Professional Information Security Association SEP-2009

PISA Journal, Issue 10

Green Dam: An Analysis of its Filtering Functions (綠壩— 過濾功能的剖析) | Reversing Green Dam | Green Dam: A Reflection of China’s Clean Internet Initiative | AES-256 vs AES-128 | Domain Name System Amplification Attack | China: Basic Standard for Enterprise Internal Control | Best Practices for Information Security in the Web 2.0 Era

www.pisa.org.hk

Page 1 of 36. An Organization for Information Security Professionals. Issue 10. Editor: [email protected]

Copyright © 2009 Professional Information Security Association. Licensed under a Creative Commons Attribution-Noncommercial-Share Alike license.

3 Message from the Chair
4 Dissecting Green Dam: Green Dam, An Analysis of its Filtering Functions (綠壩— 過濾功能的剖析)
7 Reversing Green Dam – Uncover the Darkness and Truth
12 Green Dam - A Reflection of China’s Clean Internet Initiative
16 Cryptography: AES-256 vs. AES-128: which provides more security control
19 Internet Security: A Look at Domain Name System Amplification Attack
23 IT Governance and Compliance: China - Basic Standard for Enterprise Internal Control
27 Websense: Best Practices for Information Security in the Web 2.0 Era
30 SCWC2009: SC World Congress 2009
31 Program Snapshot
35 Active in External Affairs
36 Membership Benefits

Softcopy available at http://www.pisa.org.hk/publication/journal/


Message from the Chair of PISA

Antony Ma CISA, CISSP, Chairperson

PISA has been organizing information security events, technical research studies and policy comments since 2002. This basic theme has not changed through the years while we have more members and program committee members joining us. In 2008, we had a change of the web site led by our EXCO member George Chung. The current web site will be further enhanced to make PISA more responsive to the community.

PISA has made very prominent contributions to WiFi security in Hong Kong and school security management. A recent project we are putting a lot of effort into is the Honeynet project, on which we are cooperating with City University and IVE (Hacking Wong). This project is led by Program Committee members Peter Cheung and Roland Cheung.

From day one, PISA was built on the continuous and unconditional contributions from our members. We will continue this spirit in the coming years. When I meet members at our gatherings, many new ideas are proposed. With the contribution from members, I believe we are able to implement some of them and make PISA a more open, responsive and professional security association. Let us work together to bring PISA a successful year in 2009/10!

Antony, September 2009

The newly elected PISA EXCO 2009/10 Jim Shek (left), Antony Ma, Raymond Tang, Frank Chow, Alan Ho, George Chung & James Chan

Dissecting Green Dam

Green Dam: An Analysis of its Filtering Functions (綠壩— 過濾功能的剖析)

楊和生 (Sang Young) CISSP CISA CEI ECSA CHFI CIFI CEH, Program Committee

Green Dam Youth Escort (綠壩-花季護航) was developed by a software company based in Hangzhou, China. Under a directive of the Ministry of Industry and Information Technology (MIIT), it was originally required to be installed on every new computer sold from 1 July 2009. However, because of the software's quality, the implementation timetable and the strong reaction from enterprises and netizens both in China and overseas, at the end of June 2009 MIIT postponed the directive until further notice. Officially, Green Dam is positioned as software that protects minors online: it is said to recognize pornographic images and articles on web sites and filter them. We tried testing Green Dam's various functions as well as its "other functions".

Functional tests

We used home edition version 3.17. Opening the Green Dam console shows several built-in filtering functions, the main ones being:
• URL filtering
• Keyword filtering
• Image filtering
• Screen text
The following are our test results for each of Green Dam's techniques:

URL filtering

Green Dam has a URL database that can be updated periodically. When a user visits a URL listed in that database, a "DNS error" message appears and the site cannot be visited. In our tests, URLs successfully filtered included http://www.playboy.com, but because of the inherent weakness of a URL database, many pornographic site URLs were still not filtered. Worse, many legitimate sites were wrongly filtered; for example, the Microsoft SysInternals security tools site http://www.sysinternals.com was classified by Green Dam as an inaccessible address. URL filtering is therefore both ineffective and prone to false positives.

Keyword filtering

Green Dam also filters based on keywords that appear on a web page; the keyword database can likewise be updated periodically. In our tests, when a keyword appears, the web browser again shows a "DNS error" message. For example, http://www.sex141.com is not in the URL database, but because the page contains some pornography-related keywords, Green Dam filters the site as well. Unfortunately the keyword database has the same serious shortcoming, causing many legitimate sites to be wrongly filtered; for example, the web site of the Family Planning Association of Hong Kong (http://www.famplan.org.hk) became collateral damage because of similar keywords. Keyword filtering has other shortcomings too, such as not recognizing text that is neither Chinese nor English: preliminary tests showed that when a page contained Japanese pornographic terms, Green Dam could not filter it.

Image filtering

Another function Green Dam claims to be powerful is intelligent filtering of pornographic images, based on skin tone detection. Vendors applied this technique to Internet filtering as early as ten years ago, but skin tone detection has many limitations, for example it can only recognize white and yellow skin, and so it never became widespread.

By default, Green Dam's image filtering is turned off. We enabled it and ran tests: pornographic photos of white and yellow-skinned people were successfully filtered, and the failures were mainly darker photos or photos of black people. Successfully filtered: http://www.wsyoung.com/f/123.bmp; but many photos were not filtered, including http://www.wsyoung.com/f/456.bmp and http://gdghdshadh1.blog116.fc2.com/blog-entry-244.html.

Moreover, Green Dam wrongly filtered a large number of non-pornographic photos, for example a baby's head, Hu Jintao's face, the Chinese national flag and the Party emblem.

Screen text filtering

Screen text filtering means that Green Dam filters applications in which keywords appear, such as Microsoft Office and Notepad. We tried typing "sex", "fuck", 「愛」 (love) and 「屠殺」 (massacre) into Notepad and found they could be entered; but when we typed 「六四屠殺」 (June 4th massacre), 「六四屠城」 (June 4th city massacre) or 「陷害法輪功」 (framing Falun Gong), Green Dam immediately closed Notepad and displayed 「此信息不良! 將被過濾掉!」 ("This information is harmful! It will be filtered!"). Because the user's file has not yet been saved, unsaved data is lost. Our tests showed that the applications that get closed also include WordPad and EditPro. Interestingly, simply renaming the Notepad program lets one bypass this overbearing screen text filtering function.

Other test results

Green Dam's other functions include periodically capturing the user's screen (screen capture), by default once every 3 minutes, with the most frequent setting being once per minute; the screenshots are stored in time order. The security threat is that sensitive screens may be recorded, such as online banking account operations, the contents of decrypted documents and private communications. Whether uploaded by Green Dam to a server or read from a computer that has been illegally accessed, the captured screens form a database of sensitive user behaviour.

For image filtering, different sensitivity levels can be configured.

When we used Firefox, the filtering was much less effective: sometimes filtering failed, and when it succeeded, under Firefox there was no error or prompt message at all, only a blank page.

Green Dam's language is set only for a Simplified Chinese working environment; to install it or change its settings, one must use a Simplified Chinese version of Windows or set the system default language to Simplified Chinese. During the testing period, a campus edition and a server edition of Green Dam also appeared; the campus edition is said to be the same as the home edition we tested, while the server edition is a Microsoft IIS plug-in originally intended for network content providers.

Summary

The Green Dam version we used was home edition 3.17. It can filter pornographic web content, but it also filters non-pornographic sites. When certain politically sensitive content appears, Green Dam kills the application without saving the user's input. Green Dam also has a logging function that stores the URLs the user browses and the screen captures. Green Dam also has outbound communication capability, which can be used for updating its databases.

楊和生, 2009 ■

Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.

Dissecting Green Dam

Reversing Green Dam – Uncover the Darkness and Truth

Anthony Lai CISSP, CSSLP, CEH, Program Committee, PISA; Founder and Security Researcher, Valkyrie-X Security Research Group

You may already have studied the dynamic behaviour of the Green Dam software from Sang Young’s article. I have highlighted some important findings after carrying out reverse engineering over a few critical modules in Green Dam to understand what it does as well as its architecture. Finally, we provide a summary and recommendation as well as the room for further research on Green Dam.

1. Commander of Installation and Process

We found that XNet2.exe is the major Green Dam service. It handles installation and registers the software key with the system, and is responsible for password check and reset. Meanwhile, it acts as a commander of XDaemon.exe and gn.exe and kick-starts a number of processes with the following executables:

Xdaemon, gn, HTAnalyzer, MPSVCC, HNCENG, HH, Looklog and LookPic

Figure 1.1: Creating the process

2. Application executable monitoring

It is a critical finding that injlib32.dll is injected into every critical process. Handle.dll creates a process/thread to monitor any messages received from the injected DLL (as it supports transmitting strings). You could be amazed that it is architected like malware. Figure 2.1 shows our proposed model of how they interact with each other.

Figure 2.1: The relationship between injlib32.dll and Handle.dll

Figure 2.2: Following into memory address of loc_100008918, we could have list of executable names loaded before for monitoring.

(a) (b)

Figure 2.3a & 2.3b: Display of the monitored existing running services on the computer with Green Dam installed

3. Connecting to remote time server from NIST (National Institute of Science and Technology) in United States

We found Green Dam trying to set up several network sockets and connect to the ISP and to NIST's time server in the United States. The time server is used to synchronize the time across time zones for logging and downloading.

Figure 3.1: Setting up and opening network socket

Figure 3.2: List of IP addresses Green Dam attempted to connect to

Figure 3.3: WhoIs search returns information on IP address “132.163.4.103” related to NIST

4. Suspicious piracy violation and code stealing from Cybersitter

I decrypted the word list file with the information supplied by the Technical Analysis of Green Dam [1]. The keywords and naming conventions are nearly the same as those of Cybersitter from Solid Oak. On 25 June, Solid Oak published a detailed copyright infringement document stating that Green Dam Youth Escort contains portions of Cybersitter code [3].

Figure 4.1: Filtering classification is nearly the same as that found in Cybersitter

Summary and Recommendation

From the above findings, our research group believes that Green Dam does not simply function as an Internet filter but also monitors applications and the content typed into them. In fact, it has a malware-like architecture, and the existing vulnerabilities could lead to further security risk exposure. Especially for the editions for various servers, the installation may open loopholes for severe attacks including DoS and unauthorized access.

It is just the beginning. We have not tested the following scenarios:
• Whether there is any upgraded version supporting data definition updates and uploading the violation to the server when sensitive words are input.
• Server editions, such as the version for web servers, have not been tested.
• We have not carried out reverse engineering over every module to obtain a complete picture of its operation and how it flows.

Bypassing Green Dam

If you are using Green Dam at your workstation and are forced to taste the power of monitoring, note that it relies on hardcoded strings and executable names. The easiest way is to create another set of executables by renaming, e.g. changing "notepad.exe" to "nopad.exe", to bypass the application monitoring.

Anthony Lai, 2009

Reference

[1] Technical Analysis of Green Dam http://wikileaks.org/wiki/A_technical_analysis_of_the_Chinese_'Green_Dam_Youth-Escort'_censorship_software

[2] Analysis of the Green Dam Censorware System http://www.cse.umich.edu/~jhalderm/pub/gd/

[3] Green Dam Youth Escort Contains Portions of Cybersitter Code – Copyright Infringement Issues – June 25, 2009 http://www.cybersitter.com/gdcs.pdf

Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.

Dissecting Green Dam

Green Dam - A Reflection of China’s Clean Internet Initiative

SC Leung CISSP, CSSLP, CBCP, Program Committee, PISA

Green Dam Rush

On 9th June 2009, the Ministry of Industry and Information Technology (MIIT) of the Chinese Government issued a notice to all PC makers in China, requiring them to offer the “Green Dam - Youth Escort” (綠壩--花季護航) software, either preinstalled or as part of the basic software package, for all PCs starting from 1 July 2009. This measure had a direct impact on the hundreds of millions of Internet users in China and at the same time affected PC manufacturers, online advertising companies, bloggers and many others. The Green Dam software, downloadable at lssw365.net, was developed by two MIIT-picked Chinese software companies, Jinhui Technology and Dazheng Language Technology, under a RMB 41M contract. The software is free of charge to users in the first year and requires a subscription fee from the second year onwards.

Why Green Dam?

The Government presented the Green Dam implementation as part of a “green Internet” policy to protect children from online pornography. The software was controversial. While some parents supported such an initiative, many others argued that decisions and control over filtering to protect children should be left in the hands of parents and teachers. Centralized censorship, even when well-intentioned, infringes the rights of citizens.

China has a sophisticated national level filter at the network gateway, the Great Firewall of China (GFW). Why is there a need for Green Dam? From public domain analysis, the network filters could be circumvented by users who adopted anonymous web proxies and TOR (The Onion Router) [1] technologies. Green Dam was client side filtering software, aiming to complement the GFW. With Green Dam installed, even if a user has a proxy server or TOR client installed to bypass the network level filter, Green Dam is able to intercept the data passing through and take filtering action before it is displayed to the user.

[1] http://www.torproject.org/

Civilian analysis on Green Dam

The most heated discussions found in public forums in and around the world were the concerns on possible Internet censorship via Green Dam. Does Green Dam behave exactly as said by the government officials? Are there any undocumented features in Green Dam?

The global Internet community was quick to respond to these concerns with sound analysis. Many different studies were conducted in civil societies around the world. One of the important ones is “A Technical Analysis of the 'Green Dam-Youth Escort' Software” [2]. The coincidence of the findings reinforces the credibility of the results. Here are some findings of the studies.

1. Green Dam was found to use several filtering technologies: URL, keyword and skin tone recognition.

2. The filtering performance was in general poor. It did not work well with the Firefox browser. It failed to block pornography of black-skinned people while it blocked non-obscene content like baby photos.[3] Green Dam seemed to block very broad keywords, causing severe over-blocking. For example, The Family Planning Association of Hong Kong was blocked because some sex education terms are in the blacklist.

3. The keyword blacklist contains a lot of political terms, which indicated the software was not solely for filtering pornography but political information as well. [4]

4. The software could capture screenshots similar to some spyware, and it is not sure whether the screens are sent to some central server on request. The software also collected user behaviour and sent information back to servers owned by Jinhui Technology, and it was found that the transmission was not encrypted.

5. The software monitored editor software and terminated it if the user typed in politically sensitive terms like 「六四屠殺」 (June 4th massacre) and 「陷害法輪功」 (falsely incriminating Falun Gong).

6. Researchers from the University of Michigan released an analysis report on the software [5] citing two critical security vulnerabilities, in web filtering and in blacklist update, that when exploited could allow the software manufacturer or hackers to take total control of the PCs. The Green Dam enabled PCs could become a large scale botnet. Furthermore, updates are delivered via unencrypted HTTP, which could allow a third party to impersonate the update server and take control of users' computers using this attack.

7. A software house, Solid Oak Software, issued a document “Copyright Infringement Issues -- Green Dam Youth Escort Contains Portions of Cybersitter Code” on June 25, 2009, condemning Green Dam for using their blacklist. [6]

[2] https://docs.google.com/View?id=afk7vnz54wt_12f8jzj9gw [3] Translated posts: http://www.zonaeuropa.com/200906a.brief.htm#017 [4] http://wikileaks.org/wiki/Chinese_Green_Dam_Falun_Gong_related_censorship_keywords%2C_June_2009 [5] Analysis of the Green Dam Censorware System http://www.cse.umich.edu/~jhalderm/pub/gd/ [6] http://government.zdnet.com/?p=5034

MIIT forced an urgent patch to the Green Dam security holes.[7] The researchers of the University of Michigan subsequently studied the patch 3.173a and discovered a new vulnerability.[8] They also found Green Dam had ceased the use of the Cybersitter blacklist starting from this version. They found in a later version, 3.174, that Green Dam added the license text required by the OpenCV open-source project to Green Dam's help file. The researchers said that “while the 3.174 filter update added the required license, Green Dam's use of OpenCV prior to version 3.174 may be in violation of OpenCV's license.”

General concerns

1. The over-blocking blocked access to proper information and affected productivity or school learning.

2. The blocking of political content was a form of censorship of freedom of information access.

3. The monitoring of typed-in information infringed freedom of expression.

4. Some were afraid that the logging of user activities would be used to prosecute and arrest people for possible offences.

5. The capture of screenshots infringed personal privacy.

6. People feared that they had no control over how Green Dam evolves after a software update.

7. The software connected to a central database to get updates of the URL blacklist and keyword blacklist. There was no transparency in the blacklist items and no mechanism available to appeal and correct mis-configured items. Users could hardly know what contents were blocked, and whether the blocked contents were harmful.

8. Foreign businesses with sensitive communication such as trade secrets use VPN and other end point encryption to protect their information traversing untrusted networks. They were afraid that Green Dam could provide a perfect backdoor to bypass all these protections, leading to data leakage.

9. Many international companies have global purchasing guidelines that are enforceable on their offices in China. The requirement of having Green Dam installed on purchased PCs created a headache in compliance with the company's global practices.

10. The use of mandatory client filtering software created a monoculture which lacks competition and commercial incentive to improve, making the software more vulnerable.

11. The use of a single national filtering software on citizens' PCs created an attractive target for attack and could impact national security.

[7] China orders plug for hole in Green Dam http://news.zdnet.co.uk/security/0,1000000189,39664231,00.htm [8] http://www.cse.umich.edu/~jhalderm/pub/gd/#add1

Suspension of Green Dam

At the end of June, the Chinese officials toned down the mandatory enforcement of the policy to an advisory. On one hand the policy received serious criticism from Chinese netizens. On the other hand, discussion in some official forums indicated that some other governmental departments also had reservations about Green Dam. For schools and Internet cafes, it was reported that the Green Dam implementation continued.

The vendors in western countries, where the civil societies are stronger, received a lot of pressure over Green Dam installation on the PCs. The Global Network Initiative [9], which included several major suppliers like Google and Yahoo!, and other research institutes and human rights watch groups, had openly criticized China's Green Dam policy. It would be hard for the vendors to comply with the Chinese requirement, let alone the tight schedule.

Post Green Dam Era

The Chinese Government maintains a high profile in “cleaning up the Internet” although the push for Green Dam was suspended.

1. The Government stated that she would improve the Green Dam software.[10]

2. The Government continued to push forward real name registration in web portals and online forums to increase the authenticity of user accounts, which the Government believed could mitigate abuse of Internet usage. Users of Sina (新浪, sina.com), WuYi (网易, 163.com) and SoHu (搜狐, sohu.com) were required to use their real name and ID card number to register. [11]

3. On 11 September, the Chinese Government ordered all web servers and web hostings in China to install a server based filtering software, BlueDon (藍盾) [12]. The software was said to filter illegal content at the web server. [13]

So suspension of Green Dam is not the end of the story but only a milestone. We should see more development in China’s “clean Internet” policy in different perspectives.

SC Leung, 2009 

Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.

[9] http://www.globalnetworkinitiative.org/
[10] http://www.rfa.org/mandarin/yataibaodao/lvba-08132009160342.html
[11] http://zh.wikipedia.org/wiki/%E4%B8%AD%E5%9B%BD%E7%BD%91%E7%BB%9C%E5%AE%9E%E5%90%8D%E5%88%B6
[12] http://download.bluedon.com/
[13] http://www.rfa.org/mandarin/yataibaodao/wangluo-09112009101909.html

Cryptography

AES-256 vs. AES-128: which provides a more secure control?

Otto Lee CISA CISSP CSSLP

The AES is a global standard encryption algorithm. It was to replace Triple DES, which was broken in 200x. There are various versions of AES, and they are named according to the cipher block size. A larger cipher block requires more computation, so in general people regard a larger cipher as harder to break. In this article the author critically analyzes AES-256 security with respect to recent attacks with practical complexity.

Introduction

Advanced Encryption Standard (AES) is an encryption standard announced by the National Institute of Standards and Technology (NIST) as FIPS 197 in 2001. It was then approved by the National Security Agency (NSA) for top secret information and is currently one of the most popular algorithms used in symmetric key cryptography.

AES has three block ciphers, AES-128, AES-192 and AES-256, with a fixed block size of 128 bits and a key size of 128, 192, or 256 bits.

In the last few months, there have been a couple of attacks published against AES-192 and AES-256, and the latest one, published by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, seems to be quite destructive and is treated as a complete attack against 11-round AES-256. This article will describe those attacks on AES-256 and the corresponding impacts.

Advanced Encryption Standard (AES)

As stated in [1], AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, with a corresponding number of rounds (10, 12, 14, respectively), and can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.

Assuming one byte equals 8 bits, the fixed block size of 128 bits is 128 ÷ 8 = 16 bytes. AES operates on a 4×4 array of bytes, and its calculations are done in a special finite field.

The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plain-text into the final output cipher-text. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds is applied to transform cipher-text back into the original plain-text using the same encryption key.

Attack One

In May 2009, Alex Biryukov and Dmitry Khovratovich published a paper [2] about two related-key boomerang attacks on the full AES-256 and AES-192. For AES-256, they showed the first key recovery attack, requiring 2^119 time; while for AES-192, they showed an attack requiring 2^176 time. Though these complexities are faster than exhaustive search, they are not practical attacks and do not pose any real threat to the security of systems using AES.

Attack Two

In July 2009, Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir published a paper [3] describing several attacks which can break, with practical complexity, the variants of AES-256 whose number of rounds (9-round and 10-round) is comparable to that of AES-128. They also described an almost practical attack against 11-round AES-256 that requires 2^70 time.

Impacts

After the disclosure of those attacks, it does raise a question about the effectiveness of AES-256 compared with AES-128. Currently, AES-128 is not vulnerable to the attacks that have been found, so we assume that the only attack method is brute force, taking 2^128 time. This would suggest that the assurance we get from using AES-256 is not the orders of magnitude above AES-128 that we may have previously expected. That said, there’s nothing that we can see that would indicate that AES-128 is inadequate for the majority of the things we use symmetric encryption for.

On the other hand, the new attacks work best against AES-256, but will there be any new attack on AES-128 which is faster than exhaustive search? Moreover, as AES-256 was supposed to be the strongest member of AES, previous research has focused on it. Once the focus shifts back to AES-128, there could well be new attacks on AES-128 in the near future.

Moreover, Attack Two above breaks 11 rounds of AES-256, but full AES-256 has 14 rounds. Bruce Schneier suggested [4] using more rounds of AES, e.g., AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds.

In short, based on the latest information so far, if one has been using AES-256, one can continue using it, as there is no strong reason to change; if not, then unless a new attack against AES-128 appears, AES-128 provides enough security margin for the near future.

Otto Lee, 2009 

Reference

1. Advanced Encryption Standard http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

2. Related-key Cryptanalysis of the Full AES-192 and AES-256 (28 Jun 2009) http://eprint.iacr.org/2009/317.pdf

3. Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds (29 Jul 2009) http://eprint.iacr.org/2009/374.pdf

4. Schneier on Security - Another New AES Attack (30 July 2009) http://www.schneier.com/blog/archives/2009/07/another_new_aes.html

Contribution to PISA Journal

• To join the Editorial Committee of this professional publication
• To contribute to the next issue and make your publication public

Please contact the Editor ([email protected]). Next Issue: Mar-2010

Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.

Internet Security

A Look at Domain Name System Amplification Attack

Warren Kwok CISSP, Program Committee

I have heard about the domain name system (DNS) amplification attack since 2006 but over time I have not had the opportunity to witness how this kind of attack takes place. Between January and February 2009, I got the chance to see botnet hosts launching a new variant of DNS amplification attack involving root name server queries. This article is written to share my observations and analysis, and to discuss some technical solutions for preventing and defending against DNS amplification attack.

DNS Amplification Attack by Root Zone Query

In the beginning, I found the error logs of my DNS filled with tens of millions of lines denying queries for the name servers of the root zone, a sample of which is in Figure 1 below:

Figure 1 : queries of name servers for root zone denied

On analysis of the sample log above, I found that zombie hosts sent UDP packets with the spoofed IP address 206.71.158.30 to query the name server records of the root zone. The size of an incoming packet for such a query is 45 bytes. If a DNS server is operating as an open resolver, a packet of 500 bytes containing the names and IP addresses of the 13 root servers would be sent to the target victim with the IP address 206.71.158.30. In this connection, open resolvers are resolving name servers that perform recursive queries for untrusted hosts and IP addresses. Figure 2 illustrates, by means of the "dig" command, the response of an open resolver.

Figure 2: Response of an open resolver to root zone query

For systems that have banned open recursion, the message "query refused" is sent out. The size of this packet is 17 bytes, as shown in Figure 3. Summarizing, the output of 500 bytes from an open resolver yields an amplification factor of 11 (500 bytes divided by 45 bytes). This factor, if multiplied by a large number of queries, can be used to launch large scale DDoS attacks against a target victim. Apparently, the two elements of the DNS amplification attack, IP address spoofing and open resolvers, deserve considerable attention by the Internet community.

Figure 3: Query of name servers for root zone denied
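The pattern described above, as an added example that is not part of the original article: a Python helper that builds the root-zone NS query on the wire to confirm the 45-byte size quoted in the text, computes the amplification factor an open resolver hands the attacker, and counts denied root NS queries per (spoofed) source address in BIND-style log lines. The log lines are constructed to resemble Figure 1, which is not reproduced here, and the 500-byte and 17-byte response sizes are the figures the article quotes.

```python
"""Root-zone DNS amplification: size check and denied-query triage.

Added example, not from the original article. The sample log lines below are
constructed in the shape of BIND 9 "query ... denied" messages; the response
sizes (500 bytes from an open resolver, 17 bytes for "query refused") are the
values the article reports.
"""
import re
import struct
from collections import Counter

# Constructed sample log (Figure 1 is not on the page). The same spoofed
# source, 206.71.158.30, appears in the article; it is the victim, not the bot.
SAMPLE_LOG = """\
12-Jan-2009 10:01:02.117 client 206.71.158.30#20546: query (cache) './NS/IN' denied
12-Jan-2009 10:01:02.118 client 206.71.158.30#20547: query (cache) './NS/IN' denied
12-Jan-2009 10:01:02.120 client 206.71.158.30#20548: query (cache) './NS/IN' denied
12-Jan-2009 10:01:02.125 client 192.0.2.44#53211: query (cache) 'www.example.com/A/IN' denied
12-Jan-2009 10:01:02.130 client 206.71.158.30#20549: query (cache) './NS/IN' denied
"""

DENIED_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query \(cache\) "
    r"'(?P<name>[^/]*)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

IP_HEADER = 20    # IPv4 header without options, bytes
UDP_HEADER = 8    # UDP header, bytes
OPEN_RESOLVER_RESPONSE = 500   # bytes, per the article (13 root NS + glue)
REFUSED_RESPONSE = 17          # bytes, per the article ("query refused")


def root_ns_query_wire(txid=0x1234):
    """DNS message asking for the NS records of the root zone ('.')."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Root name is a single zero length octet; QTYPE NS=2, QCLASS IN=1
    question = b"\x00" + struct.pack("!HH", 2, 1)
    return header + question


def on_wire_size(dns_payload):
    """Length of the IPv4/UDP packet carrying this DNS payload."""
    return IP_HEADER + UDP_HEADER + len(dns_payload)


def amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives for each byte the attacker has to send."""
    return response_bytes / request_bytes


def parse_denied(log_text):
    """Yield (source, qname, qtype) for every denied query in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("src"), m.group("name"), m.group("qtype")))
    return hits


def root_query_sources(log_text, threshold=3):
    """Sources that sent at least `threshold` denied root NS queries.

    Because the source address is spoofed, a flagged address is the target
    being flooded; the count per address is the volume reflected at it.
    """
    counts = Counter(src for src, name, qtype in parse_denied(log_text)
                     if name == "." and qtype == "NS")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    q = root_ns_query_wire()
    req = on_wire_size(q)
    print(f"root NS query: {len(q)} bytes DNS payload, {req} bytes on the wire")
    print(f"open resolver: {amplification_factor(req, OPEN_RESOLVER_RESPONSE):.1f}x, "
          f"recursion refused: {amplification_factor(req, REFUSED_RESPONSE):.2f}x")
    print("targets seen in denied root NS queries:", root_query_sources(SAMPLE_LOG))
```

Refusing recursion turns the 11x gain into a reply smaller than the request, which is why the denied lines in the log are the benign outcome and the flagged address is the one to notify.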


Implementation of Source Address Validation

By implementing source address validation (SAV), Internet Service Providers (ISPs) can help to defeat DDoS attacks which employ IP address spoofing. The use of ingress filtering between the customer's network and the ISP side is a well-proven solution. The underlying logic is that customers should not be sending any IP packets out to the Internet with a source address other than the addresses their serving ISPs have allocated to them.

Putting up an access control list (ACL) on each ingress interface is a straightforward way of SAV. An ACL contains a list of valid source IP addresses at the router interface to filter packets. Nevertheless, this method requires considerable time and effort to manage, since the source lists must be kept up to date to cater for changes in the user's network, maintenance and operation.

A more effective approach for SAV is to use unicast reverse path forwarding (uRPF), which is available in common brand routers such as Cisco and Juniper. uRPF uses the routing table to determine whether a source address is acceptable. A packet is considered acceptable if the route to the source of the packet (the reverse path) points to the interface that the packet actually came in on. Failing this check, the packet is considered spoofed and is dropped.

Although SAV is an important security feature, it is not widely implemented. Some ISPs fear that the implementation adds administrative overhead and might adversely impact performance, because every single packet originating from the customer side must be inspected before being sent out.

Disabling Open Recursion in Domain Name System

In the DNS amplification attack, open resolvers are used as amplifiers to cause a UDP flood to the victim. Not only can open resolvers be exploited for launching DDoS attacks, but these systems are also susceptible to cache poisoning. The information security industry has long considered open resolvers a big configuration mistake which poses imminent security threats to the Internet. To make the Internet safe, all system administrators must ensure that their DNS servers are not misconfigured with open recursion.

Rate Limiting Incoming Packets on the ISP's Router

In the case of DNS amplification attack, the packets received by the victim will not be processed. Suffice to say, the aim of a DNS amplification attack is not to overload the CPU or memory resources of a victim's server, but rather to saturate all the available bandwidth. It should be noted that implementing rate limiting on the victim's perimeter router is not an effective preventive means. To protect against bandwidth exhaustion, rate limiting of incoming packets is best done on the ISP's router, which has the capability to assign a bandwidth limit to different kinds of Internet traffic such as ICMP, UDP or specific applications.

Disabling Root Zone Query

For DNS servers that have prohibited recursion, these systems still deliver the "query refused" message to flood the target victim. Some system administrators might consider blocking root zone queries so as to avoid the unnecessary outgoing traffic. At this moment, there is not much information on whether DNS servers should ban root zone queries. A root zone query is not malicious in itself: it can be used for testing configuration or troubleshooting, but it can also be used in a DDoS attack.

If system administrators consider root zone query as an attack, they can readily deploy network-based intrusion prevention systems to drop the incoming packets. The attack signature, which consists of a fixed byte length and a fixed string, is easy to detect. Alternatively, firewalls could be used to filter UDP packets destined for port 53 carrying the simple and easily identifiable payload. There is also an easy way to block UDP packets destined for port 53 with a packet length of 45 bytes. By means of iptables, I have tested filtering root zone queries on a DNS resolver and the result is satisfactory.

Looking Forward

DNS amplification attack will continue to plague the Internet since SAV is not widely implemented and there are still a large number of open resolvers. When new variants of DNS amplification attack emerge, system administrators need to quickly analyze the attack vectors and develop mitigation measures such as adding firewall rules or tuning intrusion prevention/detection systems. Besides, they must also be well-prepared at all times to seek the assistance of their serving ISPs in order to protect their networks.
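The ACL and uRPF checks from the source address validation section, as an added illustration (my own code, not the article's and not any router vendor's implementation): a small constructed forwarding table and per-port ACL on a hypothetical ISP edge router, with the strict-mode uRPF rule that the reverse path to the source must leave through the interface the packet arrived on. The interface names, prefixes and addresses are invented. The last function shows the maintenance point the article makes: when a customer is allocated a new prefix, uRPF follows the routing table automatically, while the static ACL keeps dropping the customer's legitimate traffic until someone edits it.

```python
"""Source address validation (SAV) at an ISP edge: static ACL versus uRPF.

Added example, not code from the article or from any router vendor.  It
models the two checks on a constructed forwarding table (FIB) and ingress
ACL for a hypothetical edge router with two customer ports and one
upstream port.  Interface names, prefixes and addresses are invented.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src ingress")   # source IP, arrival interface

# Constructed FIB: prefix -> interface the router forwards through to reach it.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "cust-A",
    ipaddress.ip_network("203.0.113.0/25"): "cust-B",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",      # default route
}

# Constructed ingress ACLs: source prefixes each customer port may use.
# The upstream port carries the whole Internet and is not listed.
INGRESS_ACL = {
    "cust-A": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/25")],
}


def lookup_route(fib, addr):
    """Longest-prefix match: (prefix, interface), or None if unroutable."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def acl_accepts(pkt, acl=INGRESS_ACL):
    """Static ACL check: the source must fall inside a prefix listed for the
    arrival interface.  Interfaces without an ACL are left unfiltered."""
    if pkt.ingress not in acl:
        return True
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in acl[pkt.ingress])


def urpf_strict_accepts(pkt, fib=FIB):
    """Strict-mode uRPF: the best route back to the source (the reverse
    path) must point at the interface the packet arrived on; otherwise the
    source is treated as spoofed and the packet is dropped."""
    route = lookup_route(fib, pkt.src)
    return route is not None and route[1] == pkt.ingress


def new_prefix_verdicts():
    """Customer A is allocated 203.0.113.128/25 and the FIB is updated, but
    nobody touches the ACL.  Returns each check's verdict for a legitimate
    packet from the new prefix: uRPF follows the FIB, the stale ACL does not."""
    fib = dict(FIB)
    fib[ipaddress.ip_network("203.0.113.128/25")] = "cust-A"
    pkt = Packet("203.0.113.200", "cust-A")
    return {"acl": acl_accepts(pkt), "urpf_strict": urpf_strict_accepts(pkt, fib)}


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "cust-A"),   # customer A's own space
                Packet("203.0.113.9", "cust-A"),    # customer B's space, spoofed
                Packet("192.0.2.30", "cust-A")):    # unrelated space, spoofed
        print(pkt, "acl:", acl_accepts(pkt), "uRPF strict:", urpf_strict_accepts(pkt))
    print("after new prefix, ACL not updated:", new_prefix_verdicts())
```

Both checks drop the two spoofed packets; the difference the article draws is operational, and new_prefix_verdicts() shows it as {"acl": False, "urpf_strict": True}.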
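The detection side of the Disabling Root Zone Query section, as an added example (my own code, not the author's iptables rules): a matcher for the fixed signature the article describes, a 17-byte DNS payload carrying the single question '.' NS IN, which is the 45-byte UDP/53 packet once the IPv4 and UDP headers are added, and a small triage routine for the kind of log lines the author saw. The log sample is constructed in BIND's "query (cache) ... denied" style with documentation-range addresses. In a reflection attack the address that dominates such a count is the spoofed victim, which is whom the serving ISP should be told about, not an attacker to block.

```python
"""Spotting root-zone NS query floods: packet signature and log triage.

Added example (not the article's code).  Two defensive checks:
  1. is_root_ns_query() matches the fixed signature the article describes,
     a 17-byte DNS payload whose only question is '.' NS IN, the same thing
     a firewall or IPS rule keyed on "UDP/53, 45-byte packet" looks for;
  2. summarise_denied_log() walks resolver log lines and groups the denied
     root NS queries by the source address they claim, which in a
     reflection attack is the victim, not the attacker.
The log lines are constructed samples in BIND's query-denied style; the
addresses are documentation-range placeholders.
"""
import re
import struct
from collections import Counter

ROOT_NS_QUESTION = b"\x00" + struct.pack("!HH", 2, 1)   # '.' NS IN
ROOT_NS_QUERY_LEN = 12 + len(ROOT_NS_QUESTION)           # 17 bytes of DNS payload


def is_root_ns_query(payload):
    """True for a DNS message that is exactly one question for the root NS set:
    right length, QR=0 (a query), QDCOUNT=1, and the fixed 5-byte question."""
    if len(payload) != ROOT_NS_QUERY_LEN:
        return False
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    return (flags & 0x8000) == 0 and qdcount == 1 and payload[12:] == ROOT_NS_QUESTION


# Constructed sample in the style a resolver with recursion disabled logs.
SAMPLE_LOG = """\
01-Sep-2009 10:00:01.120 client 192.0.2.30#1024: query (cache) './NS/IN' denied
01-Sep-2009 10:00:01.121 client 192.0.2.30#1025: query (cache) './NS/IN' denied
01-Sep-2009 10:00:01.121 client 192.0.2.30#1026: query (cache) './NS/IN' denied
01-Sep-2009 10:00:01.122 client 192.0.2.30#1027: query (cache) './NS/IN' denied
01-Sep-2009 10:00:01.500 client 198.51.100.8#53123: query (cache) 'www.example.com/A/IN' denied
01-Sep-2009 10:00:02.004 client 203.0.113.5#40000: query (cache) './NS/IN' denied
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied")


def summarise_denied_log(text, threshold=3):
    """Count denied root NS queries per claimed source address and return the
    sources at or above `threshold` with their counts: the likely spoofed
    victims.  Other denied queries are ignored."""
    counts = Counter()
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group("q") == "./NS/IN":
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # A constructed 17-byte query payload, as it would arrive on UDP/53.
    sample_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + ROOT_NS_QUESTION
    print("matches signature:", is_root_ns_query(sample_query))
    print("likely spoofed victims:", summarise_denied_log(SAMPLE_LOG))
```

The threshold is deliberately low for the six-line sample; on a real resolver log the article describes (tens of millions of denied lines) the counts for the spoofed address are orders of magnitude above anything a legitimate troubleshooting query produces, which is what makes the root NS query a usable signature without banning it outright.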

Warren Kwok, 2009 

Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.

IT Governance and Compliance

China - Basic Standard for Enterprise Internal Control

Howard Lau CISSP, Program Committee

The Basic Standard for Enterprise Internal Control 企業內部控制基本規範 (the Standard) [1] was released on June 28, 2008 by five Chinese government authorities and regulators as follows:

• Ministry of Finance 財政部
• National Audit Office 審計署
• China Securities Regulatory Commission 證監會
• China Banking Regulatory Commission 銀監會
• China Insurance Regulatory Commission 保監會

The Standard applies to all companies listed on the Shanghai and Shenzhen stock exchanges. The start date has been delayed from July 1, 2009 to January 2010 [2]. By the end of year 2010, listed companies will have prepared their assessment reports. It is expected that companies listed both inside and outside China Mainland are the first batch of companies to implement the Standard. Other companies also are encouraged to adopt its provisions.

The Standard includes fifty articles under seven chapters or areas, including (1) General Provisions 總則, (2) Internal Environment 內部環境, (3) Risk Assessment 風險評估, (4) Control Activities 控制活動, (5) Information and Communication 信息與溝通, (6) Internal Monitoring 內部監督 and (7) Supplementary Provisions 附則. Excluding the first and the last chapters, the middle five chapters are similar to the five elements of the Committee of Sponsoring Organizations (COSO) framework (1992) [Figure 1] [3]. The Standard also makes reference to the eight elements in COSO's Enterprise Risk Management (ERM) - Integrated Framework (2004) [Figure 2] [4]. The Standard requires a listed company

• to establish and implement internal control policies.
• to set up a suitable business management IT system with embedded controls.
• to make a self-assessment of the effectiveness of its internal control on a periodic basis and issue control self-assessment reports.

Figure 1: COSO's Internal Control - Integrated Framework
Figure 2: COSO's Enterprise Risk Management (ERM) - Integrated Framework


Three Guidelines

Besides the Standard, these five Chinese government authorities and regulators also issued three draft guideline documents, namely:

• The Enterprise Internal Control Assessment Guideline (企業內部控制評價指引) [5]
• The Enterprise Internal Control Implementation Guideline (企業內部控制應用指引) [6]
• The Enterprise Internal Control Assurance Guideline (企業內部控制鑒證指引) [7]

Figure 3: Books about the Basic Standard for Enterprise Internal Control [8]

Selected Articles from the Standard

There are 50 articles in the Standard. The following are some articles relating to IT governance, IT audit, business continuity and risk management.

Article 24
An enterprise shall apply qualitative and quantitative methods to analyze and prioritize identified risks…

Article 25
An enterprise shall determine its risk responses based on the outcome of its risk analysis, risk appetite and consideration on risk and reward…

Article 26
An enterprise shall apply appropriate risk response measures such as risk avoidance, risk reduction, risk sharing or risk acceptance to control identified risks effectively…

Article 37
An enterprise shall establish advance risk warning and emergency response mechanisms, clearly define the advance risk warning criteria, and in relation to potential safety, environmental protection and other major risks or emergencies, establish an emergency response plan, clearly allocate responsibilities, formalizing handling procedures to ensure that emergencies are responded to in a timely and proper manner.

Article 38
An enterprise shall establish an information and communication policy and clearly define its procedures relating to the gathering, handling and communication of internal control related information in order to ensure the timely communication of information and effective operation of internal control.

Article 39
An enterprise shall establish steps to screen, verify and collate the information received from internal and external sources in order to ensure the information's usability. An enterprise can attain internal information through its financial accounting data, business management data, research reports, special information, corporate periodicals and office network and other internal sources of data and channels. An enterprise can attain external information through industry associations,


Article 39 (con't)
social agencies, business related parties, market research, mails, business network, press and regulatory bodies and other external sources of data and channels.

Article 41
An enterprise shall apply information technology to improve information gathering and sharing and to maximize the effect of information and communication. An enterprise shall ensure the safe and stable operation of its information technology system through the establishment of proper control over systems development, maintenance, access, changes, data input and output, backup, network safety and other key information technology related activities.

Article 42
An enterprise shall establish anti-fraud policies, emphasize the importance of preventing frauds, clearly define the crucial aspects of anti-fraud activities, duties and responsibilities, authorities and limits of interested parties, and formalize reporting, investigation, handling and remediation procedures…

Article 43
An enterprise shall establish proper complaints handling and complainant protection policies … in order to provide an effective channel for dissatisfied interested parties to report and address their complaints…

Article 46
As part of internal monitoring, an enterprise shall perform a self-assessment of the effectiveness of its internal control on a periodic basis and issue a control self-assessment report…

Article 47
An enterprise shall keep proper records (either in physical or appropriate alternative form) of the internal control established and implemented by it in order to provide evidence and audit trails of such internal control establishment and implementation activities.

Market and Impact to the Industry

After the third plenary session of the eleventh Central Committee of the Communist Party of China in December 1978, Mr. Deng Xiaoping elaborated on the modernization drive and actively promoted reform. In 1990, both the Shanghai Stock Exchange (SSE) and the Shenzhen Stock Exchange (SZSE) were established. Nowadays there are about 900 and 800 listed companies in SSE and SZSE respectively. The Small and Medium Enterprise Board (SME Board) of SZSE was introduced in 2004. Currently there are over 280 companies in the SME board. Moreover, there is a plan to launch a Nasdaq-style second board with looser regulations than the SME board and main boards. China's economic reform is an obvious success in the past 30 years. However, during the last decade, there were a lot of fraud cases in big enterprises in China [9], e.g.

• 2001: Bank of China Kaiping Branch Case, Y2.73B
• 2005: Bank of China Heilongjiang Branch Case, Y1B
• 2006: Shenzhen Development Bank Case, Y1.5B
• 2008: Dalian Security Case, over Y4B
• 2009: Liaoning Zhida group & Agricultural Bank of China Case, Y0.85B

There were many enterprise fraud cases in other countries also. That is why the Sarbanes-Oxley Act was signed into US law in 2002. There are similar compliance standards in Japan and in other countries. The financial tsunami in 2008 / 2009 also showed the importance of monitoring and good regulatory systems for enterprises, especially in banking and financial institutions. As the Basic Standard for Enterprise Internal Control becomes a necessary compliance requirement for listed companies in China, it is expected there will be a vast market for service providers (outsourcing partners) and professionals (internal staff) in compliance, accounting, audit, IT audit, and other IT business (e.g. database, ERP, data-mining, log management and business intelligence…). More importantly, the Standard is a "modernization drive" and "reform" for enterprises in China. We expect to see an alignment of management standards for enterprises and professional standards for individuals, between China and the rest of the world.


Reference

1. The Basic Standard for Enterprise Internal Control (企業內部控制基本規範) http://big5.china.com.cn/policy/txt/2008-07/03/content_15924643.htm ; 企業內部控制基本規范 (Basic Standard for Enterprise Internal Control), 中國財政經濟出版社 (China Financial and Economic Publishing House), 2008
2. 企業內控規範三配套文件進入會簽階段 (Three supporting documents of the enterprise internal control standard enter the countersigning stage) http://big5.bjsme.gov.cn/news/200905/t59759.htm
3. "Putting COSO Theory into Practice." Tone at the Top, The Institute of Internal Auditors, November 2005 http://www.theiia.org/download.cfm?file=42122
4. Enterprise Risk Management – Integrated Framework, Executive Summary http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
5. The Enterprise Internal Control Assessment Guideline (企業內部控制評價指引) http://szs.mof.gov.cn/kjs/zhengwuxinxi/gongzuotongzhi/200901/P020090116602614695502.doc
6. The Enterprise Internal Control Implementation Guideline (企業內部控制應用指引) http://szs.mof.gov.cn/kjs/zhengwuxinxi/gongzuotongzhi/200901/P020090108500001104757.doc
7. The Enterprise Internal Control Assurance Guideline (企業內部控制鑒證指引) http://www.cicpa.org.cn/professional_standards/comments/200807/W020080709285369212505.doc
8. Release Ceremony on Basic Standard for Enterprise Internal Control and the 1st High-Level Forum on Enterprise Internal Control, 企業內部控制基本規范發布會暨首屆企業內部控制高層論壇專輯, 中國財政經濟出版社 (China Financial and Economic Publishing House), 2008
9. Apple Daily, Aug 1, 2009, 銀行監管不足金融大案頻生 (Insufficient bank supervision breeds frequent major financial cases) http://hk.apple.nextmedia.com/template/apple/art_main.php?iss_id=20090801&sec_id=15335&subsec=15336&art_id=13050610

Industry Corner

Best Practices for Information Security in the Web 2.0 Era

William Tam, Technical Manager, Asia Pacific and Middle East, Websense, Inc.

To IT professionals in Hong Kong, it has become very obvious that Web 2.0 has made a big impact in the workplace – changing not only the way people communicate with each other, but also the way organizations conduct business.

To better understand the impact of and threats underlying the popularity of Web 2.0, in early 2009, Websense commissioned Dynamic Markets to conduct a global survey of 1,300 IT managers and professionals across 10 countries including Hong Kong. The interviewees were asked about their perceptions of Web 2.0 in the workplace, their understanding of Web 2.0 technologies, and whether their organizations are ready for the challenges of the Web 2.0 era.

According to the survey, nearly all IT managers in Hong Kong (98 percent) allow employees access to some Web 2.0 sites and applications in the workplace. However, more than half of the Hong Kong IT managers (54 percent) admit that their users try to bypass their company's security policies to access Web 2.0 applications that are restricted at work. At the same time, a majority of the IT managers (88 percent) feel pressured to allow and adopt more Web 2.0 sites and technologies at work. The report reflects the fact that IT managers in Hong Kong share the same struggle as the rest of the world – to strike a balance between taking advantage of the benefits of Web 2.0, whilst mitigating the security risks.

In response to the survey findings, Websense has teamed up with IDC to produce a whitepaper, "Best Practices for Securing Web 2.0", which aims to provide guidelines to IT professionals and organizations on how to secure access to Web 2.0 sites and applications, while minimizing the risk of malicious attack and possible data leakage. Here are some key considerations:


• Real-time Content Classification: The high volume of user-generated content in the Web 2.0 environment requires a security solution that can perform real-time deep content analyses and classification. Many Web 2.0 sites today incorporate some form of Web site mash-up that may be customized to an individual's interests. It is necessary for a system to analyze multiple flows in real-time, to allow good information in while keeping out the bad.

• Employee Access Rights: A mature web security solution must allow access to mission-critical SaaS applications on the web, while enabling safe and controlled access to non-business sites such as social networking sites. It should also be able to provide safe but time-limited access to sites for personal use. For example, organizations can allow up to 60 minutes per day of access to personal Web sites, such as for Web-based email and social networking.

• Data Loss Prevention (DLP): In the Web 2.0 era, blogs, social networking sites etc. are becoming channels for information leakage. Web 2.0 users may unintentionally post confidential information on blogs and forums. An integrated DLP-Web solution adds the identity and location context to the access, preventing data leakage through Web-based email or social networking Web sites.

• Application Control: Many Web 2.0 applications leverage evasive techniques to communicate and share information. For example, organizations may wish to allow Facebook access, but not Facebook-delivered games. A mature solution must provide control over these applications, whether they run over HTTP, HTTPS or other protocols. It should also provide the correct level of granularity of control, which ensures secure access for users.

• Remote Access: The growing number of mobile and remote users is creating a complex distributed workplace. Many corporate applications are being moved to the Web 2.0 environment to allow remote employees to work more efficiently. An effective Web 2.0 solution should provide the customer with choices regarding how to support the remote user while ensuring the application of a consistent policy throughout the organization.

• Unified Policy Management: Web 2.0 requires a policy to address multiple technology stacks, spanning everything from malware protection to objectionable content and application control. This complexity can lead to errors in translating a corporate policy into reality, unless the policy management engine is designed to pull all of these items together into a single policy that can be applied on a global basis.

• Comprehensive Reporting and Logging: Employees may use Web 2.0 technologies located outside the corporate network for collaboration on sensitive internal projects, as well as mission critical reporting and logging for audit and forensics. The Web 2.0 solution must enable multiple levels of reporting, including easy-to-interpret summary reports and the ability to drill down and quickly investigate violations against specific policy categories or by specific users and groups.

• Performance and Scalability: As the Web 2.0 world continues to mature and change, a good Web 2.0 security solution must provide high scalability, so it can expand and adapt to current or future needs, and its performance must be high enough to deliver security and control without impacting end users' ability to perform their duties.

• The Server Side of Web 2.0: Companies are increasingly allowing their customers to post comments on public support forums, Facebook, blogs etc. A Web 2.0 security solution needs to ensure that no malware and inappropriate contents are posted on the sites and associated with their brands. To limit liability and protect their brands, organizations need to think about how they can scan blog posts before they hit Web 2.0 sites.


Being the market leader and pioneer in web security, Websense has made some industry-first moves and initiatives to better protect customers in the Web 2.0 era.

For example, through the recent acquisition of Defensio, a unique company that developed technology for dealing with spam and malicious posting on Web 2.0 properties, Websense now provides web site owners with accurate, personalized and adaptive protection from comment spam and malware embedded in user-generated content, in real-time. By delivering unique real-world data analysis from blog comments as they are posted and other Web 2.0 applications, Websense can provide users with the capabilities that enable them to safely determine if user-generated content is malicious, unwanted or confidential – without having to embed anything in their applications or products. In the future, the technology will be extended to deliver protection from malicious code, phishing sites and fraud posted to and hosted on user-generated content sites.

Websense was also one of the first technology providers to address the needs of real-time content classification and analysis in the Web 2.0 world. In 2008, Websense launched Web Security Gateway, which combined anti-malware, Web reputation, and URL filtering protection to proactively block malicious content on a real-time basis. It keeps networks secure from malicious attacks and data leaks, while still enabling the latest Web-based tools, applications, and legitimate content. Moreover, Websense Web Security Gateway recognizes and controls more than 130 separate network protocols that are used by thousands of applications, and enables full control and security auditing of the usage of these tools within the organization. Applications can thus be blocked, allowed or limited, to control their impact on network resources.

By delivering a total Web security solution together with a data security solution, which focuses on protecting data itself and enables organizations to set granular policies around specific data, Websense can protect customers from dynamic malicious attacks and data leakage while allowing them to enjoy the benefits of Web 2.0.

William Tam, Websense ■

References

The whitepaper including more details on IDC's "Best Practices for Securing Web 2.0" can be downloaded from http://www.websense.com/site/docs/whitepapers/en/IDC_Web2.0BestPracticesWP_Jun2009.pdf

Full details on the survey methodology can be found in the report "Web2.0@Work" at http://www.websense.com/Web2.0atWork


In this article the author critically analyzed...

Event Snapshot

We Contribute. We Achieve.

Macao War Driving (Sep-2009)

PISA and WTIA co-organized this activity with the Macao organizations ISACA Macao Chapter and Macau New Technologies Incubator Centre (Manetic) in the Macao War Driving 2009. This is a continuation of the war driving activity in Macao since 2008. There were around 40 participants from Hong Kong and Macao. Each participant used WiFi Hopper or Vistumbler to collect the WiFi signal data. The project group is consolidating the results from individual participants.

Group photo at the Guia Fortress

Professionals of PISA and WTIA briefed new participants from Macao how to read the data collected by the tools.

We Share, We Progress.

PISA Annual General Meeting (Aug-2009)

PISA held the AGM and the EXCO Election.

We had a good turn out and members took a group photo after the meeting.

Daniel Eng, our ex-Chairperson, delivered the EXCO's business report to the fellow members.

Theme Seminar: Two-factor authentication: is it unbreakable?

The Theme Seminar before the AGM was presented by S.C. Leung. There were 30 participants from PISA and ISC2. The talk was very interactive. Participants discussed potential ways that 2FA can be breached and how current security measures can be enhanced. It was an enjoyable session.


Seminar: Dissection of Green Dam (Jun-2009)

In June, the Chinese Government announced that a filtering software called Green Dam must be installed in all manufactured PCs from 1 July onwards. The nature of the software had aroused the attention of the general public. PISA, Internet Society Hong Kong (ISOC-HK), Information Security and Forensics Society (ISFS), Hong Kong Internet Service Providers Association (HKISPA) and Valkyrie-X Research Lab responded swiftly and co-organized a technical seminar dissecting the software. At very short notice, Hong Kong Polytechnic University provided the venue, which was filled up with enthusiastic people.

Speakers Sang Young (PISA), Anthony Lai (VX-Lab) and Issac Mao (mainland blogger)

Panel Discussion: (left) SC Leung (Moderator), Anthony Lai (VX Lab), Charles Mok (ISOC-HK), Issac Mao (blogger), Franki Li (ISFS) and Thomas Tsang (PISA)

Participants actively spoke up in the panel discussion.


PISA Networking Hours (Aug-2009)

PISA held a networking evening. Our members, Honourary Advisors and Guests of Honour had a great evening.

Group Photo: (left) SC Leung, Dave Yip, Ian Christofis and Dale Johnstone

Biometrics: valuable but misused (Apr-2009)

Ian Christofis delivered a talk on biometrics (such as fingerprint, face or iris recognition), which are sometimes seen as the strongest type of authentication, but this is not really true. Ian discussed the vulnerabilities of biometrics, when they are the best choice, and when they should not be used.

Our vision provides us our destination. Our missions provide us the directions.

Promotion of information security in schools

PISA has partnered with ISC2, OGCIO and HKPF (Police) to deliver InfoSec talks to youngsters.

SC Leung delivered the talk to TWGHs S.C. Gaw Memorial College (Tsing Yi) in April and Howard Lau delivered the talk to Ju Ching Chu (Tuen Mun) Secondary School in May.

Kitty Chung of ISC2 was with a student who asked questions.

Delivering public talks on Information Security

Howard Lau delivered a talk in the NGO Day of The Hong Kong Council of Social Services in June.

Providing Expert Opinions on Public Affairs

PISA sent representatives to “COIAO Forum in Technology Aspect” (Jun-09) and the “Tech Crime Roundtable Discussion” (Jul-09) organized by IT Legislator Samson Tam’s Office, to give comments.

Professional Information Security Association http://www.pisa.org.hk

Vision: to be the prominent body of professional information security practitioners, and utilize expertise and knowledge to help bring prosperity to the society in the Information Age

Many Ways You Can Benefit

Successful Career: Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Networking: Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date.

Continued Education: Check out job listings information provided by members. Get information on continuing education and professional certification. Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.

Sharing of Information: Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Realize Your Potential: Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, WLAN & Bluetooth Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials.

Professional Recognition: Benefit from the immediate access to professional recognition by using post-nominal designation.

Membership Information

Membership Requirements (Enquiry email: [email protected])

Membership Type | Annual Fee (HK$) | Requirements: Qualifications | Requirements: Relevant Experience
Full | 500 | Recognized Degree in Computing discipline, OR other appropriate educational / professional qual. | 3 years Info-Sec working experience
Associate | 300 | Tertiary Education | Info-Sec related experience
Affiliate | 300 | Interested in furthering any of the objects of the society | Nil
Student | 100 | Full-time student over 18 years old | Nil

Application Form: http://www.pisa.org.hk/membership/member.htm
Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm

• Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.
• All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.