Author Archive for Josiah

09
Apr
08

NIST SP 800 / ISO17799 / PCI Credit Card Standard

NIST SP 800:

  • The National Institute of Standards and Technology – a unit of the United States Department of Commerce – has published a Special Publications set on Information Technology computer security policies, procedures, and guidelines known as the ‘800’ series.
  • “The publications cover all NIST-recommended procedures and criteria for assessing and documenting threats and vulnerabilities and for implementing security measures to minimize the risk of adverse events… The publications can be useful as guidelines for enforcement of security rules and as legal references in case of litigation involving security issues.” (See http://whatis.techtarget.com/definition/0,,sid9_gci1189451,00.html)
  • The SP 800 series is provided free of charge and is generally used in businesses, academia, and other large scale IT deployments.
  • Select topics include: VPNs, data models, cryptography, hash algorithms, etc.
  • See http://csrc.nist.gov/publications/PubsSPs.html for a complete reference on the SP 800 publication.

ISO 17799:

  • From The International Organization for Standardization – ISO 17799 is a set of information security management standards that have gained international recognition and approval.
  • ISO 17799 is made up of two parts. Part 1) is ISO 17799 itself, a ‘code of practice’ that outlines such topics as Security Policy, Security Organization, Asset Classification and Control, Business Continuity Management, etc.
  • Part 2) is referred to as BS7799-2 / ISO27001. This standard details Information Security Management System policies and procedures. One site described this process as “Define a security policy, Define the scope of the ISMS, Undertake a risk assessment, Manage the risk, Select control objectives and controls to be implemented, Prepare a statement of applicability.” (See http://www.17799central.com/iso17799.htm for more information as described in part 1 and 2)

PCI Credit Card Standard:

  • The PCI (Payment Card Industry Data Security Standard) was enacted by CISP (Cardholder Information Security Program). CISP, by the way, was created by VISA, and the PCI standard is a substandard of CISP.
  • The purpose of PCI (and CISP as a whole) is to “ensure and enhance” privacy and security of credit card information – particularly as it is handled by businesses and other agencies.  (For a brief overview, see http://searchfinancialsecurity.techtarget.com/sDefinition/0,,sid185_gci1201178,00.html – where much of this section’s information has been obtained.)
  • Standards are in place for online transactions, as well as those placed over the telephone, in store, and by mail order.
  • Audits are an integral part of maintaining this standard worldwide.
  • See VISA for more details on the program (http://usa.visa.com/merchants/risk_management/cisp.html)
09
Apr
08

“Who you are, what you have, what you know”

Authenticating users and data is critical to maintaining the integrity of security online. Authentication methods – or factors – can include something that the user has (software or security token, ID card, etc), something that the user knows (password, PIN, etc), and/or something that the user is or does (biometrics such as fingerprint, signature, or voice pattern). Truly then, as the title indicates, authentication is based on “who you are, what you have, what you know”.

Using more than one factor in an authentication process is commonly referred to as ‘strong authentication’. More and more, authentication processes are moving to ‘strong’ methods to provide stronger assurances that data and user are truly authenticated.

Below is a review of some common examples of the factors listed above:

  1. What the user has: tokens such as a Smart Card or a USB drive are commonly used as one factor of authentication. As USB devices become more powerful and less expensive, the difference between those USB devices and smart cards is beginning to fade. Another token device on the horizon is the cell phone. Using the cell phone as a token eliminates the need for another device and can serve as a means to enter a password – making this a dual-channel two-factor method of authentication. (See http://arstechnica.com/news.ars/post/20070717-phonefactor-rings-up-two-factor-authentication.html)
  2. What the user knows: passwords and PINs are an important part of authentication, but they are increasingly only one part of that authentication. Making stronger passwords and/or combining the password with a token (as noted above) are additional ways that ‘what the user knows’ is being implemented with more secure results.
  3. What the user is or does: biometrics such as fingerprinting or retina scans, while generally reliable, are proving to have weaknesses. (These weaknesses are largely mitigated by requiring another factor with it.) Other methods, such as signature and voice pattern, are examples of what you do.

(See http://en.wikipedia.org/wiki/Two-factor_authentication)
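As an added illustration (not part of the original post), the sketch below requires both a password ("what the user knows") and a time-based one-time code from a token ("what the user has") before it accepts a login. The choice of TOTP (RFC 6238) as the token, the enrolment record and the function names are assumptions made for the example; the token secret is the published RFC test secret.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1): what the token device displays."""
    counter = struct.pack(">Q", int(max(0.0, now) // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed enrolment record for one user (sample data, not from the post).
USER = {
    "salt": b"constructed-salt",
    "pw_hash": hash_password("correct horse battery", b"constructed-salt"),
    "token_secret": b"12345678901234567890",  # RFC 6238 test secret
}

def authenticate(user: dict, password: str, code: str, now: float, window: int = 1) -> bool:
    """Accept the login only if BOTH factors check out."""
    knows = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Allow one time step of clock drift either side of the server's clock.
    has = any(
        hmac.compare_digest(totp(user["token_secret"], now + drift * 30), code)
        for drift in range(-window, window + 1)
    )
    return knows and has

if __name__ == "__main__":
    now = 59  # constructed timestamp, matches the RFC test vector
    print(authenticate(USER, "correct horse battery", totp(USER["token_secret"], now), now))
    print(authenticate(USER, "correct horse battery", "000000", now))
```

A stolen password alone fails the second check, and a stolen token alone fails the first, which is the assurance the extra factor buys.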

01
Apr
08

The Low-down on Backup

(I have borrowed heavily from Wikipedia as a reference for the terms at use today. In large part, I believe that much of this article has touched on “common knowledge” (i.e., there wasn’t much new material here from what we discussed as a class). And while I have used formatting similar to the current Wikipedia article, I have tried to use my own language in describing otherwise common concepts.)

Backup is a secondary copy of data (whereas ‘archives’ are the primary copy). Backup can be employed in two primary – though not necessarily exclusive – ways. One way is to keep a complete, full system backup (everything on your computer – even down to your operating system, etc). Restoring such a backup would give you a full working system identical to the way it was running when the backup was made, with all accompanying data.

A second route is to backup data files only. In this way, the files can be restored in relatively small increments. This is a particularly useful approach when installation of an operating system is not particularly unique or difficult. It also typically requires less in resources and employs a number of techniques as listed below to make the backups quickly and efficiently.

Data repository models

  • Unstructured: Keeping your backup files on cd/dvds in a pile under your desk – with little regard to what is included or when – is a haphazard approach to backup that never seems to satisfy the need. Believe me, as a recovering unstructured backup guy, there is little comfort in this approach.
  • Full + Incremental: To clear the air, the definition of a ‘full’ backup is largely user defined (‘full’ then meaning 100% of the files that the user wants backed up – whether it is a full system backup or a set of data files.) Thus, after a full backup is taken, this method then backs up all new files and files that have changed since the last full or incremental backup. One advantage to incremental backup is that it is usually faster to complete the backup cycle. A downside to this approach is that one needs the entire chain of incremental backups to make the full backup in the case of a full restore.
  • Full + Differential: Differential is similar to incremental in that it targets the new and changed files since the full backup. It differs, however, by creating a backup that contains all new or changed files since the full backup. So there would be two backups (the full and the differential), instead of many (full and the many incremental).
  • Continuous Data Protection: These backups are done the instant that a change is found in a file. This is typically done by saving the differences in bytes rather than at the file-level (as the file may still be open, etc).
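The difference between the incremental and differential models is easiest to see by running both over the same change history. The sketch below is an added example, not from the original post: it builds the backup sets each scheme would write, lists which sets a restore needs, and shows what happens when one set in the chain is lost. The file names, the per-day change log and the function names are constructed, and file deletions are not modelled.

```python
# Constructed change log: entry 0 is what the full backup captures,
# each later entry lists the files created or modified on that day.
DAYS = [
    {"report.doc": "v1", "budget.xls": "v1", "photo.jpg": "v1"},
    {"report.doc": "v2"},
    {"notes.txt": "v1"},
    {"report.doc": "v3", "budget.xls": "v2"},
]

def make_backups(days, scheme):
    """Return the list of backup sets written under the given scheme."""
    if scheme not in ("incremental", "differential"):
        raise ValueError(f"unknown scheme: {scheme}")
    sets = [dict(days[0])]          # set 0 is always the full backup
    since_full = {}
    for changed in days[1:]:
        since_full.update(changed)
        if scheme == "incremental":
            sets.append(dict(changed))      # only changes since the last backup
        else:
            sets.append(dict(since_full))   # every change since the full backup
    return sets

def sets_needed(scheme, day):
    """Indices of the backup sets required to restore the state at end of `day`."""
    if day == 0:
        return [0]
    if scheme == "incremental":
        return list(range(day + 1))         # full plus the whole chain
    return [0, day]                         # full plus the latest differential

def restore(sets, scheme, day, missing=()):
    """Rebuild the file set for `day`; fail if a required set is unavailable."""
    state = {}
    for index in sets_needed(scheme, day):
        if index in missing:
            raise LookupError(f"backup set {index} is unavailable, cannot restore day {day}")
        state.update(sets[index])
    return state

if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        sets = make_backups(DAYS, scheme)
        print(scheme, "set sizes:", [len(s) for s in sets],
              "needed for day 3:", sets_needed(scheme, 3))
```

Incremental sets stay small but every one of them is a single point of failure for later restores; differential sets grow each day but a restore touches only two of them.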

There are many types of media that are employed in backup. These include:

  • Magnetic Tape: Primarily a corporate medium, with a notable absence in the consumer market. Tapes are relatively inexpensive and have proven to be a dependable medium. Like the music cassettes of yesteryear, the access time to information on the tape will be slow (sequentially recorded). However, remember “high dub”? – tapes can record at speeds near hard drives.
  • Hard Disk: High capacity and low access time. Hard disks make it easy to put large amounts of data and/or system images into storage at relatively high write speeds. Local connections like SCSI, Firewire, or USB provide standard connection interfaces. Networked connections through ethernet, fiber, etc provide more opportunities for use. Hard disks have demonstrated sustained growth in capacity and declining pricing on the technology over the course of the past two decades.
  • Optical Disc: I remember a time when everyone who was anyone was out buying a cd-writer to, among other uses, backup their data. (And how could we ever fill 700mb! Whoa!) DVDs followed with a 4.7gb capacity – and subsequently released a double layer DVD that held 9.4gb. Using optical media for backup worked very well for people for a number of years because of the relatively high capacity of the media, the relatively low cost of the media, and the portable nature of the media. The media could be taken off-site for added security against theft or natural disaster/fire, etc. There has been a lag in optical media over the past few years as capacities have failed to rise in the face of low cost flash drives and hard disks that offered greater capacities and read/write ease. Only in the past few months have Blu-ray discs – with a capacity of around 50gb – begun to take a foothold in the industry.
  • Floppy Disk: I recall sitting in my junior high class (and even high school) and being required to bring a floppy disk to class to save homework on. The capacity of those disks was somewhere around 1.44mb. Yeah… The first flash drives that came to market completely blew these disks to oblivion. Curiously, my ward on campus uses these same floppy disks to back up financial data.
  • Solid State: This encompasses a wide range of implementations including flash drives (or thumb drives, etc) that have been referenced previously. These tend to be the portable tool of choice for student and professional alike in current day. Unfortunately, reliance on these devices alone for backup tends to be the fall of many. Either through loss of the devices or corruption of files, many a student has lost a semester’s work (usually during finals week). Memory cards such as Secure Digital, Compact Flash, etc have also enjoyed widespread adoption in the digital camera market (and throughout consumer electronics in general). Solid State hard drives have also begun emerging as an as of yet pricey alternative to hard disk for laptops.
  • Remote Backup Service: Many companies have begun offering backup services in their data centers (usually hard disk) over the internet. Advantages are that the off-site storage protects against theft, fire, and other natural disasters. Disadvantages include relatively slower speed and putting your data in the hands of a third party.
19
Mar
08

802.16 = wimax

802.16 is an emerging wireless networking standard set by the IEEE that is still under development even as it is being deployed. The term “WiMax” stands for “Worldwide Interoperability for Microwave Access” and refers to the 802.16 standard in general – much the same way that “WiFi” refers to 802.11 in all of its flavors (a, b, g, n, etc). WiMax has a relatively large range and offers users broadband speeds.

IEEE 802.16 Specifications

  • Range – 30-mile (50-km) radius from base station
  • Speed – 70 megabits per second
  • Line-of-sight not needed between user and base station
  • Frequency bands – 2 to 11 GHz and 10 to 66 GHz (licensed and unlicensed bands)
  • Defines both the MAC and PHY layers and allows multiple PHY-layer specifications

(From HowStuffWorks.com)

How Does WiMax Work?

Think of WiMax as a mix between Cellular technology and WiFi. Towers are set up throughout the area, much like cell phone towers. These towers have a range of about 4-6 mile radius to provide out-of-sight connections – similar again to cell phone towers. (Line-of-sight WiMax connections can have a 30 mile radius.)

These WiMax towers receive their internet access through either a wired connection (such as fiber or a T3 line) or through line-of-sight microwave connection (more common in the rural deployments).

Receivers, such as a desktop modem or PCMCIA card (and soon to be integrated into Intel mobile architectures and mobile phones, etc) are specifically calibrated to communicate with WiMax towers.

Later releases of the 802.16 standard (such as the ‘e’ revision), allow for handshake trade off between towers as the user moves about – in very much the same way as cell phones.

How Does WiMax Differ From WiFi?

  1. Range – WiMax has a much greater signal range than WiFi. For example, only two towers are needed by the local WiMax service provider to cover the entire city of Rexburg. Conversely, there are dozens of WiFi access points on the campus of BYU-Idaho alone that still do not provide full saturation.

  2. “In Wi-Fi the media access controller (MAC) uses contention access — all subscriber stations that wish to pass data through a wireless access point (AP) are competing for the AP’s attention on a random interrupt basis. This can cause subscriber stations distant from the AP to be repeatedly interrupted by closer stations, greatly reducing their throughput. This makes services such as Voice over IP (VoIP) or IPTV, which depend on an essentially-constant Quality of Service (QoS) depending on data rate and interruptibility, difficult to maintain for more than a few simultaneous users. In contrast, the 802.16 MAC uses a scheduling algorithm for which the subscriber station need compete once (for initial entry into the network). After that it is allocated an access slot by the base station. The time slot can enlarge and contract, but remains assigned to the subscriber station, which means that other subscribers cannot use it. In addition to being stable under overload and over-subscription (unlike 802.11), the 802.16 scheduling algorithm can also be more bandwidth efficient. The scheduling algorithm also allows the base station to control QoS parameters by balancing the time-slot assignments among the application needs of the subscriber stations.” (Quoted from Wikipedia.org)

What are the Practical Uses of WiMax?

  • WiMax is a viable solution for closing in on the “last mile” routes. Particularly in rural areas – where broadband access is unavailable due to the prohibitively high cost of laying cable (vs. return on investment) – WiMax can be seen as a means of reaching people that have yet to be reached.
  • Mobile broadband – the mobile standard of WiMax (that handshakes, like a cell phone) is expected by Intel, Sprint, and others to fuel the use of internet on mobile devices in the US and abroad significantly in the coming years. Nokia and other handset manufacturers are set to introduce devices that integrate WiMax into the heart of the functionality. Not only cell phones, but a derivative type of device – dubbed “Mobile Internet Device” (or MID) – are set to be a sector of growth over the coming months and years.
  • Internet connection at home – WiMax has proven to challenge the likes of cable and DSL in the residential market. Even for those who never plan to go mobile with their internet – the low price of deployment for the ISP allows the savings to be passed onto the consumer. This allows for an enticing, additional form of competition in the residential internet market.
  • Look for WiMax in emerging markets as well. India, China, and many African nations are looking toward WiMax and similar long range wireless technologies for connectivity. India currently has a large scale deployment of WiMax via the Tata corporation.

(Sources: HowStuffWorks.com and Wikipedia.org)

 

19
Mar
08

WiMax Deployment

A number of key developments have fueled the integration of WiMax into an emerging platform for mobile broadband.

  • Intel has announced that the forthcoming laptop architecture “Montevina” will integrate WiMax onboard, in addition to WiFi (scheduled for a June release).
  • Sprint has recently launched a test period of its WiMax based “XOHM” network in Chicago. The tests show 3-5mbps down and 1-1.5mbps upload. (http://www.engadget.com/2008/02/14/sprints-april-wimax-soft-launch-on-track-full-scale-deployment/)
  • Digital Bridge Communications launched a WiMax network in Rexburg, Idaho! BooYah! (See more in following post)
  • The ITU recently declared WiMax to be part of the 3G standard (the first non-cellular technology to be declared). (http://www.engadget.com/2007/10/19/wimax-now-officially-part-of-the-3g-standard/)
  • India experiencing widespread rollout via “Tata” (http://www.engadget.com/2008/03/04/tata-rolls-out-worlds-largest-commercial-wimax-network-in-ind/)
  • Etc

The video below offers a more broad look at the worldwide deployment of WiMax underway.

19
Mar
08

Rexburg an unlikely frontrunner with wimax

On the surface, Rexburg does not seem like it would be at the forefront of new wireless standards.  But in June of 2007, Digital Bridge Communications inexplicably launched one of the nation’s first WiMax networks in the bustling metro area of Rexburg.

With 802.16 chips still missing in most mobile devices, Digital Bridge leans on DSL-looking modems to bring the power to the people.  Particularly enticing to students, the company has undercut the local cable and DSL competition by offering the service for under $25 per month with no yearly contract.  While this student rate buys a 1.5mbps connection, the company offers connections up to 3mbps.

The following Local News 8 news segment further covers the local WiMax deployment.

17
Mar
08

Use GPG With Thunderbird

Installation:

1) Thunderbird

2) GnuPG

3) EnigMail Plugin 

05
Mar
08

TLS & SSL

SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). These protocols have been established to provide a secure means of transmitting information over the internet. Example uses could be email, web-surfing, instant messaging, etc. Save for a few differences, SSL and TLS work the same way.

TLS/SSL establish a secure connection in the following steps:

  • Peer negotiation for algorithm support
    • Client initiates the contact with the server. The client and server then determine a common algorithm and configuration to use.
  • Key exchange and authentication
    • Private/Public key system is used. Using the private key to encrypt, an identical session key is delivered back to the client. The session key will remain valid throughout the predetermined duration (usually in minutes) or until the client or server terminates the session or connection.
  • Symmetric cipher encryption and message authentication
    • Message is authenticated using a Certificate Authority.

Note the following from Wikipedia -

How it works

SSL handshake with two way authentication with certificates.  (Accuracy disputed.)

“A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection’s security.

  • The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and presents a list of supported ciphers and hash functions.
  • From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
  • The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certificate authority (CA), and the server’s public encryption key.

The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the certificate is authentic before proceeding.

  • In order to generate the session keys used for the secure connection, the client encrypts a random number with the server’s public key, and sends the result to the server. Only the server can decrypt it (with its private key): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data.
  • From the random number, both parties generate key material for encryption and decryption.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes.

If any one of the above steps fails, the TLS handshake fails, and the connection is not created.”

See http://en.wikipedia.org/wiki/Secure_Sockets_Layer#How_it_works

(Information gathered from “Principles of Information Security”, Whitman/Mattord, pg 382-383)
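The handshake steps quoted above can be traced end to end in a few lines. The following is an added, simplified simulation, not code from the original post or from any TLS library: the cipher labels, certificate fields and host name are constructed, the RSA key is a toy built from two small Mersenne primes with no padding, and the certificate check compares names only instead of verifying a CA signature. It shows the server choosing the strongest shared cipher, the client encrypting a random number to the server's public key, both sides deriving the same key material, and the handshake failing when a step fails.

```python
import hashlib
import hmac
import secrets

# Server's cipher list, strongest first. Labels are illustrative, not real suite IDs.
SERVER_PREFERENCE = ["AES256-SHA256", "AES128-SHA256", "3DES-SHA1"]

# Toy RSA key pair: demonstration only, far too small and unpadded for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # server's private exponent

# Constructed certificate: server name, issuing CA, server public key.
CERTIFICATE = {"name": "www.example.test", "issuer": "Example Test CA", "public_key": (N, E)}

def server_hello(client_ciphers):
    """Server picks the strongest cipher it shares with the client."""
    for suite in SERVER_PREFERENCE:
        if suite in client_ciphers:
            return {"cipher": suite, "certificate": CERTIFICATE}
    raise ConnectionError("handshake failure: no shared cipher")

def client_key_exchange(certificate, expected_name, trusted_issuers):
    """Client checks the certificate, then encrypts a random number to the server."""
    if certificate["name"] != expected_name or certificate["issuer"] not in trusted_issuers:
        raise ConnectionError("handshake failure: certificate not trusted")
    n, e = certificate["public_key"]
    premaster = secrets.randbelow(n - 2) + 2
    return premaster, pow(premaster, e, n)

def server_decrypt(encrypted):
    """Only the holder of the private exponent can recover the random number."""
    return pow(encrypted, D, N)

def derive_keys(premaster, cipher):
    """Both sides expand the shared random number into per-direction keys."""
    seed = premaster.to_bytes(32, "big")
    return {
        label: hmac.new(seed, f"{label}|{cipher}".encode(), hashlib.sha256).digest()
        for label in ("client_write", "server_write")
    }

def handshake(client_ciphers, expected_name="www.example.test",
              trusted_issuers=("Example Test CA",)):
    """Run every step; any failure aborts before a connection exists."""
    hello = server_hello(client_ciphers)
    premaster, encrypted = client_key_exchange(
        hello["certificate"], expected_name, trusted_issuers)
    client_keys = derive_keys(premaster, hello["cipher"])
    server_keys = derive_keys(server_decrypt(encrypted), hello["cipher"])
    return hello["cipher"], client_keys, server_keys

if __name__ == "__main__":
    cipher, ck, sk = handshake(["3DES-SHA1", "AES128-SHA256"])
    print(cipher, ck == sk)
```

Real TLS also mixes client and server nonces into the key derivation and authenticates the handshake transcript; those parts are left out here to keep the quoted steps visible.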

05
Mar
08

Secure-HTTP

Secure-HTTP (designated as ‘https’ in the browser bar) is simply an extended version of HTTP that provides – you guessed it – security. Secure-HTTP is essentially SSL applied over HTTP – but it works differently in a few distinct ways.

  • Unlike SSL, Secure-HTTP is established to send a single message over the internet at a time, so Secure-HTTP must establish a new connection each time it is used.
  • Establishing a session entails the client and server having compatible cryptosystems and an agreed configuration.
    • The client can then send the server its own public key so that the server can create a session key. The client’s public key is then used to encrypt the server’s session key. Both the client and server now having identical session keys, the transmission begins.
  • Secure-HTTP support is built into modern browsers for nearly universal use. Examples of use are email, banking, shopping, etc.

(Information gathered from “Principles of Information Security”, Whitman/Mattord, pg 382-383)

29
Feb
08

cryptology in history

Cryptology has a long history, beginning around 1900 B.C. – when non-standard hieroglyphs were used by the Egyptians on monuments and in clay tablets. Many today believe that these were meant more for intrigue and entertainment than for communicating secrets. It wasn’t until around 1500 B.C. that the Mesopotamians utilized cryptology to protect recipes (for pottery glazes, etc) that were of commercial value.

Over the next thousands of years, more methods of cryptology were produced and used – particularly among the military and those seeking to practice religion without being persecuted. In 500 B.C., Hebrew scribes used a reversed alphabet substitution cipher called ATBASH to write the book of Jeremiah. Just 13 years later, the Spartans of Greece developed a system called skytale that used a papyrus and a wooden staff to encrypt messages.

Julius Caesar was also known to have incorporated and even devised new means of cryptology to help his military pursuits. In 50 B.C., Caesar is credited with creating a cipher that shifted the letters of the alphabet three places. To further enhance the security of the cipher, Caesar also changed the letters of the alphabet from Latin to Greek.

Throughout much of the last 2000 years, the standards of today’s cryptology have emerged. Throughout the first thousand years, writers such as Abu Wahshiyyaan-Nabati published cipher codes, alphabets, and other aspects of cryptology. Moving further, an Arabic encyclopedia in 1412 had a section on cryptology. Then, in 1466, Leon Battista Alberti (who is considered the Father of Western cryptology), designed a cipher disk and worked with polyalphabetic substitutions.

The year 1518 brought the first printed book about cryptology by Johannes Trithemius. He also invented a steganographic cipher around the same period. Passwords were introduced in 1553 by Giovan Batista Belaso. Steganography was first used by Sir Francis Bacon in 1663, by hiding additional letters within the font of the text.

Thomas Jefferson is also credited for having a hand in the cryptology sector, by inventing a 26-letter cipher that he would use in official communications while serving as an ambassador to France.

More recently, British troops in World War I broke the Zimmermann Telegram – which was a German communication meant for Mexico that offered the Mexicans US land in return for their help with an invasion.

Similarly, during World War II, the allies secretly broke the Enigma cipher. Many attribute this feat as single-handedly bringing the war to a close as much as 2 years earlier than otherwise possible. Navajo “code talkers” were also employed as a means of US communication. Their efforts proved immensely valuable to the allied cause, and their code of encrypted Navajo language (a language that was unwritten at the time) proved to be unbreakable by opposing forces. Their communications were invaluable in the allied siege of Okinawa.

In 1976 Whitfield Diffie and Martin Hellman brought the idea of a public key system into the public view. In 1977, the RSA family of computer encryption algorithms was born. PGP (Pretty Good Privacy) was ratified in 1991. The Rijndael cipher was selected as the Advanced Encryption Standard in 2000.