Friday, October 23, 2009

WEEK 11 (IT SECURITY)

LECTURE 11 

The last topic in my lecture is Cyberlaw. Cyberlaw is a term that encapsulates the legal issues related to the use of the communicative, transactional, and distributive aspects of networked information devices and technologies. It is less a distinct field of law, in the way that property or contract law are, than a domain covering many areas of law and regulation. Some leading topics include intellectual property, privacy, freedom of expression, and jurisdiction.

COMPUTERS CRIME ACT 1997 
As computing becomes more central to people's life and work, computers become both targets and tools of crime. This Act makes it an offence to do anything that would harm a computer system.

COMMUNICATION AND MULTIMEDIA ACT 1998 
Convergence of technologies is driving the convergence of telecommunications, broadcasting, computing and content. This Act creates a new system of licences and defines the roles and responsibilities of those providing communications and multimedia services, and it provides for the establishment of the Communications and Multimedia Commission, the new regulatory authority.

DIGITAL SIGNATURE ACT 1997 
Provides for the regulation of the public key infrastructure. The Act makes a digital signature as legally valid and enforceable as a traditional signature.

COPYRIGHT (Amendment) ACT 1997 
Copyright serves to protect the expression of thoughts and ideas from unauthorized copying and/or alteration. With the convergence of Information and Communication Technology (ICT), creative expression is now being captured and communicated in new forms (for example multimedia products, and broadcast of movies over the Internet and cable TV). These new forms need protection. The Copyright (Amendment) Act 1997 extends copyright protection to this new, converged multimedia environment.

TELEMEDICINE ACT 1997 
Healthcare systems and providers around the world are becoming interconnected. People and local healthcare providers can thus source quality healthcare advice and consultation from specialists around the world, independent of geographical location. Under this Act, any registered doctor may practise telemedicine, but healthcare providers must obtain a licence to do so.


Thursday, October 22, 2009

WEEK 10 (IT SECURITY)

LECTURE 10

This lecture is about Legal and Ethical Issues in Computer Security. This lecture covers information security law and ethics.

LAW 
A rule of conduct or action prescribed or formally recognized as binding, or enforced by a controlling authority. It implies imposition by a sovereign authority and an obligation of obedience on the part of all who are subject to that authority.

Categories of law
Civil law: represents a wide variety of laws that govern a nation or state.
Criminal law: addresses violations harmful to society and is actively enforced through prosecution by the state.

The categories of laws that affect the individual in the workplace are private law and public law. 

Private law regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law. 
Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.

ETHICS 
A set of moral principles or values. The principles of conduct governing an individual or a group. An objectively defined standard of right and wrong.

Ethics Concept
Ethical Differences Across Cultures
-Cultural differences can make it difficult to determine what is and is not ethical especially when considering the use of computers.

Software License Infringement
-The individuals surveyed understood what software license infringement was, but felt either that their use was not piracy or that their society permitted this piracy in some way.

Illicit Use
-The individuals studied unilaterally condemned viruses, hacking, and other forms of system abuse as unacceptable behavior.

Misuse of Corporate Resources
-Individuals displayed a rather lenient view of personal use of company equipment.

Ethics and Education
-Differences in the ethics of computer use are not exclusively international.

Deterrence to Unethical and Illegal Behavior
-It is the responsibility of information security personnel to do everything in their power to deter these acts and to use policy, education and training, and technology to protect information and systems.

Saturday, October 17, 2009

WEEK 9 (IT SECURITY)

LECTURE 9

In this lecture I learned about Wireless Security. Wireless security is the prevention of unauthorized access to, or damage to, computers using wireless networks. Wireless networks have quickly become part of today's corporate technology landscape. Yet the rapid pace of deployment has far outstripped the technology's suitability for a stable and secure network environment. Many information security specialists are on record saying that the security protocols built into the early 802.11 standards are clearly inadequate for the task. Far worse, the security measures that are available often go unimplemented, because Wi-Fi hardware is frequently installed by non-technical employees without the expertise of network professionals. This opens major areas of vulnerability in corporate networks.

There are three basic security services:
• Authentication – verifies the identity of the parties that communicate.
• Integrity – ensures that a message is not modified in transit between the Wi-Fi client and the access point.
• Confidentiality – provides privacy comparable to that achieved by a wired network.

802.1X authentication can help enhance security for 802.11 wireless networks and wired Ethernet networks. 802.1X uses an authentication server to validate users and provide network access. On wireless networks, 802.1X can work with Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) keys. This type of authentication is typically used when connecting to a workplace network.

WPA encrypts information, and it also checks to make sure that the network security key has not been modified. WPA also authenticates users to help ensure that only authorized people can access the network. There are two types of WPA authentication: WPA and WPA2. WPA is designed to work with all wireless network adapters, but it might not work with older routers or access points. WPA2 is more secure than WPA, but it will not work with some older network adapters. WPA is designed to be used with an 802.1X authentication server, which distributes different keys to each user. This is referred to as WPA-Enterprise or WPA2-Enterprise. It can also be used in a pre-shared key (PSK) mode, where every user is given the same passphrase. This is referred to as WPA-Personal or WPA2-Personal.
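The WPA-Personal key derivation, as an added example in Python (not part of the lecture): every client turns the shared passphrase and the SSID into the same 256-bit pairwise master key with PBKDF2-HMAC-SHA1 over 4096 iterations, as IEEE 802.11i specifies, so the key is only as private as the passphrase everyone shares, whereas the Enterprise mode's 802.1X server gives each user a different key. The check uses the standard's published test vector (passphrase "password", SSID "IEEE"); the client names are constructed.

```python
import hashlib

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key for WPA/WPA2-Personal as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32-byte output).
    Inputs outside the standard's limits are rejected instead of silently hashed."""
    if not (8 <= len(passphrase) <= 63 and passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32)

def keys_per_client(clients, passphrase: str, ssid: str) -> dict:
    """In PSK mode every client computes the key from the same two inputs,
    so all of them hold an identical master key."""
    return {name: wpa_psk(passphrase, ssid) for name in clients}

if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())   # IEEE 802.11i Annex H test vector
    # Constructed sample: three laptops joined to one WPA2-Personal network.
    keys = keys_per_client(["laptop-a", "laptop-b", "laptop-c"], "password", "IEEE")
    print(len(set(keys.values())))   # 1: one passphrase, one key for everyone
```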

Thursday, October 8, 2009

WEEK 8 (IT SECURITY)

LECTURE 8

This lecture is about security in applications. It covers Electronic Mail Security and web security. What is e-mail? An e-mail is a message made up of a string of ASCII characters in a format specified by RFC 822. An e-mail has two parts, a header and a body. The header states the sender and the recipients of the e-mail; the body is the content of the message. The security services that can be provided for e-mail are confidentiality, data origin authentication, message integrity, non-repudiation of origin and key management. There are two main categories of e-mail security threat: threats to the security of e-mail itself, and threats to an organisation that are enabled by the use of e-mail.

Multipurpose Internet Mail Extensions (MIME)

Extends the format of Internet mail to allow non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII information in message headers.

Web security includes the security of the server, the security of the client, and the security of the network traffic between a browser and a server.

SSL/TLS
SSL/TLS, like most modern security protocols, is based on cryptography. When an SSL session is established, the server begins by announcing a public key to the client. No encryption is in use initially, so both parties (and any eavesdropper) can read this key, but the client can now transmit information to the server in a way that no one else can decode. The client generates 46 bytes of random data, forms them into a single very large number according to PKCS#1, encrypts them with the server's public key, and sends the result to the server. Only the server, with its private key, can decode the information to determine the 46 original bytes. This shared secret is now used to generate a set of conventional RC4 cipher keys to encrypt the rest of the session.
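The exchange just described, as an added Python example (not from the lecture) using only the standard library: a toy Miller-Rabin key generator stands in for the server's real certificate key, PKCS#1 v1.5 type 2 padding forms the 46 random bytes (plus the two version bytes SSLv3 prepends) into the number that is RSA-encrypted, and a plain SHA-256 hash stands in for SSL's actual key derivation; the padding check on the server side rejects malformed blocks.

```python
import hashlib, os, random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test for odd n > 3; adequate for a demonstration key."""
    s = ((n - 1) & -(n - 1)).bit_length() - 1   # n - 1 = d * 2^s with d odd
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), (n - 1) >> s, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=1024):
    """Server's long-term key pair: public (n, e) and private exponent d."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | 1 << (b - 1) | 1   # odd, full length
            if is_probable_prime(c):
                return c
    e, p, q = 65537, prime(bits // 2), prime(bits // 2)
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def pkcs1_encrypt(pub, msg):
    """PKCS#1 v1.5 type 2 block: 00 02 | nonzero random pad | 00 | msg, then m^e mod n."""
    n, e = pub
    pad = bytes(random.randrange(1, 256) for _ in range((n.bit_length() + 7) // 8 - 3 - len(msg)))
    return pow(int.from_bytes(b"\x00\x02" + pad + b"\x00" + msg, "big"), e, n)

def pkcs1_decrypt(pub, d, ct):
    """Server side: undo RSA with d, then check and strip the padding."""
    em = pow(ct, d, pub[0]).to_bytes((pub[0].bit_length() + 7) // 8, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("malformed PKCS#1 block")
    return em[em.index(b"\x00", 2) + 1:]

def derive_keys(secret):
    """Simplified expansion of the shared secret into two session keys (not SSL's real PRF)."""
    return tuple(hashlib.sha256(side + secret).digest()[:16] for side in (b"client", b"server"))

def rsa_key_exchange(server_pub, server_d):
    """Client: 2 version bytes + 46 random bytes, RSA-encrypted to the server's public key."""
    pre_master = b"\x03\x00" + os.urandom(46)
    ciphertext = pkcs1_encrypt(server_pub, pre_master)   # all an eavesdropper sees
    recovered = pkcs1_decrypt(server_pub, server_d, ciphertext)
    return derive_keys(pre_master), derive_keys(recovered)  # identical on both sides
```

Because the session keys depend only on the server's long-term private key, anyone who later obtains that key can decrypt recorded sessions; modern TLS prefers Diffie-Hellman key exchange for this reason.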

SSH (Secure Shell)
A network protocol that allows data to be exchanged using a secure channel between two networked devices. Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.

SET 
An open encryption and security specification designed to protect credit card transactions on the Internet.


Wednesday, September 2, 2009

WEEK 7 (IT SECURITY)

LECTURE 7

The topic in this lecture is security in networks. A computer network is a group of computers that are connected to each other for the purpose of communication. Networks may be classified according to a wide variety of characteristics. This article provides a general overview of some types and categories and also presents the basic components of a network.

One way to categorize the different types of computer network designs is by their scope or scale. For historical reasons, the networking industry refers to nearly every type of design as some kind of area network. Common examples of area network types are: 
• LAN - Local Area Network 
• WLAN - Wireless Local Area Network 
• WAN - Wide Area Network 
• MAN - Metropolitan Area Network 
• SAN - Storage Area Network, System Area Network, Server Area Network, or sometimes Small Area Network 


Network topologies
1. Bus - Both ends of the network must be terminated with a terminator. A barrel connector can be used to extend it. 
2. Star - All devices revolve around a central hub, which is what controls the network communications, and can communicate with other hubs. Range limits are about 100 meters from the hub. 
3. Ring - Devices are connected from one to another, as in a ring. A data token is used to grant permission for each computer to communicate.

Advantages of network
Speed - Sharing and transferring files within a network is very rapid, saving time while maintaining the integrity of the file.
Cost - Individually licensed copies of many popular software programs can be costly. Networkable versions are available at considerable savings. Shared programs on a network also allow easier upgrading of the program on one single file server, instead of upgrading individual workstations.
Security - Sensitive files and programs on a network are password protected (passwords are established for specific directories to restrict access to authorized users) or designated as "copy inhibit," so that you do not have to worry about illegal copying of programs.
Centralized Software Management - Software can be loaded on one computer (the file server), eliminating the need to spend time and energy installing updates and tracking files on independent computers throughout the building.
Resource Sharing - Resources such as printers, fax machines and modems can be shared.
Electronic Mail - E-mail aids personal and professional communication. Electronic mail on a LAN enables staff to communicate within the building without having to leave their desks.
Flexible Access - Users can access their files from computers throughout the firm.
Workgroup Computing - Workgroup software (such as Microsoft BackOffice) allows many users to work on a document or project concurrently.

Disadvantages of network
• Server faults stop applications being available.
• Network faults can cause loss of data.
• Network faults could lead to loss of resources.
• Users' work is dependent upon the network.
• The system is open to hackers.
• Decisions tend to become centralised.
• The network could become inefficient.
• The network could degrade in performance.
• Resources could be located too far from users.
• Network management can become difficult.


Saturday, August 22, 2009

WEEK 6 (IT SECURITY)

LECTURE 6

In this lecture I learned about Database Security. Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Database security has become important because information is a critical resource in the enterprise, securing it has become a billion-dollar industry, and people want to protect their confidential information.

Characteristics of good database security

• Data independence
• Shared access
• Minimal redundancy
• Data consistency
• Data integrity


Levels of database security
• Physical security – protection of personnel, hardware, programs, networks, and data from physical circumstances
• Operating system security – use of an access control matrix, capability and accessor list
• DBMS security – protection mechanisms and query modification
• Data encryption – such as RSA scheme and data encryption standard

Advantages of using a database
• Shared access
• Minimal redundancy
• Data consistency
• Data integrity
• Controlled access

LAB 6

In this lab I learned about database security. Below are the steps to install MySQL server.

Sunday, August 16, 2009

WEEK 5 (IT SECURITY)

LECTURE 5 (10 August 2009)

In this lecture I learned about Operating System Security. This lecture covers the levels of protection, the methods used for memory protection, the threats that damage the authentication process, and encrypted password files. In operating systems, segmentation is used as a security method.

Levels of protection
• No protection
• Isolation
• Share all or share nothing
• Share via access limitation
• Share by capabilities
• Limit use of an object
• Granularity of protection

Methods used for memory protection
• Fence
• Relocation
• Base / bound register
• Tagged architecture
• Segmentation
• Paging
• Paging combined with segmentation

Threats that damage the authentication process
• Spoofing
• Eavesdropping
• Modification
• Masquerading

Encrypted password file
• Conventional encryption
• One way cipher
• Salted password (UNIX)
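The difference between a plain one-way cipher and a salted one, as an added Python example (not from the lecture): with no salt, two users who chose the same password get the same stored value and a dictionary of hashes computed once in advance matches the whole password file in one pass; with a per-user salt, the same password yields different stored values and the precomputed table matches nothing, while login verification still works by recomputing with the stored salt. PBKDF2 stands in for the historic UNIX crypt(3) cipher (which used a 12-bit salt), and the user names, passwords and word list are constructed.

```python
import hashlib
import hmac
import os

# Stand-in for the historic one-way crypt(3) cipher: a deliberately slow one-way function.
ITERATIONS = 10_000

def one_way(password: str, salt: bytes = b"") -> bytes:
    """One-way cipher: cannot be reversed, only recomputed and compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_unsalted(password: str) -> dict:
    """Plain one-way cipher entry: equal passwords produce equal stored values."""
    return {"salt": b"", "hash": one_way(password)}

def store_salted(password: str) -> dict:
    """UNIX-style entry: a random per-user salt is stored beside the hash.
    (Classic UNIX crypt used a 12-bit salt; 16 random bytes is the modern choice.)"""
    salt = os.urandom(16)
    return {"salt": salt, "hash": one_way(password, salt)}

def verify(entry: dict, password: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(entry["hash"], one_way(password, entry["salt"]))

def precomputed_table(wordlist) -> dict:
    """A table of hash -> word computed once in advance (no salt involved)."""
    return {one_way(word): word for word in wordlist}

def table_lookup(table: dict, password_file: dict) -> dict:
    """Match every stored hash against the table in one pass.
    Succeeds only where entries were hashed without a salt."""
    return {user: table.get(entry["hash"]) for user, entry in password_file.items()}

if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    unsalted = {"alice": store_unsalted("letmein"), "bob": store_unsalted("letmein")}
    salted = {"alice": store_salted("letmein"), "bob": store_salted("letmein")}
    table = precomputed_table(["password", "letmein", "qwerty"])
    print(table_lookup(table, unsalted))  # {'alice': 'letmein', 'bob': 'letmein'}
    print(table_lookup(table, salted))    # {'alice': None, 'bob': None}
    print(verify(salted["alice"], "letmein"), verify(salted["alice"], "wrong"))  # True False
```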


LAB 5 (11 August 2009)

The topic of this lab is Web Application Security. In this lab, I must be able to describe the flaws of web applications and how they are exploited. Besides that, I also have to exploit the web vulnerabilities. After that, I need to list the prevention methods that can be taken to overcome web application vulnerabilities.

Web application

An application that can be accessed using a web browser over a network, either the Internet or a Local Area Network. It is developed using browser-supported languages such as HTML and JavaScript, together with languages such as PHP and ASP. The output produced is then rendered by a common web browser. Web applications let users access an application or system anywhere and at any time, provided the user has a network connection and a web browser is installed on the machine.

This ease of use makes web applications popular among Internet users. Moreover, the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contributes to their popularity. Nowadays web applications are used for accessing mail, online banking, online shopping, online reservations, wikis and many other functions.

WebGoat
A simulation toolkit used to demonstrate how the vulnerabilities of a poorly designed web application can be exploited.

WebScarab
A tool for anyone who needs to expose the workings of an HTTP(S)-based application, whether to allow a developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way the application has been designed or implemented.