A New Perspective on the Achievement of Psychological Effects from Cyber-Warfare Payloads: The Analogy of Parasitic Manipulation of Host Behaviour
by Mils Hills
Journal of Law and Cyberwarfare, Volume 1, Issue 1, summer 2012 (forthcoming)
This paper represents a thinkpiece exploring early considerations of a new way of understanding and countering decision-making influence effected by Cyber-Warfare payloads (where ‘cyber’ implies the use of any technology between sender / recipient). The approach detailed uses a form of Analogical Research (AR) to extract value from a biological model, in this case the effects that parasites exercise on their hosts. There is a lot to learn from parasites and the response of infected organisms - and the analogy has (as it were) legs.
A Curriculum for Curiosity: What is wrong with Michael Gove's prescription for the ICT curriculum
by Mike Cushman
Adults Learning, 23 (3) pp. 32-33 Spring 2012
A Formally Verified Device Authentication Protocol Using Casper/FDR
by Mahdi Aiash
TrustCom 2012- International Symposium on Advances in Trusted and Secure Information Systems (TSIS)
For communication in Next Generation Networks, highly-developed mobile devices will enable users to store and manage a lot of credentials on their terminals. Furthermore, these terminals will represent and act on behalf of users when accessing different networks and connecting to a wide variety of services. In this situation, it is essential for users to trust their terminals and for all transactions using them to be secure. This paper analyses a number of the Authentication and Key Agreement protocols between the users and mobile terminals, then proposes a novel device authentication protocol. The proposed protocol is analysed and verified using a formal methods approach based on the Casper/FDR compiler.
Security Requirements in Judicial Information Systems: Experience from a European Project for Judicial Cross-Border Collaboration
Special Issue on Information Assurance and Data Security, Journal of Information Assurance and Security (JIAS) 4(6)
The increased Internet penetration and the demand for more transparent, efficient, effective, and less bureaucratic services are the main motivation behind the European Commission's (EC) commitment to the modernization of governments and their transition from paper-based to electronic solutions. One of the most sensitive aspects every government should consider in the context of such a modernization is the field of Justice. Although most of the current procedures are highly inefficient, they are proven to work and there is a very high risk involved in tampering with these or the data they deal with. This paper identifies the most common security objectives being set in ICT enabled solutions for judicial environments as found in several ongoing and finished projects co-funded by the European Union (EU).
A View on the Role of Information Security on ICT-enabled Judicial Systems
Proceedings of the 1st International Conference on ICT Solutions for Justice (ICT4Justice '08)
The increased Internet penetration and the demand for more transparent, efficient, effective and less bureaucratic services are only a few of the reasons that led the European Commission (EC) to commit to a modernisation of governments and their transition from paper-based to electronic solutions. One of the most sensitive aspects every government should consider in the context of such a modernisation is the field of Justice. Although most of the procedures are highly inefficient, they are proven to work and there is a very high risk involved in tampering with these or the data they deal with. The most prominent issue is guaranteeing that any information flowing within judicial electronic systems is treated securely. This paper identifies the most common security objectives being set in ICT enabled solutions for judicial environments, as found in several on-going and finished projects co-funded by the European Union (EU). These objectives are discussed within the context of Justice and the state-of-the-art of Information Security is presented as possible solutions. Finally, a number of security initiatives and organizations which try to standardise solutions and approaches to common challenges are discussed.
A New Approach to International Judicial Cooperation through Secure ICT Platforms
Proceedings of the 1st International Conference on ICT Solutions for Justice (ICT4Justice '08)
Cooperation between judicial systems is a key element for sustainable development and one of the key priorities for the EU. Due to the rise in cross-border crime, the EU is working on the development of judicial cooperation between Member States. The increase of illegal immigration, trafficking of drugs, weapons and human beings, and the advent of terrorism have made stronger judicial collaboration between States necessary. Judicial cooperation includes mutual recognition of judicial decisions, cooperation in the investigation phase, and approximation of the penal legislation of the involved states. During investigations an exchange of information on criminal offenses and administrative infringements takes place between judges and investigators belonging to different countries, currently based mostly on paper. The paper presents an overview of judicial cooperation in cross-border investigations, describing how ICT infrastructures and computer supported cooperative work (CSCW), coupled with security technologies, can support the judicial cooperation of magistrates’ activities during cross-border investigations on criminal matters in a process that is still paper based.
