Lec 10- CYBERLAW

In this chapter, we make a group and do some research about topic that he provides. Our topic is about "Communication and Multimedia (Technical Standards) Regulation 200)".

But in this post, i will not explain about malaysia regulation since i don't know about regulation in Malaysia. In this post, i will explain about CYBERLAW.

Cyberlaw is a term that encapsulates the legal issues related to use of communicative, transactional, and distributive aspects of networked information devices and technologies. It is less a distinct field of law in the way that property or contract are, as it is a domain covering many areas of law and regulation. Some leading topics include intellectual property, privacy, freedom of expression, and jurisdiction. (Resource).

Why computer crime is hard to define
1. Creating and changing laws are slow processes
2. Particular computer can be the subject, object or a medium of a crime. A computer can be attacked (attempted unauthorized access).

Digital Signature Act 1997
Why the Act exists
Transactions conducted via the Internet are increasing. As identities in cyberspace can be falsified and messages tampered with, there is a need for transacting parties to ascertain each other's identity and the integrity of the messages, thereby removing doubt and the possibility of fraud when conducting transactions online.

What the Act is about
The Act mainly provides for the licensing and regulation of Certification Authorities (CA). CAs issue Digital Signatures and will certify the identity (within certain limits) of a signor by issuing a certificate. The Act also makes a digital signature as legally valid and enforceable as a traditional signature. The Digital Signature Act was brought into force on 1st October 1998.

Computer Crime Act 1997
Why the Act exists:
As computing becomes more central to people's life and work, computers become both targets and tools of crime. This Act serves to ensure that misuse of computers is an offense.
What the Act is about
The Act makes it an offense to:

1. Enter or attempt to enter into computers and computer systems without authorization
2. Damage or alter data/information in computers or computer systems by planting viruses or other means
3. Aid people in doing items 1 & 2
4. Give passwords to people who are not authorized to receive it
The Computer Crimes Act was brought into force on 1st June 2000.

Telemedicine Act 1997
Why the Act exists
Healthcare systems and providers around the world are becoming interconnected. People and local healthcare providers can thus source quality healthcare advice and consultation from specialists from around the world, independent of geographical location. Conversely, interconnectivity also allows for non-quality healthcare advice and consultation from around the world. The Act serves to regulate the practice of teleconsultations in the medical profession.

What the Act is about
The Act provides that any registered doctor may practise "telemedicine" but other healthcare providers (such as a medical assistant, nurse or midwife) must first obtain a license to do so.

The Copyright (Amendment) Act 1997
Why the Act exists
Copyright serves to protect the expression of thoughts and ideas from unauthorized copying and/or alteration. With the convergence of Information and Communication Technologies (ICT), creative expression is now being captured and communicated in new forms (example: multimedia products, broadcast of movies over the Internet and cable TV). These new forms need protection.

What the Amendment Act is about
The Copyright (Amendment) Act amends the Copyright Act 1987 to extend copyright law to the new and converged multimedia environment. There is now clear protection accorded to multimedia works. The transmission of copyright works over the Internet now clearly amounts to infringement. Technological methods of ensuring works and authorship info are not altered or removed is also protected. The Copyright (Amendment) Act 1997 was brought into force on 1st April 1999.

The Communications and Multimedia Act 1998
Why the Act exists
Convergence of technologies is also resulting in the convergence of the following industries: telecommunications, broadcasting, computing and content. Previously, each of these industries was regulated by several different pieces of legislation (example: the Telecommunications Act 1950 and the Broadcasting Act 1988). The old regulatory framework cannot cope with convergence and inhibits the growth of the new converged industry.

What the Act is about
The CMA provides for a restructuring of the converged ICT industry. It creates a new system of licenses and defines the roles and responsibilities of those providing communication and multimedia services. Though intended to allow the converged ICT industry to be self-regulating, the Act also provides for the existence of the Communication and Multimedia Commission (the roles and powers of which are more clearly defined by the Communications and Multimedia Commission Act 1998) as a new regulatory authority to oversee the converged ICT industry. The Communications and Multimedia Act was brought into force on 1st April 1999.

