Wednesday, September 30, 2009

Security in Applications, 29 September 2009

Lecture 7 of the IT security course is about security in applications, concentrating on electronic mail security. The lecture started with En. Mohd Zaki explaining what an email is. According to him, an email (electronic mail) is the exchange of computer-stored messages by telecommunication. An email message is usually encoded as ASCII text and consists of two parts, a header and a body, separated by a blank line. The header holds the sender, recipient, date, subject and delivery path, while the body holds the actual message content.
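As an added example (not part of the original notes), the following Python script parses a message into exactly the header fields named above and the body, and recovers the delivery path from the Received: headers. The sample message, host names and addresses are constructed for the example and are not from the page.

```python
import email
import re
from email import policy

# Constructed sample message (not from the page): header fields, a blank
# line, then the body. Indented lines are RFC 5322 folded continuations.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
    by mail.example.org with ESMTP id abc123; Tue, 29 Sep 2009 09:15:02 +0800
Received: from sender-pc.example.net ([198.51.100.23])
    by mx2.example.net with SMTP; Tue, 29 Sep 2009 09:14:55 +0800
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Date: Tue, 29 Sep 2009 09:14:50 +0800
Subject: Lecture 7 notes

Hi Bob,
the slides are attached.
"""

HOP_RE = re.compile(r"from\s+(\S+)\s.*?\bby\s+(\S+)", re.IGNORECASE)


def hop(received) -> tuple:
    """Return (from_host, by_host) from one Received: header, unfolding it first."""
    text = " ".join(str(received).split())
    m = HOP_RE.search(text)
    return (m.group(1), m.group(2)) if m else (None, None)


def parse_message(raw: str) -> dict:
    """Split a message into the header fields the lecture names and the body.

    The first blank line ends the header; everything after it is the body.
    Every relay prepends a Received: header, so the header that appears
    first was added last; reversing the list gives the path from origin to
    destination. All of these fields are asserted by whoever handled the
    message: From: is written by the sender, and Received: lines added
    before the message reached a relay you control can be forged.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "date": str(msg["Date"]),
        "subject": str(msg["Subject"]),
        "delivery_path": [hop(h) for h in reversed(msg.get_all("Received", []))],
        "body": msg.get_content(),
    }


if __name__ == "__main__":
    for key, value in parse_message(SAMPLE_MESSAGE).items():
        print(f"{key}: {value!r}")
```

The point for security is in the docstring: nothing in the header is authenticated by the format itself, which is why data origin authentication needs a signature rather than a glance at the From: line.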

Besides that, En. Mohd Zaki told us about the security services an email system can provide: confidentiality, data origin authentication, message integrity, non-repudiation of origin and key management. Data origin authentication and non-repudiation of origin are provided by a digital signature whose public key is certified by a certification authority such as VeriSign. Confidentiality is provided by encrypting the message, and message integrity by a signature or a message authentication code (MAC) over the message; encryption on its own does not detect tampering, and a login password only protects the mailbox, not the message while it is in transit.

However, email is also exposed to threats, which are generally divided into two groups: threats to the security of the email itself and threats to an organization that are enabled by the use of email. Loss of confidentiality, loss of integrity, lack of data origin authentication, lack of non-repudiation and lack of notification of receipt are the threats to the email itself. The threats to the organization are disclosure of sensitive information, whether deliberate or unintentional; exposure of systems to malicious code (viewing email as HTML is a common infection path, since HTML mail can carry scripts and remote content); exposure of systems to denial of service attacks; and spam.

En. Mohd Zaki told us that S/MIME and PGP can be used to secure email. S/MIME provides flexible client-to-client security through encryption and signatures. PGP is similar to S/MIME: it uses encryption for confidentiality and signatures for authenticity and non-repudiation. However, PGP gives no real assurance unless the public key has been verified as belonging to its claimed owner; PGP relies on a web of trust rather than a certification authority, so an unverified key may belong to an impostor.


Besides that, En. Mohd Zaki also explained web security, which covers security of the server, security of the client, and security of the network traffic between a browser and a server. Web security can be implemented using SSL/TLS, SSH and SET. SSL/TLS is widely used in web browsers and servers to support secure e-commerce over HTTP (HTTPS) by providing a secure channel for sending credit card information and personal details. However, it only protects the data in transit: once the data reaches the merchant's server it is decrypted, so SSL/TLS says nothing about how the receiving side stores or handles it. SSH was designed to replace the insecure rsh and telnet utilities; it also supports secure file transfer (scp/SFTP) and can tunnel other protocols such as email. SSH works at the application layer, with a server daemon installed on the host being accessed and a client on the user's machine. SET (Secure Electronic Transaction) is an open encryption and security specification designed to protect credit card transactions on the Internet. Unlike SSL/TLS, which secures only the link, SET protects the transaction itself: the merchant sees the order but not the card number, which is readable only by the payment gateway.

Lastly, En. Mohd Zaki proceeded to the topic of biometrics. Biometrics refers to authentication techniques that rely on measurable physical or behavioural characteristics that can be checked automatically.

Physiological (static) biometric methods

Biometric identification   Description
Fingerprint recognition    Analysis of an individual's unique fingerprints.
Retinal scan               Analysis of the capillary vessels located at the back of the eye.
Iris scan                  Analysis of the coloured ring that surrounds the eye's pupil.
Hand geometry              Analysis of the shape of the hand and the length of the fingers.
Face                       Analysis of facial characteristics using visible and infrared light.

Behavioural (dynamic) biometric methods

Biometric identification   Description
Signature recognition      Analysis of the way a person signs his name.
Speaker recognition        Analysis of the tone, pitch, cadence and frequency of a person's voice.
Keystroke dynamics         Analysis of a person's typing rhythm: the timing between key presses and how long each key is held.

Sunday, September 27, 2009

Security in Network, 15 September 2009

Lab 7 of the IT security course is about security in networks. The lab started with En. Mohd Zaki briefly describing how to perform the lab tasks before letting us start the lab activities. After listening to his explanation, we started the lab activities, which consist of two tasks.

The first task is to capture a File Transfer Protocol (FTP) username and password. Before starting task 1, I created two Windows Server 2003 virtual machines: winserv03_server, with IP address 192.177.1.107, and winserv03_client, with IP address 192.177.1.105. Winserv03_server has the FTP service and Wireshark installed. On winserv03_client, I logged in to the FTP server on winserv03_server from the command line. Meanwhile, on winserv03_server, when I viewed the Wireshark capture I noticed that the username and password I used to log in to the FTP server could be clearly seen on the screen.

The second task is to use IPSec to secure the FTP transaction. On winserv03_server, I changed several settings in the Management Console to implement IP security. Besides that, I also changed some settings on winserv03_client to enable the authentication method. After a few configuration steps for FTP and Wireshark, I tried to log in just like in task 1. The result of task 2 is that Wireshark could not display the username and password.

In conclusion, the difference between the Wireshark output of task 1 and task 2 is that in task 1 the username and password are displayed, while in task 2 Wireshark cannot display them. This shows that FTP and Telnet are not secure, because the username and password are sent in clear text, which lets an intruder with a network monitoring tool sniff every packet transferred. IPSec safeguards the FTP transmission from being seen by unauthorized users by encrypting the data, so the sniffer sees only encrypted IPsec packets and not the FTP commands.
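To show what the sniffer in task 1 actually sees, here is an added Python example that is not part of the lab sheet. It reassembles the client side of an FTP control connection from a constructed list of packets and pulls out the USER/PASS pair, the same way Wireshark's Follow TCP Stream makes it readable. The packet list, the 1045 client port and the credentials are invented; the two VM addresses are the ones used in the lab. A second, equally constructed packet list models task 2, where IPsec ESP leaves the sniffer nothing but IP headers and an opaque payload.

```python
import re
from collections import defaultdict

FTP_PORT = 21
FTP_CMD = re.compile(rb"^(USER|PASS)\s+(.*)$", re.IGNORECASE)

# Constructed packets (not a real capture) modelled on task 1: the client VM
# 192.177.1.105 logs in to the FTP service on 192.177.1.107. Each entry is
# (src_ip, src_port, dst_ip, dst_port, tcp_payload). The PASS command is
# split across two segments on purpose, as TCP is free to do.
CLEARTEXT_PACKETS = [
    ("192.177.1.107", 21, "192.177.1.105", 1045, b"220 Microsoft FTP Service\r\n"),
    ("192.177.1.105", 1045, "192.177.1.107", 21, b"USER administrator\r\n"),
    ("192.177.1.107", 21, "192.177.1.105", 1045, b"331 Password required for administrator.\r\n"),
    ("192.177.1.105", 1045, "192.177.1.107", 21, b"PASS Pa55"),
    ("192.177.1.105", 1045, "192.177.1.107", 21, b"w0rd!\r\n"),
    ("192.177.1.107", 21, "192.177.1.105", 1045, b"230 User administrator logged in.\r\n"),
    ("192.177.1.105", 1045, "192.177.1.107", 21, b"PWD\r\n"),
]

# Task 2, the same session under IPsec ESP: the sniffer sees IP headers and
# an opaque ESP payload; there is no readable TCP header or FTP command.
# A port of None stands for "no TCP header visible". The bytes are invented.
IPSEC_PACKETS = [
    ("192.177.1.105", None, "192.177.1.107", None, b"\x00\x00\x12\x34\x00\x00\x00\x01\x9a\x7f\x1c\xe0\x55\x02\xab"),
    ("192.177.1.107", None, "192.177.1.105", None, b"\x00\x00\x43\x21\x00\x00\x00\x01\x3d\xc4\x90\x17\x66\x0e\x21"),
]


def reassemble(packets):
    """Join client->server payloads per TCP flow, like Wireshark's Follow TCP
    Stream, so a command split across segments is still seen as one line."""
    streams = defaultdict(bytes)
    for src, sport, dst, dport, payload in packets:
        if dport == FTP_PORT:
            streams[(src, sport, dst, dport)] += payload
    return streams


def extract_ftp_logins(packets):
    """Return (client_ip, server_ip, username, password) for every cleartext
    FTP login in the capture. Telnet sends credentials just as openly, only
    keystroke by keystroke, so the same idea applies there."""
    found = []
    for (src, _sport, dst, _dport), data in reassemble(packets).items():
        user = None
        for line in data.split(b"\r\n"):
            m = FTP_CMD.match(line)
            if not m:
                continue
            cmd, arg = m.group(1).upper(), m.group(2).decode("ascii", "replace")
            if cmd == b"USER":
                user = arg                 # a new USER starts a new login attempt
            elif cmd == b"PASS" and user is not None:
                found.append((src, dst, user, arg))
                user = None
    return found


if __name__ == "__main__":
    print("task 1:", extract_ftp_logins(CLEARTEXT_PACKETS))
    print("task 2:", extract_ftp_logins(IPSEC_PACKETS))
```

Reassembling per flow before matching is what makes the detector robust; a tool that greps individual packets for "PASS " would have missed the split password above. On the IPsec side there is no FTP to parse at all, which is the whole result of task 2.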

Sunday, September 20, 2009

Security in Network, 14 September 2009

Lecture 6 of the IT security course is about security in networks. The lecture started with En. Mohd Zaki giving an introduction to networks. A computer network is a system in which computers are connected to share information and resources. The connection can be peer-to-peer or client-server. En. Mohd Zaki also gave us some revision on types of network, network topologies and the ISO reference model.

After that, En. Mohd Zaki told us that the people who cause security problems include hackers, spies, students, businessmen, ex-employees, stockbrokers and terrorists. According to him, there are three types of hackers: white-hat hackers, who are good; grey-hat hackers, who are between good and bad; and black-hat hackers, who are bad. A white-hat hacker will find a problem in a system and then inform the administrator. Next, En. Mohd Zaki explained the phases of hacking, which start with reconnaissance, followed by scanning, gaining access, maintaining access and lastly covering tracks.

For this lecture, En. Mohd Zaki mainly focused on two subtopics: threats in networks and network security controls. Threats in networks include security exposures, impersonation, eavesdropping, denial of service, packet replay and packet modification. On the other hand, network security controls include encryption, strong authentication, Kerberos, honeypots and firewalls.

There are two types of encryption: link encryption and end-to-end encryption. Link encryption is applied at layer 1 or 2 of the OSI model; the data is decrypted at each end of every communication link, so it is exposed in the clear inside each intermediate node (router or switch). A site-to-site VPN terminated on two firewalls protects traffic in the same hop-to-hop way: it is encrypted between the two gateways but in the clear on each LAN. End-to-end encryption is applied at layer 6 or 7 of the OSI model: the message is encrypted by the sender at the point of origin and decrypted only by the intended receiver, so intermediate nodes never see the plaintext (though they still see the addressing headers). SSH (Secure Shell) is an example of end-to-end encryption used for remote access to computer resources over the Internet. The difference between SSH and Telnet was also discussed: Telnet is insecure compared to SSH because it does not encrypt anything, so passwords and whole sessions travel in the clear.

En. Mohd Zaki also explained SSL (Secure Sockets Layer) encryption. He told us that SSL is used to protect communication between a web browser and a server. The encrypted communication between client and server was discussed with the aid of a diagram. IPSec, the protocol for securing VPN tunnels, and strong authentication using passwords were also explained.

Next, we were introduced to Kerberos. Kerberos is a network authentication protocol that uses symmetric cryptography to provide authentication for client-server applications. The core of the Kerberos architecture is the KDC (Key Distribution Center). The KDC stores the long-term keys of every user and service and uses them to issue tickets with which users and services securely authenticate each other.

After that, the explanation proceeded to firewalls. A firewall is a network security device set up to control the traffic flow between two networks. However, a firewall has a limitation: it can only filter traffic that passes through it. If traffic can get into a network by other means (a dial-up modem, a rogue wireless access point, an infected laptop carried inside), the firewall cannot block it. During this lecture, I learned about the four basic types of firewall: packet filter, circuit-level proxy, stateful packet filter and application-level proxy. In addition, I learned about the Intrusion Detection System (IDS), a system for detecting misuse of network or computer resources. An IDS has a number of sensors that it uses to detect intrusions. Snort is an excellent open-source network intrusion detection system.
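The following Python model of the Kerberos exchanges is an added example and not from the lecture slides. It replaces Kerberos' real encryption types with a toy encrypt-then-MAC built from hashlib and hmac, encodes tickets as JSON for readability, and uses invented principal names (alice, krbtgt, ftp/winserv03). It walks through the three exchanges the KDC architecture implies (authentication service, ticket-granting service, and the final client-to-server exchange) and then shows that a tampered ticket and a replayed authenticator are both refused.

```python
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600   # ticket lifetime (s)
SKEW = 300            # accepted clock skew for authenticators (s)

# Toy encrypt-then-MAC from the standard library, standing in for Kerberos'
# real encryption types (AES + HMAC). Not for production; it only has to make
# each ticket secret and tamper-evident under a single symmetric key.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check(auth, ticket, now):
    """What a verifier checks once it has decrypted a ticket and its authenticator."""
    if ticket["expires"] < now:
        raise ValueError("ticket expired")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(auth["time"] - now) > SKEW:   # real Kerberos also keeps a replay cache
        raise ValueError("stale authenticator (replay?)")

class KDC:
    """Key Distribution Center: holds every principal's long-term key."""
    def __init__(self, keys):
        self.keys = keys

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: a TGT plus a session key only the real user can decrypt."""
        sess = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "key": sess.hex(), "expires": now + LIFETIME})
        return encrypt(self.keys[client], {"key": sess.hex()}), tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: verify the TGT, then issue a ticket for `service`."""
        t = decrypt(self.keys["krbtgt"], tgt)
        sess = bytes.fromhex(t["key"])
        _check(decrypt(sess, authenticator), t, now)
        svc = os.urandom(32)
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": svc.hex(), "expires": now + LIFETIME})
        return encrypt(sess, {"service": service, "key": svc.hex()}), ticket

class Client:
    def __init__(self, name, key):
        self.name, self.key = name, key   # key is derived from the user's password in real Kerberos

    def login(self, kdc, now):
        enc, self.tgt = kdc.as_exchange(self.name, now)
        self.sess = bytes.fromhex(decrypt(self.key, enc)["key"])   # the password itself never leaves the client

    def ticket_for(self, kdc, service, now):
        """Returns (service ticket, authenticator): the AP-REQ the client presents to the server."""
        auth = encrypt(self.sess, {"client": self.name, "time": now})
        enc, ticket = kdc.tgs_exchange(self.tgt, auth, service, now)
        svc = bytes.fromhex(decrypt(self.sess, enc)["key"])
        return ticket, encrypt(svc, {"client": self.name, "time": now})

def service_accepts(service_key, ticket, authenticator, now):
    """AP exchange: the server verifies with its own key alone and never contacts the KDC."""
    t = decrypt(service_key, ticket)
    _check(decrypt(bytes.fromhex(t["key"]), authenticator), t, now)
    return t["client"]

def run_demo(now=None):
    """Full AS -> TGS -> AP run for alice against the FTP service, then two attacks.
    Returns (authenticated principal, forged ticket rejected, replay rejected)."""
    now = now or int(time.time())
    keys = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "ftp/winserv03": os.urandom(32)}
    kdc, alice = KDC(keys), Client("alice", keys["alice"])
    alice.login(kdc, now)
    ticket, auth = alice.ticket_for(kdc, "ftp/winserv03", now)
    who = service_accepts(keys["ftp/winserv03"], ticket, auth, now)
    forged = bytearray(ticket)
    forged[20] ^= 0x01                    # flip one ciphertext bit of the ticket
    rejected = []
    for tk, at in ((bytes(forged), now), (ticket, now + 3600)):
        try:
            service_accepts(keys["ftp/winserv03"], tk, auth, at)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return who, rejected[0], rejected[1]

if __name__ == "__main__":
    print(run_demo())   # ('alice', True, True)
```

Two properties of the design are visible in the code: the user's long-term key is used only to open the AS reply, so it is never sent anywhere, and the server authenticates the client from a ticket sealed under the server's own key, so it needs no connection to the KDC at request time. The clock-skew check is why Kerberos deployments insist on synchronised time.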

In addition, En. Mohd Zaki introduced another network security control to us: the honeypot. A honeypot is a trap used to identify, avert and, to some extent, neutralize attempts to hijack information systems and networks. It usually consists of a single computer or a network segment that disguises itself as a normal computer or network. It traps hackers by making them think they have successfully hacked the network when in fact they are not touching the real network, while everything they do is recorded. This lecture gave me a lot of knowledge about network security and I am satisfied with it.

Saturday, September 19, 2009

Database Security, 25 August 2009

Lab 6 of the IT security course is about database security. We were required to perform the lab tasks according to the lab sheets using MySQL. En. Mohd Zaki guided us through the installation of MySQL. At first, we failed to install MySQL using the common installation method, but finally we installed it successfully from the command prompt. Before running MySQL, I set a new password by typing the following command at the command prompt:


SET PASSWORD FOR root@localhost = OLD_PASSWORD('abc123');
-- OLD_PASSWORD() produces the short pre-4.1 hash kept only for old clients; PASSWORD('abc123') gives the stronger 4.1+ hash.

After that, I started to use MySQL to create an account database and then a records table with the attributes CustomerName, Account-Number, Balance and CreditRating. Then I created a user table with the attributes Customer, Clerk and Manager. After creating the database and tables, I defined an access structure according to the situation given.

Customers can read their own accounts.

- Customers are created as ordinary users. Set read-only privileges for the customer.


Clerks can read all fields other than CreditRating and update Balance for all accounts.

- Clerks are created as ordinary users. Set read privileges on all fields other than CreditRating, plus the privilege to update Balance for all accounts.


Managers can create new records, read all fields, and update CreditRating for all accounts.

- The manager is created as an administrator. Set full read and write privileges on all accounts for the manager.
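As an added example (not the lab's own SQL), the following Python encodes the three requirements above as a role/column policy, checks individual requests against it, and emits the MySQL statements that enforce it. It follows the requirements as written, which are narrower than giving the manager full read/write access: the manager may insert rows and update CreditRating, but updating Balance stays the clerk's job. The column is named AccountNumber (no hyphen, so it needs no quoting), and the role accounts, host and customer names are assumptions.

```python
FIELDS = ("CustomerName", "AccountNumber", "Balance", "CreditRating")

# role -> action -> columns it may touch, taken from the three requirements.
POLICY = {
    "customer": {"read": set(FIELDS)},                                     # own row only, see allowed()
    "clerk": {"read": set(FIELDS) - {"CreditRating"}, "update": {"Balance"}},
    "manager": {"read": set(FIELDS), "insert": set(FIELDS), "update": {"CreditRating"}},
}
ACTION_TO_SQL = {"read": "SELECT", "insert": "INSERT", "update": "UPDATE"}


def allowed(role, action, column, requester=None, row_owner=None):
    """Reference-monitor check: may `role` perform `action` on `column`?
    Customers additionally need the row to be their own (row-level rule)."""
    if column not in POLICY.get(role, {}).get(action, set()):
        return False
    if role == "customer" and requester != row_owner:
        return False
    return True


def grant_statements(customers=("alice",), db="account", table="records", host="localhost"):
    """Turn POLICY into MySQL statements, keyed by account name.

    Column-level GRANTs express the clerk and manager rules directly. GRANT
    cannot filter rows, so each customer gets a view restricted to their own
    record; the view runs with its definer's (the administrator's) rights, so
    the customer account gets no privilege on the base table at all.
    Customer names are administrator-chosen identifiers, not user input.
    """
    target = f"{db}.{table}"
    stmts = {}
    for role in ("clerk", "manager"):
        privs = []
        for action in ("read", "insert", "update"):
            cols = [c for c in FIELDS if c in POLICY[role].get(action, ())]
            if cols:
                sql = ACTION_TO_SQL[action]
                privs.append(sql if len(cols) == len(FIELDS) else f"{sql} ({', '.join(cols)})")
        stmts[role] = [f"GRANT {', '.join(privs)} ON {target} TO '{role}'@'{host}';"]
    for name in customers:
        view = f"{db}.{table}_{name}"
        stmts[name] = [
            f"CREATE VIEW {view} AS SELECT {', '.join(FIELDS)} FROM {target} "
            f"WHERE CustomerName = '{name}';",
            f"GRANT SELECT ON {view} TO '{name}'@'{host}';",
        ]
    return stmts


if __name__ == "__main__":
    for account, statements in grant_statements(("alice", "bob")).items():
        print(f"-- {account}")
        print("\n".join(statements))
```

The `allowed()` function is the policy the database should enforce; `grant_statements()` is the same policy written in the DBMS's own terms, which is the check a practitioner wants: every line the DBMS is told should be derivable from the access matrix, and nothing in the matrix should be left for the application to enforce on its own.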


At the end of this practical session, I understood the importance of security issues, specifically in database systems, and the problems related to information protection, and I investigated the potential implementation of security mechanisms in the database management system and the operating system.