Lecture 10: Cyber law in Malaysia

Cyber law is any law relating to protecting the Internet and other online communication technologies. Cyberlaw is a term that encapsulates the legal issues related to the use of the communicative, transactional, and distributive aspects of networked information devices and technologies. It is less a distinct field of law, in the way that property or contract are, than a domain covering many areas of law and regulation. Some leading topics include intellectual property, privacy, freedom of expression, and jurisdiction.

In early 1987, the ICT industry in Malaysia started to grow, and it has grown rapidly over the years since. There are five cyberlaw acts in Malaysia: the Digital Signature Act 1997, Computer Crimes Act 1997, Telemedicine Act 1997, Communication and Multimedia Act 1998, and Copyright (Amendment) Act 1997. The Electronic Transactions Act (ETA), E-Government Activities Act (EGA) and Personal Data Protection Act are the new cyberlaw acts in Malaysia.

Malaysia has created the Multimedia Super Corridor (MSC). MSC development is to control the behavior of computer users in the country. There are 7 flagship applications slated for the MSC:
1. Electronic Government - Multimedia networked paperless administration
2. National Multi-Purpose Card
3. Smart Schools - Distance-learning Universities and wired schools
4. Telemedicine
5. R&D Cluster
6. World Wide Manufacturing Webs - remote manufacturing coordination and engineering support hub
7. Borderless Marketing Centers - multimedia customer service hub to provide electronic publishing, content localization, telemarketing and remote customer care.

Lecture 9: Legal and Ethical Issues In Computer Security

Legal and Ethical

a) Law

§ Law is not always the appropriate way to deal with issues of human behavior.

§ It is impossible or impractical to develop laws to describe and enforce all forms of behavior acceptable to society.

§ Society relies on ethics or morals to prescribe generally accepted standards of proper behavior.

b) Ethics

§ An ethic is an objectively defined standard of right and wrong.

§ Ethical standards are often idealistic principles.

§ Each person is responsible for deciding what to do in a specific situation, hence defines a personal set of ethical practices.

Differences between Laws And Ethics

Law

  • Formal, documented
  • Interpreted by courts
  • Established by legislature representing everyone
  • Applicable to everyone
  • Priority determined by courts if two laws conflict
  • Enforceable by police and courts

Ethic

  • Described by unwritten principles
  • Interpreted by individuals
  • Presented by philosophers, religions, professional groups
  • Personal choice
  • Priority determined by individual if two principles conflict

Ethic Concept in Information Security

  • Ethical Differences Across Cultures
  • Software License Infringement
  • Illicit use
  • Misuse of Corporate Resources
  • Ethics and Education
  • Deterrence

Protecting Program And Data

a) Copyright

§ Are designed to protect the expression of idea.

§ Must apply to an original work, and it must be in some tangible medium of expression, for example printed, recorded, or made concrete in some other way.

b) Patents

§ Designed to protect the device or process for carrying out an idea, not the idea itself.

§ Valid only for something that is truly novel or unique.

§ The invention to be patented must not have been previously patented.

§ A patented object may be marked with a patent number to warn others that the technology is patented.

c) Trade Secret

§ must be kept a secret

§ the owner must protect the secret by any means, such as by storing it in a safe, encrypting it and by making employees sign a statement that they will not disclose the secret

§ trade secret protection can also vanish through reverse engineering

Information and The Law

Information is valuable in that it is used in businesses and everyday life. Businesses pay for credit reports and client lists. We also want inside information about competitors. Information does not fit other familiar commercial paradigms.

Features of information as an object :

§ It can be replicated

§ It has a minimal marginal cost

§ Its value is often timely

§ It is often transferred intangibly

Right of Employees and Employers

  • Ownership of a Patent
  • Ownership of copyright
  • Work for Hire
  • Licenses
  • Trade Secret Protection
  • Employment Contracts

Computer Crimes
A separate category for computer crime is needed for the following reasons:

  • Rules of properties
  • Rules of Evidence
  • Threats to Integrity and Confidentiality
  • Value of Data
  • Acceptance of Computer Terminology

Privacy
Some ethical issues in security seem to be in the domain of the individual's right to privacy versus the greater good of a larger entity. Examples: tracking employee computer use, crowd surveillance, etc.

There are four ethical issues of information age:

  • Privacy
  • Accuracy
  • Property
  • Accessibility

Control Protecting Privacy
Some control methods can be used to protect privacy:

  • Authentication
  • Anonymity
  • Computer Voting
  • Pseudonymity
  • Legal Control

Ethical Issues in Computer Security

  • Ethics and Religion
  • Ethics is not universal
  • Ethics Does Not Provide Answers
  • Ethical Reasoning

Examining a Case for Ethical Issue

  • Understand the situation
  • Know several theories of ethical reasoning.
  • List the ethical principles involved
  • Determine which principles outweigh others.

Lab 8: Hacking wireless password of modem

For this lab, Mr. Zaki set up a wireless network using a DLink. Then he asked us to search for the wireless network, and we connected to it using ‘1a2b3c4d’ as the password. In this lab, we need BackTrack and a wireless NIC (USB). Mr. Zaki asked us to download BackTrack from the website given, and we were required to log in with the username “root” and password “toor”. Then we need to check whether the wireless card has been switched on, by typing ‘ipconfig’ to know whether the network card can be used and typing ‘iwconfig’ to know whether the wireless network card can be used.

Mr. Zaki told us that the real key is set on the wireless AP (access point), where 24 key is given by the IV and 40 key is given by ourselves. To switch on rausb0, type ‘ipconfig rausb0 up’ in the command prompt. To ensure rausb0 is switched on, type ‘ipconfig’. Then type ‘iwconfig rausb0 mode monitor’ followed by ‘iwconfig’; the result ‘Mode: Monitor’ will be seen. After that, start BackTrack and plug in the USB.

Mr. Zaki also showed us ‘Kismet’. ‘Kismet’ is typed to scan the wireless networks; as a result DLink was seen and all the information about DLink was displayed. Mr. Zaki told us that ‘s’ is for sorting and ‘b’ is to sort according to the BSSID. We need an encryption key here. Then we press 'q' to get to the Network List screen. Use airodump to cache the packets and save them in some path. Then 'airodump-ng --ivs -w output-abg rausb0' is typed, where 'output' is the filename and rausb0 is the wireless network card. Next, 'aireplay-ng -3 -b 00:1E:58:FB:57:ED -h 00:22:6B:A9:59:AF -x 1024 rausb0' is typed, where the first address is the MAC address, while the second address is the local MAC address. After sending a lot of packets, it will send back a response. In order to know how many IDs have been cached, 'aircrack-ng -0 -n 64 -f 4 output-06.ivs' is typed, where output is the file name. This command is used to get the password.

Lecture 8: Wireless Security

Wireless LANs

§ IEEE ratified 802.11 in 1997- Also known as Wi-Fi.

§ Wireless LAN at 1 Mbps & 2 Mbps. -WECA

§ Now Wi-Fi Alliance 802.11 focuses on Layer 1 & Layer 2 of OSI model (Physical layer, Data link layer).

802.11 Components
Two pieces of equipment defined:

§ Wireless station: a desktop or laptop PC or PDA with a wireless NIC.

§ Access point: a bridge between wireless and wired networks, composed of a radio, a wired network interface (usually 802.3) and bridging software. It aggregates access for multiple wireless stations to the wired network.

802.11 safeguards

§ Security Policy & Architecture Design

§ Treat as untrusted LAN

§ Discover unauthorised use

§ Access point audits

§ Station protection

§ Access point location

§ Antenna design

802.11 modes

§ Infrastructure mode

§ Ad-hoc mode

There are 3 basic security services for a Wi-Fi environment:
1. Authentication: provides a security service to identify the identity of the communicating consumer.
2. Integrity: makes sure a message is unmodified during a transaction between Wi-Fi clients and the access point.
3. Confidentiality: provides the privacy achieved by a wired network.

WEP
WEP stands for Wired Equivalent Privacy. This encryption standard was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks.
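The following is an added example, not code from the lecture or the lab. It models the per-frame key that 64-bit WEP builds from a 24-bit IV sent in the clear plus a 40-bit shared secret, and shows why so small an IV space forces keystream reuse. The frame layout is simplified (no key ID byte), and the secret, IV and payloads are constructed.

```python
import zlib
from itertools import islice


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling (KSA), then generation (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: IV || RC4(IV || secret) XOR (data || CRC-32)."""
    if len(iv) != 3 or len(secret) != 5:
        raise ValueError("64-bit WEP uses a 3-byte IV and a 5-byte secret")
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = bytes(islice(rc4_keystream(iv + secret), len(body)))
    return iv + xor(body, keystream)  # the IV travels in the clear


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    keystream = bytes(islice(rc4_keystream(iv + secret), len(ciphertext)))
    body = xor(ciphertext, keystream)
    data, icv = body[:-4], body[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("integrity check value (ICV) mismatch")
    return data


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs repeat."""
    space, p_unique = 2 ** iv_bits, 1.0
    for k in range(frames):
        p_unique *= (space - k) / space
    return 1.0 - p_unique


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")        # constructed 40-bit secret
    iv = bytes.fromhex("aabbcc")                # constructed IV, reused below
    f1 = wep_encrypt(iv, secret, b"GET /index.html")
    f2 = wep_encrypt(iv, secret, b"POST /login.php")
    # Same IV -> same keystream, so the XOR of the two ciphertexts equals the
    # XOR of the two plaintexts; the secret never enters the result.
    print(xor(f1[3:], f2[3:])[:15] == xor(b"GET /index.html", b"POST /login.php"))
    print(f"P(IV repeat within 5000 frames) = {iv_collision_probability(5000):.3f}")
```

With random IVs a repeat becomes more likely than not after roughly 5,000 frames, which is the property WPA's per-packet keying in TKIP was designed to remove.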

WPA
Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN equipment that worked with WEP can simply be upgraded, and no new equipment needs to be bought. WPA is a trimmed-down version of the 802.11i security standard that was developed by the Wi-Fi Alliance to replace WEP. The TKIP encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional

For conclusion :

§ WAP is used on small, handheld devices like cell phones for out-of-the-office connectivity

§ Designers created WTLS (Wireless Transport Layer Security) as a method to ensure privacy of the data because it was being broadcast

§ 802.11 does not allow physical control of the transport mechanism

§ Transmission of all network data wirelessly transmits frames to all wireless machines, not just a single client

§ Poor authentication. The SSID is broadcast to anyone listening

§ Flawed implementation of the RC4 encryption algorithm makes even encrypted traffic subject to interception and decryption

§ WEP is used to encrypt wireless communications in an 802.11 environment and S/MIME for email

Lecture 7 : Security in Applications

An e-mail is a message made up of a string of ASCII characters in a format specified by RFC 822. It consists of two parts separated by a blank line: the header (sender, recipient, date, subject, delivery path) and the body, containing the actual message content. The security services provided for e-mail are Confidentiality, Data origin authentication, Message integrity, Non-repudiation of origin and Key management.


Security in Email :

S/MIME
S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME.
S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFCs. S/MIME was originally developed by RSA Data Security Inc.

S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption). S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them.


PGP
PGP is a freeware and commercial email and file encryption utility. It is also discussed in the chapter "Security Mechanisms".
Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is a replacement for rlogin, rsh, rcp, and rdist.


HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. HTTPS should not be confused with Secure HTTP (S-HTTP), specified in RFC 2660.

SFTP
SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

Web Security

Web security includes 3 parts:

1. Security of server.

2. Security of client

3. Network traffic security between a browser and a server.

Security of the server and security of the client are problems of computer security. Network security can be considered at different levels, for example:

§ Network level: use IPSec.

§ Transport level: use SSL (Secure Socket Layer) or TLS (Transport Layer Security).

§ Application level: use PGP, S/MIME, SET (Secure Electronic Transaction).

Secure Socket Layer (SSL)

SSL was developed by Netscape. The main part of SSL contains several protocols: the SSL Handshake protocol, SSL Change Cipher Spec protocol, SSL Alert protocol, and SSL Record protocol.

Secure Shell (SSH)

1. Initially designed to replace insecure rsh, telnet utilities.

2. Secure remote administration (mostly of Unix systems).

3. Extended to support secure file transfer and email.

4. Latterly, provides a general secure channel for network applications.

5. SSH-1 is flawed; SSH-2 has better security (and a different architecture).

Secure Electronic Transaction (SET)

SET is an open encryption and security specification designed to protect credit card transactions on the internet. SSL secures communications between a client and a server.

Biometric
Biometrics is the measurement and statistical analysis of biological data. In IT, biometrics refers to technologies for measuring and analyzing human body characteristics for authentication purposes. Biometrics has two types, Static and Dynamic. Static (also called physiological) methods base authentication on a feature that is always present. On the other hand, Dynamic methods base authentication on a certain behavior pattern. We also studied one of the Static types, which is fingerprint recognition. It uses Sensors and Integrated products.

Lab 6: Security In Network

The first task is to capture the File Transfer Protocol (FTP) username and password. First, we created 2 Windows Server 2003 virtual machines: one is winserv03_server, with the IP address 192.177.1.107, and the other is winserv03_client, with the IP address 192.177.1.105. Winserv03_server has FTP and Wire Shark installed on it. On winserv03_client, we log in to the FTP server on winserv03_server by using a command. Meanwhile, on winserv03_server, we view the Wire Shark interface; I noticed that the username and password that we used to log in to the FTP server can be clearly seen on the monitor.
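What task 1 shows can be turned into a monitoring check. The sketch below is an added example, not part of the lab handout: it walks the text lines of an FTP control channel and reports every login whose password crossed the network unencrypted. The record format and the names `SAMPLE`, `CleartextLogin` and `find_cleartext_logins` are assumptions, and the account name, password and server replies are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: (source, destination, payload line) records as they would
# appear on a reassembled FTP control channel (TCP port 21). The addresses are
# the lab's client and server; the account name and password are made up.
SAMPLE = [
    ("192.177.1.107", "192.177.1.105", "220 Microsoft FTP Service"),
    ("192.177.1.105", "192.177.1.107", "USER labuser"),
    ("192.177.1.107", "192.177.1.105", "331 Password required for labuser."),
    ("192.177.1.105", "192.177.1.107", "PASS S3cret-example"),
    ("192.177.1.107", "192.177.1.105", "230 User labuser logged in."),
]

CREDENTIAL_CMD = re.compile(r"^(USER|PASS)(?:\s+(.*))?$", re.IGNORECASE)


@dataclass
class CleartextLogin:
    client: str
    server: str
    user: str
    password_length: int       # length only; the secret itself is not stored
    accepted: Optional[bool]   # True on 230, False on 530, None if no reply seen


def find_cleartext_logins(records):
    """Return one finding per PASS command that was sent in the clear."""
    pending = {}   # (client, server) -> [user, password length or None]
    findings = []
    for src, dst, payload in records:
        line = payload.strip()
        match = CREDENTIAL_CMD.match(line)
        if match:
            verb, arg = match.group(1).upper(), match.group(2) or ""
            if verb == "USER":
                pending[(src, dst)] = [arg, None]
            elif (src, dst) in pending:          # PASS that follows a USER
                pending[(src, dst)][1] = len(arg)
            continue
        state = pending.get((dst, src))          # a reply travels server -> client
        if state and state[1] is not None and line[:3] in ("230", "530"):
            findings.append(
                CleartextLogin(dst, src, state[0], state[1], line[:3] == "230"))
            del pending[(dst, src)]
    for (client, server), (user, plen) in pending.items():
        if plen is not None:                     # password sent, reply not captured
            findings.append(CleartextLogin(client, server, user, plen, None))
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE):
        print(finding)
```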

The second task is to use IPSec to secure the FTP transaction. IPSec is one of the solutions to safeguard the transmission of data over FTP from being seen by an unauthorized user. Even though it is not mandatory to use IPSec in IPv4, it is already available in IPv4 and the user has the choice to enable it. IPSec will encrypt the data sent using a normal FTP connection, thus only the authorized party can see the content. On winserv03_server, we change several settings in the Management Console to implement IP security, and change some settings on winserv03_client to enable the authentication method. After a few steps of configuring FTP and Wire Shark, we try to log in just like in task 1. The result of task 2 is that Wire Shark cannot display the username and password.

Lecture 6: Security in Network

A computer network is a group of computers that are connected to each other for the purpose of communication. Networks may be classified according to a wide variety of characteristics. A computing network is a computing environment with more than one independent processor, and there may be multiple users per system.


What can a network provide?

A network provides a logical interface function, sending messages, receiving messages, executing programs, obtaining status information, and obtaining status information on other network users and their status.

Type of Network
One way to categorize the different types of computer network designs is by their scope or scale. For historical reasons, the networking industry refers to nearly every type of design as some kind of area network. Common examples of area network types are:
LAN - Local Area Network
WLAN - Wireless Local Area Network
WAN - Wide Area Network
MAN - Metropolitan Area Network

Network topologies
There are 4 topologies: Bus Topology, Star Topology, Ring Topology and Mesh Topology.

IPSec

§ Authentication & encapsulation

§ Work on layer 3

§ Can only be decrypted on the receiver side

SSL

SSL is the most widely used Internet security protocol, supported by all the major web browsers. SSL adds a security layer between application protocols and TCP, so applications explicitly have to ask for security. The SSL specification defines a handshake protocol whereby client and server agree on a cipher suite, establish the necessary keying material and authenticate each other. It combines symmetric (on the client host) and asymmetric (on the server) algorithms.

Kerberos

§ One server, called the Kerberos server, is used to provide control of authentication.

§ A host needs to have a ticket before it is able to send a packet to any server; one authentication server is used to control the tickets.

§ A ticket is unique, encrypted and has a lifetime; once the lifetime is over, the client must request a new one before it is able to communicate with another server.

Firewall

A firewall prevents specific types of information from moving between the outside world and the inside world, and may be a separate computer system. There are four basic types of firewall: packet filter, circuit-level proxy, stateful packet filter and application-level proxy. The challenges in building firewalls are twofold. With respect to functionality, the protection mechanisms in the firewall have to match the customers’ security policies, which often are a mixture of address-based and identity-based policies.

IDS

§ Captures packets and compares them with the IDS rules that are installed and stored in a database. If a malicious packet is detected, an alert is sent to the admin so that the admin can go to the firewall device and block that particular packet.

§ Depends on the attitude of the admin and on the rules; the admin must update the rules constantly so that they stay relevant.

IPS

Scans the network and, if it detects a malicious packet, the IPS sends an alert to the access list on the firewall, and the firewall directly blocks that particular packet.

Hacking involved:

§ Reconnaissance – gain general info on target host

§ Scanning

§ Gaining access

§ Maintaining access

§ Covering tracks