Lec 9 - LEGAL AND ETHICAL ISSUES IN COMPUTER SECURITY

Legal & Ethical
*Law
*imply imposition by the obligation of obedience on the part of all subject to that authority
*Ethics
*a set of moral main beliefs or values

Categories of Law
*Tort law enables individuals to seek recourse against others in the event of physical, or financial injury.
*Civil law: represents a broad variety of laws that govern a nation or state
*Criminal law: addresses violations hurtful to society and is actively enforced through prosecution by the state

Differences between Laws and Ethics
LAW
*Interpreted by courts
*Enforceable by police and courts
ETHIC
*Personal choice
*Priority determined by individual if two principles conflict

Ethics Concept in Information Security
*Software License Infringement
*The lack of legal disincentives, the lack of punitive measures.
*criminal Use
*The low overall degree of tolerance for illicit system use may be a function of the easy association between the common crimes of breaking and entering of property to their computer-related counterparts.
*Three general categories of unethical and illegal behavior:
*Ignorance
*Accident
*Intent

Protecting Programs and Data
*Copyrights
*to cover works in the arts, literature and written scholarship
*Patents
*can protect a “new and useful process, machine, manufacture or composition of matter”
*Trade Secret
*must be kept a secret, trade secret protection can also vanish through reverse engineering

Open-source software affected by copyright protection. How?
*Subject to fair use
*Ease of filing

Information and The Law
*Legal Issues Related to Information
*electronic publishing
*Problem: How to ensure that the publisher receives fair compensation for the work?
*Database
*Problem: Difficult to determine that a set of data came from a particular database so that the database can claim compensation
*electronic commerce
*Problem: How to prove conditions of delivery

Rights of Employees and Employers
*ownership of a patent
* The person who owns under patent and copyright law is inventor (producer)
* ownership of a copyright
*Similar to ownership of a patent

Computer Crime
*A computer can be :
*Attacked, used as a means to commit crime
*Computer crime is hard to prosecute because:
*low computer literacy (lack of understanding), Lack of political impact

Ethical Issues in Computer Security
- Ethics & Religion
Distinguish ethics from religion, analyze a situation from an ethical perspective.
- Ethics is Not Universal
Ethics values is not universal, it varies by society within a society.
- Ethics Does Not Provide Answer
Ethical pluralism is recognizing that more than one position may be ethically justifiable.

Examining a Case for Ethical Issues
1. Understand the situation. Determine the issues involved.
2. Know several theories of ethical reasoning
3. List the ethical principles involved
4. Determine which principles outweigh others.

Lec 8 - Wireless LAN Security

WEP use to provide comparable confidentiality to a traditional wired network in particular it does not protect users of the network from each other. WEP was supported by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) We can use Aircrack to hack wirelss.Hence, Aircrack is a set of tools for auditing wireless networks.

Wireless LANs

* IEEE ratified 802.11 in 1997- Also known as Wi-Fi.
* Wireless LAN at 1 Mbps & 2 Mbps. -WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
* Now Wi-Fi Alliance 802.11 focuses on Layer 1 & Layer 2 of OSI model. -Physical layer Data link layer

802.11 Components

Two pieces of equipment defined:

* Wireless station A desktop or laptop PC or PDA with a wireless NIC.
* Access point A bridge between wireless and wired networks Composed of Radio Wired network interface (usually 802.3) Bridging software Aggregates access for multiple wireless stations to wired network.

802.11 modes

* Infrastructure mode
* Ad-hoc mode

There were 3 basic security for environment wifi :-

* Authentication – Provide security service to identify consumer identity communicate.
* Integrity – To be sure message unmodified during transaction between wifi clients and access point.
* Confidentiality – To provide privacy are achieved by a network wired.

WEP

* WEP stands for Wired Equivalent Privacy. This encryption standard was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks.

WPA

* Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN-equipment that worked with WEP are able to be simply upgraded and no new equipment needs to be bought. WPA is a trimmed-down version of the 80.211i security standard that was developed by the Wi-Fi Alliance to replace WEP. The TKIP encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional support for the AES-CCMP algorithm that is the preferred algorithm in 802.11i and WPA2.

Lab 7 - SECURITY IN APPLICATIONS

Email has two part, header and body. Header part used to state the sender and email recipient. Body part is content of the message or email.

Security in email:

· Confidentiality

· Data origin authentication

· Message integrity

· Non-repudiation of origin

· Key management

MIME

Secure MIME is the new (proposed) Internet standard for secure email exchange, developed by RSA. It is not yet an official standard, but several vendors (including Netscape) already support S/MIME. It is probably the best long term solution, since it is an open Internet standard.

Typically is not necessary to make any modifications for S/MIME on the server. For instance with MS Exchange, it integrates into the exchange client via the MAPI interface.


Advantages:

1. It functions with both Eudora Pro 3.0 and Exchange (and can use the same certificates on the same machine).
2. No changes are required to the exchange server.
3. Certificates may either be self signed, or signed by a TTP such as

Disadvantages:

1. The user interface is not perfect, e.g. a user could easily unintentionally send an unencrypted email. The icons used to represent email don't seem to indicate if the received email was successfully decrypted and the signature checked. It is possible that these problems can be overcome by adding additional buttons to the toolbar, though this increases support costs.

