Friday, October 23, 2009

WEEK 11 (IT SECURITY)

LECTURE 11 

The last topic in my lecture is Cyberlaw. Cyberlaw is a term that encapsulates the legal issues related to the use of communicative, transactional, and distributive aspects of networked information devices and technologies. It is less a distinct field of law, in the way that property or contract law are, than a domain covering many areas of law and regulation. Some leading topics include intellectual property, privacy, freedom of expression, and jurisdiction.

COMPUTERS CRIME ACT 1997 
As computing becomes more central to people's life and work, computers become both targets and tools of crime. This Act makes an offence of anything that would harm a computer system.

COMMUNICATION AND MULTIMEDIA ACT 1998 
Convergence of technologies is driving the convergence of telecommunications, broadcasting, computing and content. This Act creates a new system of licences, defines the roles and responsibilities of those providing communication and multimedia services, and provides for the existence of the Communication and Multimedia Commission, the new regulatory authority.

DIGITAL SIGNATURE ACT 1997 
Provides for the regulation of the public key infrastructure. The Act makes a digital signature as legally valid and enforceable as a traditional signature.

COPYRIGHT (Amendment) ACT 1997 
Copyright serves to protect the expression of thoughts and ideas from unauthorized copying and/or alteration. With the convergence of Information and Communication Technology (ICT), creative expression is now being captured and communicated in new forms (for example, multimedia products and the broadcast of movies over the Internet and cable TV). These new forms need protection. The Copyright Act governs the new, converged multimedia environment.

TELEMEDICINE ACT 1997 
Healthcare systems and providers around the world are becoming interconnected. People and local healthcare providers can thus source quality healthcare advice and consultation from specialists around the world, independent of geographical location. Under this Act any registered doctor may practise telemedicine, but healthcare providers must obtain a licence to do so.


Thursday, October 22, 2009

WEEK 10 (IT SECURITY)

LECTURE 10

This lecture is about Legal and Ethical Issues in Computer Security. This lecture covers information security law and ethics.

LAW 
A rule of conduct or action prescribed or formally recognized as binding or enforced by a controlling authority. It implies imposition by a sovereign authority and an obligation of obedience on the part of all who are subject to that authority.

Category of law
Civil law: represents a wide variety of laws that govern a nation or state
Criminal law: addresses violations harmful to society and is actively enforced through prosecution by the state

The categories of laws that affect the individual in the workplace are private law and public law. 

Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law. 
Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.

ETHICS 
A set of moral principles or values; the principles of conduct governing an individual or a group; an objectively defined standard of right and wrong.

Ethics Concept
Ethical Differences Across Cultures
-Cultural differences can make it difficult to determine what is and is not ethical especially when considering the use of computers.

Software License Infringement
-The individuals surveyed understood what software license infringement was, but felt either that their use was not piracy or that their society permitted this piracy in some way.

Illicit Use
-The individuals studied unilaterally condemned viruses, hacking, and other forms of system abuse as unacceptable behavior.

Misuse of Corporate Resources
-Individuals displayed a rather lenient view of personal use of company equipment.

Ethics and Education
-Differences in the ethics of computer use are not exclusively international.

Deterrence to Unethical and Illegal Behavior
-It is the responsibility of information security personnel to do everything in their power to deter these acts, and to use policy, education and training, and technology to protect information and systems.

Saturday, October 17, 2009

WEEK 9 (IT SECURITY)

LECTURE 9

In this lecture I learnt about Wireless Security. Wireless security is the prevention of unauthorized access to, or damage of, computers using wireless networks. Wireless networks have quickly become part of today's corporate technology landscape. Yet the rapid pace of deployment has far outstripped the technology's suitability for a stable and secure network environment. Many information security specialists are on record saying that the security protocols built into the early 802.11 standards are clearly inadequate for the task. Far worse, the security measures that are available often go unimplemented by non-technical employees who install Wi-Fi hardware without the expertise of network professionals. This opens major areas of vulnerability in corporate networks.

There are three basic security services:
• Authentication – A security service that verifies the identity of the communicating client.
• Integrity – Ensures that messages are not modified in transit between Wi-Fi clients and the access point.
• Confidentiality – Provides the privacy that a wired network already achieves.

802.1X authentication can help enhance security for 802.11 wireless networks and wired Ethernet networks. 802.1X uses an authentication server to validate users and provide network access. On wireless networks, 802.1X can work with Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) keys. This type of authentication is typically used when connecting to a workplace network.

WPA encrypts information, and it also checks to make sure that the network security key has not been modified. WPA also authenticates users to help ensure that only authorized people can access the network. There are two types of WPA authentication: WPA and WPA2. WPA is designed to work with all wireless network adapters, but it might not work with older routers or access points. WPA2 is more secure than WPA, but it will not work with some older network adapters. WPA is designed to be used with an 802.1X authentication server, which distributes different keys to each user. This is referred to as WPA-Enterprise or WPA2-Enterprise. It can also be used in a pre-shared key (PSK) mode, where every user is given the same passphrase. This is referred to as WPA-Personal or WPA2-Personal.
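As an added example (not part of the lecture notes), here is how WPA-Personal turns the one shared passphrase into the pre-shared key that every station on the network holds; the SSID and passphrase values are constructed. It also enforces the 8-to-63 printable-character rule and shows that the same passphrase on a different SSID yields a different key.

```python
import hashlib

# Constructed sample values (assumptions, not from the lecture notes).
SAMPLE_SSID = "CorpWiFi"
SAMPLE_PASSPHRASE = "correct horse battery staple"

# IEEE 802.11i: a WPA-Personal passphrase is 8 to 63 printable ASCII characters.
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def check_passphrase(passphrase: str) -> None:
    """Raise ValueError if the passphrase breaks the WPA-Personal rules."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if not set(passphrase) <= PRINTABLE_ASCII:
        raise ValueError("WPA passphrase must be printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map the shared passphrase to the 256-bit pre-shared key.

    WPA-Personal uses PBKDF2-HMAC-SHA1 with the SSID as salt and 4096
    iterations (IEEE 802.11i), so every station on the same SSID with the
    same passphrase ends up holding exactly the same PSK.
    """
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form, as a supplicant configuration would store it."""
    return derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    print(f"PSK for SSID {SAMPLE_SSID!r}: {psk_hex(SAMPLE_PASSPHRASE, SAMPLE_SSID)}")
```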

Thursday, October 8, 2009

WEEK 8 (IT SECURITY)

LECTURE 8

This lecture is about security in applications. It covers Electronic Mail Security and web security. What is e-mail? An e-mail is a message made up of a string of ASCII characters in a format specified by RFC 822. An email has two parts, the header and the body. The header states the sender and the recipient of the email. The body is the content of the message. The security services provided for e-mail are confidentiality, data origin authentication, message integrity, non-repudiation of origin and key management. There are two main categories of email security threat: threats to the security of e-mail itself, and threats to an organisation that are enabled by the use of e-mail.

Multipurpose Internet Mail Extensions (MIME)

Extends the format of Internet mail to allow non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII information in message headers.
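The header/body split and the MIME extensions above, as an added example that is not from the lecture: it builds a constructed message with a non-ASCII header and body and a non-text attachment, parses it back, and triages attachments the way an inbound mail filter would (the addresses and the risky-type list are assumptions).

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Attachment types an inbound mail gateway would typically flag (assumption:
# a short illustrative list, not a complete policy).
RISKY_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/x-sh"}
RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".vbs", ".js")


def build_message(filename: str, maintype: str, subtype: str, payload: bytes) -> bytes:
    """Construct a sample MIME message (addresses and text are made up)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Café report"                 # non-ASCII header -> RFC 2047 encoded word
    msg.set_content("Naïve résumé attached.\n")     # non-ASCII text body
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()                          # multipart/mixed on the wire


def split_header_body(raw: bytes) -> Tuple[bytes, bytes]:
    """RFC 822 layout: the header ends at the first empty line; the rest is the body."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    header, _, body = raw.partition(sep)
    return header, body


def body_text(raw: bytes) -> str:
    """Decode the text part of the body; MIME carries the charset for us."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return msg.get_body(preferencelist=("plain",)).get_content()


def triage_attachments(raw: bytes) -> List[Tuple[str, str, bool]]:
    """Parse the message and list (filename, content type, risky?) per attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        risky = ctype in RISKY_TYPES or name.lower().endswith(RISKY_EXTENSIONS)
        findings.append((name, ctype, risky))
    return findings
```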

Web security includes the security of the server, the security of the client, and the security of the network traffic between a browser and a server.

SSL/TLS
SSL/TLS, like most modern security protocols, is based on cryptography. When an SSL session is established, the server begins by announcing a public key to the client. No encryption is in use initially, so both parties (and any eavesdropper) can read this key, but the client can now transmit information to the server in a way that no one else could decode. The client generates 46 bytes of random data, forms them into a single very large number according to PKCS#1, encrypts them with the server's public key, and sends the result to the server. Only the server, with its private key, can decode the information to determine the 46 original bytes. This shared secret is now used to generate a set of conventional RC4 cipher keys to encrypt the rest of the session.

SSH (Secure Shell)
A network protocol that allows data to be exchanged using a secure channel between two networked devices. Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.

SET 
An open encryption and security specification designed to protect credit card transactions on the Internet.


Wednesday, September 2, 2009

WEEK 7 (IT SECURITY)

LECTURE 7

The topic of this lecture is security in networks. A computer network is a group of computers that are connected to each other for the purpose of communication. Networks may be classified according to a wide variety of characteristics. This article provides a general overview of some types and categories and also presents the basic components of a network.

One way to categorize the different types of computer network designs is by their scope or scale. For historical reasons, the networking industry refers to nearly every type of design as some kind of area network. Common examples of area network types are: 
• LAN - Local Area Network 
• WLAN - Wireless Local Area Network 
• WAN - Wide Area Network 
• MAN - Metropolitan Area Network 
• SAN - Storage Area Network, System Area Network, Server Area Network, or sometimes Small Area Network 


Network topologies
1. Bus - Both ends of the network must be terminated with a terminator. A barrel connector can be used to extend it.
2. Star - All devices revolve around a central hub, which is what controls the network communications, and can communicate with other hubs. Range limits are about 100 meters from the hub. 
3. Ring - Devices are connected from one to another, as in a ring. A data token is used to grant permission for each computer to communicate.

Advantages of network
Speed - Sharing and transferring files within networks is very rapid, saving time while maintaining the integrity of the file.
Cost - Individually licensed copies of many popular software programs can be costly. Networkable versions are available at considerable savings. Shared programs on a network allow for easier upgrading of the program on one single file server, instead of upgrading individual workstations.
Security - Sensitive files and programs on a network are password protected (established for specific directories to restrict access to authorized users) or designated as "copy inhibit," so that you do not have to worry about illegal copying of programs.
Centralized Software Management - Software can be loaded on one computer (the file server), eliminating the need to spend time and energy installing updates and tracking files on independent computers throughout the building.
Resource Sharing - Resources such as printers, fax machines and modems can be shared.
Electronic Mail - E-mail aids personal and professional communication. Electronic mail on a LAN enables staff to communicate within the building without having to leave their desks.
Flexible Access - Users can access their files from computers throughout the firm.
Workgroup Computing - Workgroup software (such as Microsoft BackOffice) allows many users to work on a document or project concurrently.

Disadvantages of network
• Server faults stop applications being available 
• Network faults can cause loss of data. 
• Network fault could lead to loss of resources 
• User work dependent upon network 
• System open to hackers 
• Decisions tend to become centralised 
• Could become inefficient
• Could degrade in performance 
• Resources could be located too far from users 
• Network management can become difficult


Saturday, August 22, 2009

WEEK 6 (IT SECURITY)

LECTURE 6

In this lecture I learnt about Database Security. Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Database security has become important because information is a critical resource in the enterprise, securing it has become a billion-dollar industry, and people want to protect their confidential information.

Characteristics of good database security

• Data independence
• Shared access
• Minimal redundancy
• Data consistency
• Data integrity


Levels of database security
• Physical security – protection of personnel, hardware, programs, networks, and data from physical circumstances
• Operating system security – use of an access control matrix, capability lists and access lists
• DBMS security – protection mechanisms and query modification
• Data encryption – such as the RSA scheme and the Data Encryption Standard
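An added example (not from the lecture) of the access control matrix named under operating system security, which is also the basis of the "share via access limitation" and "share by capabilities" levels in Week 5: the same matrix read by column gives an object's access list and read by row gives a subject's capability list, with grant and revoke gated on a grant right. The subjects, objects and rights are constructed.

```python
import copy
from typing import Dict, Set

Rights = Dict[str, Dict[str, Set[str]]]  # subject -> object -> set of rights

# Constructed sample matrix for a small company database (all names assumed).
SAMPLE_MATRIX: Rights = {
    "alice": {"customers": {"read", "write"}, "salaries": {"read"}},
    "bob":   {"customers": {"read"}},
    "dba":   {"customers": {"read", "write", "grant"},
              "salaries":  {"read", "write", "grant"}},
}


def fresh_matrix() -> Rights:
    """A private copy of the sample, so experiments do not alter the constant."""
    return copy.deepcopy(SAMPLE_MATRIX)


def is_allowed(matrix: Rights, subject: str, obj: str, right: str) -> bool:
    """Deny by default: a right exists only if the matrix cell lists it."""
    return right in matrix.get(subject, {}).get(obj, set())


def access_list(matrix: Rights, obj: str) -> Dict[str, Set[str]]:
    """Column view: the access list stored with one object (who may do what to it)."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if row.get(obj)}


def capability_list(matrix: Rights, subject: str) -> Dict[str, Set[str]]:
    """Row view: the capabilities one subject holds (what it may do to which objects)."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items() if rights}


def grant(matrix: Rights, grantor: str, grantee: str, obj: str, right: str) -> None:
    """Only a holder of 'grant' on the object may hand out a right on it."""
    if not is_allowed(matrix, grantor, obj, "grant"):
        raise PermissionError(f"{grantor} may not grant {right} on {obj}")
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(right)


def revoke(matrix: Rights, revoker: str, subject: str, obj: str, right: str) -> None:
    """Revocation is gated the same way; removing an absent right is a no-op."""
    if not is_allowed(matrix, revoker, obj, "grant"):
        raise PermissionError(f"{revoker} may not revoke {right} on {obj}")
    matrix.get(subject, {}).get(obj, set()).discard(right)
```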

Advantages of using database
• Shared access
• Minimal redundancy
• Data consistency
• Data integrity
• Controlled access

LAB 6

In this lab I learnt about database security. Below are the steps to install MySQL server.

Sunday, August 16, 2009

WEEK 5 (IT SECURITY)

LECTURE 5 (10 August 2009)

In this lecture I learnt about Operating System Security. This lecture covers the levels of protection, the methods used for memory protection, the threats that damage the authentication process, and the encrypted password file. In operating systems we use segmentation as a security method.

Levels of protection
• No protection
• Isolation
• Share all or share nothing
• Share via access limitation
• Share by capabilities
• Limit use of an object
• Granularity of protection

Methods used for memory protection
• Fence
• Relocation
• Base / bound register
• Tagged architecture
• Segmentation
• Paging
• Paging combined with segmentation

Threats that damage the authentication process
• Spoofing
• Eavesdropping
• Modification
• Masquerading

Encrypted password file
• Conventional encryption
• One way cipher
• Salted password (UNIX)


LAB 5 (11 August 2009)

The topic of this lab is Web Application Security. In this lab I must be able to describe the flaws of web applications and how they are exploited. Besides that, I also have to exploit the web vulnerabilities. After that, I need to list the prevention methods that can be taken to overcome web application vulnerabilities.

Web application

An application that can be accessed using a web browser over a network, either the Internet or a Local Area Network. It is developed using browser-supported languages such as HTML, JavaScript, PHP and ASP. The script produced is then rendered by a common web browser. Web applications let users access an application or system anywhere and at any time, provided the user has a network connection and a web browser installed on the machine.

This ease of use makes web applications popular among Internet users. Moreover, the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contributes to their popularity. Nowadays web applications are used for accessing mail, online banking, online shopping, online reservations, wikis and many other functions.

WebGoat
A simulation toolkit used to demonstrate how the vulnerabilities of a poorly designed web application can be exploited.

WebScarab
A tool for anyone who needs to expose the workings of an HTTP(S)-based application, whether to allow a developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way the application has been designed or implemented.

Saturday, August 8, 2009

WEEK 4 (IT SECURITY)

LECTURE 4 (3 August 2009)

In this lecture I learnt about Program Security. This topic covers vulnerabilities, safeguards against program threats and the pillars of software security. The vulnerabilities part covers secure programs, malicious code and the top 10 web application vulnerabilities.

Secure Program - An assessment of security can also be influenced by someone’s general perspective on software quality

Malicious Code - Malicious Code is a new kind of threat which cannot be blocked by anti-virus software alone. In contrast to viruses (which require a user to execute a program in order to cause damage), malicious code is an auto-executable application. It can take the form of Java Applets, ActiveX controls, plug-ins, pushed content, scripting languages, or a number of new programming languages designed to enhance Web pages and email.

Top 10 Web application vulnerabilities
(1) Cross site scripting
(2) Injection flaws
(3) Malicious file execution
(4) Insecure direct object reference
(5) Cross site request forgery
(6) Information leakage and improper error handling
(7) Broken authentication and session management
(8) Insecure crypto storage
(9) Insecure communication
(10) Failure to restrict URL access


LAB 4 (4 August 2009)

In this lab I learnt about Cryptography Extended. I must know what Symmetric and Asymmetric Cryptography are, and also the Caesar Cipher and Vigenère Cipher for Symmetric Cryptography, and lastly the RSA algorithm for Asymmetric Cryptography.

Symmetric Cryptography
Symmetric cryptography is an outgrowth of classical cryptography. All classical cryptosystems are secret key systems. Most of them can be seen as block ciphers or, if not, stream ciphers.

Caesar Cipher
The Caesar cipher, also known as a Caesar shift cipher or shift cipher, is one of the simplest methods of encryption, although it can be easily broken. It is a substitution cipher in which each letter in the plaintext is replaced by the letter some fixed number of positions further down the alphabet.

Vigenère Cipher
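An added example (not the lab's own code) implementing the Caesar and Vigenère ciphers, and showing why the Caesar cipher is "easily broken": all 25 candidate plaintexts are listed and the most English-looking one is picked by letter frequency. The frequency table is a standard approximation.

```python
import string
from typing import Dict

ALPHABET = string.ascii_uppercase

# Relative English letter frequencies (percent), used to rank candidate plaintexts.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3, "H": 6.1,
    "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4, "W": 2.4, "F": 2.2,
    "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0, "K": 0.8, "J": 0.15, "X": 0.15,
    "Q": 0.1, "Z": 0.07,
}


def _shift_letter(ch: str, k: int) -> str:
    return ALPHABET[(ALPHABET.index(ch) + k) % 26]


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Shift every letter by a fixed amount; non-letters pass through unchanged."""
    k = -shift if decrypt else shift
    return "".join(_shift_letter(ch, k) if ch in ALPHABET else ch for ch in text.upper())


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the next key letter in turn (a polyalphabetic Caesar).

    The key index advances only on letters, so spaces and punctuation do not
    disturb the key alignment.
    """
    shifts = [ALPHABET.index(c) for c in key.upper() if c in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = shifts[i % len(shifts)]
            out.append(_shift_letter(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> float:
    """Higher when the text is made of common English letters."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.upper())


def caesar_candidates(ciphertext: str) -> Dict[int, str]:
    """All 25 possible decryptions: the whole key space fits on one screen."""
    return {s: caesar(ciphertext, s, decrypt=True) for s in range(1, 26)}


def best_caesar_shift(ciphertext: str) -> int:
    """Pick the shift whose candidate plaintext looks most like English."""
    candidates = caesar_candidates(ciphertext)
    return max(candidates, key=lambda s: english_score(candidates[s]))
```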


Asymmetric Cryptography
Asymmetric cryptography or public-key cryptography is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely. Initially, a network user receives a public and private key pair from a certificate authority. Any other user who wants to send an encrypted message can get the intended recipient's public key from a public directory. They use this key to encrypt the message, and they send it to the recipient. When the recipient gets the message, they decrypt it with their private key, which no one else should have access to.


Friday, July 31, 2009

WEEK 3 (IT SECURITY)

LECTURE 3 (27 July 2009)

This week I learn about Cryptography Concept. Before that I must know what is Cryptography. Cryptography is the art and science of keeping data secure. Cryptographic services help ensure data privacy, maintain data integrity, authenticate communicating parties, and prevent repudiation (when a party refutes having sent a message).

Basic encryption allows you to store information or to communicate with other parties while preventing non-involved parties from understanding the stored information or understanding the communication. Encryption transforms understandable text (plaintext) into an unintelligible piece of data (ciphertext). Decryption restores the understandable text from the unintelligible data. Both functions involve a mathematical formula (the algorithm) and secret data (the key).

Cryptographic algorithms

There are two types of cryptographic algorithms:

1. With a secret or symmetric key algorithm, the key is a shared secret between two communicating parties. Encryption and decryption both use the same key. The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are examples of symmetric key algorithms.

There are two types of symmetric key algorithms:

Block ciphers: In a block cipher, the actual encryption code works on a fixed-size block of data. Normally, the user's interface to the encrypt/decrypt operation will handle data longer than the block size by repeatedly calling the low-level encryption function. If the length of data is not on a block size boundary, it must be padded.

Stream ciphers: Stream ciphers do not work on a block basis, but convert 1 bit (or 1 byte) of data at a time.
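An added example (not from the lecture) of the two shapes just described: PKCS#7 padding so that block-cipher input ends on a block boundary, including the case where the data already does, beside a stream-style keystream XOR that needs no padding. The keystream is an HMAC counter-mode construction chosen here for illustration, not a vetted cipher.

```python
import hashlib
import hmac


def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    """Pad to a whole number of blocks; each pad byte holds the pad length.

    Data that already ends on a block boundary still gets a full block of
    padding, otherwise the receiver could not tell padding from data.
    """
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be between 1 and 255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = 16) -> bytes:
    """Strip padding, rejecting anything malformed rather than guessing."""
    if not data or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher shape: XOR the data with a keystream, one byte at a time.

    The keystream is HMAC-SHA256(key, nonce || counter) blocks, i.e. a PRF in
    counter mode. Output length equals input length, so no padding is needed;
    encryption and decryption are the same operation, and a nonce must never
    be reused with the same key.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))
```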

2. With a public key (PKA) or asymmetric key algorithm, a pair of keys is used. One of the keys, the private key, is kept secret and not shared with anyone. The other key, the public key, is not secret and can be shared with anyone. When data is encrypted by one of the keys, it can only be decrypted and recovered by using the other key. The two keys are mathematically related, but it is virtually impossible to derive the private key from the public key. The RSA algorithm is an example of a public key algorithm.

Public key algorithms are slower than symmetric key algorithms. Applications typically use public key algorithms to encrypt symmetric keys (for key distribution) and to encrypt hashes (in digital signature generation).

Together, the key and the cryptographic algorithm transform the data. All of the supported algorithms are in the public domain. Therefore it is the key that controls access to the data. You must safeguard the keys to protect the data.


LAB 3 (28 July 2009)

The topic of this lab is Authentication and Basic Cryptography. By the end of this section I must know what Authentication and Cryptography are, and know how to implement data encryption. I must also know how to implement a local password policy on Windows 2003 and how to implement asymmetric cryptography using Pretty Good Privacy (PGP).

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords.

Cryptography is the art and science of keeping data secure. Cryptographic services help ensure data privacy, maintain data integrity, authenticate communicating parties, and prevent repudiation (when a party refutes having sent a message). Within the context of any application-to-application communication, there are some specific security requirements, including:
• Authentication: The process of proving one's identity. (The primary forms of host-to-host authentication on the Internet today are name-based or address-based, both of which are notoriously weak.)
• Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.
• Integrity: Assuring the receiver that the received message has not been altered in any way from the original.
• Non-repudiation: A mechanism to prove that the sender really sent this message.

Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood. The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions.

Encryption and Decryption operation.

Wednesday, July 29, 2009

WEEK 2 (IT SECURITY)

LECTURE 2 (20 July 2009)

The topic of this lecture is Authentication and Basic Cryptography. This week I only learnt about Authentication. Authentication is related to identity verification. Identity verification is classified by something known (a password), by something possessed (a smart card), by physical characteristics (biometrics) such as a fingerprint, and by the result of an involuntary action, such as a signature. Authentication is also a process for identifying and verifying who is sending a request. This is the general process of authentication:
(1) The sender obtains the necessary credential.
(2) The sender sends a request with the credential to the recipient.
(3) The recipient uses the credential to verify that the sender truly sent the request.
(4) If yes, the recipient processes the request. If no, the recipient rejects the request and responds accordingly.

In this topic I also learnt how to choose a good password and the techniques used for guessing passwords. The criterion for choosing a password is that it must be hard to guess but easy to remember. The characteristics of a good password are that it is not shorter than six characters and that it mixes all types of characters. There are many techniques for guessing passwords: trying default passwords, trying all short words of 1 to 3 characters, and collecting all information about the user such as date of birth, hobbies, family name, plate number and so on. A Trojan horse can also be used to guess passwords.
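One added example (not from the lecture notes) covering the salted password file listed under Week 5 and the password-selection rules above: a checker for the stated criteria, and a salted one-way store with constant-time verification. The default-password list and the user details are constructed.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List

# Constructed list of default passwords to reject (assumption: illustrative only).
DEFAULT_PASSWORDS = {"password", "admin", "123456", "letmein", "welcome"}
CHARACTER_CLASSES = {
    "lowercase": r"[a-z]", "uppercase": r"[A-Z]", "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
}
PBKDF2_ITERATIONS = 200_000


def check_password(password: str, user_info: Dict[str, str]) -> List[str]:
    """Return the rules a candidate password breaks (an empty list means acceptable).

    Rules follow the lecture: at least six characters, a mix of all character
    classes, not a default password, and not built from facts about the user
    (name, date of birth, plate number, ...). Short words fail the length rule.
    """
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    missing = [name for name, pat in CHARACTER_CLASSES.items() if not re.search(pat, password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS:
        problems.append("is a well-known default password")
    for field, value in user_info.items():
        if len(value) >= 3 and value.lower() in lowered:
            problems.append(f"contains the user's {field}")
    return problems


def make_record(password: str) -> str:
    """Store a salted one-way hash, never the password itself.

    A random per-user salt means two users with the same password get
    different records, so a precomputed table of hashes is useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```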


LAB 2 (21 July 2009)

The topic of this lab is The Goal of Information Technology Security. By the end of this section I must know what the information technology security goals are. I also must know how to determine if a partition is NTFS or FAT32. I must implement confidentiality, integrity and availability in Windows Server 2003.

Information technology security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The goals of information technology security are Confidentiality, Integrity and Availability. Confidentiality protects computer-related assets from being used by unauthorized users. Integrity ensures data can be modified by authorized parties and by authorized mechanisms only. Availability makes sure authorized users can access information at any time without any failure.

The relationship between the three goals.

Monday, July 20, 2009

WEEK 1 (IT SECURITY)

LECTURE 1 (13 July 2009)

In this lecture I learnt about the introduction to information security. This lecture covers what information security is, the security areas, the architecture of security, security principles, security policy, security attacks/threats, methods of defense, security services and security mechanisms.


As we know, information security is the protection of data against unauthorized access. Programs and data can be secured by issuing passwords and digital certificates to authorized users. There are three security areas: detection (using tools such as an internet scanner), prevention (using tools such as a proxy or firewall) and recovery (using cryptographic techniques). I also learnt about the principles of security. The four principles of security are confidentiality, integrity, availability and non-repudiation. Among security attacks/threats there are two types of attack: passive attacks and active attacks. A passive attack only monitors and cannot change any data. An active attack involves some modification of the data.


Security services fall into five categories, with 14 specific services provided. The five categories are authentication, access control, data confidentiality, data integrity and non-repudiation. In the last part of this lecture I learnt about security mechanisms. Security mechanisms are divided into two classes: specific security mechanisms and pervasive security mechanisms. In conclusion, information security is very important for our computers' sake.


LAB 1 (14 July 2009)

This lab covers VMware, which is virtual machine software. (The name "virtual machine" is also given to various programming language interpreters.) VMware allows multiple copies of the same operating system, or several different operating systems, to run on the same x86-based machine. Each virtual machine is like a "machine within the machine" and functions as if it owned the entire computer. All virtual machines run simultaneously.


VMware is program which runs under Linux (or NT) and emulates the hardware of a standard PC to provide one or more virtual machines. Many operating systems can be installed on these virtual machines so that it is possible to run, for example, Windows 95 inside a standard X Window under Linux. It is even possible to run a complete Linux installation (maybe a different version) inside another window, at the same time.


One of the advantages of using VMware is that a normal installation of a Microsoft operating system requires a long manual process to configure the system to the specific hardware of the machine. This means that the same installation cannot be used for another machine, which usually has different hardware. Since VMware emulates the same set of virtual devices on any machine, a single operating system image can be used.