From desktop to mobile: Examining the security experience
with Steve Furnell and Nathan Clarke, Computers & Security, 2009, pp. 130 - 137
The use of mobile devices is becoming more commonplace, with data regularly able to make the transition from desktop systems to pocket and handheld devices such as smartphones and PDAs. However, although these devices may consequently contain or manipulate the same data, their security capabilities are not as mature as those offered in fully-fledged desktop operating systems. This paper explores the availability of security mechanisms from the perspective of a user who is security-aware in the desktop environment and wishes to consider utilising similar protection in a mobile context. Key issues of concern are whether analogous functionality can be found, and if so, whether it is offered in a manner that parallels the desktop experience (i.e. to ensure understanding and usability). The discussion is supported by an examination of the Windows XP and Windows Mobile environments, with specific consideration given to the facilities available for user authentication, secure connectivity, and content protection on the devices. It is concluded that although security aspects receive some attention, the provided means generally suffer from usability issues or limitations that would prevent a user from achieving the same level of protection that they might enjoy in the desktop environment.
Separation of Duty Administration
with S Perelson and JHP Eloff, in SACJ, 27, 2000, pp. 64 - 69
Access control administration is a huge task. Administration tools should assist the administrator in ensuring that the access control requirements are met. One example of an access control requirement is Separation of Duty (SoD). SoD requirements specify that no single person may have sufficient authority to complete a business process unilaterally.
The SoDA prototype administration tool has been developed to assist administrators with the administration of SoD requirements. It demonstrates how the specification of both Static and Dynamic SoD requirements can be done based on the “conflicting entities” paradigm. Static SoD requirements must be enforced in the administration environment. The SoDA prototype, therefore, enforces the specified static SoD requirements.
Information security in a client server environment
Unpublished Masters dissertation, Faculty of Science, Rand Afrikaans University, 1997
Client/Server computing is currently one of the buzzwords in the computer industry. The client/server environment can be defined as an open systems environment. This openness of the client/server environment makes it a very popular environment to operate in. As information is increasingly accessed in a client/server manner, certain security issues arise.
In order to address this definite need for a secure client/server environment it is necessary to firstly define the client/server environment. This is accomplished through defining three possible ways to partition programs within the client/server environment.
Security, or secure systems, has a different meaning for different people. This dissertation defines six attributes of information that should be maintained in order to have secure information. For certain environments some of these attributes may be unnecessary or of lesser importance.
Different security techniques and measures are discussed and classified in terms of the client/server partitions and the security attributes that are maintained by them. This is presented in the form of a matrix and provides an easy reference to decide on security measures in the client/server environment in order to protect a specific aspect of the information.
The importance of a security policy and more specifically the influence of the client/server environment on such a policy are discussed and it is demonstrated that the framework can assist in drawing up a security policy for a client/server environment.
This dissertation furthermore defines an electronic document management system as a case study. It is shown that the client/server environment is a suitable environment for such a system. The security needs and problems are identified and classified in terms of the security attributes. Solutions to the problems are discussed in order to provide a reasonably secure electronic document management system environment.
Intrusion Detection in Database Systems
by Mina Sohrabi
Javidi, M. M., Sohrabi, M., & Kuchaki Rafsanjani, M., "Intrusion Detection in Database Systems", In Proc. of FGCN 2010, Part II, CCIS 120 (Springer), 2010, (pp. 93-101).
Data today represent a valuable asset for organizations and companies and must be protected. Ensuring the security and privacy of data assets is a crucial and very difficult problem in our modern networked world. Despite the necessity of protecting information stored in database systems (DBS), existing security models are insufficient to prevent misuse, especially insider abuse by legitimate users. One mechanism to safeguard the information in these databases is to use an Intrusion Detection System (IDS). The purpose of intrusion detection in database systems is to detect transactions that access data without permission. In this paper several database intrusion detection approaches are evaluated.