2. When a signed message is received from someone for whom no certificate currently exists, the certificate is automatically added to the certificate database. Before this certificate can be used, it must be manually trusted. This procedure is a bit confusing for normal users, it should be handled by a nice pop-up box when the signed email is received.


PGP

PGP is a freeware and commercial email and file encryption utility. It is also discussed in the chapter "Security Mechanisms".
Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is a replacement for rlogin, rsh, rcp, and rdist.

SSH

SSH protects a network from attacks such as IP spoofing, IP source routing, and DNS spoofing. An attacker who has managed to take over a network can only force ssh to disconnect. He or she cannot play back the traffic or hijack the connection when encryption is enabled.

When using ssh's slogin (instead of rlogin) the entire login session, including transmission of password, is encrypted; therefore it is almost impossible for an outsider to collect passwords.

Biometric

How Does Biometric Encryption Work?

Encryption is a mathematical process that helps to disguise the information contained in messages that is either transmitted or stored in a database, and there are three main factors that determine the security of any crypto system; the complexity of the mathematical process or algorithm, the length of the encryption key used to disguise the message, and safe storage of the key, known as key management.

The complexity of the algorithm is important because it directly correlates to how easy the process is to reverse engineer. One would think that this is the area of encryption that is the easiest to break, however most crypto systems are extremely well constructed and these are the least of the three factors that are vulnerable to attack.

The length of the encryption key used to disguise the message is the next important piece of the encryption process. The shorter the encryption key length, the more vulnerable the data is to a "brute force" attack. This term refers to an individual trying to improperly access data by trying all combinations of possible passwords that would allow access to the account. In non-biometric encryption processes such as passwords or PIN numbers, depending on the length of the key, the information may be vulnerable to access by unauthorized users. For example, a key that is three characters long would be much more prone to attack than one that is ten characters long because the number of possible permutations that must be run to find the right key are much higher in the key that contains ten characters. With current computer power, it is estimated that it would take four hundred years to find the right access combination for a sixty-four character key. Biometric encryption makes standard character encryption obsolete by replacing or supplementing the normal key characters with a personal identifier of the user that there can only be one perfect match for. Without this biometric key the information is inaccessible.

Safe storage of the key is the most vulnerable area in the encryption process. What would seem to be the easiest to manage becomes the most difficult because passwords or PINs can be lost or stolen. Good encryption keys are much too long for normal individuals to remember easily so they are usually stored on paper, smart cards, or diskette which makes them accessible to non-authorized users. Biometric encryption systems allow the user to transport the access key around without the need to make it vulnerable to be lost or stolen.

There are two broad categories of encryption systems; single key (symmetric) sytems and two key (public) systems. Symmetric systems utilize a single key for both the sender and receiver for the purpose of coding and decoding data. In 1972, IBM developed DES (Data Encryption Standard) which was adopted worldwide by 1977 as the most common single key system in the banking and financial sectors. The process of transmitting this type of key over such networks as the Internet is one of the major failures due to the vunerability of a single key system to interception. Electronic commerce requires that transactions be conducted over open networks instead of dedicated networks and single key systems do not offer a high enough level of security for such transmissions. This issue of security is why public key systems have been developed. Two-key systems use a public key to encrypt the data and a private key to decrypt the data. The public key systems allows better encryption than single key systems, however certification of the recipient of messages becomes an issue, which causes a hierarchy of certification to be developed resulting in a much slower processing time. Biometrics can aid in this process due to the inherent nature of using a physical trait of the desired recipient to decipher the message. It is this issue that has caused biometric encryption techniques to be valued for electronic commerce.

Lec 6 - COMPUTER NETWORKS

A computer network is a group of computer that are connected to each other for the purpose of communication. Networks may be classified according to a wide variety of characteristics. This article provides a general overview of some types and categories and also presents the basic components of a network. (from: resource)

What is network can provide???
Basically, it is logical interface function. For example, sending message, receiving message, executing program, obtaining status information and other network users and their status.

And these are some terminology in networking that I'm sure, you guys that take IT for majoring in university already familiar of these: NODE, HOST, LINK, TOPOLOGY.

Network topologies

Tere are 4 thopology:

1. Bus Topology

To provide a single communication network on which any node can place information and from which any code can retrieve information. One attachment in bus terminology not impacts the other nodes.

2. Star topology

Has switch as a central. The central switch receives all messages, identifies the addresses, selects the link appropriate for that addresses and forwards the messages.

