Security in the Information Age
The Heartbleed vulnerability is a programming mistake in OpenSSL that allows the theft of information normally protected by the SSL/TLS encryption used to secure the internet. The Heartbleed bug enables anybody on the internet to read the memory of systems protected by vulnerable versions of OpenSSL. This eventually compromises the secret keys used to identify service providers and to encrypt traffic, as well as the names and passwords of users and the actual content. Attackers can then listen in on communications, impersonate users and services, and steal data directly from users and services.
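The memory read described above comes from trusting the length field in a TLS heartbeat request. The following added example (a simplified simulation, not OpenSSL's code and not part of the original text) shows the unchecked handler beside the bounds-checked one; the function names and the "memory" layout are constructed for illustration.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16  # minimum padding a heartbeat message carries (RFC 6520)
HEADER_LEN = 3    # type (1 byte) + payload_length (2 bytes, big-endian)

def make_request(claimed_len: int, payload: bytes) -> bytes:
    """Build a heartbeat request whose length field may not match the payload."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len)
    return header + payload + b"\x00" * PADDING_LEN

def build_memory(record: bytes, secret: bytes) -> bytearray:
    """Constructed stand-in for process memory: the record sits next to a secret."""
    return bytearray(record + secret)

def respond_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Echo the payload using only the sender's length field (record_len is ignored)."""
    _msg_type, claimed_len = struct.unpack_from("!BH", memory, 0)
    return bytes(memory[HEADER_LEN:HEADER_LEN + claimed_len])

def respond_fixed(memory: bytearray, record_len: int):
    """Echo the payload only if the claimed length fits inside the received record."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None  # too short to be a valid heartbeat: discard silently
    _msg_type, claimed_len = struct.unpack_from("!BH", memory, 0)
    if HEADER_LEN + claimed_len + PADDING_LEN > record_len:
        return None  # length field claims more than was actually received
    return bytes(memory[HEADER_LEN:HEADER_LEN + claimed_len])

if __name__ == "__main__":
    secret = b"SECRET-KEY"                      # constructed sample data
    record = make_request(30, b"ping")          # claims 30 bytes, carries 4
    memory = build_memory(record, secret)
    print(respond_vulnerable(memory, len(record)))  # includes the secret
    print(respond_fixed(memory, len(record)))       # None: request dropped
```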
Two of the most common types of biometric error are FEE and FME.
Failure to Enroll Error (FEE) refers to the inability of a biometric system to extract template information following a successful capture from the device. In essence, this is an algorithm error that relates to the steps of template processing, as well as extraction from the input device. Of particular note is the fact that the error strongly relies on human and device factors at the time of biometric capture.
False Match Error (FME) refers to algorithm failure when it classifies an actual impostor as genuine. The error relates to the template-matching steps in the biometric algorithm and is dependent on the template extraction step. It may also strongly rely on human and device factors at the time of biometric capture.
The use of chip, PIN and smart cards would go a long way in preventing credit card fraud in the United States. Smart cards incorporate powerful chips that allow advanced capabilities such as the generation of digital signatures and encryption. Microchips are considerably more difficult to counterfeit than the magnetic strips in common credit cards.
As an application that runs on the internet, VoIP inherits numerous security issues that are prevalent on the internet. One of the security threats to VoIP is DoS (Denial of Service), where the device or network is attacked, thereby denying it connectivity or a service. In VoIP, DoS attacks may be accomplished by flooding the target with unnecessary SIP call-signaling messages, which eventually degrades the service and causes calls not to be processed or to be dropped prematurely.
In addition, VoIP systems can only be as secure as the underlying network security. Where the underlying network has security vulnerabilities, they may be exploited once VoIP is implemented. It is recommended that an autonomous security evaluation is carried out prior to the VoIP deployment so as to remedy issues pertaining to firewall configuration, periodic syslog review, wireless security, patching procedures and gateway security.
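One way to spot the SIP call-signaling flood described above during log review is a per-source sliding-window count of INVITE messages. This is an added example, not part of the original text; the log format, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10  # assumed sliding-window length
MAX_INVITES = 5      # assumed per-source limit inside one window

# Constructed log lines: "<epoch seconds> <source address> <SIP method>"
SAMPLE_LOG = """\
1000 192.0.2.10 INVITE
1001 198.51.100.7 INVITE
1001 198.51.100.7 INVITE
1002 198.51.100.7 INVITE
1002 198.51.100.7 INVITE
1003 198.51.100.7 INVITE
1003 198.51.100.7 INVITE
1004 198.51.100.7 INVITE
1005 192.0.2.10 REGISTER
1030 192.0.2.10 INVITE
"""

def flooding_sources(log_text, window=WINDOW_SECONDS, limit=MAX_INVITES):
    """Return {source: timestamp at which it first exceeded the limit}."""
    recent = defaultdict(deque)  # source -> INVITE timestamps still in window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines instead of failing
        ts, src, method = int(parts[0]), parts[1], parts[2]
        if method != "INVITE":
            continue  # only call-setup requests are counted here
        seen = recent[src]
        seen.append(ts)
        # Drop timestamps that have fallen out of the window.
        while seen[0] <= ts - window:
            seen.popleft()
        if len(seen) > limit:
            flagged.setdefault(src, ts)
    return flagged

if __name__ == "__main__":
    print(flooding_sources(SAMPLE_LOG))
```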
Configuration management refers to the process of regulating changes in the configuration of devices in an IT environment. One of the methods of configuration management is status accounting, where the state changes on a configuration item are recorded. This allows the CMDB to have an accurate representation of the IT infrastructure. Further, the information is useful in problem management, especially in the detection of devices that have high repair incidents or long repair periods.
On the same note, configuration management also involves identification of the configuration item, where the name and description of the item are recorded alongside its owner, association with other items, versions, as well as unique identifiers.
Web application vulnerabilities include remote code execution, SQL injection, Cross Site Scripting, and username enumeration. Username enumeration refers to an attack in which the backend validation script informs the attacker whether the supplied username is correct or not. Exploiting this vulnerability helps the attacker try different usernames and determine the correct one from the differing error messages.
Cross site scripting uses malicious URLs crafted in a way that makes them appear legitimate. Once the user follows the URL, the attacker effectively executes a malicious item in the browser, thereby hijacking the user’s session and cookies.
Remote code execution, on the other hand, allows attackers to run arbitrary, system-level code on the servers, thereby retrieving any information contained therein, while SQL injection allows attackers to retrieve important information from the database of the web server.
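The username enumeration weakness described above comes down to the login check answering differently for unknown users. This added example (not part of the original text) shows an enumerable check beside one that returns a single generic failure and does the same hashing work either way; the user store, function names and messages are constructed.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store: username -> (salt, password hash)
ALICE_SALT = os.urandom(16)
USERS = {"alice": (ALICE_SALT, hash_password("correct horse", ALICE_SALT))}

# Random record checked when the username does not exist, so that both
# paths perform one hash and one comparison.
DUMMY_RECORD = (os.urandom(16), os.urandom(32))

GENERIC_FAILURE = "Invalid username or password"

def login_enumerable(username: str, password: str) -> str:
    """Weak form: the error message reveals whether the username exists."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "Wrong password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """Hardened form: one message and the same work for every failure."""
    known = username in USERS
    salt, stored = USERS.get(username, DUMMY_RECORD)
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    return "OK" if (known and matches) else GENERIC_FAILURE

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, "|", login_enumerable(name, "guess"),
              "|", login_uniform(name, "guess"))
```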
The Snapchat application enables users to send each other pictures that are timed, and which are apparently deleted after the intended recipient opens them. Snapchat makes use of two encryption keys for every other user, which the company keeps. It is worth noting that the personal information can be used by stalkers and internet trolls to harass individuals in real life while stripping away the privacy and anonymity that the application provides. Further, a malicious party may steal enormous amounts of data with little effort and sell it to private parties. Similarly, the application uses an extremely simple protocol apart from HTTP. These security measures are evidently not sufficient to protect individual information. Indeed, research has shown that the deleted pictures can still be recovered, even by third parties. To enhance its security, it is imperative that the application incorporates strong encryption and user-hosted keys, while the company should delete the photos even on its servers.
Security engineering refers to a specialized engineering field that concentrates on the security elements in system design that must deal robustly with potential disruptions, including malicious acts and natural disasters. However, varied world changes have affected the field. This is especially so with regard to the advancement of technology, as well as increased interconnectivity among varied parts of the globe, which make it more difficult to trace threats and neutralize them.
China carries out web censorship by putting in place laws and regulations that dictate the type of content that individuals can post on the internet. Further, the laws indicate that individuals cannot post any content anonymously. Although the country does not have sufficient physical resources to monitor all forums and chat rooms, the government threatens to shut them down if any politically sensitive content is posted there. This strategy is considerably effective, as the internet content providers have been forced to hire internal staff who stop and eliminate forum comments that are politically sensitive.
a. Anonymous remailers – these are servers that receive messages with embedded instructions detailing where they should be sent next, which allows the messages to be sent without disclosing their origin. While this technique may be effective, the software remains vulnerable to Trojans on compromised servers, misadministration of the server or even a compromised server operator.
b. Anonymous browsing (Tor) – Tor refers to free software, as well as an open network, that defends the communication of an individual from traffic analysis. Traffic analysis is a form of network surveillance that is an immense threat to privacy and personal freedom, state security, as well as confidential business relationships and activities. Tor protects an individual by bouncing the communications around a distributed network of relays operated by volunteers across the globe. However, this program may be compromised by lifting the fingerprints that show connection to the network and feeding them to the XKeyscore database, which collects immense internet metadata and content from likely targets.
Throwaway cell phones – throwaway cell phones are used to communicate a certain message, after which they are discarded, thereby cutting any link that trackers may have established with the victim. While this may be an effective way of ensuring privacy, the location of an individual would still be known at least at the time of communicating.
Skype – offers immense security in online communication, as messages are secured using end-to-end communication. While this may be the case, research has shown that varied links to previously undetected web pages sent through Skype are accessed by computers that had an IP address belonging to Microsoft.
d. PGP (Pretty Good Privacy) refers to a data encryption and decryption computer program that offers cryptographic authentication and privacy for data communication. It is usually used in signing, encrypting, as well as decrypting emails, files, texts and directories, as well as increasing email communication security. This program is extremely effective, as only the intended recipient would have the required codes for opening and accessing the program. Indeed, there is no known way of circumventing PGP.
e. Steganography – refers to the practice or art of concealing an image, file or message within another image, file or message. This technique may be effective, as the intended message is unlikely to attract attention to itself as an item that necessitates more scrutiny. Such files, however, may be detected through comparison with known originals.