Tuesday, December 29, 2009

Human factor security issues

Security of our valued information and system assets depends very much on the people that are responsible for handling the assets. Users who are responsible for managing, operating and administering these assets are responsible for their safety, security and survivability. Unfortunately, people are not perfect in handling information assets. Users cause harm to systems accidentally. For instance, omission of data backup may lead to accidental harm, likewise, accidental deletion of files or folders may leave a system unable to load useful system files or operating system files... as a result unable to operate within acceptable standards, acceptable performance, or may fail to start.

Human factor ranges from inadequate care provided to a system from those who are responsible for its protection, to accidental harm caused by those who are not 'directly' involved with its protection. For example, a casual staff (cleaner) who's asked to vacuum clean a network node may accidentally disconnect or damage a network cable.

Accidental harms can come from both expert users of the system and inexperienced users alike. For instance, an experienced network engineer could accidentally plug a network cable to a wrong port or propagate disparate routes to the global routing table causing the performance of the network to deteriorate.

Human factors can be mitigated by having several controls. Most of these controls are administrative and technical. For example, an enterprise should have a change control and advisory board that must assess all changes before they are implemented. This is control to minimise problems caused by people. Again, there should be a supervisor monitoring casual workers when they are working in areas of high technical demands, such as network nodes, cabinets etc.

An enterprise must have laid down policies and operating procedures which must be followed by all personnel in charged with the delivery of its services.

Finally, there are several controls that can be used by an organisation to minimise human factor issues, most of these controls centre around due care.

Friday, November 27, 2009

Security Awareness (SA003-09): File and Folder Encryption

Today, computer users (Home Users and Office Users) face many computer security risks. Most of these risks are intentional, and are caused by intruders and attackers. These attackers can be inside or outside your network. Outside attackers use the Internet as a connective medium to exploit, harm and compromise computer systems through computer viruses, worms, back-door Trojans, and system penetration tools to gather and steal valued and proprietary information assets. However, other risks happen ‘unintentionally’ from legitimate users of the system, such as accidental deletion of an important file or folder; or failure in the protection mechanism/control of the system.

Unfortunately, computer attacks do not only target enterprises or big networks but also target home users. In fact, the number of attacks targeting home users is in the increase. One in 20 home users has had her computer broken-in, or has lost some useful files or received computer viruses. One in 40 home users has had her credit card number compromised by engaging in online transactions.

Unfortunately computer attacks can not be completed stopped. What is feasible is for home user to protect their computer system properly so that the effects from these attacks can be reduced. One way to reducing the adverse effect of a computer incident is be having your hard disk encrypted so that even if an intruder penetrates your computer, your personal and confidential files may not be easily compromised or stolen. Personal and confidential documents such as credit card numbers, bank statements and confidential files must be protected by encrypting them whilst in-store or in-transit.

Benefits of file & folder encryption:
- You will be able to prevent an intruder from viewing files and folders in your computer. This is extremely useful, and especially important should you use shared home PC, where other people have legitimate user access to the same computer.
- File encryption prevents file and folder viewing, and password-protects files and folders and their contents.
- Even when your computer is penetrated, the contents of the files can not be easily understand or stolen.
- Files and folders can not be copied, although they can be moved, but their contents remain unreadable to the intruder.

How to encrypt computer files/folders:

- Use Windows XP Encrypting File System (EFS) - http://support.microsoft.com/kb/307877
- Use free third-party software, such as AxCrypt http://www.axantum.com/axCrypt/
- Use COTS – commercially of-the-shelf software, such as FineCrypt http://www.finecrypt.net/about.html
There are many file and folder encryption software out there. Please check and select the right one for you.

Friday, October 30, 2009

How secure is your home Wi-fi?

It is certainly true that most homes today have at least a wireless broadband connection or two. A broadband connection (wired or wireless) is a form of high-speed network connection that allows users get connected to the Internet. Wireless broadband connection is a broadband connection that does not require the user to plug network cables from her laptop or PC to the access point before it can be connected to the Internet. So that the user can use her laptop, PC or desktop in any apartment without much hassles of moving network cables around the home. The easy of using your desktop or laptop in any room of your convenient without clattered loose cables is beautiful and appealing. But, with this leisure comes a concern.

The concern is how many home Wi-fi's are secure? I want to believe that all home wi-fi's are secure, but unfortunately, most of these connections are not secure. Some of the connections have no security mechanisms, no authentication and no encryption either. There are countless home wi-fi connections that are open, allowing anyone to use the connection. And consequently, allowing home laptops, PCs or desktops to be easily hacked and compromised. Not only would these computers be compromised, the attacker can then use the home wi-fi to step up multiple attack points to invade and penetrate other computers, leaving the liability of any abuse to the home wi-fi owner.