Image Hosted by UploadHouse.com

3. Ring Topology

To connect a sequence of nodes in a loop or ring. Can be implemented with minimum cabling.

4. Mesh Topology

Each node can conceptually be connected directly to each other node and routing logic can be used to select the most efficient route through multiple nodes.

Advantages in network computing

· Resource sharing is used to reduce maintenance and storage costs.

· Increased reliability means if one system fails users can shift to another.

· Distributing the workload means workload can be shifted from a heavily loaded system to an underutilized one.

· Expandability is system is easily expanded by adding new nodes.

Disadvantages in network computing

· Sharing, access controls for a single system may be inadequate.

· Complexity, a network may combine two or more systems with dissimilar operating systems with different mechanisms for interhost connection. Complexity of this nature makes the certification process extremely difficult.

· Unknown perimeter is one host may be a node on two or more different networks.

· Many points of attack, access controls on one machine preserves the secrecy of data on that processor. However, files stored in a remote network host may pass through many host machines to get to the user.

· Unknown path may be many paths from one host to another and users generally do not have control of how their messages are routed.

· Label formats differences is a problem which may occur in multilevel systems is that the access labels may have different formats since there is no standard

· Anonymity is attack can passed through many other hosts in an effort to disguise from where the attack originated

Lab 5 - Web Application

On this lab, we need to describe the flaw of web application and how it is exploited. Besides that, we also have to exploit the web vulnerabilities. After that, we need to list prevention method that can be taken to overcome web application vulnerabilities.

WHAT IS WEB APPLICATION SECURITY??

Web application or simply called webapp is an application that can be accessed using a web browser over a network, either the Internet or within the Local Area Network. It is developed using browser-supported language such as HTML, JavaScript, PHP, ASP and etc. The script produced is then rendered by common web browser. Web application let user to access application or system anywhere and at any time provided the user is connected to a network connection and there is a web browser installed on the machine. This ease of usage makes webapp popular among Internet user. Moreover the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contribute to the popularity of the webapp. Nowadays webapp is used for accessing mail, online banking, online shopping, online reservation, wikis and many other functions.

An increase in the usage of web applications is directly related to an increase in the number of security incidents for them. Even though the server is patch with the latest version of the software, the network are installed with the latest firewall system and Intrusion detection system is deployed to monitor the network, if the web application itself is lack of security features the vital information stored in its content is still expose to intrusion. A Web application system should be carefully and safely develop because it is the first line of defense, any fault or flaws in it development stage, the server configuration and even the scripting used in it development can bring a major loop hole that can be manipulated by intruder to be used as the backdoor to the entire network.

Web Application

Web application is an application that can be accessed using a web browser over a network. It is developed using browser-supported language such as HTML, JavaScript, PHP, ASP and etc. We also can use software such as dreamweaver to create a web application. The script produced is then rendered by common web browser. User can access web application anywhere and at any time, but user need to connect to a network connection and there is a web browser installed on the machine. This ease of usage makes web application popular among

internet user. Moreover the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contribute to the popularity of the webapp. Nowadays webapp is used for accessing mail, online banking, online shopping, online reservation, wikis and many other functions.

The Open Web Application Security Project (OWASP) is an open community that focuses on improving the security of application software. Anyone can join this community and contribute an idea for developing secure software. OWASP provide free material such as article on secure programming, security testing guide and much more but all of the material is under free software license.

WebGoat

WebGoat is simulation toolkit used to demonstrate how we can exploit the vulnerabilities of a poorly design web application. WebGoat provide hints and code to fexploit the vulnerabilities. WebGoat will keep track on the progress of the user on every lesson they completed, user can see their level of competence in trying to solve every problem given in the lesson.The primary goal of the WebGoat project is simple, to create a de-facto interactive teaching environment for web application security.

WebScarab

WebScarab is another tool to expose the working of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that application has been designed or implemented. WebScarab can use in any platform because it developed use JAVA programming language. WebScarab can intercept HTTP and HTTPS communication.

WebGoat and WebScarab

WebGoat = Simulation toolkit used to demonstrate how we can exploit the vulnerabilities of a poorly design web application.

WebScarab = Tool for everyone who need to expose the working of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that application has been designed or implemented.

Web Application Hacking simulation using WebGoat and WebScarab


Step 1: Copy the WebGoat-OWASP_Standard-5.2.zip and extract it to the C:\ drive.

Step 2: Open the C:\ WebGoat-5.2 folder and open the webgoat.bat to start the apache tomcat J2EE.

Step 3:Open an IE 6.0 web browser or a firefox web browser and type http://localhost/WebGoat/attack.

