The Open Source Security Threat
Fast-moving mobile phone development has made open source software
development a popular approach. One particular reason for the popularity
of open source in organizations is that it has been proven to cut
costs. The value of this development methodology lies not only in the
design of the software but in the marketing opportunity it provides to
organizations and individuals. Open source platforms are provided by
Google (Android), Palm (GNU/Linux), Nokia (Maemo) and Apple (iPhone).
The open source model allows much greater creativity, as it differs
from the more corporate, centralized development models that have been
used to date (BlackBerry is an example). The essence of open source is
public collaboration, which results in peer-production development of
open source software, in particular in the mobile phone software
industry.
Fast Development
The open source community is developing very fast these days,
galvanized by mobile phone developers. Open source software
development does, however, carry potential security risks both for
corporations and individuals. Too often the open source communities
that offer their software for free do not appear to be as mindful of
security practices as their commercial counterparts, which charge for
software and support.
Social engineering has also gained new prospects, such as working out
when you are away from your home for criminal purposes; sites like
PleaseRobMe.com do just this. Of the same ilk, facial recognition
technology and the tagging of users in photos on social media sites
blur the work-home boundary even further. For example, police officers
have already come under attack after their identities were exposed
through social media and facial recognition technology.
Near Field Communication
NFC (Near Field Communication) technology is an interesting example of
innovative technology that aims to deliver convenience for consumers.
However, it will introduce a new dimension of challenges for security
professionals, making mobile devices a much more attractive target for
stealing money. There is a push to build NFC technology into mobile
devices, enabling users to make payments or pass on personal information
with a simple swipe of a mobile device over a reader. This will further
transform the smartphone into the single device from which most aspects
of your life are driven, making it even more attractive to
cybercriminals.
Third Party Applications
Mobile devices are also starting to define their architectures around
modern working practices. BlackBerry, for example, has introduced a
feature that provides two isolated working environments on the same
device (sandboxing), allowing you to separate work and personal data.
Even vendors with a strong security reputation like BlackBerry have
been victims of exploitation and breaches. While malware attacks on
mobile devices are undoubtedly different from those on desktops, they
are still entirely possible.
Some believe that the open source nature of Linux (for example)
provides a primary vehicle for making security vulnerabilities easier
to identify and fix. The main advantage here is that the community can
review the source code and make it more secure, which in turn
encourages security best practices. Users and time will decide whether
this is actually the case. The advent of social websites such as
Facebook, MySpace and Twitter has led to a surge in third party
application development for desktops, laptops, tablets and smartphones.
Facebook & Third Party
Facebook, the fastest growing of these social websites, allows
publishers to develop third party applications to improve the Facebook
experience. Closer inspection of most third party applications reveals
to users that they all require your 'login and password' details. It
appears that most Facebook users do not believe this is a risk to their
identity. Maybe it isn't, but how do you manage the risk of your 'login
and password' details falling into the hands of a cybercriminal? The
major risk is that if you are paying for third party software, the
software might steal your financial login data as well as install
malicious software on your smartphone. The final infiltration will
occur (as the last security flaw) when the mobile user connects to
their PC via either Bluetooth or USB, and you receive a cross-platform
infection from the third party software on your PC. There are no
instances I know of where this has happened yet, but in time this
attack vector will surely appear.
In Conclusion
It is the development of open source software that may well lead to
these security issues, and many others, being discovered. New
functionality breeds fresh opportunities for the bad guys. New features
like augmented reality, facial recognition and integrated social media
could leave users open to new kinds of abuse. Augmented reality, for
example, connects location information with a user's social media
"friends", enabling them to identify digital contacts nearby. We will
find out in the coming years whether open source software development
has opened up a security hornet's nest. Users, meanwhile, need to
embrace the security suites offered by companies like Bullguard,
Kaspersky Mobile 9, ESET, Panda, AVG, Trend Micro, Webroot, F-Secure,
Norton, etc. to lock down their systems.
Saturday, May 5, 2012
Using Keystroke Dynamics for Personal Security Systems
Access to computer systems is usually controlled by user accounts with
usernames and passwords. Such a scheme offers little security (Hu. J et
al. (2008), Pavaday. N and Soyjaudah. K.M.S (2007)) if the information
falls into the wrong hands. Key cards or biometric systems (Adrian
Kapczynski et al. (2006), Gláucya C. Boechat et al. (2007), Anil Jain
et al. (2003), Duane Blackburn et al. (2007)), for example fingerprints
(Lin Hong and Anil Jain, (1998)), are being used nowadays to improve
security. Biometric methods measure biological and physiological
characteristics to uniquely identify individuals. The main drawback of
most biometric methods is that they are expensive to implement, because
most of them require specialized hardware to strengthen security. On
the other hand, keystroke dynamics (Fabian Monrose and Aviel D. Rubin
(2000), Jarmo Ilonen, (2003)) offers several advantages: (i) it can be
used without any additional hardware, and (ii) it hardens the existing
security.
Keystroke analysis (Christopher S. Leberknight et al. (2008)) is of two kinds: static and dynamic. Static keystroke analysis essentially means that the analysis is performed on typing samples produced using the same predetermined text for all the individuals under observation. Dynamic keystroke analysis implies continuous or periodic monitoring of issued keystrokes and is intended to be performed during a log-in session, after the authentication phase has passed.
One area where the use of a static approach to keystroke dynamics may be particularly interesting is in restricting source-level access to the master server hosting a Kerberos (Gabriel. L. F. B. G. Azevedo et al. (2007)) key database. Any user accessing the server is prompted to type a few words or a pass phrase in conjunction with his/her username and password. Access is granted if his/her typing pattern matches, within a reasonable threshold, that of the claimed identity. This safeguard is effective because there is usually no remote access allowed to the server, and the only entry point is via console login. Alternatively, dynamic or continuous monitoring of users' interaction while accessing highly restricted documents, or while executing tasks in environments where the user must be alert at all times (for example air traffic control), is an ideal scenario for the application of a keystroke authentication system. Keystroke dynamics may be used to detect an uncharacteristic typing rhythm (brought on by drowsiness, fatigue etc.) in the user and notify third parties.
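The static scheme described above, as an added illustration that is not from the post or any of the cited papers: enrollment samples of a fixed pass phrase are turned into a template of per-feature mean and standard deviation of dwell and flight times, and a probe is accepted only if it falls within a threshold of that template. The phrase, the timing values and the threshold of 2.0 standard deviations are all constructed assumptions.

```python
from statistics import mean, pstdev

PHRASE = "secure"  # fixed pass phrase, as in static keystroke analysis (assumed)

def make_sample(dwell_ms, flight_ms):
    """Build (key, press_ms, release_ms) triples from per-key dwell and flight times."""
    sample, t = [], 0
    for i, key in enumerate(PHRASE):
        sample.append((key, t, t + dwell_ms[i]))
        t += dwell_ms[i] + (flight_ms[i] if i < len(flight_ms) else 0)
    return sample

def features(sample):
    """Timing vector: dwell (release - press) per key, then flight (next press - release)."""
    dwell = [r - p for _, p, r in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and standard deviation over the enrollment samples."""
    vecs = [features(s) for s in samples]
    mu = [mean(col) for col in zip(*vecs)]
    # floor the deviation at 1 ms so a perfectly consistent feature cannot divide by zero
    sd = [max(pstdev(col), 1.0) for col in zip(*vecs)]
    return mu, sd

def score(template, sample):
    """Mean absolute z-score of the probe against the template; lower is closer."""
    mu, sd = template
    return mean(abs(x - m) / s for x, m, s in zip(features(sample), mu, sd))

def verify(template, sample, threshold=2.0):
    """Accept when the probe lies within `threshold` standard deviations on average."""
    return score(template, sample) <= threshold

# Constructed enrollment data: three typings of the phrase by the claimed user.
ENROLLMENT = [
    make_sample([90, 85, 95, 80, 88, 92], [120, 110, 130, 115, 125]),
    make_sample([94, 81, 99, 84, 84, 96], [124, 106, 134, 119, 121]),
    make_sample([86, 89, 91, 76, 92, 88], [116, 114, 126, 111, 129]),
]
TEMPLATE = enroll(ENROLLMENT)
# Constructed probes: one by the same user, one by a slower-typing impostor.
GENUINE_PROBE = make_sample([92, 87, 93, 82, 86, 94], [118, 112, 128, 117, 123])
IMPOSTOR_PROBE = make_sample([150, 140, 160, 130, 145, 155], [260, 240, 270, 250, 255])

if __name__ == "__main__":
    print("genuine accepted:", verify(TEMPLATE, GENUINE_PROBE))    # True
    print("impostor accepted:", verify(TEMPLATE, IMPOSTOR_PROBE))  # False
```

In practice the threshold is tuned against the false-accept and false-reject rates measured on real enrollment data, and the template is refreshed as the user's rhythm drifts.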