Here are easy things to do to secure you wi-fi connection.
1) Ask your wireless broadband provider to assign a secureID to your connection, and provide you with the password. Once you've logged on for the first time, please change the password to a new password you can remember. Make sure not to write your password on a piece of paper or in a book or folder.
2) Setup your connection not to accept any incoming wireless connection without a password. That is, do not accept insecure communications.
3) Install a personal firewall on your desktop, laptop or PC, and ensure it's properly setup to monitor activities that go on in your computer. Also, the firewall must be configured to inspect your wireless connection. Always check firewall logs to ensure that you're aware of what may be going on behind the scene.
4) Ensure you change your wireless connection password regularly.
5) Ensure you have an intrusion detection system running on your computer or laptop. IDS help to alert you what maybe happening behind the scenes.

Thanks, and hope this will offer some assistance to some home users.

Tuesday, October 13, 2009

IEEE International Conference on Intelligence and Security Informatics (ISI 2010)

IEEE International Conference on Intelligence and Security Informatics (ISI 2010)

May 23-26, 2010
The Fairmont Waterfront Hotel, Vancouver, B.C., Canada

WEB: http://conferences.irmacs.sfu.ca/isi2010/
THEME: Public Safety and Security
HOST: The IRMACS Centre, Simon Fraser University, British Columbia, Canada


Intelligence and Security Informatics (ISI) research is an interdisciplinary research field involving academic researchers in information technologies, computer science, public policy, bioinformatics, medical informatics, and social and behavior studies as well as local, state, and federal law enforcement and intelligence experts, and information technology industry consultants and practitioners to support counterterrorism and homeland security missions of anticipation, interdiction, prevention, preparedness and response to terrorist acts. The annual IEEE International ISI Conference series (http://www.isiconference.org\) was started in 2003, and the first seven meetings were held in Tucson, AZ (twice); Atlanta,
GA; San Diego, CA; New Brunswick, NJ; Taipei, Taiwan; and Dallas, TX. Proceedings of these ISI meetings and workshops have been published by IEEE Press and in the Springer Lecture Notes in Computer Science (LNCS) series.

ISI 2010 will be organized in four main streams focusing on
- Information Sharing and Data/Text Mining,
- Infrastructure Protection and Emergency Responses,
- Terrorism Informatics, and
- Computational Criminology.

For detailed information on Topics, see the ISI 2010 website at
http://conferences.irmacs.sfu.ca/isi2010/. Instructions and template
information can soon be found on the Submissions page.

WORKSHOPS: In conjunction with ISI 2010, the National Center for Border Security and Immigration (BORDERS) at the University of Arizona will hold its Second Annual Workshop on "Challenges and Solutions at the Northern Border - 2010" on May 26. MITACS (Mathematics of Information Technology and Complex Systems) will hold a workshop on "Modeling Complex Adaptive Dynamic Social Systems" on May 23.

HOTEL AND LOCATION: Vancouver is a scenic destination, a dynamic and multicultural city set in a spectacular natural environment where the Coast Mountain range meets the Pacific Ocean. Majestic mountains, sparkling ocean and a cosmopolitan flair make it a perfect meeting and convention destination with exceptional cuisine, first-class hotels and outstanding facilities, consistently rated as one of the top 10
meeting and convention destinations year after year. Special room rates at The Fairmont Waterfront (for a limited number of rooms) will be available for participants of ISI 2010.

Program Co-Chairs:
Donald E. Brown (The Univ. of Virginia, USA)
Ke Wang (Simon Fraser Univ., Canada)
Christopher C. Yang (Drexel Univ., USA)
Daniel Zeng (The Univ. of Arizona & Chinese Academy of Sciences)
Workshop Co-Chairs:
Antonio Badia (Univ. of Louisville, USA)
Elyse Golob, DHS National Center for Border Security and Immigration, The Univ. of Arizona, USA
Jay F. Nunamaker, The Univ. of Arizona, USA
Publicity Co-Chairs
Bhavani Thuraisingham (The Univ. of Texas at Dallas, USA)
Sharad Mehrotra (The Univ. of California at Irvine, USA)
Finance and Registration Co-Chairs
Pam, Borghardt (The IRMACS Centre, Simon Fraser Univ., Canada)
Catherine Larson (The Univ. of Arizona, USA)

General Co-Chairs:
Patricia L. Brantingham (Simon Fraser Univ., Canada)
Hsinchun Chen (The Univ. of Arizona, USA)
Uwe Glässer (Simon Fraser Univ., Canada)

IMPORTANT DATES: The paper submission due date for the main ISI 2010
event is January 29, 2010. Notification of acceptance: March 12, 2010;
Camera ready copy due: March 30, 2010. The due date for Tutorial/
Workshop proposals is Feb. 10, 2010.