Step 4: Login as User Name: guest Password: guest

Step 5: Open webscarab-selfcontained-20070504-1631.jar

Step 6: If the WebScarab does not open do install the JDK module (jdk-6u4-windows-i586-p.exe) to your computer.

Step 7: Once the WebScarab started

Step 8: Next Configure the Web browser proxy starting so that it listen to 127.0.0.1 (localhost) port 8008.

Step 9: Go to WebScarab and click on the intercept tab and enable the intercept request checkbox but disable the intercept response checkbox. This will enable the intercept features of the WebScarab in which it will intercept any request signal from the web browser.

Step 10: Close your previous web browser, open it again and type in http://localhost/WebGoat/attack.

Step 11: WebScarab will intercept your request to visit the website by prompting an Edit request window as depicted in figure 5.6. This prompted window shows the request data that you send to the web server.

Step12: The text field indicated by the arrow shows the text field containing the data you send to the web server and it can be modified.(in some of the following task you need to modified the content of the text field to help you solve the problem in lesson.

Step13: For this task do not changes the text field value just click the [Accept changes] button to view the WebGoat main page.

Step 14: Each time you click on a submit button or a link on the webpage, the Edit request window will always appear, so make sure you click on Accept changes button to view your request page display on the browser.


Getting started with WebGoat and WebScarab

Step 1: Click on [Start WebGoat]

Step 2: Click on the Introduction | How to work with WebGoat menu.

Step 3: Read and follow the instruction given in the WebGoat.


XSS Attack

Step 1: Click on the Cross Site Scripting (XSS) | Phising with XSS menu

Step 2: Apply the script below to the text field in order to create a false login page so that you can harvest the username and password keyed in by the user.

Step 3: Once you hit the Search button you will see a comment page containing a place for you to login. This login page is created using the java script above.

Step 4: Try login in with any username and password; if this is a real phishing website you would not get the prompted message on your screen but the value you supplied might be send across the world to a server that gather the login information.

Step 5: Next click on the Cross Site Scripting (XSS) | Reflected XSS Attacks menu.

Step 6: In this lesson some prevention mechanism has been build in the script, some field have a validation toward the character you supplied. It will reject any tag symbol you used, however there are still some that is not protected. By using the script below find which the text field that can be exploited using XSS attack?


Injection Flaws

Step 1: Click on the Injection Flaws | Numeric SQL Injection menu.

Step 2: From the combo list choose a weather station and click the [Go!] button, (Do not forget to click on the accept changes button of the edit request windows) you will get the information for the country you select.

Step 3: To apply the Injection flaws you need to choose a new country and click [Go!] button. Before clicking the [Accept changes] button on the edit request windows, in the [URLEncoded] tab, add the value station variable with


This is input is a numerical value

Step 4: Once the value is changed, click [Accept changes] button. The entire data is displayed on the screen. This shows that by manipulating the input field that is not properly design we can display the entire data in the database.

Step 5: Repeat this task on the Injection Flaws | String SQL Injection. Use the right input for this problem and compare the result. (Hint: The input should be a string).


Malicious File Execution

Step 1: Click on the Injection Flaws | Command Injection menu.

Step2: By choosing the lesson plan to view and clicking on [View] button, user will be shown the content of the lesson. This exercise will manipulate the input field by adding the input with a command line instruction.

Step 3: Select a new lesson and click [View]. Before clicking the [Accept changes] button add the following command to your HelpFile variable value


This command will display directory list and network configuration setup.

Step 4: Once you click the [Accept changes] button the following output will be displayed on the screen.

Lec 5 - Database Security

Databases need to have level of security in order to protect the database against both malicious and accidental threats. A threat is any type of situation that will adversely affect the database system. Some factors that drive the need for security are as follows:

- Theft and fraud
- Confidentiality
- Integrity
- Privacy
- Database availability

Threats to database security can come from many sources. People are a substantial source of database threats. Different types of people can pose different threats. Users can gain unauthorised access through the use of another person's account. Some users may act as hackers and/or create viruses to adversely affect the performance of the system. Programmers can also pose similar threats. The Database Administrator can also cause problems by not imposing an adequate security policy.

Some threats related to the hardware of the system are as follows:

- Equipment failure
- Deliberate equipment damage (e.g. arson, bombs)
- Accidental / unforeseen equipment damage (e.g. fire, flood)
- Power failure
- Equipment theft

Threats can exist over the communication networks that an organisation uses. Techniques such as wire tapping, cable disruption (cutting / disconnecting), and electronic interference can all be used to disrupt services or reveal private information.