Tuesday, November 12, 2013

Fixing Internet Explorer

Ever get sick of Internet Explorer thinking it needs to run? Windows forcing a substandard (more like anti-standards from a web standards point of view) browser on you?

Here at SecsAndCyber I have a solution for you! This one registry patch will solve all of your Internet Explorer issues in a single double-click (and an accompanying UAC prompt, if you have kept your system secure)! I give you... FixIE.reg!


Humor aside, the technique used in this joke is a serious target for malware persistence.

The fine authors over at Sysinternals, Mark Russinovich and Bryce Cogswell, have built detection of this into their tool Autoruns for Windows. The "Image Hijacks" tab looks for executables that are being grabbed like this. Try it out and keep yourself safe!
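A check in the same spirit as the Image Hijacks tab, for reviewing a .reg file before you double-click it. This is an added example, not code from this post or from Autoruns. The contents of FixIE.reg are not shown here, so it assumes the hijack is a `Debugger` value under Image File Execution Options (one of the locations Autoruns reports as an image hijack); the sample file and its paths are constructed.

```python
import re

# Registry path fragment that marks an Image File Execution Options subkey.
IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")               # [key] or [-key] (delete)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def find_image_hijacks(reg_text):
    """Return (image, debugger) for every IFEO Debugger value the file would set."""
    findings, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            deleting, key = m.groups()
            pos = key.lower().find(IFEO)
            tail = key[pos + len(IFEO):] if pos != -1 else ""
            # Only a direct child of IFEO names an executable image.
            image = tail if tail and "\\" not in tail and not deleting else None
            continue
        m = VALUE_RE.match(line)
        if image and m and m.group(1).lower() == "debugger":
            data = m.group(2).strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':  # REG_SZ string
                findings.append((image, re.sub(r"\\(.)", r"\1", data[1:-1])))
            elif data != "-":       # "-" deletes the value; other types reported raw
                findings.append((image, data))
    return findings

# Constructed sample: one hijack, one value deletion, one unrelated key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Example\\other-browser.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"=-

[HKEY_CURRENT_USER\Software\Example]
"Debugger"="C:\\ignored.exe"
'''

if __name__ == "__main__":
    for image, debugger in find_image_hijacks(SAMPLE_REG):
        print(f"{image} would be launched through {debugger}")
```

Exported .reg files are normally UTF-16; decode them to text before passing them in.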

Sunday, November 10, 2013

System Assurance through Memory and Shared Resource Protection

To follow up on the teaser introduction posted a few days ago, here is the public release of my recent paper System Assurance through Memory and Shared Resource Protection!

Week 10 of 12 for this semester. Almost finished!

System Assurance through Memory and Shared Resource Protection

Thursday, November 7, 2013

Cloud Provider Assurances

How could Airange maintain a proper authentication system for its clients?

As Airange is providing only remotely accessible services, their options for authentication are severely limited. Options which are not viable include photo badge validation, physical keys to unlock the system space, and safe locks. (Jessup, Valacich, & Wade, 2003) Passwords are the most common system in use, though they only provide effective security if they are sufficiently long, randomized, and changed frequently. Additionally, they must be stored securely by Airange, both to be inaccessible to clients and intruders and to be protected from insiders. Salting and hashing are an absolute necessity; otherwise the weaker passwords are susceptible to rainbow tables, and passwords shared between users can be identified. (Goodrich & Tamassia, 2011) Encrypting the plaintext passwords instead would let Airange return forgotten passwords to users, but it would also give the administrators the ability to recover those passwords.
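The point about salting, as an added example that is not part of the original post: with a bare hash, two users who share a password have identical stored records, while a per-user random salt makes the records differ. PBKDF2 is used here as the slow hash, and the user names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative work factor (assumption; tune to your hardware)

def unsalted_record(password):
    """Weak 'before': a bare hash, so equal passwords give equal records."""
    return hashlib.sha256(password.encode()).hexdigest()

def enroll(password):
    """Salted 'after': return (salt, key) using a fresh random per-user salt."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)

def shared_password_groups(records):
    """What someone holding the table learns: users with identical records."""
    groups = {}
    for user, record in records.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed accounts: alice and bob happen to pick the same password.
USERS = {"alice": "Winter2013!", "bob": "Winter2013!", "carol": "t7#Vq-pl0ng"}

def compare_storage():
    """Return (groups visible with bare hashes, groups visible with salts)."""
    unsalted = {u: unsalted_record(p) for u, p in USERS.items()}
    salted = {u: enroll(p) for u, p in USERS.items()}
    return shared_password_groups(unsalted), shared_password_groups(salted)

if __name__ == "__main__":
    bare, salted = compare_storage()
    print("shared passwords visible without salt:", bare)
    print("shared passwords visible with salt:   ", salted)
```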

How might Airange ensure that one client’s data is kept confidential and protected from other clients who also have access to the same data center?

One effective method of ensuring confidential and protected data is to enforce isolation through virtualization. (UMUC, 2011) Each client is provided their own virtual server to work within, without the option of communicating with the host machine or other virtual servers on the system. Within the sandbox environment of the virtual server, an individual client can access, manipulate, and delete their own data, but cannot see any of the data stored by any other client. This arrangement poses the risk of a client being able to escape their virtual server and directly access or impact the host system. Airange must run intrusion detection software on the host and regularly update the software; otherwise a malicious client could gain access to the host and directly view the contents of the storage media, including the data stored by other clients. (Coggins & Levine, 2009)

What type of assurances would a client expect that the security of the software components and utilities provided by Airange will be consistently maintained?

Clients expect Airange to provide detailed guarantees as to the expected confidentiality, integrity assurances, and uptime or availability of the system. These details can be provided to clients, and documented, through negotiated service level agreements. (UMUC, 2011) Concerning the availability of the system, specifics as to the allowable downtime, expected maintenance time, mean time between failures, and mean time to repair will need to be declared ahead of time. Given that standing behind rigorous uptime guarantees is expensive, Airange will have to decide how to market their brand and provide the service. Do they want to provide budget-friendly services or strictly security-focused ones?

Coggins, C., & Levine, D. (2009). Monitoring and control systems. In Bosworth et al. (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Goodrich, M. T., & Tamassia, R. (2011). Introduction to computer security. Boston, MA: Pearson.

Jessup, L. M., Valacich, J. S., & Wade, M. (2003). Information systems today. Upper Saddle River, NJ, USA: Prentice Hall.

UMUC. (2011). Preventive and Protective Strategies in Cybersecurity. CSEC-630. Retrieved from http://tychousa3.umuc.edu/

Cloud Storage and Confidentiality

How could Medical Imaging manage the images split across multiple third-party ISPs?

This is a strong point of cloud storage and virtualization: abstracting away which specific machine the data is stored on. MI doesn’t have to manage how the images are split across the ISPs, since Airange provides transparent aggregation for them. That transparent aggregation allows rapid scaling and load balancing to provide high availability, even with fluctuating computing needs. (UMUC, 2011, p. 5)

What they do need to manage is the confidentiality protection of their images, since they are not direct parties to the security arrangements between the cloud provider and the third-party infrastructure. Since the images they are storing should just be stored, MI should be encrypting their data before uploading it. This is not always useful or practical, though, such as when the cloud is expected to provide data analytics or manipulation. (Kumar & Lu, 2010) Documents, like those written on Google Docs, cannot be encrypted before uploading if users want to harness the benefits of spelling checks.

How might Medical Imaging (MI) keep other cloud subscribers from accessing MI’s data?

Depending on how their storage is provided, MI may not have any action available other than to encrypt their uploads. If, though, they have been provided an entire virtual machine in which to store the images, then they should implement the full gamut of host-based protections, just as if it were their own machine: a hardened operating system, if that level of customization is available, such as SELinux or a BSD distro versus Ubuntu (NSA, 2009), along with anti-virus, a software firewall, and disabling unnecessary services.

Kumar, K., & Lu, Y. H. (2010). Cloud computing for mobile users: Can offloading computation save energy?. Computer, 43(4), 51-56.

NSA. (2009). Security-Enhanced Linux. National Security Agency. Retrieved from http://www.nsa.gov/research/selinux

UMUC. (2011). Preventive and Protective Strategies in Cybersecurity. CSEC-630. Retrieved from http://tychousa3.umuc.edu/