PISA Journal Issue 10

Professional Information Security Association

SEP-2009

In this issue: Green Dam: Dissecting the Filtering Functions (綠壩— 過濾功能的剖析); Reversing Green Dam; Green Dam: A Reflection of China's Clean Internet Initiative; AES-256 vs AES-128; Domain Name System Amplification Attack; China - Basic Standard for Enterprise Internal Control; Best Practices for Information Security in the Web 2.0 Era

www.pisa.org.hk

Page 1 of 36

An Organization for Information Security Professionals

Issue 10, SEP-2009

Editor: editor@pisa.org.hk

Copyright © 2009 Professional Information Security Association. Licensed under a Creative Commons Attribution-Noncommercial-Share Alike licence.

Contents

3  Message from the Chair
4  Green Dam: Dissecting the Filtering Functions (綠壩— 過濾功能的剖析)
7  Reversing Green Dam – Uncover the Darkness and Truth
12 Green Dam - A Reflection of China's Clean Internet Initiative
16 Cryptography: AES-256 vs. AES-128: which provides more security control
19 Internet Security: A Look at Domain Name System Amplification Attack
23 IT Governance and Compliance: China - Basic Standard for Enterprise Internal Control
27 Websense: Best Practices for Information Security in the Web 2.0 Era
30 SCWC2009: SC World Congress 2009
31 Program Snapshot
35 Active in External Affairs
36 Membership Benefits

Softcopy available at http://www.pisa.org.hk/publication/journal/



Message from the Chair of PISA

Antony Ma

CISA, CISSP

Chairperson

PISA has been organizing information security events, technical research studies and policy comments since 2002. This basic theme has not changed through the years, while more members and program committees have joined us. In 2008, we had a change of the web site, led by our EXCO member George Chung. The current web site will be further enhanced to make PISA more responsive to the community.

From day one, PISA was built on the continuous and unconditional contributions of our members. We will continue this spirit in the coming years. When I met members at our gatherings, many new ideas were proposed. With the contribution of members, I believe we are able to implement some of them and make PISA a more open, responsive and professional security association. Let us work together to bring PISA a successful year in 2009/10!

PISA has made very prominent contributions to WiFi security in Hong Kong and to school security management. A recent project into which we are putting a lot of effort is the Honeynet project, on which we are cooperating with City University and IVE (Haking Wong). This project is led by Program Committee members Peter Cheung and Roland Cheung.

Antony September 2009

The newly elected PISA EXCO 2009/10 Jim Shek (left), Antony Ma, Raymond Tang, Frank Chow, Alan Ho, George Chung & James Chan

Dissecting Green Dam

Green Dam: Dissecting the Filtering Functions (綠壩— 過濾功能的剖析)

Sang Young (楊和生), CISSP CISA CEI ECSA CHFI CEH, Program Committee

Green Dam Youth Escort (綠壩-花季護航) was developed by a software company based in Hangzhou, China. Under a directive from the Ministry of Industry and Information Technology (MIIT), it was originally to be installed on every new computer before sale, starting from 1 July 2009. However, because of the software's quality, the implementation timetable and strong reactions from businesses and netizens at home and abroad, MIIT postponed the directive at the end of June 2009 until further notice. Officially, Green Dam is positioned as software that protects minors online: it can recognise pornographic images and articles on web sites and filter them. We set out to test Green Dam's various functions and its "other functions".

Function tests

We used Home Edition version 3.17. Opening the Green Dam system shows several built-in filtering functions, the main ones being:

• URL filtering
• Keyword filtering
• Image filtering
• Screen text filtering

The test results for Green Dam's technical methods follow.

URL filtering

Green Dam has a URL database that can be updated periodically. When a user visits a web site whose URL is listed in the database, a "DNS error" message appears and the site cannot be accessed. In our tests, URLs successfully filtered included http://www.playboy.com; but because of the inherent weakness of a URL database, many pornographic sites' URLs were still not filtered. Worse, many legitimate sites were wrongly filtered: for example, the Microsoft SysInternals security tools site http://www.sysinternals.com was classified by Green Dam as an inaccessible URL. URL filtering is therefore both ineffective and prone to false positives.

Keyword filtering

Green Dam also filters on keywords that appear in a web page, and the keyword database can likewise be updated periodically. In our tests, when a keyword appeared, the web browser showed the same "DNS error" message. For example, http://www.sex141.com is not in the URL database, but because the page contains some sex-related keywords, Green Dam filters this site too. Unfortunately, the keyword database has the same serious weakness, causing many legitimate sites to be wrongly filtered; for example, the Family Planning Association of Hong Kong site (http://www.famplan.org.hk) became collateral damage because it contains similar keywords. Keyword filtering has other weaknesses, such as not recognising characters that are neither Chinese nor English: preliminary tests showed that when Japanese pornographic terms appeared on a page, Green Dam could not filter them.


Image filtering

Another function Green Dam claims to be powerful is intelligent filtering of pornographic images, based on skin tone detection. Vendors applied this technique to Internet filtering as early as ten years ago, but skin tone detection has many limitations (for example, it can only recognise white and yellow skin), so it never became widespread. By default, Green Dam's image filtering is switched off. We enabled it and tested it: pornographic photos of white and yellow-skinned people were successfully filtered; the failures were mainly darker photos or photos of black people. Successfully filtered: http://www.wsyoung.com/f/123.bmp. Quite a few photos were not filtered, including http://www.wsyoung.com/f/456.bmp and http://gdghdshadh1.blog116.fc2.com/blog-entry-244.html. Not only that, Green Dam also wrongly filtered a large number of non-pornographic photos, for example a baby's head, Hu Jintao's face, the Chinese national flag and the Party emblem.


Screen text filtering

Screen text filtering means that Green Dam filters applications, such as Microsoft Office and Notepad, in which keywords appear. We tried typing "sex", "fuck", 「愛」 (love) and 「屠殺」 (massacre) into Notepad and found they could be entered; but when we typed 「六四屠殺」 (June 4th massacre), 「六四屠城」 (June 4th slaughter of the city) or 「陷害法輪功」 (framing Falun Gong), Green Dam immediately closed Notepad and displayed 「此信息不良! 將被過濾掉!」 ("This information is harmful! It will be filtered!"). Because the user's document has not yet been saved, this causes loss of unsaved data. In our tests, applications that get closed also include Wordpad, Editpro, Internet Explorer and Firefox. Interestingly, simply renaming the notepad program is enough to bypass this heavy-handed screen text filtering function.

Other test results

Green Dam's other functions include periodic capture of the user's screen (screen capture), every 3 minutes by default and at most every 1 minute, with the captures stored in time order. The security threat is that sensitive screens may be recorded, for example online banking sessions, the contents of decrypted documents and private communications; whether uploaded by Green Dam to a server or obtained through unauthorised access to the computer, the captured screens form a database of sensitive user behaviour. For image filtering, different sensitivity levels can be set. When we used Firefox, the filtering was much less effective; sometimes it failed to filter, and when it did succeed, Firefox showed no error or notification, only a blank page. Green Dam's language is fixed to a Simplified Chinese working environment; to install it or change its settings, you must use a Simplified Chinese edition of Windows or set the system default language to Simplified Chinese. During the test period, a campus edition and a server edition of Green Dam also appeared; the campus edition is said to be identical to the home edition we tested, while the server edition is a Microsoft IIS plug-in originally intended for network content providers.

Summary

The Green Dam version we used was Home Edition 3.17. It can filter pornographic web content, but it also filters non-pornographic sites. When politically sensitive content appears, Green Dam kills the application without saving the user's input. Green Dam also has logging functions that store the URLs the user browses and screen captures. Green Dam also has outbound communication functions, which can be used to update its databases.

Sang Young (楊和生), 2009 ■

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.

Dissecting Green Dam

Reversing Green Dam – Uncover the Darkness and Truth

Anthony Lai

CISSP, CSSLP, CEH Program Committee, PISA Founder and Security Researcher, Valkyrie-X Security Research Group

You may already have studied the dynamic behaviour of the Green Dam software from Sang Young's article. I have highlighted some important findings from reverse engineering a few critical modules of Green Dam, to understand what it does as well as its architecture. Finally, we provide a summary and recommendation, as well as the room for further research on Green Dam.

1. Commander of Installation and Process

We found that XNet2.exe is the main Green Dam service. It performs installation, registers the software key with the system, and is responsible for password check and reset. It also acts as commander of XDaemon.exe and gn.exe and kick-starts a number of processes from the following executables: Xdaemon, gn, HTAnalyzer, MPSVCC, HNCENG, HH, Looklog and LookPic.

Figure 1.1: Creating the process


2. Application executable monitoring

A critical finding is that injlib32.dll is injected into every critical process. Handle.dll creates a process/thread to monitor any messages received from the injected DLL (it supports transmitting strings). You may be amazed that it is architected like malware. Figure 2.1 shows our proposed model of how they interact with each other.

Figure 2.1: The relationship between injlib32.dll and Handle.dll

Figure 2.2: Following the memory address loc_100008918, we find the list of executable names loaded for monitoring.


Figure 2.3a & 2.3b: Display of the monitored services running on a computer with Green Dam installed

3. Connecting to a remote time server at NIST (National Institute of Standards and Technology) in the United States

We found Green Dam trying to set up several network sockets and connect to the ISP and to NIST's time server in the United States. The time server is used to synchronise time across time zones for logging and downloading.

Figure 3.1: Setting up and opening network socket


Figure 3.2: List of IP addresses Green Dam attempted to connect

Figure 3.3: WHOIS search returns information on IP address "132.163.4.103", which belongs to NIST

4. Suspected piracy violation and code stealing from Cybersitter

I decrypted the word list file with the information supplied by the Technical Analysis of Green Dam [1]. Those keywords and naming conventions are nearly the same as those of Cybersitter from Solid Oak. On 25 June, Solid Oak published a detailed copyright infringement document stating that Green Dam Youth Escort contains portions of Cybersitter code [3].

Figure 4.1: Filtering classification is nearly the same as that found in Cybersitter


Summary and Recommendation

From the above findings, our research group believes that Green Dam does not simply function as an Internet filter; it also monitors applications and the content typed into them. In fact, it has a malware-like architecture, and the existing vulnerabilities could lead to further security risk exposure. Especially for the editions for various servers, the installation may open loopholes for severe attacks, including DoS and unauthorized access.

This is just the beginning. We have not tested the following scenarios:

• Whether any upgraded version supports data definition updates and uploads the violation to the server when sensitive words are input.
• The server edition, such as the version for web servers, has not been tested.
• We have not carried out reverse engineering over every module to obtain a complete picture of how its operation flows.

Bypassing Green Dam

If you are using Green Dam at your workstation and are forced to taste the power of its monitoring, note that it relies on hardcoded strings and executable names. The easiest way is to create another set of executables by renaming, for example changing "notepad.exe" to "nopad.exe", to bypass the application monitoring.

Anthony Lai, 2009 ■

Reference

[1] Technical Analysis of Green Dam http://wikileaks.org/wiki/A_technical_analysis_of_the_Chinese_'Green_Dam_Youth-Escort'_censorship_software
[2] Analysis of the Green Dam Censorware System http://www.cse.umich.edu/~jhalderm/pub/gd/
[3] Green Dam Youth Escort Contains Portions of Cybersitter Code – Copyright Infringement Issues – June 25, 2009 http://www.cybersitter.com/gdcs.pdf

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.

Dissecting Green Dam

Green Dam - A Reflection of China’s Clean Internet Initiative

SC Leung

CISSP, CSSLP, CBCP Program Committee, PISA

Green Dam Rush

On 9th June 2009, the Ministry of Industry and Information Technology (MIIT) of the Chinese Government issued a notice to all PC makers in China, requiring them to offer the "Green Dam - Youth Escort" (綠壩--花季護航) software, either preinstalled or as part of the basic software package, for all PCs starting from 1 July 2009. This measure had a direct impact on the hundreds of millions of Internet users in China and at the same time affected PC manufacturers, online advertising companies, bloggers and many others. The Green Dam software, downloadable at lssw365.net, was developed by two MIIT-picked Chinese software companies, Jinhui Technology and Dazheng Language Technology, under an RMB 41M contract. The software is free of charge to users in the first year and requires a subscription fee from the second year onwards.

Why Green Dam?

The Government presented the Green Dam implementation as part of a "green Internet" policy to protect children from online pornography. The software was controversial. While some parents supported such an initiative, many others argued that decisions and control over filtering to protect children should be left in the hands of parents and teachers. Centralized censorship, even when well-intentioned, infringes the rights of citizens. China has a sophisticated national-level filter at the network gateway, the Great Firewall of China (GFW). Why is there a need for Green Dam? From public domain analysis, the network filters could be circumvented by users who adopted anonymous web proxies and TOR (The Onion Router) [1] technologies. Green Dam was client-side filtering software, aiming to complement the GFW. With Green Dam installed, even if a user has a proxy server or TOR client installed to bypass the network-level filter, Green Dam is able to intercept the data passing through and take filtering action before it is displayed to the user.

[1] http://www.torproject.org/


Civilian analysis of Green Dam

The most heated discussions in public forums in mainland China and around the world concerned possible Internet censorship via Green Dam. Does Green Dam behave exactly as the government officials said? Are there any undocumented features in Green Dam? The global Internet community was quick to respond to these concerns with sound analysis. Many different studies were conducted by civil societies around the world; one of the important ones is "A Technical Analysis of the 'Green Dam-Youth Escort' Software" [2]. The coincidence of the findings reinforces the credibility of the results. Here are some findings of the studies.

1. Green Dam was found to use several filtering technologies: URL, keyword and skin tone recognition.
2. The filtering performance was in general poor. It did not work well with the Firefox browser. It failed to block pornography of black-skinned people while it blocked non-obscene content like baby photos [3]. Green Dam seemed to block very broad keywords, causing severe over-blocking. For example, The Family Planning Association of Hong Kong was blocked because some sex education terms are in the blacklist.
3. The keyword blacklist contains a lot of political terms, which indicated that the software was not solely for filtering pornography but also political information [4].
4. The software could capture screenshots, similar to some spyware, and it is not known whether the screens are sent to a central server on request. The software also collected user behaviour and sent information back to servers owned by Jinhui Technology, and the transmission was found to be unencrypted.
5. The software monitored editor software and terminated it if the user typed politically sensitive terms like 「六四屠殺」 (June 4th massacre) or 「陷害法輪功」 (falsely incriminating Falun Gong).
6. Researchers from the University of Michigan released an analysis report on the software [5], citing two critical security vulnerabilities, in web filtering and blacklist update, which when exploited could allow the software manufacturer or hackers to take total control of the PCs. Green Dam enabled PCs could become a large-scale botnet. Furthermore, updates are delivered via unencrypted HTTP, which could allow a third party to impersonate the update server and take control of users' computers.
7. A software house, Solid Oak Software, issued a document "Copyright Infringement Issues -- Green Dam Youth Escort Contains Portions of Cybersitter Code" on June 25, 2009, condemning Green Dam for using their blacklist [6].

[2] https://docs.google.com/View?id=afk7vnz54wt_12f8jzj9gw
[3] Translated posts: http://www.zonaeuropa.com/200906a.brief.htm#017
[4] http://wikileaks.org/wiki/Chinese_Green_Dam_Falun_Gong_related_censorship_keywords%2C_June_2009
[5] Analysis of the Green Dam Censorware System http://www.cse.umich.edu/~jhalderm/pub/gd/
[6] http://government.zdnet.com/?p=5034


MIIT forced an urgent patch to the Green Dam security holes [7]. The researchers of the University of Michigan subsequently studied the patch, version 3.173a, and discovered a new vulnerability [8]. They also found that Green Dam had ceased using the Cybersitter blacklist starting from this version. In a later version, 3.174, they found that Green Dam had added the licence text required by the OpenCV open-source project to Green Dam's help file. The researchers said that "while the 3.174 filter update added the required license, Green Dam's use of OpenCV prior to version 3.174 may be in violation of OpenCV's license."

General concerns

1. The over-blocking blocked access to proper information and affected productivity or school learning.
2. The blocking of political content was a form of censorship of freedom of information access.
3. The monitoring of typed-in information infringed freedom of expression.
4. Some feared that logging of user activities would be used to prosecute and arrest people for possible offences.
5. The capture of screenshots infringed personal privacy.
6. People feared that they had no control over how Green Dam evolves after software updates.
7. The software connected to a central database to get updates of the URL blacklist and keyword blacklist. There was no transparency in the blacklist items and no mechanism to appeal and correct mis-configured items. Users could hardly know what contents were blocked, or whether the blocked contents were harmful.
8. Foreign businesses with sensitive communications such as trade secrets use VPNs and other end-point encryption to protect their information traversing untrusted networks. They were afraid that Green Dam could provide a perfect backdoor to bypass all these protections, leading to data leakage.
9. The use of mandatory client filtering software created a monoculture which lacks competition and commercial incentive to improve, making the software more vulnerable.
10. The use of a single national filtering software on citizens' PCs created an attractive target for attack and could impact national security.
11. Many international companies have global purchasing guidelines that are enforceable in their offices in China. The requirement of having Green Dam installed on purchased PCs created a headache in compliance with the company's global practices.

[7] China orders plug for hole in Green Dam http://news.zdnet.co.uk/security/0,1000000189,39664231,00.htm
[8] http://www.cse.umich.edu/~jhalderm/pub/gd/#add1


Suspension of Green Dam

At the end of June, the Chinese officials toned down the mandatory enforcement of the policy to an advisory. On one hand, the policy received serious criticism from Chinese netizens. On the other hand, discussion in some official forums indicated that some other governmental departments also had reservations on Green Dam.

The vendors in western countries, where civil societies are stronger, received a lot of pressure over Green Dam installation on PCs. The Global Network Initiative [9], which included several major suppliers like Microsoft, Google and Yahoo!, as well as research institutes and human rights watch groups, openly criticized China's Green Dam policy. It would be hard for the vendors to comply with the Chinese requirement, let alone the tight schedule.

Post Green Dam Era

The Chinese Government maintains a high profile in "cleaning up the Internet" although the push of Green Dam was suspended.

1. The Government stated that it would improve the Green Dam software [10]. For schools and Internet cafes, it was reported that the Green Dam implementation continued.
2. The Government continued to push forward real name registration in web portals and online forums to increase the authenticity of user accounts, which the Government believed could mitigate abuse of Internet usage. Users of Sina (新浪, sina.com), WangYi (网易, 163.com) and SoHu (搜狐, sohu.com) were required to use their real name and ID card number to register [11].
3. On 11 September, the Chinese Government ordered all web servers and web hosting providers in China to install a server-based filtering software, BlueDon (藍盾) [12]. The software was said to filter illegal content at the web server [13].

So the suspension of Green Dam is not the end of the story but only a milestone. We should see more developments in China's "clean Internet" policy from different perspectives.

SC Leung, 2009 ■

[9] http://www.globalnetworkinitiative.org/
[10] http://www.rfa.org/mandarin/yataibaodao/lvba-08132009160342.html
[11] http://zh.wikipedia.org/wiki/%E4%B8%AD%E5%9B%BD%E7%BD%91%E7%BB%9C%E5%AE%9E%E5%90%8D%E5%88%B6
[12] http://download.bluedon.com/
[13] http://www.rfa.org/mandarin/yataibaodao/wangluo-09112009101909.html

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.


Cryptography

AES-256 vs. AES-128: which provides a more secure control?

Otto Lee

CISA CISSP CSSLP

The AES is a global standard encryption algorithm. It was to replace Triple DES, which was broken in 200x. There are various versions of AES, named according to the key size. A larger key requires more computation, so in general people regard a larger key as harder to break. In this article the author critically analyses AES-256 security with respect to recent attacks of practical complexity.

Introduction

Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES) is an encryption standard announced by the National Institute of Standards and Technology (NIST) as FIPS 197 in 2001. It was then approved by the National Security Agency (NSA) for top secret information and is currently one of the most popular algorithms used in symmetric key cryptography. AES has three block ciphers, AES-128, AES-192 and AES-256, with a fixed block size of 128 bits and a key size of 128, 192, or 256 bits. In the last few months, a couple of attacks have been published against AES-192 and AES-256, and the latest one, published by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, seems to be quite destructive and is treated as a complete attack against 11-round AES-256. This article describes those attacks on AES-256 and the corresponding impacts.

As stated in [1], AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, with 10, 12 or 14 rounds respectively; the design can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. Since one byte equals 8 bits, the fixed block size of 128 bits is 128 ÷ 8 = 16 bytes. AES operates on a 4×4 array of bytes, and its calculations are done in a special finite field. The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output ciphertext. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds is applied to transform ciphertext back into the original plaintext using the same encryption key.
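To make the structure just described concrete, here is an added example, not from the article and not from any AES library: a compact FIPS-197 AES written in plain Python, parameterised only by key length, so that the 16-byte (4×4) block, the key-dependent step (AddRoundKey), the finite-field arithmetic and the round counts 10/12/14 are all visible. The function names are the example's own, and the optional `rounds` parameter is an illustrative addition that stops the cipher early to show what an "11-round AES-256" variant, as attacked in the papers discussed later in the article, actually is. The expected ciphertexts are the FIPS-197 Appendix C test vectors.

```python
# Added example: table-free AES (FIPS-197) parameterised by key length.

def _xtime(b):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def _gmul(a, b):
    """General shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _build_sbox():
    """S-box: multiplicative inverse in GF(2^8) followed by the FIPS-197 affine map."""
    sbox = [0] * 256
    for a in range(256):
        inv = next((b for b in range(1, 256) if _gmul(a, b) == 1), 0)
        x, s = inv, inv
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF   # rotate left by one bit
            s ^= x
        sbox[a] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def round_count(key_len_bytes):
    """Nr = Nk + 6: 10, 12 and 14 rounds for 16-, 24- and 32-byte keys."""
    if key_len_bytes not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    return key_len_bytes // 4 + 6

def expand_key(key):
    """FIPS-197 key schedule; returns Nr+1 round keys of 16 bytes each."""
    nk = len(key) // 4
    nr = round_count(len(key))
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:              # extra SubWord, AES-256 only
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    # State index is row + 4*column; row r is rotated left by r positions.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
                _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]
    return out

def aes_encrypt_block(key, block, rounds=None):
    """Encrypt one 16-byte block. rounds < Nr gives a reduced-round variant
    (an illustrative knob added here; real AES always runs all Nr rounds)."""
    if len(block) != 16:
        raise ValueError("AES block is exactly 16 bytes")
    rks = expand_key(key)
    nr = len(rks) - 1 if rounds is None else rounds
    if not 1 <= nr <= len(rks) - 1:
        raise ValueError("rounds must be between 1 and Nr")
    s = [b ^ k for b, k in zip(block, rks[0])]          # initial AddRoundKey
    for r in range(1, nr):
        s = [b ^ k for b, k in zip(_mix_columns(_shift_rows(_sub_bytes(s))), rks[r])]
    s = _shift_rows(_sub_bytes(s))                      # final round: no MixColumns
    return bytes(b ^ k for b, k in zip(s, rks[nr]))

if __name__ == "__main__":
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for klen in (16, 24, 32):
        print(f"AES-{klen * 8}: {round_count(klen)} rounds ->",
              aes_encrypt_block(bytes(range(klen)), pt).hex())
    # "11-round AES-256" is the same cipher stopped after 11 of its 14 rounds:
    print("11-round AES-256:", aes_encrypt_block(bytes(range(32)), pt, rounds=11).hex())
```

The point to take from running it is that AES-128 and AES-256 differ only in the key schedule and in the number of times the same round is repeated; the cryptanalysis results the article goes on to discuss are stated in terms of that round count, which is why "9-round" or "11-round" AES-256 is a meaningful (if non-standard) object.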


Attack One

In May 2009, Alex Biryukov and Dmitry Khovratovich published a paper [2] about two related-key boomerang attacks on the full AES-256 and AES-192. For AES-256, they showed the first key recovery attack, requiring 2^119 time; for AES-192, they showed an attack requiring 2^176 time. Though these complexities are faster than exhaustive search, they are not practical attacks and do not pose any real threat to the security of systems using AES.

Attack Two

In July 2009, Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir published a paper [3] describing several attacks which can break, with practical complexity, the variants of AES-256 whose number of rounds (9 rounds and 10 rounds) is comparable to that of AES-128. They also described an almost practical attack against 11-round AES-256 that requires 2^70 time.

Impacts

After the disclosure of those attacks, a question arises about the effectiveness of AES-256 against AES-128. Currently, AES-128 is not vulnerable to the attacks that have been found, so we assume that the only attack method is brute force, taking 2^128 time. This suggests that the assurance we get from using AES-256 is not the orders of magnitude above AES-128 that we may previously have expected. That said, nothing we can see indicates that AES-128 is inadequate for the majority of the things we use symmetric encryption for.

On the other hand, the new attacks work best against AES-256, but will there be any new attack on AES-128 which is faster than exhaustive search? As AES-256 was supposed to be the strongest member of the AES family, previous research has focused on it. Once the focus shifts back to AES-128, there could well be new attacks on AES-128 in the near future. Moreover, Attack Two above breaks 11 rounds of AES-256, but full AES-256 has 14 rounds. Bruce Schneier suggested [4] using more rounds of AES, e.g., AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds. In short, based on the latest information so far, if one has been using AES-256, one can continue using it; there is no strong reason to change. If not, then unless a new attack against AES-128 appears, AES-128 provides enough security margin for the near future.

Otto Lee, 2009 ■


Reference

1. Advanced Encryption Standard http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
2. Related-key Cryptanalysis of the Full AES-192 and AES-256 (28 Jun 2009) http://eprint.iacr.org/2009/317.pdf
3. Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds (29 Jul 2009) http://eprint.iacr.org/2009/374.pdf
4. Schneier on Security - Another New AES Attack (30 July 2009) http://www.schneier.com/blog/archives/2009/07/another_new_aes.html

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.

Contribution to PISA Journal

• To join the Editorial Committee of this professional publication
• To contribute to the next issue and make your publication public

Please contact the Editor (editor@pisa.org.hk)

Next Issue: Mar-2010


Internet Security

A Look at Domain Name System Amplification Attack

Warren Kwok CISSP Program Committee

I have heard about domain name system (DNS) amplification attacks since 2006, but over time I have not had the opportunity to witness how this kind of attack takes place. Between January and February 2009, I got the chance to see botnet hosts launching a new variant of DNS amplification attack involving root name server queries. This article is written to share my observations and analysis, and to discuss some technical solutions for preventing and defending against DNS amplification attacks.

DNS Amplification Attack by Root Zone Query

In the beginning, I found the error logs of my DNS filled with tens of millions of lines denying queries for the name servers of the root zone, a sample of which is shown in Figure 1 below:

Figure 1 : queries of name servers for root zone denied


On analysis of the sample log above, I found that zombie hosts sent UDP packets with the spoofed IP address 206.71.158.30 to query the name server records of the root zone. The size of an incoming packet for such a query is 45 bytes. If a DNS server is operating as an open resolver, a packet of 500 bytes containing the names and IP addresses of the 13 root servers is sent to the target victim at IP address 206.71.158.30. In this context, open resolvers are resolving name servers that perform recursive queries for untrusted hosts and IP addresses. Figure 2 illustrates, by means of the "dig" command, the response of an open resolver.

Figure 2: Response of an open resolver to root zone query

For systems that have banned open recursion, the message "query refused" is sent out instead. The size of this packet is 17 bytes, as shown in Figure 3. In summary, the 500-byte output from an open resolver yields an amplification factor of 11 (500 bytes divided by 45 bytes). This factor, multiplied by a large number of queries, can be used to launch large-scale DDoS attacks against a target victim. Clearly, the two elements of a DNS amplification attack, IP address spoofing and open resolvers, deserve considerable attention from the Internet community.

Figure 3: Query of name servers for root zone denied
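The log analysis and the amplification arithmetic above can be turned into a small triage script. The following is an added example, not from the article: it parses BIND 9 style "query ... denied" lines (an assumption about the log format, since Figure 1 was an image), counts denied root-zone NS queries per claimed source address, and, using the 45-, 500- and 17-byte packet sizes the article reports, shows how much reflected traffic each flagged address would have received from an open resolver versus from a resolver that refuses recursion. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in BIND 9's "query denied" log format (assumed
# format; these are not the article's actual Figure 1 lines).
SAMPLE_LOG = """\
28-Jan-2009 03:14:07.101 client 206.71.158.30#53: query (cache) './NS/IN' denied
28-Jan-2009 03:14:07.102 client 206.71.158.30#53: query (cache) './NS/IN' denied
28-Jan-2009 03:14:07.103 client 206.71.158.30#53: query (cache) './NS/IN' denied
28-Jan-2009 03:14:08.250 client 192.0.2.77#40211: query (cache) 'www.example.com/A/IN' denied
28-Jan-2009 03:14:09.004 client 206.71.158.30#53: query (cache) './NS/IN' denied
28-Jan-2009 03:14:09.005 client 206.71.158.30#53: query (cache) './NS/IN' denied
"""

# Packet sizes reported in the article for the root NS query variant.
ROOT_NS_QUERY_BYTES = 45         # incoming spoofed query
OPEN_RESOLVER_REPLY_BYTES = 500  # full answer listing the 13 root servers
REFUSED_REPLY_BYTES = 17         # "query refused" from a closed resolver

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<name>[^/']*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

def parse_denied(line):
    """Return the fields of one 'query ... denied' line, or None if it is not one."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def amplification_factor(reply_bytes, query_bytes=ROOT_NS_QUERY_BYTES):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return reply_bytes / query_bytes

def summarize_root_ns_floods(log_text, threshold=3):
    """Count denied './NS/IN' queries per claimed source address and report the
    addresses (the spoofed victims) that reach the threshold, with the volume
    they would have received had this server been an open resolver."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denied(line)
        if rec and rec["name"] == "." and rec["qtype"] == "NS":
            counts[rec["ip"]] += 1
    report = {}
    for ip, n in counts.items():
        if n >= threshold:
            report[ip] = {
                "queries": n,
                "bytes_if_open_resolver": n * OPEN_RESOLVER_REPLY_BYTES,
                "bytes_as_refused": n * REFUSED_REPLY_BYTES,
            }
    return report

if __name__ == "__main__":
    print("amplification factor, open resolver: %.1f" % amplification_factor(OPEN_RESOLVER_REPLY_BYTES))
    print("amplification factor, refused:       %.2f" % amplification_factor(REFUSED_REPLY_BYTES))
    for ip, info in summarize_root_ns_floods(SAMPLE_LOG).items():
        print(ip, info)
```

The address that dominates the denied-query count is the victim, not the attacker: the whole point of the spoofing is that the replies go to it. Note also that a refusing resolver still answers (17 bytes per query), so it attenuates rather than amplifies; only the open resolver turns 45 bytes into 500.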


Implementation of Source Address Validation

By implementing source address validation (SAV), Internet Service Providers (ISPs) can help to defeat DDoS attacks that employ IP address spoofing. The use of ingress filtering between the customer's network and the ISP side is a well-proven solution. The underlying logic is that customers should not send any IP packets out to the Internet with a source address other than the addresses their serving ISPs have allocated to them.

Putting an access control list (ACL) on each ingress interface is a straightforward way of doing SAV. An ACL contains a list of valid source IP addresses at the router interface, used to filter packets. Nevertheless, this method requires considerable time and effort to manage, since the source lists must be kept up to date to cater for changes on the user's network, maintenance and operation. A more effective approach to SAV is to use unicast reverse path forwarding (uRPF), which is available in common brands of router such as Cisco and Juniper. uRPF uses the routing table to determine whether a source address is acceptable. A packet is considered acceptable if the route to the source of the packet (the reverse path) points to the interface that the packet actually came in on. Failing this check, the packet is considered spoofed and is dropped. Although SAV is an important security feature, it is not widely implemented. Some ISPs fear that the implementation adds administrative overhead and might adversely impact performance, because every single packet originating from the customer side must be inspected before being sent out.

Disabling Open Recursion in Domain Name System

In the DNS amplification attack, open resolvers are used as amplifiers to cause a UDP flood to the victim. Not only can open resolvers be exploited for launching DDoS attacks, but these systems are also susceptible to cache poisoning. The information security industry has long considered open resolvers a big configuration mistake which poses imminent security threats to the Internet. To make the Internet safe, all system administrators must ensure that their DNS servers are not misconfigured with open recursion.
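The uRPF decision from the source address validation section above, as an added example (not the article's own code and not any router vendor's implementation): a strict reverse-path check over a constructed routing table, next to the static ingress-ACL alternative, using the victim address from the sample log as the spoofed source. Interface names and customer prefixes are assumptions.

```python
"""Strict unicast RPF (uRPF) as a source address validation check (added
example; not the article's code nor a vendor implementation).  Routing table,
interface names and packets are constructed here."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, interface through which the prefix is reached)

# Constructed forwarding table of an ISP edge router (hypothetical interfaces).
ROUTES: List[Route] = [
    ("0.0.0.0/0", "uplink0"),        # default route towards the rest of the Internet
    ("192.0.2.0/24", "cust1"),       # block allocated to customer 1
    ("198.51.100.0/24", "cust2"),    # block allocated to customer 2
    ("203.0.113.0/24", "cust3"),     # block allocated to customer 3
]


def reverse_path(src: str, routes: List[Route], allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match on the *source* address: the interface the router would
    use to reach it.  The default route is ignored unless allow_default, because on a
    customer-facing interface it would make every source address look valid."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def urpf_accept(src: str, ingress: str, routes: List[Route],
                allow_default: bool = False) -> bool:
    """Strict uRPF: forward only if the reverse path to the source is the interface
    the packet actually arrived on; anything else is treated as spoofed and dropped."""
    return reverse_path(src, routes, allow_default) == ingress


def acl_accept(src: str, ingress: str, acl: Dict[str, List[str]]) -> bool:
    """The static ingress-ACL alternative: a hand-maintained list of permitted source
    prefixes per interface.  Correct only as long as the list tracks allocations."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in acl.get(ingress, []))


def filter_packets(packets: List[Tuple[str, str]], routes: List[Route]):
    """Apply strict uRPF to (source, ingress interface) pairs; returns (accepted, dropped)."""
    accepted, dropped = [], []
    for src, ingress in packets:
        (accepted if urpf_accept(src, ingress, routes) else dropped).append((src, ingress))
    return accepted, dropped


if __name__ == "__main__":
    # Constructed traffic: a genuine customer packet, the spoofed source from the
    # sample log in the article (the victim's address) and a neighbour's address,
    # all arriving on customer 1's port.
    traffic = [("192.0.2.10", "cust1"), ("206.71.158.30", "cust1"), ("198.51.100.5", "cust1")]
    ok, bad = filter_packets(traffic, ROUTES)
    print("accepted:", ok)    # [('192.0.2.10', 'cust1')]
    print("dropped: ", bad)   # the spoofed victim address and customer 2's address on cust1
```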


Rate Limiting Incoming Packets on the ISP's Router

In a DNS amplification attack, the packets received by the victim are not processed at all. Suffice it to say that the goal of a DNS amplification attack is not to overload the CPU or memory resources of the victim's server, but rather to saturate all the available bandwidth. It should be noted that rate limiting on the victim's perimeter router is therefore not an effective preventive measure. To protect against bandwidth exhaustion, rate limiting of incoming packets is best done on the ISP's router, which has the capability to assign a bandwidth limit to different kinds of Internet traffic such as ICMP, UDP or specific applications.

Disabling Root Zone Query

For DNS servers that have prohibited recursion, the "query refused" messages they return still contribute to flooding the target victim. Some system administrators might consider blocking root zone queries so as to avoid this unnecessary outgoing traffic. At this moment, there is not much information on whether DNS servers should ban root zone queries. A root zone query is not malicious in itself; it can be used for testing configuration or troubleshooting, but it can also be used in a DDoS attack. If system administrators consider the root zone query an attack, they can readily deploy network-based intrusion prevention systems to drop the incoming packets. The attack signature, which consists of a fixed byte length and a fixed string, is easy to detect. Alternatively, firewalls could be used to filter UDP packets destined for port 53 that carry this simple and easily identifiable payload. An easy way is to block UDP packets destined for port 53 with a packet length of 45 bytes. By means of iptables, I have tested filtering root zone queries on a DNS resolver and the result is satisfactory.
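The root-zone query signature and the amplification arithmetic from this section, as an added example (not the article's own code): it builds the 17-byte NS query for the root zone, matches the fixed-length, fixed-payload signature, builds the 17-byte "query refused" reply of a server with recursion disabled, and computes the amplification factor on the wire. It assumes IPv4 plus UDP headers (28 bytes) in front of the DNS payload, which gives the 45-byte query packet the article describes.

```python
"""Root-zone NS query detection and amplification factor (added example, not the
article's own code).  All packet bytes below are constructed inline; on-wire
sizes assume IPv4 (20) + UDP (8) headers in front of the DNS payload."""
import struct

IP_UDP_OVERHEAD = 20 + 8   # assumption: IPv4 without options + UDP
QTYPE_NS = 2
QCLASS_IN = 1
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """DNS label encoding; the root zone '.' is a single zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Standard query header (QR=0, RD=1, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_root_ns_query(txid: int) -> bytes:
    """The trigger packet from the sample log: 12-byte header + 5-byte question = 17 bytes."""
    return build_query(txid, ".", QTYPE_NS)


def parse_dns(payload: bytes) -> dict:
    """Parse the header and, if present, the first question of a DNS message.
    Raises ValueError on truncated messages or compressed question names."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    msg = {"id": txid, "is_response": bool(flags & 0x8000),
           "rcode": flags & 0x000F, "qdcount": qdcount,
           "qname": None, "qtype": None, "qclass": None}
    if qdcount == 0:
        return msg
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if len(payload) < pos + 4:
        raise ValueError("truncated question")
    msg["qtype"], msg["qclass"] = struct.unpack("!HH", payload[pos:pos + 4])
    msg["qname"] = ".".join(labels) + "."     # the root zone comes out as "."
    return msg


def is_root_ns_query(payload: bytes) -> bool:
    """The fixed signature: a query (QR=0) whose only question is NS for the root zone."""
    try:
        msg = parse_dns(payload)
    except ValueError:
        return False
    return (not msg["is_response"] and msg["qdcount"] == 1
            and msg["qname"] == "." and msg["qtype"] == QTYPE_NS)


def build_refused_response(query: bytes) -> bytes:
    """What a server with recursion disabled returns: same id and question echoed,
    QR=1, RD copied, RCODE=REFUSED, no answer records.  Same 17 bytes as the query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    rflags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:]


def amplification_factor(query_payload_len: int, response_payload_len: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send, on the wire."""
    return (IP_UDP_OVERHEAD + response_payload_len) / (IP_UDP_OVERHEAD + query_payload_len)


def matches_filter_rule(dst_port: int, wire_len: int, payload: bytes) -> bool:
    """The firewall rule sketched in the text: UDP to port 53, 45 bytes on the wire,
    carrying the root NS query."""
    return dst_port == 53 and wire_len == 45 and is_root_ns_query(payload)


if __name__ == "__main__":
    q = build_root_ns_query(0x1234)
    refused = build_refused_response(q)
    print("query bytes on the wire:", IP_UDP_OVERHEAD + len(q))   # 45
    print("open resolver, 500-byte reply: factor %.1f"
          % amplification_factor(len(q), 500 - IP_UDP_OVERHEAD))   # 11.1
    print("recursion disabled, REFUSED reply: factor %.1f"
          % amplification_factor(len(q), len(refused)))            # 1.0
    print("matches filter:", matches_filter_rule(53, IP_UDP_OVERHEAD + len(q), q))
```

A REFUSED reply does not amplify, but it is still a reflected packet towards the spoofed address, which is why the text weighs blocking the query itself.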

Looking Forward

DNS amplification attacks will continue to plague the Internet since SAV is not widely implemented and there are still a large number of open resolvers. When new variants of the DNS amplification attack emerge, system administrators need to quickly analyze the attack vectors and develop mitigation measures such as adding firewall rules or tuning intrusion prevention/detection systems. They must also be well prepared at all times to seek the assistance of their serving ISPs in order to protect their networks.

Warren Kwok, 2009

Copyright & Disclaimer

Copyright owned by the author. This article expresses the views of the author and does not necessarily reflect the opinion of PISA.

IT Governance and Compliance

China - Basic Standard for Enterprise Internal Control

Howard Lau, CISSP, Program Committee

The Basic Standard for Enterprise Internal Control 企業內部控制基本規範 (the Standard)¹ was released on June 28, 2008 by five Chinese government authorities and regulators as follows:

• Ministry of Finance 財政部
• National Audit Office 審計署
• China Securities Regulatory Commission 證監會
• China Banking Regulatory Commission 銀監會
• China Insurance Regulatory Commission 保監會

The Standard applies to all companies listed on the Shanghai and Shenzhen stock exchanges. The start date has been delayed from July 1, 2009 to January 2010². By the end of 2010, listed companies will have prepared their assessment reports. It is expected that companies listed both inside and outside Mainland China will be the first batch of companies to implement the Standard. Other companies are also encouraged to adopt its provisions. The Standard includes fifty articles under seven chapters or areas: (1) General Provisions 總則, (2) Internal Environment 內部環境, (3) Risk Assessment 風險評估, (4) Control Activities 控制活動, (5) Information and Communication 信息與溝通, (6) Internal Monitoring 內部監督 and (7) Supplementary Provisions 附則. Excluding the first and the last chapters, the middle five chapters are similar to the five elements of the Committee of Sponsoring Organizations (COSO) framework (1992) [Figure 1]³. The Standard also makes reference to the eight elements in COSO's Enterprise Risk Management (ERM) - Integrated Framework (2004) [Figure 2]⁴. The Standard requires a listed company:

• to establish and implement internal control policies;
• to set up a suitable business management IT system with embedded controls;
• to make self-assessments of the effectiveness of its internal control on a periodic basis and issue control self-assessment reports.

Figure 1 : COSO's Internal Control - Integrated Framework

Figure 2 : COSO’s Enterprise Risk Management (ERM) Integrated Framework


Three Guidelines

Besides the Standard, these five Chinese government authorities and regulators also issued three draft guideline documents, namely:

• The Enterprise Internal Control Assessment Guideline (企業內部控制評價指引)⁵
• The Enterprise Internal Control Implementation Guideline (企業內部控制應用指引)⁶
• The Enterprise Internal Control Assurance Guideline (企業內部控制鑒證指引)⁷

Selected Articles from the Standard

There are 50 articles in the Standard. The following are some articles relating to IT governance, IT audit, business continuity and risk management.

Article 24 An enterprise shall apply qualitative and quantitative methods to analyze and prioritize identified risks…

Article 25 An enterprise shall determine its risk responses based on the outcome of its risk analysis, risk appetite and consideration on risk and reward…

Article 26 An enterprise shall apply appropriate risk response measures such as risk avoidance, risk reduction, risk sharing or risk acceptance to control identified risks effectively…

Article 37 An enterprise shall establish advance risk warning and emergency response mechanisms, clearly define the advance risk warning criteria, and in relation to potential safety, environmental protection and other major risks or emergencies, establish an emergency response plan, clearly allocate responsibilities, formalizing handling procedures to ensure that emergencies are responded to in a timely and proper manner.

Article 38 An enterprise shall establish an information and communication policy and clearly define its procedures relating to the gathering, handling and communication of internal control related information in order to ensure the timely communication of information and effective operation of internal control.

Article 39 An enterprise shall establish steps to screen, verify and collate the information received from internal and external sources in order to ensure the information's usability. An enterprise can attain internal information through its financial accounting data, business management data, research reports, special information, corporate periodicals and office network and other internal sources of data and channels. An enterprise can attain external information through industry associations, social agencies, business related parties, market research, mails, business network, press and regulatory bodies and other external sources of data and channels.

Article 41 An enterprise shall apply information technology to improve information gathering and sharing and to maximize the effect of information and communication. An enterprise shall ensure the safe and stable operation of its information technology system through the establishment of proper control over systems development, maintenance, access, changes, data input and output, backup, network safety and other key information technology related activities.

Article 42 An enterprise shall establish anti-fraud policies, emphasize the importance of preventing frauds, clearly define the crucial aspects of anti-fraud activities, duties and responsibilities, authorities and limits of interested parties, and formalize reporting, investigation, handling and remediation procedures…

Article 43 An enterprise shall establish proper complaints handling and complainant protection policies … in order to provide an effective channel for dissatisfied interested parties to report and address their complaints…

Article 46 As part of internal monitoring, an enterprise shall perform a self-assessment of the effectiveness of its internal control on a periodic basis and issue a control self-assessment report…

Article 47 An enterprise shall keep proper records (either in physical or appropriate alternative form) of the internal control established and implemented by it in order to provide evidence and audit trails of such internal control establishment and implementation activities.

Figure 3 : Books about the Basic Standard for Enterprise Internal Control⁸


Market and Impact to the Industry

After the third plenary session of the eleventh Central Committee of the Communist Party of China in December 1978, Mr. Deng Xiaoping elaborated on the modernization drive and actively promoted reform. In 1990, both the Shanghai Stock Exchange (SSE) and the Shenzhen Stock Exchange (SZSE) were established. Nowadays there are about 900 and 800 listed companies on the SSE and SZSE respectively. The Small and Medium Enterprise Board (SME Board) of the SZSE was introduced in 2004. Currently there are over 280 companies on the SME Board. Moreover, there is a plan to launch a Nasdaq-style second board with looser regulations than the SME Board and the main boards. China's economic reform has been an obvious success over the past 30 years. However, during the last decade there were a lot of fraud cases in big enterprises in China⁹, e.g.:

• 2001: Bank of China Kaiping Branch Case, Y2.73B
• 2005: Bank of China Heilongjiang Branch Case, Y1B
• 2006: Shenzhen Development Bank Case, Y1.5B
• 2008: Dalian Security Case, over Y4B
• 2009: Liaoning Zhida Group & Agricultural Bank of China Case, Y0.85B

There were many enterprise fraud cases in other countries too. That is why the Sarbanes-Oxley Act was signed into US law in 2002. There are similar compliance standards in Japan and in other countries. The financial tsunami of 2008 / 2009 also showed the importance of monitoring and good regulatory systems for enterprises, especially banking and financial institutions. As the Basic Standard for Enterprise Internal Control becomes a necessary compliance requirement for listed companies in China, it is expected that there will be a vast market for service providers (outsourcing partners) and professionals (internal staff) in compliance, accounting, audit, IT audit, and other IT business (e.g. database, ERP, data-mining, log management and business intelligence…). More importantly, the Standard is a "modernization drive" and "reform" for enterprises in China. We expect to see alignment of management standards for enterprises and professional standards for individuals between China and the rest of the world.

Reference

1. The Basic Standard for Enterprise Internal Control (企業內部控制基本規範) http://big5.china.com.cn/policy/txt/2008-07/03/content_15924643.htm ; also published as 企業內部控制基本規范, 中國財政經濟出版社 (China Financial and Economic Publishing House), 2008
2. 企業內控規範三配套文件進入會簽階段 (Three supporting documents of the enterprise internal control standard enter the countersigning stage) http://big5.bjsme.gov.cn/news/200905/t59759.htm
3. "Putting COSO Theory into Practice." Tone at the Top, The Institute of Internal Auditors, November 2005 http://www.theiia.org/download.cfm?file=42122
4. Enterprise Risk Management – Integrated Framework, Executive Summary http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
5. The Enterprise Internal Control Assessment Guideline (企業內部控制評價指引) http://szs.mof.gov.cn/kjs/zhengwuxinxi/gongzuotongzhi/200901/P020090116602614695502.doc
6. The Enterprise Internal Control Implementation Guideline (企業內部控制應用指引) http://szs.mof.gov.cn/kjs/zhengwuxinxi/gongzuotongzhi/200901/P020090108500001104757.doc
7. The Enterprise Internal Control Assurance Guideline (企業內部控制鑒證指引) http://www.cicpa.org.cn/professional_standards/comments/200807/W020080709285369212505.doc
8. Release Ceremony on Basic Standard for Enterprise Internal Control and the 1st High-Level Forum on Enterprise Internal Control 企業內部控制基本規范發布會暨首屆企業內部控制高層論壇專輯, 中國財政經濟出版社 (China Financial and Economic Publishing House), 2008
9. Apple Daily, Aug 1, 2009, 銀行監管不足 金融大案頻生 (Inadequate bank supervision, frequent major financial cases) http://hk.apple.nextmedia.com/template/apple/art_main.php?iss_id=20090801&sec_id=15335&subsec=15336&art_id=13050610

Copyright & Disclaimer

Copyright owned by the author. This article expresses the views of the author and does not necessarily reflect the opinion of PISA.

Industry Corner

Best Practices for Information Security in the Web 2.0 Era

William Tam, Technical Manager, Asia Pacific and Middle East, Websense, Inc.

To IT professionals in Hong Kong, it has become very obvious that Web 2.0 has made a big impact on the workplace – changing not only the way people communicate with each other, but also the way organizations conduct business. To better understand the impact of, and the threats underlying, the popularity of Web 2.0, in early 2009 Websense commissioned Dynamic Markets to conduct a global survey of 1,300 IT managers and professionals across 10 countries, including Hong Kong. The interviewees were asked about their perceptions of Web 2.0 in the workplace, their understanding of Web 2.0 technologies, and whether their organizations are ready for the challenges of the Web 2.0 era. According to the survey, nearly all IT managers in Hong Kong (98 percent) allow employees access to some Web 2.0 sites and applications in the workplace. However, more than half of the Hong Kong IT managers (54 percent) admit that their users try to bypass their company's security policies to access Web 2.0 applications that are restricted at work. At the same time, a majority of the IT managers (88 percent) feel pressured to allow and adopt more Web 2.0 sites and technologies at work. The report reflects the fact that IT managers in Hong Kong share the same struggle as the rest of the world – to strike a balance between taking advantage of the benefits of Web 2.0 and mitigating the security risks. In response to the survey findings, Websense has teamed up with IDC to produce a whitepaper, "Best Practices for Securing Web 2.0", which aims to provide guidelines to IT professionals and organizations on how to secure access to Web 2.0 sites and applications while minimizing the risk of malicious attack and possible data leakage. Here are some key considerations:


Real-time Content Classification

The high volume of user-generated content in the Web 2.0 environment requires a security solution that can perform real-time deep content analyses and classification. Many Web 2.0 sites today incorporate some form of Web site mash-up that may be customized to an individual's interests. It is necessary for a system to analyze multiple flows in real-time, to allow good information in while keeping out the bad.

Employee Access Rights

A mature web security solution must allow access to mission-critical SaaS applications on the web, while enabling safe and controlled access to non-business sites such as social networking sites. It should also be able to provide safe but time-limited access to sites for personal use. For example, organizations can allow up to 60 minutes per day of access to personal Web sites, such as Web-based email and social networking.

Data Loss Prevention (DLP)

In the Web 2.0 era, blogs, social networking sites etc. are becoming channels for information leakage. Web 2.0 users may unintentionally post confidential information on blogs and forums. An integrated DLP-Web solution adds the identity and location context to the access, preventing data leakage through Web-based email, or social networking Web sites.

Application Control

Many Web 2.0 applications leverage evasive techniques to communicate and share information. For example, organizations may wish to allow Facebook access, but not Facebook-delivered games. A mature solution must provide control over these applications, whether they run over HTTP, HTTPS or other protocols. It should also provide the correct level of granularity of control, which ensures secure access for users.

Remote Access

The growing number of mobile and remote users is creating a complex distributed workplace. Many corporate applications are being moved to the Web 2.0 environment to allow remote employees to work more efficiently. An effective Web 2.0 solution should provide the customer with choices regarding how to support the remote user while ensuring the application of a consistent policy throughout the organization.

Unified Policy Management

Web 2.0 requires a policy to address multiple technology stacks, spanning everything from malware protection to objectionable content and application control. This complexity can lead to errors in translating a corporate policy into reality, unless the policy management engine is designed to pull all of these items together into a single policy that can be applied on a global basis.

Comprehensive Reporting and Logging

Employees may use Web 2.0 technologies located outside the corporate network for collaboration on sensitive internal projects, as well as mission critical reporting and logging for audit and forensics. The Web 2.0 solution must enable multiple levels of reporting, including easy-to-interpret summary reports and the ability to drill down and quickly investigate violations against specific policy categories or by specific users and groups.

Performance and Scalability

As the Web 2.0 world continues to mature and change, a good Web 2.0 security solution must provide high scalability, so it can expand and adapt to current or future needs, and its performance must be high enough to deliver security and control without impacting end users’ ability to perform their duties.

The Server Side of Web 2.0

Companies are increasingly allowing their customers to post comments on public support forums, Facebook, blogs etc. A Web 2.0 security solution needs to ensure that no malware and inappropriate contents are posted on the sites and associated with their brands. To limit liability and protect their brands, organizations need to think about how they can scan blog posts before they hit Web 2.0 sites.


Being the market leader and pioneer in web security, Websense has made some industry-first moves and initiatives to better protect customers in the Web 2.0 era. One example is the recent acquisition of Defensio, a unique company that developed technology for dealing with spam and malicious posting on Web 2.0 properties. Websense now provides web site owners with accurate, personalized and adaptive protection from comment spam and malware embedded in user-generated content, in real time. By delivering unique real-world data analysis of blog comments and other Web 2.0 application content as it is posted, Websense can provide users with the security capabilities that enable them to safely determine whether user-generated content is malicious, unwanted or confidential – without having to embed anything in their applications or products. In future, the technology will be extended to deliver protection from malicious code, phishing sites and fraud posted to and hosted on user-generated content sites.

Websense was also one of the first technology providers to address the needs of real-time content classification and analysis in the Web 2.0 world. In 2008, Websense launched Web Security Gateway, which combined antimalware, Web reputation, and URL filtering protection to proactively block malicious content on a real-time basis. It keeps networks secure from malicious attacks and data leaks, while still enabling the latest Web-based tools, applications, and legitimate content. Moreover, Websense Web Security Gateway recognizes and controls more than 130 separate network protocols that are used by thousands of applications, and enables full control and auditing of the usage of these tools within the organization. Applications can thus be blocked, allowed or limited, to control their impact on network resources. By delivering a total Web security solution together with a data security solution, which focuses on protecting data itself and enables organizations to set granular policies around specific data, Websense can protect customers from dynamic malicious attacks and data leakage while allowing them to enjoy the benefits of Web 2.0.

William Tam, Websense ■

References

The whitepaper including more details on IDC's "Best Practices for Securing Web 2.0" can be downloaded from http://www.websense.com/site/docs/whitepapers/en/IDC_Web2.0BestPracticesWP_Jun2009.pdf
Full details on the survey methodology can be found in the report "Web2.0@Work" at http://www.websense.com/Web2.0atWork

Copyright & Disclaimer

Copyright owned by the author. This article expresses the views of the author and does not necessarily reflect the opinion of PISA.

Event Snapshot: We Contribute. We Achieve.

Macao War Driving (Sep-2009)

PISA and WTIA co-organized this activity with the Macao organizations ISACA Macao Chapter and Macau New Technologies Incubator Centre (Manetic) in the Macao War Driving 2009. This is a continuation of the war driving activity in Macao since 2008. There were around 40 participants from Hong Kong and Macao. Each participant used WiFi Hopper or Vistumbler to collect the WiFi signal data. The project group is consolidating the results from individual participants.

Group photo at the Guia Fortress

Professionals of PISA and WTIA briefed new participants from Macao how to read the data collected by the tools.

Event Snapshot: We Share, We Progress.

PISA Annual General Meeting (Aug-2009)

PISA held the AGM and the EXCO Election.

We had a good turn out and members took a group photo after the meeting.

Daniel Eng, our ex-Chairperson, delivered the EXCO's business report to the fellow members.

Theme Seminar: Two-factor authentication: is it unbreakable

The Theme Seminar before the AGM was presented by S.C. Leung. There were 30 participants from PISA and ISC2. The talk was very interactive. Participants discussed potential ways that 2FA can be breached and how current security measures can be enhanced. It was an enjoyable session.

Event Snapshot: We Contribute. We Achieve.

Seminar: Dissection of Green Dam (Jun-2009)

In June, the Chinese Government announced that a filtering software called Green Dam must be installed on all manufactured PCs from 1 July onwards. The nature of the software had aroused the attention of the general public. PISA, Internet Society Hong Kong (ISOC-HK), Information Security and Forensics Society (ISFS), Hong Kong Internet Service Providers Association (HKISPA) and Valkyrie-X Research Lab responded swiftly and co-organized a technical seminar dissecting the software. At very short notice, Hong Kong Polytechnic University provided the venue, which was filled up with enthusiastic people.

Speakers Sang Young (PISA), Anthony Lai (VX-Lab) and Issac Mao (mainland blogger)

Panel Discussion: (left) SC Leung (Moderator), Anthony Lai (VX Lab), Charles Mok (ISOC-HK), Issac Mao (blogger), Franki Li (ISFS) and Thomas Tsang (PISA)

Participants actively spoke up in the panel discussion.

Event Snapshot: We Share, We Progress.

PISA Networking Hours (Aug-2009)

PISA held a networking evening. Our members, Honorary Advisors and Guests of Honour had a great evening.

(left) SC Leung, Dave Yip, Ian Christofis and Dale Johnstone

Group Photo

Biometrics: valuable but misused (Apr-2009)

Ian Christofis delivered a talk on biometrics (such as fingerprint, face or iris recognition), which are sometimes seen as the strongest type of authentication, but this is not really true. Ian discussed the vulnerabilities of biometrics, when they are the best choice, and when they should not be used.


Our vision provides us our destination. Our missions provide us the directions.

Promotion of information security in schools

PISA has partnered with ISC2, OGCIO and HKPF (Police) to deliver InfoSec talks to youngsters. SC Leung delivered the talk at TWGHs. S.C. Gaw Memorial College (Tsing Yi) in April and Howard Lau delivered the talk at Ju Ching Chu (Tuen Mun) Secondary School in May.

Kitty Chung of ISC2 was with a student who asked questions.

Delivering public talks on Information Security

Howard Lau delivered a talk at the NGO Day of The Hong Kong Council of Social Service in June.

Providing Expert Opinions on Public Affairs

PISA sent representatives to the "COIAO Forum in Technology Aspect" (Jun-09) and the "Tech Crime Roundtable Discussion" (Jul-09) organized by IT Legislator Samson Tam's Office, to give comments.

http://www.pisa.org.hk

Vision: to be the prominent body of professional information security practitioners, and utilize expertise and knowledge to help bring prosperity to the society in the Information Age

Many Ways You Can Benefit

Successful Career
Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Networking
Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date.

Continued Education
Check out job listings information provided by members. Get information on continuing education and professional certification.

Sharing of Information
Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Enjoy the discounted or free admissions to association activities, including seminars, discussions, open forums, IT related seminars and conferences organized or supported by the Association.

Realize Your Potential
Develop your potential and capabilities in proposing and running project groups such as Education Sector Security, WLAN & Bluetooth Security, Honeynet, Public Policy Committee and others, and enjoy the sense of achievement and recognition of your potential.

Professional Recognition
Benefit from the immediate access to professional recognition by using the postnominal designation.

Membership Information

Membership Requirements Enquiry email: membership@pisa.org.hk
Membership Application Form: http://www.pisa.org.hk/membership/member.htm
Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm

Membership types with annual fee (HK$), qualifications and relevant experience required:

Full (HK$500): Recognized Degree in Computing discipline, OR other appropriate educational / professional qualification; 3 years Info-Sec working experience
Associate (HK$300): Tertiary Education; Info-Sec related experience
Affiliate (HK$300): Interested in furthering any of the objects of the society; Nil
Student (HK$100): Full-time student over 18 years old; Nil

• Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.
• All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.

