a jailbroken iPhone with some malicious software installed.

The other is that while smartphones are computers, common users don’t treat them as such. Google Play and Apple’s App Store have created the illusion of trusted apps. The software from these sources, however, is only statically analyzed and there’s no reason malicious code couldn’t be created dynamically. Java on Android provides some protection against this since the apps are run on a virtual machine (whereas iOS apps are native code). But Java is common across all Android devices. So if someone finds a Java exploit, which seems to happen frequently nowadays, the exploit can be used to attack any device.

Even riskier, Android allows a user to download unsigned apps from non-Google Play sources. These apps are not analyzed at all and can contain virtually any kind of malicious code. Yet users routinely enable it and are completely oblivious to the risks. Smartphone apps today are a little bit like computer programs a couple of decades ago. The smartphone app ecosystems are relatively new and there’s a false sense of security around the potential risks. This will likely change as more and more people start to find exploits for malicious purposes.

Mobile Security December 7, 2013

Posted by farchie82 in Security.

After reading the article, “10 Best Practices for Mobile Device Security,” [1] I am reassured that my constant attempts at securing my iPhone are not in vain. Astonishingly, “31,000 New Yorkers left behind mobile devices in a taxicab [and] most enterprise users don’t use the password function on their devices.” I am constantly telling everyone from my fiancé, to my co-workers, family, and friends to utilize the password function on their smartphones to protect not only the investment, but also their personal information. Phones are replacing the once needed computer for checking email and banking accounts, to watching video surveillance of your home. Choosing devices carefully, turning on encryption, requiring authentication, utilizing remote wipe capabilities, setting up a lost phone hotline, controlling third party apps, setting unique firewall policies, using intrusion prevention software, keeping an open mind about AV, and shoring up Bluetooth devices are the ten recommendations in the article for smartphone users. Even though I am persistent in my encouragement to others of locking their devices, I was shocked to find out that, “the ability to set a pin number to lock the device [with] a simple pass code won’t protect your phone from viruses or knowledgeable hackers.” [2] I was clueless to the fact that hackers can access your phone’s camera, contacts, SMS text messaging options and much more, so it is almost imperative to protect smartphones, whether for personal or business use, and other mobile devices. The problem of security seems to be a never-ending cat and mouse chase, and it is important that users stay on top of self-education. Simply updating software for a phone doesn’t seem to be enough anymore. Knowing what the latest trends are in spy and malware is very important as well. Users cannot simply rely on developers for PSAs; personal accountability is key.
Hackers are attacking devices from many angles, leaving phishing attacks, buffer overflows, and stack smashing no longer limited to computers. Investing in AV software for smart devices also seems to be imperative. The thing that I don’t understand, however, is why isn’t this new epidemic being talked about? I watch the news on different networks as well as various talk shows, and yet, I have yet to hear of this. I will be purchasing AV for my iPhone this week and also spreading the word.

[1] “10 Best Practices for Mobile Device Security”. By Ericka Chickowski. Posted 2009-02-26
http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Best-Practices-for-Mobile-Device-Security/#sthash.vzXqjIkI.dpuf

[2] “Why Mobile Security Software?” http://d2l.mu.edu/d2l/le/content/225135/viewContent/1286425/View

Mobile Security Practices December 6, 2013

Posted by karlkaluzny in Security.

The use of mobile technology is becoming more and more common among businesses today.  This necessarily will create a great deal of new security risks.  Ericka Chickowski wrote an article discussing the ten best mobile security practices for Baseline.com. [1]  The ten best practices that were outlined are listed below.

  • Choose devices carefully
  • Turn on encryption
  • Require authentication
  • Utilize remote wipe capabilities
  • Run a lost phone hotline
  • Control third-party apps
  • Set unique firewall policies
  • Use intrusion prevention software
  • Keep an open mind about AV
  • Use Bluetooth carefully

Upon reflection of these ten practices, I think that there are a couple of interesting observations to be made.  First, several of these practices are very simple steps which can be taken by the user (turn on encryption, require authentication, use Bluetooth carefully).  If these are not used by the user, then it is almost only due to laziness.  This means that phones can be fairly secure with little to no effort and extra cost.

A second observation is that there will inevitably be a battle between security and freedom with mobile devices made for work.  Most people have a preference for which type of mobile device they would like to use.  However, it is in the best interest of an organization to mandate which type of mobile device employees are allowed to use because maintaining one type of device rather than several is the easiest.  Additionally, organizations will want to monitor the activity of the phone, and install AV software or firewalls which could hurt the device’s performance, which will also not be liked by users.

The use of mobile devices at my organization is still quite rare.  It is possible to link work email to phones, but to my knowledge that is the extent of the capabilities currently.  If email is linked to a phone, then it is required that several steps be taken to secure the phone, such as using a password.  I do not imagine mobile devices becoming very common or useful at my job in particular as it is mostly software development with little interaction with a customer.

References

[1] Chickowski, Ericka. 10 Mobile Security Best Practices. Baseline. Posted February 26, 2009. http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Mobile-Security-Best-Practices/

Cryptology Fails December 6, 2013

Posted by farchie82 in Security.

Before I became knowledgeable on the subject, I must admit that I had no idea how important incorporating security concerns into the system development process was.  Implementing successful security measures seems to be an issue that is hard to tackle, but after reading about banking cryptology errors in the article, “Why Cryptosystems Fail,” [1] by Ross J. Anderson, this problem seems a bit more clear. Merriam Webster dictionary defines cryptology as the scientific study of cryptography or the process of writing or reading secret messages or codes. [2] Government agencies and the banking industry both use cryptology in order to protect private information; unfortunately, the exchange of information is not always secure. This problem persists mainly because the topic of security will forever be a cat and mouse game.  However, incorporating security measures in programming from the beginning could help to prevent fraud from taking place. Also, staying on top of the latest schemes by hackers would help as well, but as the article hinted, most times the security failures are not made public. That, in turn, aids in hindering successful (or at least as close to successful as one can get) system operation.

[1] “Why Cryptosystems Fail”, by Ross J. Anderson, November 1994, Communications of the ACM, Volume 37, Issue 11.

[2] Merriam Webster Dictionary. http://www.merriam-webster.com/dictionary/cryptography?show=0&t=1386317998

Mobile Security December 4, 2013

Posted by Marybeth in Security.

The article “10 Best Practices for Mobile Device Security”, by Ericka Chickowski, offers some excellent advice on mobile security. Taking the initiative to oversee mobile devices would be a great benefit to an organization. With so much sensitive information at stake, why would an organization want to be at ease when it comes to handling mobile security? Complacency just invites the hackers and thieves into the organization.
Purchasing a uniform set of devices within the enterprise is a great start to managing mobile security risks. It is important for organizations to develop a consistent policy to handle mobile security and to make sure that the policy is strictly enforced. Encryption is an absolute must, even though it is a bit of a bother to turn it on. I am sure I am not the only one who has ever lost a mobile device due to carelessness. This is why authentication is so important. If a phone is ever lost or stolen, authentication would make it difficult for an unauthorized user to access information.
Third-party applications represent a significant threat to security and should be strictly limited. Firewalls need to have a policy set in place to handle the mobile device traffic, too. Stricter settings should be used to limit who has access to the data, blocking the users who have no need to employ it. Bluetooth is vulnerable in a number of different ways. It should be disabled when it is not in use. Using an anti-virus and intrusion prevention software for mobile devices is also excellent advice from the article.

Ethics and Trust in Open Source Software December 3, 2013

Posted by kristinamensch in Security.

In his 1984 Turing Award acceptance remarks Ken Thompson, after describing a way in which to write a self-replicating program that exploits the C compiler, moralizes that ‘you can’t trust code that you did not totally create yourself’. [4] While the sentiment is surely true, realizing this in today’s technological landscape is all but impossible. No single business or technology user today can be limited to simply using software that they have created completely. From business systems to smartphones to automobiles, businesses and consumers put their trust into the software architects, designers, developers, managers, and software testers that create the products that they purchase, use, and depend on in their daily lives. As software developers and engineers we have an obligation to work hard to deserve that level of trust.

Adopted in 1992, the ACM Code of Ethics and Professional Conduct can provide helpful guidance for those involved in the creation of software products. [1] There are eight ‘General Moral Imperatives’ for ACM members to follow.  Imperatives 1.5 and 1.6 state respectively that the ACM professional will ‘honor property rights including copyrights and patents’ and ‘give proper credit for intellectual property’. I am particularly interested in how these imperatives are considered and upheld by developers with respect to the incorporation of open source software into their custom applications. Open source software can save design and development time, increase functionality that can be built into an application in a set amount of time, and lower development costs. Because of these benefits open source software is becoming an increasingly attractive solution for software developers. Quality open source software is easily available online – developers just need to download and add it to their project. Some developers may feel that because the software and its source code are available for all to see online that it falls into the public domain and can be used in any way, but this is not the case. Most open source software has a usage license that the user agrees to by clicking a check box or simply downloading the software.

There are two general types of open source licenses: copyleft licenses and permissive licenses.[2] Copyleft licenses, like GNU GPL and AGPL, require any derivative works to be licensed with the same license – meaning that any source code produced with the open source software be open source and made available to users downstream. This license tries to prevent the downstream monetization of the original open source software. Permissive open source licenses, like BSD, MIT, and Apache, place fewer restrictions on any downstream products than copyleft licenses allowing users to create proprietary derivative software.[3] It is very important for software developers considering the integration of an open source software product into their application code to read and understand the licenses and restrictions that they are agreeing to by using the software. Businesses need to create and follow a process for open source software integration that includes reading and understanding the license, compliance, and maintenance. If any confusion arises around licensing and restriction in the use of an open source software product businesses should seek legal advice on how to comply with the licensing agreement. Software developers should also give proper credit to the open source software by maintaining the open source software copyright as outlined by the license.

As software developers we have an expanding array of open source tools that we can use to create a better software product for our customers, but we have to remember that our responsibility is not only to create the best product for our customers – it is to do so legally and while respecting the intellectual property and rights of our fellow developers by abiding by the terms of their licensing agreements.

Works Cited

[1] Association for Computing Machinery. “Code of Ethics — Association for Computing Machinery.” Association for Computing Machinery. October 16, 1992. http://www.acm.org/about/code-of-ethics (accessed November 15, 2013).

[2] Bledsoe, Mark J. “Open Source Software Issues in Commercial Transactions, Contributed by Mark J. Bledsoe, Bradley Arant Boult and Cummings LLP – Bloomberg Law.” Bloomberg Law. 2011. http://about.bloomberglaw.com/practitioner-contributions/open-source-software-issues/ (accessed December 2, 2013).

[3] Open Source Initiative. Frequently Answered Questions | Open Source Initiative. December 3, 2013. http://opensource.org/osd (accessed December 3, 2013).

[4] Thompson, Ken. “Reflections on Trusting Trust.” Communications of the ACM (ACM) 27, no. 8 (August 1984): 761-763.

Risk in Mobile Security December 2, 2013

Posted by cgreigmu06 in Security.

With the introduction of mobility in our everyday lives, the data that we provide has become increasingly easy to access across all levels of technology. Smartphones have provided another layer of access to this data, but with this technology, the level of risk to cause harm to our data has increased [1]. With mobile devices, we as users have a higher likelihood of having our mobile devices lost, stolen, hacked, and infected with unwanted security threats. According to recent information more than 1.6 million people have had their smartphone either lost or stolen in 2012, with a total loss of over $30 billion [2].  We will go through some of the safeguards that individual users and corporations can apply. As in any device that is connected to the internet/intranet, we all put ourselves at some level of security risk [3]. In order to help combat risk we must follow steps that will help minimize any threats that may affect us individually or the corporations that we work for [4].  There are many security protection applications out there today, from basic anti-virus applications to security-encrypted applications that encrypt information once secure information has been identified. These applications are designed to help the user prevent unwanted information being either downloaded or sent that is unsecured.

There are many different types of risk that individuals and corporations face when dealing with personal or private data [5].  Types of risk can be anything from as small as personal email between mother and daughter to a document listing all of the employees a corporation is looking to lay off.  In the research we will look at Personal Risk, Business Risk and Unknown Risk [6]. All of these risks are further complicated by the different types of attacks, sometimes called social engineering [7], that are now used to gather secure data. Phishing is a way of trying to gather usernames, passwords and credit card details from unknowing victims. Smishing is a form of phishing but using messaging systems to gain or gather data information. Baiting is a form of using external drives so that victims mistakenly install or add harmful programs to various devices. There are many more ways of trying to gather unwanted data, but these are some of the main tools.

  • Personal Risk deals with the types of risk that are important to an individual’s online safety. Having access to someone’s online self can be very easy to obtain and at the same time hard to remove once the data has been uncovered.  Identity theft is one of the growing forms of crime that is committed on the internet.
  • Business Risk deals with the type of risk that is associated with a business environment.  Businesses have a fiduciary responsibility to their customers and employees. Data that could be incorrectly released could affect the overall business goals. Security risk could potentially lead to a downfall within the corporation and outside of the corporation. Maintaining or preventing security risks is vital to a reliable and substantial corporation for everyone’s long term goals.
  • Unknown Risk deals with future risk where individuals and corporations need to be open to the ever-changing security environment dealing with risk. Hopefully staying one step ahead of the technical tools criminals are trying to use to obtain your data and cause harm. Forward-thinking should be the thinking of all smartphone users.

Security prevention should be handled by the individual for personal use and the corporation for work place use [8]. Each area plays a role in helping to prevent security breaches. The biggest rule is to always have an idea of your surroundings, and a smartphone should be treated the same as any other electrical device that holds valuable data. Have common sense: if you don’t trust a site, an email or an application, don’t download. Here are a few things that individuals or corporations can do to help provide security prevention in mobile computing smartphones.

Individual smartphone holders play a key role in limiting security risk [9].  Most of us do not realize that the data we are providing through a smartphone can contain vital data that if someone had access to could cause either financial harm or physical stress on the loss of security. Below we will go through some ways to help keep security number one in the minds of individuals and corporations.

  • Configure. When not using your smartphone make sure that the lock feature is turned on for your specific operating system (OS) manufacturer. With today’s smartphones there are many different options to choose from to help lock your phone.  You can provide a four-digit personal identification number (PIN) that can be used to lock or unlock a phone. There is the option to provide a password. There is also the ability to create a custom pattern that you must follow on the screen in order to unlock the phone. Each way has its pluses and minuses. A four-digit PIN is easily cracked due to a limited number of characters.  A password is no different than a PIN but with many more characters. The custom pattern is interesting, but there have been studies that are able to track your fingerprints to unlock the pattern.
  • WiFi and Bluetooth. Make sure when connecting to WiFi that you are connecting to a secured network that you trust.  Stay away from unknown network connections and hotspots, which could provide harmful material. Turn off Bluetooth when not in use; data can be pulled without your knowledge. Also, Bluetooth can cause unwanted drain on your battery, leaving you with having to charge your phone in a potentially unsafe place.
  • Anti-Virus Programs. Install anti-virus programs on your smartphone; there are many free and pay-for applications available. Each anti-virus application provides a different level of protection, with many of the top antivirus companies providing a mobile version of their software.  Know that a paid service will not always provide the user with the best level of service.  It really depends on how the user is going to use the smartphone. With corporation-provided smartphones the antivirus protections may already be available depending on the company’s security agreement and should follow what has been provided by the IT department.
  • Be Smart. Keep your smartphone with you at all times; if not, make sure it is secure and hidden from view. Remember a smartphone is more than just a phone; it holds valuable information and should be treated as such. Clearing data is another good practice: make sure you avoid using anything that remembers saved responses:  names, passwords, searches, etc. This information can be used to gather harmful information about the individual of the smartphone.

Corporations that provide smartphones also play a key role in limiting security risk. Corporations have a financial responsibility to provide security measures for their employees and for their customers. Unsafe security messages can lead to dissatisfaction with customers, which can lead to loss of revenue for the corporation.

  • Networks. Provide safe and reliable networks so users are able to secure locations that are safeguarded against any risk threats. Websites should be securely available and a virtual private network (VPN) connection is a must in a secure corporation.
  • Education. Corporations need to stay up to date with the current technologies, and empower their employees by providing yearly compliance training to make sure employees know current smartphone best practices. Having educated employees will help lessen the chance of a security breach of data [10].
  • Encryption. Smartphones should have some level of encryption when dealing with customer data.  Data should be stored in a secure location and only available through the smartphone with a secure sign in and location. Restrict access if the connection is not desirable for the server.

Overall, protecting one’s personal data and private information is a major responsibility for everyone to follow.  Users need to be aware of the different security features that are built into most mobile devices and choose to use them instead of ignoring them. Security features are not meant to be bothersome to the user, but provide a level of protection against unwanted risk threats that could be harmful long term.  Users need to be smart with how the data is being used and also try to stay up to date with the changing environment.  Having an understanding of the type of risks involved will hopefully lead to a more secure environment for all.

References

[1]  Palenchar, Joseph, Smartphones Continue Upward Spiral, TWICE, vol. 26, no. 4 (Feb 7, 2011), p. 6-7

[2] ABC News [Online]. Stern, Joanna, Available at:  http://abcnews.go.com/blogs/technology/2013/06/feds-push-apple-google-to-combat-smartphone-thefts/

[3] Robert Regis Hyle, Mobile, Cloud Computing Issues Challenge Risk Managers, Property & Casualty 360, (Feb 16, 2011), p. n/a.

[4]  Scitech Book News, Risk assessment and management in pervasive computing; operational, legal, ethical, and financial perspectives, vol. 33, no. 1 (Mar 2009), p. n/a

[5] Tiganoaia, Bogdan, Comparative Study Regarding The Methods Used For Security Risk Management. Buletin Stiintific, Dec 01, 2012; Vol. 17, No. 2, p. 149-155 

[6]  Castelnovo, Walter. Social Computing Tools for Inter-Organizational Risk Management, European Conference on Information Management and Evaluation, (Sep 2011), p. 92-100

[7]  Wikipedia. [Online]. Available at:  http://en.wikipedia.org/wiki/Social_engineering_%28security%29

[8]  McKinnon, Roddy. Promoting the concept of prevention in social security: issues and challenges for the International Social Security Association. International Journal of Social Welfare, Oct 01, 2010; Vol. 19, No. 4, p. 455-462

[9]  J Brooks, David. Security risk management: A psychometric map of expert knowledge structure. Risk Management, vol. 13, no. 1-2 (Feb/Apr 2011), p. 17-41

[10]  Pluta, Paul L; Fields, Timothy J; Smith, Alan J. Compliance Case Study #3-Manual Processes, Performance

Mobile Security December 2, 2013

Posted by 7832johnsob in Security.

In the articles 10 Best Practices for Mobile Device Security, 10 Mobile Security Best Practices, and Mobile Security Software Review, the vulnerabilities of mobile devices in terms of ways to protect data on a mobile device are discussed. Some of the vulnerabilities of mobile devices were highlighted in the Mobile Security Software Review article as follows: “Not only can a virus disable functions on your phone, but other forms of malware may also send infected files to your contacts, send mass messages without your permission, make expensive calls resulting in unwarranted billing, and turn your mobile device into a recorder or even a camera, taking pictures wherever you go and displaying them online.”[3]. These vulnerabilities can be mitigated by using authentication, encryption and network security, and by being careful of what you click on in an email (to prevent phishing) and what you install on your device (to prevent malware).

From a business IT perspective, there are several measures a company can take in order to better control devices that connect to a company intranet using VPN. Some suggestions include “choosing devices carefully, turning on encryption, requiring authentication, utilizing remote wipe capabilities, setting up a lost phone hotline, controlling third party apps, setting unique firewall policies, using intrusion prevention software, utilizing antivirus software, and turning off Bluetooth when not in use” [1]. By implementing the aforementioned suggestions, IT can ensure that devices with operating system security flaws like ones that can allow buffer overflow attacks will not be able to transfer malicious information to the company intranet. IT can also minimize the amount of data stolen due to lost or hacked devices by taking an extra step of protection through prevention and contingency plans.

Overall, the security issues faced with mobile devices are similar in nature to classic security problems on the PC. However, the sheer number of devices that can connect and the accessibility of apps, networks, and emails make the risk more likely if proper precautions are not taken. I personally think that one of the biggest risks of mobile devices is the loss of personal data. This usually happens if there is no authentication mechanism to enter the phone and if the user stays logged in to applications that don’t provide an auto timeout functionality. This makes it extremely easy for an intruder to take the device and perform actions as the phone owner. Though constantly typing in a 4-digit PIN or logging in and out of an application may be annoying when the phone is in constant use, I think it is important to do. One great workaround to manually logging in and out of mobile applications is the auto timeout used by many banking applications.

While it is easy to say “be careful about the applications you install on your mobile devices”, sometimes it is not so easy to detect an application with malicious intent until after it is installed and doing damage. For example, it is possible to install an application that only becomes malicious upon the nth time it is opened. What are some educated ways for users to identify malicious applications prior to installation? If some malicious applications are not identifiable, what is the best way to discover their malicious activities?

Bibliography

[1] E. Chickowski, “10 Best Practices for Mobile Device Security,” Baseline, 2009.
[2] E. Chickowski, “10 Mobile Security Best Practices,” Baseline, 2009.
[3] “Mobile Security Software Review,” TopTenReviews, 2013.

Trusting software December 1, 2013

Posted by brltkd in Security.

Trust is the belief that someone or something is reliable, good, and honest [1]. We all have people in our lives that we trust; people like our family, friends, and coworkers. Additionally we have trust in things like your car starting or the elevator stopping at the correct floor. With the pervasiveness of computers in society, people have also placed a lot of trust in the software they run. However, many people do not know how most software is written, or where and how the information is stored, yet they trust it with sensitive personal and financial information. Why do people trust software?

Computer software is nothing more than a set of rules and conditions that control and execute a set of operations in a computer. It is written by people and it is only as trustworthy as the people that wrote the software. In the majority of cases, this is not an issue. Many software developers are members of the Association for Computing Machinery (ACM) and follow their code of ethics and professional conduct. Some of the major points of this code are to be honest, respect the privacy of others, avoid harm to others, and to contribute to society [2]. While these are requirements for members of ACM, they are not unique to the computing industry. These are general tenets that the majority of people follow in their daily lives, regardless of their occupation or social standing. So, in general, people tend to have trust in something unless it violates one of those precepts.

The reputation of a company relies on the quality of the product it produces. If they are not producing a quality product, consumers will find a replacement and that company’s reputation will suffer. While this has always applied to businesses in the real world, it is exacerbated on the Internet. Jeff Bezos, CEO of Amazon, has stated that “if you make customers unhappy in the real world, they might tell 6 friends. If you make customers unhappy on the Internet, they can each tell 6,000 friends.” [3] The ability to spread customer experiences in this magnitude gives most online and computing businesses a great incentive to ensure their software is reliable, which builds trust among their customer base.

Yet, online it is easy for someone to misrepresent themselves, and design websites or send emails that exploit the trust that a company has established. It is in the interest of both consumers and businesses to aggressively target individuals perpetrating these schemes. Businesses often put measures in place to reduce the risk of someone misrepresenting them. This may include technological options such as using encrypted communication and registering with third party organizations like the Better Business Bureau. Consumers need to be proactive to ensure they are communicating with the actual business they intended. This may involve validating the businesses membership and standing with a third party organization or simply calling the phone number listed on their website and talking to someone.

Engaging in business and communicating with people online is no different that performing these actions in person. You need to be aware of the true identity of the other party. This is often more difficult online because you lose the face to face interaction. However, there are resources available to that can help establish that trust which is the foundation of any relationship. Make sure to use them.

[1] Merriam-Webster, “Trust,” 2013. [Online]. Available: http://www.merriam-webster.com/dictionary/trust.

[2] Association for Computing Machinery, “ACM Code of Ethics and Professional Conduct,” 16 October 1992. [Online]. Available: http://www.acm.org/about/code-of-ethics.

[3] C. Voss, “Lessons in Customer Service for Tech Startups and Empire Avenue Fail,” Chris Voss Show, 2011. [Online]. Available: http://thechrisvossshow.com/lessons-in-customer-service-for-tech-startups-and-empires-avenue/.

[4] K. Thompson, “Reflections on trusting trust,” Communications of the ACM, vol. 27, no. 8, pp. 761-763, August 1984.

[5] Microsoft, “When to trust a website,” Microsoft, 2013. [Online]. Available: http://windows.microsoft.com/en-us/windows7/when-to-trust-a-website-ie9.

Security Concerns December 1, 2013

Posted by markwhylie in Security.

Throughout the system development process, it is important for security concerns to be an integral step. I can reflect back on a summer job that I held a few years ago installing various networked computer systems in public libraries and school libraries. Our company was contracted to essentially remove old deprecated computers and networking devices and upgrade to newer hardware. I can reflect on a particular job where we were asked to introduce a wireless network which would allow for guests to access the library’s internal catalog. The library’s IT department selected some wireless hardware strictly with cost in mind and completely neglected the importance of maintaining the same level of security as it existed before introducing wireless. In short, what ended up occurring was that the wireless hardware lacked support for any secured wireless protocol and it allowed unauthorized personnel into the internal library network where anyone could modify catalog entries, access billing information etc.  If these security concerns were considered throughout the system development process, then we may have been able to mitigate some of these concerns.

Computer System Requirements to Address Security November 30, 2013

Posted by 7832johnsob in Security.

The article Why Cryptosystems Fail [1] discusses the failed application of cryptosystems in several commercial areas including banking ATMs. While the overall software gave the impression of security based on seemingly complex mechanisms, often times these systems could be cracked using prior knowledge, keen observation, and a little bit of logic. The author states “Indeed, there is a sense in which there are no ‘secure’ systems at all; there are merely computer systems whose goals include beating foreign armies, preventing fraud, or winning lawsuits. If these goals are not made explicit, they are unlikely to be achieved” [1]. With this quote, the author is suggesting that the failure of these systems was due to a lack of understanding of security threats to the system being built and the lack of clarity of overall security as a requirement.

In order to understand all security threats to a system, an FMEA mechanism can be used to identify and prioritize risks to a system. Not only will this analysis help engineers brainstorm the possible risks, but prioritizing them will show which risks are the most important to prevent. This would help when deciding which security requirements are critical for the system. After this analysis has been completed, system requirements can be created to explicitly address the potential security risks. Since security would be included in the acceptance criteria for development of the system, the development team will be able to give full focus to the requirement because security importance has been directly integrated into the development process. Integrating security into the requirements of a system is vital from a security standpoint because it provides a clear and direct system need which can then be properly addressed during development.

When writing security requirements for a computer system with many possible security risks, is it feasible to attempt to address all of them? What elements must the prioritization in the FMEA use to identify which risks are high and which are low?

Bibliography

[1] R. J. Anderson, “Why Cryptosystems Fail,” Communications of the ACM, 1994.

Security Concerns November 25, 2013

Posted by lorenmurphy2 in Security.

Security concerns should be an integral part of the system development process. In the article “Why Cryptosystems Fail,” Anderson discusses the common failures of computer security systems and how computer failures differ publicly from other industry failures such as airline crashes. Growing up, adults often teach children that the best way to learn is from their mistakes. This ideology continues when we are adults and has been adopted by many companies and schools oftentimes via case studies. In the article, Anderson highlights that various industries, such as airlines, also follow this philosophy when a plane crashes. This is because an investigation takes place and includes various functions/departments (manufacturer, pilots, suppliers etc.) in order to get their understanding of what went wrong. However, when it comes to computer security system failures, no such investigation takes place, which results in companies being unable to learn from their mistakes to prevent history from repeating. The consequences of this have been seen for years and even date back to WWII when Norway fell because its codes had the same loopholes as the Germans’ code in the previous war. As a result, the Germans were able to crack the code using the same techniques that had been used against them.

If security concerns were shared during the development process, systems would be more secure because experts would have a clear understanding about what issues need to be solved. In the article, Anderson discussed that the main cause of security system failures was due to implementation. Since computer security managers do not have specialized knowledge about security integration and management, the validation process for these security systems is not adequate and results in failures. Instead of ensuring that the correct parts of the system are protected, the managers rely on 3rd party vendors to tell them what software to buy and how to validate the system. In a survey, the US Air Force and National Security Agency both admitted that their main security issue was poor implementation. If these two departments communicated with each other and shared their security concerns when it comes to implementation, both of them could work on a combined solution to correct the issue. The benefit of having a collaborative solution was seen in 1993 when three papers were published by independent authors that proposed a robust solution. Separately, the papers’ solutions were not effective; however, when the ideas were combined it created a viable solution for simple protocols.

There is no perfect computer system because each of them is built in order to fulfill a specific purpose. However, by knowing the purpose of the system, security concerns directly related to that issue can be addressed and inputs from other areas can be given and/or received because everyone has a clear understanding of the end goal. This idea was stated at the end of the article when Anderson states, “Indeed there is a sense in which there are no “secure” systems at all; there are merely computer systems whose goals include beating foreign armies, preventing fraud, or winning lawsuits. If these goals are not made explicit, they are unlikely to be achieved.”

References

[1] Why cryptosystems fail, by Ross J. Anderson, November 1994, Communications of the ACM, Volume 37, Issue 11.

Using security standards November 24, 2013

Posted by Jiaqi Wu in Security.

The reason why most cryptosystems fail is because of people and not the technology. In my industry experience and watching the news, all of the largest vulnerabilities are a result of somebody not securing a system and not because of a fault in the technology they chose. One of the largest examples I have seen is in one of the enterprise software platforms I have been a part of developing.

Enterprise applications in every business have numerous components which require similar functionality because they belong to the same company. By creating common platforms, a large business can speed up application development significantly through component and service reuse. Of course there are many subjects inside of the platform, such as security, in which applications developers lack expertise. It is therefore the responsibility of the platform team to abstract these concepts to a simpler interface such that applications developers do not have to worry about them. However it is one thing to provide the services in the platform and another to ensure that the applications developers are using the services.

In security there is a set of standards for securing web applications. The enterprise application platform example I mentioned above has integrated several of these and abstracted them to make them easier for a developer to use. They include several key layers:

  • HTTPS capability is provided to secure network transfer of data
  • SAML token based authentication for identity verification
  • XACML based authorization to determine role based access to resources
  • Interfaces to commonly used identity stores such as Apache DS and WSO2 identity server

Although these components are all provided at the platform level, it is not necessarily mandatory to use them. They are also inherently complex subjects and therefore knowledge of these subjects is limited to only the more senior developers. As a result many solutions that are developed using this platform did not implement security correctly, which could result in numerous vulnerabilities. For example there are always cases where a basic database such as MySQL or Oracle was used as an identity store instead of a proper server such as an LDAP server. This results in the application logic gaining access to credentials because these databases do not have the ability to verify credentials internally. Other cases include not using token based authentication and instead validating authentication only once through client side logic. This kind of mistake can allow anybody to access system resources without verifying access.

Even outside of my case, there are other cases where vulnerabilities occur because of programmer mistakes. Sony’s Playstation Network was compromised several years back because of simple SQL injection vulnerabilities, something that most web application platforms protect against [1].

All of these vulnerabilities have a fundamental root cause: The applications developer was given a choice. In the enterprise application platform example, developers are provided with the capability to use the security available, but can choose to not use it. In the Sony example, web developers are given the tools to prevent SQL injection but did not use them. As a vast generalization, most engineers prefer to have choice in the way they implement something. However often times these choices can be made without having comprehensive education of the options available. At the platform level, removing choice to enforce practices could be a more valuable approach to platform engineering. This could make security integral to a system instead of just existing as a set of tools available to developers. We are seeing trends of this coming such as the HTTP 2.0 standard where HTTPS will be mandatory [2]. This will completely eliminate many of the mistakes that developers make in securing their login screens.

Platform level mandated security can make security a much more integral part of a system. It is similar conceptually to using autopilot on commercial airplanes. As a result of autopilot technology, commercial airline accidents have been reduced to nearly zero. This operates on the concept of removing choice from people thereby removing the possibility of mistakes. Our software platforms need to operate the same way. If there is a standard in a particular domain, the platform should enforce the standard, not just provide the capability. It will always require more transitional time but in the end solutions will be more secure.

 

[1] Anthony, Sebastian. “How the PlayStation Network was Hacked”. ExtremeTech. April 27, 2011. Accessed on Nov. 24, 2013. http://www.extremetech.com/gaming/84218-how-the-playstation-network-was-hacked

[2] Chacos, Brad. “Next-gen HTTP 2.0 protocol will require HTTPS encryption (most of the time)”. PCWorld. Nov 13, 2013. Accessed on Nov 24. 2013. http://www.pcworld.com/article/2061189/next-gen-http-2-0-protocol-will-require-https-encryption-most-of-the-time-.html

Integrating Security into System Development November 23, 2013

Posted by cgreigmu06 in Security.

When developing a new system, security should be one of the main concerns throughout the life of the design.  Systems succeed and fail on how security is implemented.  Systems that are designed with security in mind will have a higher chance of succeeding than systems that ignore this step in the design process.  The more thought that is put into security for a system, the more helpful and useful the design will be.  The following points should be taken into account when designing security into your new system design [1].

  • Planning early will not only save you time but most importantly money.
  • Having security already built in will make it easier to upgrade to new regulations.
  • Laws need to be taken into consideration (Computer Security Act of 1987) when designing.
  • A sound plan will make implementing security helpful in the overall design.
  • A system without security will be vulnerable to unwanted threats.
  • Protecting your system is vital to the overall success of the system.

Overall, without some type of security integrated into your system the system will be at a competitive disadvantage against the competition.  Security should not be a step that is taken lightly.  The data that a system holds is very important not only to the user, but also the company’s bottom line.  A design flaw of the actual system, though bad, is not as critical as a design flaw in the security of a system [2].  The data in the system should be protected as safely and correctly as possible.  Bad PR due to leaking of private data will have a much greater impact on a system than an incorrect system feature.  Security is a key aspect of a system’s design life cycle.

References

[1] Guttman, Barbara and Edward Roback, “Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook”, NIST, Chapter 8, available online at:  http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter8.html

[2] “IBM Security: Intelligence, Integration, Expertise”, IBM Software, June 2012, available online at:  http://public.dhe.ibm.com/software/in/events/softwareuniverse/resources/IBM_Security_Intelligence_Integration_Expertise.pdf

Making Security an Explicit Goal November 22, 2013

Posted by patrickcallan2013 in Security.

Ross Anderson’s article, “Why Cryptosystems Fail”, discusses multiple points at which computer system security can fail. [1] The article reveals the complex interactions of people, processes and technology that if not dealt with properly will compromise system security. The author provides examples demonstrating security extends beyond implementing only technology to address the problem. The people aspect was demonstrated in the author’s example of a bank publishing a widely distributed “branch operations manual” containing a test ATM transaction key sequence that causes ATMs to dispense 10 bank notes and a bank employee providing a customer with an ATM card PIN without requiring personal identification documents. [p. 35 in [1]] Process problems were shown by an example in which a bank did not have procedures implemented to use registered mail for secure delivery of ATM cards. [1] Technology related security problems can arise when staff lack security knowledge to implement complex technology; “Given most managers and staff cannot be assumed to have any specialized knowledge at all, security products should only be certified if they are simple enough for ordinary technical staff use.” [ p. 37 in [1]] Security requires coordination in all areas – people, processes and technology. Failing to address all areas often weakens or compromises security as these examples demonstrated.

Many organizations have a false sense of security because technology has been implemented to provide security. Anderson notes “Any security technology can be defeated by gross negligence” and “… trusting technology too much can be dangerous.” [ p. 36 in [1]] Anderson’s research found “… organizational problems of building and managing secure systems are so severe that they will frustrate any purely technical solution.” [ p. 36 in [1]] Technology alone will not establish security. There are many ways to compromise system security so efforts should be focused upon implementing an overall security strategy that includes careful evaluation of people, processes and technology.

A central point Anderson stressed was explicit consideration of security goals as part of the system design and software engineering processes. If security is not explicitly considered, it is unrealistic to expect the finished system or software to achieve that goal. Anderson identifies this problem stating “…there is a sense in which there are no ‘secure’ systems at all; there are merely computer systems whose goals include beating foreign armies, preventing fraud, or winning lawsuits. If these goals are not made explicit, they are unlikely to be achieved.” [ p. 40 in [1]] Security should be an explicit and routine part of any process, system development or software engineering project to ensure the resulting process, system or software does not compromise the organization’s security. Maintaining security is difficult with multiple factors capable of undermining the goal. Consequently, the security implications of the people, process and technology facets of information systems should be proactively considered when systems or software are being designed and implemented rather than reacting to security problems after the fact.

source
[1] Anderson, Ross J.. “Why Cryptosystems Fail”. Communications of the ACM Volume 37 Number 11. November 1994.

System Development and Security Concerns November 22, 2013

Posted by Marybeth in Security.

The system development process is an evolution of steps performed for a given purpose. It includes a set of actions performed to develop, maintain, and distribute a secure software system. Security should be an integral part of this process because of the consequences which could occur if security is not taken into account. The system will benefit from the use of stronger security because it reduces the probability and/or impact of breaches in security. Decisions relating to system boundaries, interfaces, and architecture are often made early in the development process. These decisions must include an assessment of the security risks, threats and vulnerabilities because the aftermath of these decisions will have a significant effect on the system’s security. Integrating security into the development process will be much easier than trying to add security after the development process is completed.

Stop the Spread of Worms November 21, 2013

Posted by Jiaqi Wu in Security.

In the computing world, malicious software is prevalent. This is only the case because there are people who prey upon weaknesses in a vast system. Unfortunately as technology complexity increases, vulnerability will also increase. It is up to system implementers to reduce possible vulnerabilities in order to maintain the security of a system.

A worm is defined as a self executing and propagating piece of malicious software. It is different from a virus in that it does not need a host program to be activated. It is designed to take advantage of vulnerabilities in a system just like all malicious attacks. There are numerous ways to reduce vulnerabilities however. The unfortunate part is that many engineers and developers are aware of the techniques but often fail to use them. In the article “The Internet Worm Program: An Analysis” several vulnerabilities are described.

Insecure C library routines:

The C standard library has numerous routines which are exploitable. Many of the array copying routines for example are inherently dangerous as they do not perform bounds checking. strcat and strcpy are examples of this. When these routines are used, a malicious program can copy binary from one array into another array that is too small. This causes stack overflow which results in potential malicious code being executed. The alternative is to use the safe versions of these routines, strncat and strncpy.

Common User ID for Services

In some servers a common user ID owns all the services. This results in an exploitation of one service gaining access to all services on a system. UNIX based systems can provide each service with an individual user such that a service only has access to itself and its own resources.

Password Storage

The system in the article stored encrypted passwords in a publicly readable file. A worm was able to obtain the password by encrypting password attempts and comparing them with the plain text file. The mistake here is making this file publicly readable. Once the password list is loaded into the program, it can execute brute force attacks very quickly. Shadow password files are the solution to this. These files are only readable by system administrators and enforce a time delay between subsequent reads. This makes brute force attacks unreasonable because of the amount of time it would take to complete.

There are numerous ways to protect against worms and every effort counts. Malicious software always takes advantage of the minute details that engineers miss. In every complex system, most of the vulnerabilities are covered up but a few always slip through the cracks. This is the importance of ensuring that the software at the platform level is secure. Software is only as secure as its weakest link.

 

[1] Eugene H. Spafford. 1989. The internet worm program: an analysis. SIGCOMM Comput. Commun. Rev. 19, 1 (January 1989), 17-57. DOI=10.1145/66093.66095 http://doi.acm.org/10.1145/66093.66095
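As an added example for the "Insecure C library routines" section of the post above (not code from the post or from Spafford's paper): strncpy and strncat bound the copy, but strncpy leaves the destination unterminated when the source fills it, and strncat's third argument is the room left rather than the buffer size. The helper names copy_bounded and append_bounded are hypothetical, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if strncpy() left an 8-byte destination without a NUL.
 * strncpy(dst, src, n) writes exactly n bytes; when strlen(src) >= n
 * none of those bytes is the terminator, so a later strlen(dst) or
 * printf("%s", dst) would read past the end of the array. */
int strncpy_leaves_unterminated(const char *src)
{
    char dst[8];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Copy src into dst (capacity dst_size bytes, terminator included).
 * dst is always NUL-terminated. Returns 0 if src fit, -1 if it was
 * truncated or the arguments were unusable. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;                      /* caller must treat as an error */
    }
    memcpy(dst, src, n + 1);            /* includes the terminator */
    return 0;
}

/* Append src to the string already held in dst (capacity dst_size).
 * Returns 0 if everything fit, -1 on truncation or bad arguments. */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;                      /* dst is not a valid string */
    size_t used = (size_t)(end - dst);
    size_t room = dst_size - used - 1;  /* bytes left, excluding the NUL */
    /* strncat's bound is the number of characters to append, not the
     * size of dst; it always writes a terminator after them. */
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}

int main(void)
{
    char buf[8];
    const char *too_long = "0123456789";        /* constructed input */

    printf("strncpy unterminated: %d\n",
           strncpy_leaves_unterminated(too_long));
    printf("copy_bounded -> %d, \"%s\"\n",
           copy_bounded(buf, sizeof buf, too_long), buf);

    copy_bounded(buf, sizeof buf, "ab");
    printf("append_bounded -> %d, \"%s\"\n",
           append_bounded(buf, sizeof buf, "cdefghij"), buf);
    return 0;
}
```

Returning a truncation status matters because a silently shortened path, user name or command can be a security problem in its own right.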

Security in the Development Process November 21, 2013

Posted by karlkaluzny in Security.

I think that most people can agree that in this day and age, security is becoming more and more important with respect to software development.  If we assume that this is true, the question then becomes how can and should security be implemented into the system development process today.

The overall best way to include security into system design is to integrate it into the business culture.  A business culture is “…the values and practices shared by the members of the group…” or “…the shared values and practices of the company’s employees.” [1]  Security should be one of the shared values and practices that is shared by the employees of a company.  By doing this, it should always be on the back of the mind of each employee.  This should in turn reduce the blunders made by employees (i.e. being careless with security activities) which typically lead to security breaches.  I think that having a culture focused on security along with innovation is the best combination.  This has the greatest potential to lead to innovative new ideas for promoting security.  Additionally, if security is part of the business culture, then there is a much better chance that security activities will be integrated into software development activities.

I have limited experience with security in my job.  The article titled “Why Cryptosystems Fail” by Ross J. Anderson [2] highlights an important distinction between having a centralized security team or not.  The company at which I work does not have a centralized security team.  Security is a small part of the culture as well.  Security is mostly addressed; however, as part of the development process.  There is always a set of specific security requirements which follows the same process as any other functional requirement.  The problem with this approach to security is that it is handled by software developers who either don’t enjoy security tasks, or aren’t skilled in carrying out security tasks, or both.  For this reason I think that it would be beneficial to have a centralized security team.  However, the downside to this would be that there is yet another team within the organization that has a role in the development process and will necessarily add more overhead to the project development time.

References

[1] Reh, F. John, Company Culture: What it is and how to Change it. http://management.about.com/cs/generalmanagement/a/companyculture.htm

[2] Anderson, Ross J.  Why Cryptosystems Fail, November 1994, Communications of the ACM, Volume 37, Issue 11.

Worms November 20, 2013

Posted by farchie82 in Security.

In the case of the infamous worm of 1998, the internet world, and the public eye were all taken by storm by what was later found out to be mediocre code.  On November 2, 1998, the internet was infected with a worm program, which was malicious in its efforts.  “There were many bugs and mistakes in the code that would not be made by a careful, competent programmer.” [1] (p.21) However, the fact that the code had many errors was not a factor in the damage that it did cause, and because of the virus’ success, there is much wisdom users should extract from the event so that the spread of a possible future worm can be prevented.

There are two key things that users could do to help combat future worm attacks, with the first being a better plan in place for emergencies.  When the attack of 1998 happened, it took quite a while to spread the word, so “…we need a better mechanism in place to coordinate information about security flaws and attacks [and] we need to develop better information methods outside the network before the next crisis.” [1] (p.27) The second thing that could help in preventing future worm outbreaks is publishing malicious code.  Making such information publicly available could help computer programmers and software engineers develop a greater defense when they are creating programs and software.  “It is vital that we educate system administrators and make bug fixes available to them in some way that does not compromise their security.” [1] (p.27-28)

Both of these things will help, if consistently and thoroughly practiced, to combat worm attacks.  It’s better to be prepared in case such an event should happen in the future because being able to access the internet nowadays is vital.

[1] Spafford, Eugene H., “The Internet Worm Program: An Analysis” (1988). Computer Science Technical Reports. Paper 702. http://docs.lib.purdue.edu/cstech/702

Protection Against Worms November 18, 2013

Posted by lorenmurphy2 in Security.

In the article “The Internet Worm Program: An Analysis,” Spafford discusses the internet worm of 1988 which infected thousands of machines and caused Internet activities and connectivity to slow down for many days. Unlike a virus, a worm is a program that can run by itself and does not need to be activated by a “host” program. There are numerous ways that users can help stop the spread of worms. One way is by checking the source code of their finger program to ensure that the daemon’s input buffer does not have an overflow. This overflow can be caused by the gets function because it does not perform any bounds checking. To correct this problem, users should add boundary conditions to any get function or other function which does not have boundary checks.

Another way users can protect themselves from worms is by changing the user id and/or password for a system’s configuration and command file. Instead of having the same user id for all system services, make each service have a different id. That way, if the worm gains access to one service, it will not automatically have the information for another service. In addition, if a service requires a password, do not list each user’s encrypted password in one publicly readable file. This will prevent the worm from decoding the passwords by trying different combinations of letters and numbers. To solve this issue, have a shadow password file which is only accessible by the system’s administrator. Also, a user’s password should not be easy to guess but instead have a medium or high strength.

A last resort to stopping or slowing down the spread of a worm is to disconnect highly connected users from the system. This quarantine approach was performed during the 1988 attack on the Internet. However, this approach can be harmful because it prevents the disconnected users from having access to a solution to the worm. This was seen during the internet attack when researchers were trying to communicate their findings on how to stop the worm to users but were unsuccessful because many were disconnected.

References:

Spafford, Eugene. “The Internet Worm Program: An Analysis.” Purdue Technical Report. 1988
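The bounds check the post above asks for on the finger daemon's input, as an added example (not code from the post or from Spafford's report): a request reader built on fgets, which takes the buffer size that gets never received, and which rejects an over-long line instead of acting on a truncated one. REQ_MAX, the function names and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 64   /* hypothetical request buffer size */

enum read_status { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_EOF = 2, REQ_ERROR = 3 };

/* Read one request line from in into buf (capacity size bytes).
 * Trailing "\n" or "\r\n" is stripped. A line that does not fit is
 * consumed up to its newline and discarded, buf is emptied, and
 * REQ_TOO_LONG is returned, so the next call starts on the next line. */
enum read_status read_request(FILE *in, char *buf, size_t size)
{
    if (in == NULL || buf == NULL || size < 2)
        return REQ_ERROR;
    if (fgets(buf, (int)size, in) == NULL) {   /* never writes past size */
        buf[0] = '\0';
        return REQ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        if (len > 0 && buf[len - 1] == '\r')
            buf[--len] = '\0';
        return REQ_OK;
    }
    /* No newline in buf: the line ended at EOF, fit exactly, or is
     * longer than the buffer. Look at the next byte to tell which. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return REQ_OK;
    while (c != '\n' && c != EOF)              /* drain the rest */
        c = fgetc(in);
    buf[0] = '\0';
    return REQ_TOO_LONG;
}

/* Put constructed sample data in a temporary stream so the reader can
 * be exercised without a network connection. */
FILE *sample_stream(const char *data)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(data, f);
    rewind(f);
    return f;
}

int main(void)
{
    /* Constructed input: a normal request, a 200-byte line, another
     * normal request. */
    char data[256] = "alice\r\n";
    size_t n = strlen(data);
    memset(data + n, 'A', 200);
    memcpy(data + n + 200, "\nbob\n", 6);

    FILE *in = sample_stream(data);
    if (in == NULL)
        return 1;

    char line[REQ_MAX];
    enum read_status st;
    while ((st = read_request(in, line, sizeof line)) != REQ_EOF) {
        if (st == REQ_TOO_LONG)
            puts("rejected: request exceeds buffer");
        else if (st == REQ_OK)
            printf("request: \"%s\"\n", line);
        else
            break;
    }
    fclose(in);
    return 0;
}
```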

A Culture of Poor Cryptography November 16, 2013

Posted by louloizides in Security.

I’m taking a trip to over Thanksgiving. So just before reading “Why Cryptosystems Fail” by Anderson [1] I moved some money into a rarely used online checking account to have a backup while traveling. Truthfully, I’ve never trusted any bank completely with my savings. I spread it between multiple banks as a result. But it was very unnerving having just logged into my bank and then reading about how much complacency banks have had when implementing poor, broken cryptographic systems.

Anderson lives in Europe and describes many European banks in his article. But Europe learned its lesson the hard way. ATM fraud in Europe has been far more common than ATM fraud in the US, and as a result banks have improved ATM security through the use of smart cards [2]. Many of the ATMs I’ll find in my trip (I’m traveling to Europe) won’t even accept my outdated magnetic stripe card. On a smart card the chip on the card can contain more advanced measures to protect against cloning and cryptography attacks than a magnetic stripe can.

Smart card technology has been around for decades now [3], so why hasn’t the US caught onto this? Until the amount of ATM fraud in the US is high enough, very few banks will be willing to replace their ATMs and improve their systems – it makes more sense to just take the economic hit. This exposes a fundamental problem. In a capitalist society like the US we’d assume that this could potentially change if consumers decide they want their money in more secure financial institutions, providing a motivation for businesses to improve. But in the case of broken cryptographic systems almost all consumers have no idea of the risk. And they won’t understand the risk until something actually happens.

In contrast, I work for an FDA regulated medical imaging device company. And while the FDA regulation can be a pain to deal with, I’d rather go to a hospital knowing that a doctor won’t schedule me for unnecessary surgery because the image showed a false artifact. But I understand this risk and the need for regulation – most people don’t. So in these cases someone who does understand the risk needs to step in and set rules. I have to wonder if cryptographic systems such as ones in banking, therefore, need to be subject to similar regulations. At the least can we subject financial institutions to a fine if their systems are broken so that an economic motivation exists to improve them?

I would love to write a blog post suggesting things like having experts come in and audit a system, or hiring white hat hackers to try and break it. But unless either an economic or regulatory motivation exists to change the broken cultural mentality of implementing bad systems I don’t see why any of those other suggestions would ever be followed.

——

On a side note, Anderson’s personal homepage [http://www.cl.cam.ac.uk/~rja14/] contains links to most of his papers. Some of them are extremely interesting, particularly his paper on stealing smart phone PIN numbers. And he’s now finding significant vulnerabilities with smart chips as well.

1. Anderson, Ross, “Why Cryptosystems Fail”, Nov 1994, Communications of the ACM, http://www.cl.cam.ac.uk/~rja14/Papers/wcf.pdf, Retrieved on 16 Nov 2013

2. Emspak, Jesse, “Why Your Credit Card Won’t Work In Europe”, Apr 2012, http://news.discovery.com/tech/gear-and-gadgets/smart-card-europe-120406.htm, Retrieved on 16 Nov 2013

3. “Smart Card Tutorial Part 1”, Sept 1992, http://www.smartcard.co.uk/tutorials/sct-itsc.pdf, Retrieved on 16 Nov 2013

Protecting from worms and other malicious code November 14, 2013

Posted by bkrugman in Security.

As with most security issues I think that end user training is one of the best ways to safeguard and help build a level of protection for a company’s infrastructure. This however is not a complete fix, but it can help to add some protection. I am going to go over four ways that I think companies can help to add some additional safeguards to protect them from not only code like a worm, but also to protect them from a variety of different malicious code.

The first way that I think a company can help to safeguard themselves is to enforce strong password procedures.  Requiring things like special characters, numeric values and a capital alpha-numeric value can help to make the passwords more complex and time-consuming to crack.  This will not prevent a password from being compromised, but it will make it require more effort to crack it.  Having companies require these types of passwords does make things a little more difficult for end users, because they need to remember more complex passwords.  In this case the benefits far exceed the costs.

The next two methods that I think can help safeguard an environment work hand in hand. They are to provide the minimum level of access possible to a user on their machine and also to network resources. A normal end user should not need or have system admin access on their machine. By preventing the ability for an end user to execute registry changes and other system administration functions a company can help to add another level of safety to a computer and network. Setting up users with the minimal security access on network files also makes sense, because that way you can ensure that if a file is being modified it is by someone who has access. By doing this a company is also setting up additional security against malicious code like CryptoLocker. If a user only has access to a few files it is easier to restore a few files rather than having to restore an entire file system.

Finally, as a way to make maintaining user security easier for the Information Technology (IT) department, within a corporate structure there should be security groups set up to grant access to network files and even desktops. By managing all of the user profiles within security groups it allows for the IT department to provide tighter security protocol and hopefully secure internal corporate resources.

Overall, there is really no way to ensure that you are 100% secure from malicious code and attack.  However, by implementing some very simple security protocols a company is able to make things more difficult for malicious code like worms or viruses to compromise their systems and cause a lot of problems and potential loss of money.