Embed Size (px)
Citation preview
Security seminar topics2010
Aleksei Gorny
Usability of security
Overview
Bad security/usability balancing choices prevail in software design. Blame the user for being stupid!
Misunderstanding of the economic and psychological drive of users leads to ineffective use of security solutions.
Victims: Browsers, OS-es, SSL, IPSec, you name it...
What should you do?
Step 1. Obtain an overview of security solutions in a common area of your choice (e.g. web browsing). Understand which security services these provide.
Step 2. Explain in detail the design deficiencies which make these solutions ineffective.
Step 3. Provide realistic guidelines on how to design solutions that provide the underlying services and are better aligned with the needs of most users.
Why is it fun?
You will learn the basics of how to design usability and security into software.
You will learn how to make people appreciate your work by considering it from their perspective.
The result of your work may be useful to others.
You might come up with a great idea how to improve on some known security solution and become famous.
Filesystem forensics
OverviewEach filesystem type (e.g. FAT-xx, NTFS, ext-x) stores data and handles interactions with the operating system in its own way.
Thus, to see deleted data or data that someone has maliciously hidden on the system, one must act based on its type. The probability of success also differs, depending on the implementation of deletion, etc.
Recovering correct data is crucial in investigations involving digital evidence. Also, it’s a skill you wish you had when you accidentally delete that one important file.
What should you do?
Step 1. Read up on how different filesystems are implemented. You should definitely look at ext4.
Step 2. Consider how to recover both legitimate and hidden data from the systems.
Step 3. Evaluate the difficulty of recovery if the filesystem has been used for some time, has been manipulated by a malicious entity or is in use at the moment of investigation.
Why is it fun?
You get an in-depth knowledge of the current filesystems.
You understand how to recover lost data and how to securely delete it.
You get to know the methodologies employed by digital forensic investigators (as seen on TV).
Automated prevention of I/O validation vulnerabilities
OverviewMost of the software vulnerabilities today stem from insufficient filtering of the input supplied by the user. Validation problems enable malicious entities to submit special types of input that break security of the system.
Examples: SQL Injection, Cross-site scripting, Buffer overflows, ...
Common way to automatically analyse software for validation problems is to use tools that scan the source code or check how the program handles weird input.
These tests must be performed after the developers have finished coding - extra cost of fixing found issues!
What should you do?
Step 1. Understand the basic principles of attacks that rely on insufficient input/output validation.
Step 2. Review solutions to mitigate these attacks automatically. A special case of interest are frameworks and programming languages that perform input validation by default.
Step 3. Establish the current status of automated input validation vulnerability scanning and highlight possible directions for its future.
Why is it fun?
You will get to know how to hack (somewhat).
You will learn to appreciate the art of security testing.
You will see how security testing fits into the software development lifecycle and why it’s good to test early.
E-commerce in Estonian legislation
Many laws affect IT companies, those who just happen to use IT (e.g. own a website) and the consumer.
Most entities are interested in using security controls that make sure they don’t end up in court. They also would like to know how does the law protect them if they incur losses due to someone else’s actions.
It is difficult to understand how the legal stuff translates into technical and administrative measures. Especially as law people often don’t understand IT themselves.
Overview
Example
Fairly recently, a new gambling law was enacted.
This law required all online gambling sites accessible in Estonia to register with the authorities and pay tax.
To enforce this, the law made it illegal to provide access to unregistered online gambling sites. This sets obligations to many entities definitely not considered and is difficult to translate into technical requirements.
There are no consequences for individuals who bypass access restriction mechanisms.
TOTAL MESS WITH THE LAW / IT CONNECTION!
What should you do?Step 1. Read a part of Prof. Chris Reed’s book that gives an overview of law types that affect companies and individuals using IT.
Step 2. Select a bunch of law types you are interested in the most.
Step 3. Work with Elektrooniline Riigi Teataja and find out how these types are implemented in Estonia. Write out obligations and rights for involved entities.
Step 4 (optional). Explain, what security measures should a company use to comply with these
Why is it fun?
You will find out how the legal system works. It’s actually a pretty useful thing to know!
You will get a good introduction to how the Internet and IT related activities are regulated in general and where does Information Security come into play.
You will get to know in detail, how your selected topics are regulated in Estonia.
Your work will result in a document that many other people may want to read.