Information security challenges of social media for companies
co-authored with Riitta Hekkala and Timo Wiander. To be published at the European Conference on Information Systems (ECIS), 2012
For companies and their employees, social media allows new ways to communicate with customers and colleagues. Vast amounts of information are being exchanged in social media. Information is a highly valuable asset, and therefore questions concerning information security become more and more important. Companies are becoming increasingly worried about information security in social media, but so far, this issue has not been studied. The present research closes this gap by studying the information security challenges social media represents for organizations. The research was conducted as a qualitative multiple case study for which information security managers from eleven public and private companies in one European country were interviewed. The study has three main findings. First, challenges arising from employees’ actions or unawareness in social media (especially reputation damage) seem to represent bigger threats to information security than threats caused by outside attacks. Second, the confusion of private and professional roles in social media represents an information security risk, and distinguishing between these roles becomes more difficult the higher an employee’s position in the company. Third, communication with employees and colleagues represents an information security challenge especially when communication is not steered by the company. Implications for research and practice are discussed.
A survey on solutions and main free tools for privacy enhancing Web communications
Concern for privacy when users are surfing on the Web has increased recently. Nowadays, many users are aware that when they are accessing Web sites, these Web sites can track them and create profiles on the elements they access, the advertisements they see, the different links they visit, which Web sites they come from and which sites they exit to, and so on. In order to maintain user privacy, several techniques, methods and solutions have appeared. In this paper we present an analysis of both these solutions and the main tools that are freely distributed or can be used freely and that implement some of these techniques and methods to preserve privacy when users are surfing on the Internet. This work, unlike previous reviews, shows in a comprehensive way all the different risks when a user navigates on the Web and the different solutions proposed that have finally been implemented and are being used to achieve the Web privacy goal. Thus, users can decide which tools to use when they want to navigate privately and what kind of risks they are assuming.
How Secure Your Applications Are?: Analysis of Web Developers Awareness to Application Security
by Achmad Nizar
Achmad Nizar Hidayanto, Rinaldi, Putu Wuri Handayani, Samuel Louvan
Accepted for publication in International Journal of Innovation and Learning (IJIL), Inderscience Publisher.
Web-based applications are getting popular due to the ease of development and access that enables users to use them without any limitation of time and place. However, the web environment faces a variety of risks, particularly those that exploit application and system vulnerabilities. Unfortunately, most web developers only focus their attention on application functionality and the user interface. This study develops a framework to measure the level of web developers' awareness of security. We also apply the framework to measure the security awareness level of web developers in Indonesia. Our survey results show that their security awareness is at a medium level, thus some aspects need to be improved.
Information Security Behavior among Nurses in an Academic Hospital
Ahmed I. Albarrak
Chair of Health Informatics, Medical Informatics Unit, College of Medicine, King Saud University, Riyadh, Saudi Arabia
Associate Professor of Health Informatics
Chairman, Medical Informatics, College of Medicine
Email: albarrak@ksu.edu.sa, ksuahmed@yahoo.com
The Uploader 2.0.4 (Eng/Ita) Remote File Upload
by Danny Moules
CVE-2011-2944; EDB-ID: 18518
This [Metasploit] module exploits various flaws in The Uploader to upload a PHP payload to the target system. When run with defaults it will search possible URIs for the application and exploit it automatically. Works against both English and Italian language versions. Notably it disables pre-emptive email warnings before uploading the payload, though it leaves log cleanup as a post-exploitation task.
A formally verified AKA protocol for vertical handover in heterogeneous environments using Casper/FDR
by Mahdi Aiash
Mahdi Aiash, Glenford Mapp, Aboubaker Lasebae, Raphael Phan, Jonathan Loo
EURASIP Journal on Wireless Communications and Networking.
Next generation networks will comprise different wireless networks including cellular technologies, WLAN and indoor technologies. To support these heterogeneous environments, there is a need to consider a new design of the network infrastructure. Furthermore, this heterogeneous environment implies that future devices will need to roam between different networks using vertical handover techniques. When a mobile user moves into a new foreign network, data confidentiality and mutual authentication between the user and the network are vital issues in this heterogeneous environment. This article deals with these issues by first examining the implication of moving towards an open architecture, and then looking at how current approaches such as the 3GPP, HOKEY and mobile ethernet respond to the new environment while trying to address the security issue. The results indicate that a new authentication and key agreement protocol is required to secure handover in this environment. Casper/FDR is used in the analysis and development of the protocol. The proposed protocol has been proven to be successful in this heterogeneous environment. Keywords: authentication and key agreement protocol; secure vertical handover; heterogeneous environments; Casper/FDR.