PAPER SUBMISSION: Submission file formats are PDF and Microsoft
Word. Required Word/LaTeX templates (IEEE two-column format) can be
found at the conference Web site. Long (6,000 words, 6 pages max.) and
short (3000 words, 3 pages max.) papers in English must be submitted
electronically via the conference Web site. The accepted papers from
ISI 2010 and its affiliated workshops will be published by the IEEE
Press in a formal Proceedings. IEEE ISI Proceedings are EI-indexed.

Authors who wish to present a poster and/or demo may submit a 1-page
extended abstract, which, if selected, will appear in
Proceedings. Proposals for tutorials and special-topic workshops in
any areas of Intelligence and Security Informatics research and
practice are welcome. Such events will be an integral part of the
ISI-2010 conference program. Proposals in PDF or Microsoft Word not
exceeding 3 pages should be emailed to the conference organizing
committee at zeng@email.arizona.edu by February 10, 2010 and contain
the following information.
- Title of tutorial/workshop
- Preferred duration
- Information about instructor(s)/organizer(s)
- Objectives to be achieved
- Scope of topics to be covered
- Target audience and evidence of interest (for tutorials)
- Target audience and the list of potential presenters/contributors (for workshops)

PROGRAM COMMITTEE

Wednesday, October 07, 2009

Using email to send sensitive information

Electronic mail (email) is the use of an application such (MS Outlook, MS Mail, Eudora, etc) to send online mail. Email is very fast and can be used to communicate to people far and wide. Hence, email has become an essential part of our everyday communications life.

We use email to send and share sensitive documents, photos, contracts, bank details, user credentials etc. Some of these documents may already be in the public domain, such as photos, which we may already have in some social networking site that are shared with friends and family. Unfortunately, some of the other documents we send via email may be sensitive, contractual or of competitive value. For example, marketing information that is still of competitive value, contracts that have been signed or accepted, bank login that can be used to transfer/withdraw funds from an account. It is pertinent to note that when any of this information gets to the wrong hands, our valued assets can be compromised leading to stealing of funds, marketing information or business contracts. Therefore, it is important that we protect our email communications, or the content of the email we send, as at when necessary.

Recommendations:
To share/send sensitive information of information or information of competitive value such as bank details, contracts, marketing information etc via email, the email content must be secure. Here are ways to send secure emails:

1) Use secure mail. Secure mail is an email client that uses digital keys for encrypting and signing of the email. For example, PGP (Pretty Good Privacy) is an email client that provides digital signature and encryption. Digital signature helps to proof that you’re the one who sent the email, but it does not protect the content from abuse of misuse. Encryption is used to protect the content of the email, by transforming the content into an unreadable form till when the message arrives to the intended recipient. Another secure email client is S/Mail for secure mail. Some of these secure email applications are not free, but free legitimate versions exist on the web. There is open source PGP available that one can download and install.

2) Use WINZIP. WINZIP is an application used to compress and decompress files/documents, but it also provides security through encryption. It is an improvise way of sharing sensitive information via email. First, you need to winzip the document you intend to send. While zipping the information, you go for the option of encrypt before zipping. This will allow you to use a key to encrypt the document before sending it across. When the recipient receives the email, he/she would require you to share the key with them. So you will need to send them the key either via text/phone call or a second email.

Tips:

1) If you can’t afford secure mail, and don’t want to use Winzip; then form the good habit of sending all sensitive documents in multiple parts emails. For example, send the first part of the document that does not contain the sensitive bits. After few minutes, send another part, and after several minutes send the remaining parts. What you achieve with this technique is reducing the possibility of anyone who intercepts the message to have the whole content intact; except the person who is the intended recipient. Note that this technique is not future-proof, because a motivated attacker may be able to intercept all the messages by continuously monitoring your communication-link until the attacker gets all the messages. But this chance is very remote unless the attacker is an insider who’s able to monitor communications path before they exit your default gateway into the big web.

Caveat: Some email message containing zip files may be trapped by firewalls and may never get to the recipient. Please check that your firewall or your recipient’s firewall does not trap zipped files.

Tuesday, September 22, 2009

Concepts in Numerical Methods now on Amazon!

Concepts in Numerical Methods is now available at most reputable offline and online bookstores including Amazon. Please do get a copy, it's worth a read!

Thursday, July 30, 2009

Concepts in Numerical Methods


I've no date in mind when this book will be in the market, but one thing is certain, it will be published and distributed before end of September 2009. Just a couple of months away ...

If you're in school and pursuing a degree in Mathematics, Physics or Engineering, I strongly recommend getting a copy of this useful resource material. It teaches many concepts in Numerical maths. It uses real-world examples, solved tutorials, algorithms and representational graphs to demonstrate usefulness and applicaation of each topic discussed. There are practice questions for the reader to solve at her study time. It's an excellent resource book for students and relevant to other readers as a refernce manual.