Computer security

This article describes how security can be achieved through design and engineering. See the computer insecurity article for an alternative approach that describes computer security exploits and defenses.

[Site] James Madison University - Computer Security
Security Measures That May Impact Your Computer Use ... List of Frequently Asked Questions about Computer Security ... with Computer Security. Privacy (to ...
www.jmu.edu/computing/security

Computer security imposes requirements on computers that are different from most system requirements because they often take the form of constraints on what computers are not supposed to do. This makes computer security particularly challenging because we find it hard enough just to make computer programs do everything they are designed to do correctly. Furthermore, negative requirements are deceptively complicated to satisfy and require exhaustive testing to verify, which is impractical for most computer programs. Computer security provides a technical strategy to convert negative requirements to positive enforceable rules. For this reason, computer security is often more technical and mathematical than some computer science fields.

[News] Treasury Office Faults IRS Computer Security
Two new IRS computer systems that will eventually cost taxpayers almost $2 billion are being put into service with known security and privacy vulnerabilities, a Treasury watchdog said in a report coming out Thursday.

Typical approaches to improving computer security (in approximate order of strength) can include the following:

[Image]
To download comp: Right-click the image and select 'Save image as...'.Control + Mouse Click if you are using a single button Mac mouse.

• Physically limit access to computers to only those who will not compromise security.
• Hardware mechanisms that impose rules on computer programs, thus avoiding depending on computer programs for computer security.
• Operating system mechanisms that impose rules on programs to avoid trusting computer programs.
• Programming strategies to make computer programs dependable and resist subversion.

[Video] CyberAwareness

Secure operating systems

[Auction] Notebook Laptop Computer Security Chain Lock w/#
Only $6.49

Systems designed with such methodology represent the state of the art of computer security although products using such security are not widely known. In sharp contrast to most kinds of software, they meet specifications with verifiable certainty comparable to specifications for size, weight and power. Secure operating systems designed this way are used primarily to protect national security information, military secrets, and the data of international financial institutions. These are very powerful security tools and very few secure operating systems have been certified at the highest level (Orange Book A-1) to operate over the range of "Top Secret" to "unclassified" (including Honeywell SCOMP, USAF SACDIN, NSA Blacker and Boeing MLS LAN.) The assurance of security depends not only on the soundness of the design strategy, but also on the assurance of correctness of the implementation, and therefore there are degrees of security strength defined for COMPUSEC. The Common Criteria quantifies security strength of products in terms of two components, security functionality and assurance level (such as EAL levels), and these are specified in a Protection Profile for requirements and a Security Target for product descriptions. None of these ultra-high assurance secure general purpose operating systems have been produced for decades or certified under the Common Criteria.

[Post] Information Security Analyst at Joliet Junior College
Bachelor's degree in Information Security, computer science or some related discipline, and minimum of 5 years of progressive experience in IT security and analysis, preferably in higher education. Any equivalent combination of ...

Secure operating systems designed to meet medium robustness levels of security functionality and assurance have seen wider use within both government and commercial markets. Medium robust systems typically provide nearly all of the security features of the most advanced secure operating systems but do so at a lower assurance level (such as EAL4 or EAL5). These systems are found in use on web servers, guards, database servers, and management hosts and are used not only to protect the data stored on these systems but also to provide a high level of protection for network connections and routing services.

[Book] Computer Security: Art and Science Addison-Wesley Professional

Security architecture

[Site] Home Computer Security
Home Computer Security. Table of Contents. Introduction ... drive a car, you need to also be responsible for your home computer's security. ...
www.cert.org/homeusers/HomeComputerSecurity

Security by design

[News] Treasury office faults IRS computer security
Two new IRS computer systems that will eventually cost taxpayers almost $2 billion are being put into service with known security and privacy vulnerabilities, a Treasury watchdog said in a report coming out Thursday. The office of the Treasury Inspector...

There are several approaches to security in computing, sometimes a combination of approaches is valid:

1. Trust all the software to abide by a security policy but the software is not trustworthy (this is computer insecurity).
2. Trust all the software to abide by a security policy and the software is validated as trustworthy (by tedious branch and path analysis for example).
3. Trust no software but enforce a security policy with mechanisms that are not trustworthy (again this is computer insecurity).
4. Trust no software but enforce a security policy with trustworthy mechanisms.

[Image]
Classification As illustrated in the preceding figure, Computer Security Incident Response Team is part of the following inheritance hierarchy:

Many systems have unintentionally resulted in the first possibility. Since approach two is expensive and non-deterministic, its use is very limited. Approaches one and three lead to failure. Because approach number four is often based on hardware mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of approaches two and four are often used in a layered architecture with thin layers of two and thick layers of four.

[Video] DaySafe 200: Anti-theft backpack by PacSafe

There are myriad strategies and techniques used to design security systems. There are few, if any, effective strategies to enhance security after design.

[Auction] NOTEBOOK LAPTOP COMPUTER LOCK SECURITY CABLE CHAIN
Only $4.99

One technique enforces the principle of least privilege to great extent, where an entity has only the privileges that are needed for its function. That way even if an attacker gains access to one part of the system, fine-grained security ensures that it is just as difficult for them to access the rest.

[Post] Computer Security Professional
Computer Network Protocols. Computer Security Application Development and System Integration. Wireless Networking. Digital Forensics. Artificial Intelligence and Machine Reasoning. Information Security. Embedded Systems ...

Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. This enables a closed form solution to security that works well when only a single well-characterized property can be isolated as critical, and that property is also assessable to math. Not surprisingly, it is impractical for generalized correctness, which probably cannot even be defined, much less proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing represent a best-effort approach to make modules secure.

[Book] Computer Security: Principles and Practice Prentice Hall

The design should use "defense in depth", where more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds. Defense in depth works when the breaching of one security measure does not provide a platform to facilitate subverting another. Also, the cascading principle acknowledges that several low hurdles does not make a high hurdle. So cascading several weak mechanisms does not provide the safety of a single stronger mechanism.

[Site] Symantec - Antivirus & Security Software
Symantec provides computer protection, arming the consumer against cyber criminals.
www.symantec.com

Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.

[News] Treasury office faults IRS computer security
Thu, Oct 16, 2008 (12:18 a.m.) Two new IRS computer systems that will eventually cost taxpayers almost $2 billion are being put into service with known security and privacy vulnerabilities, a Treasury watchdog said in a report coming out Thursday.

In addition, security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable.Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible.

[Image]
careful in it's selection of technical personnel to ensure a quality product and our customer's complete satisfaction with our services. BATECH's Technical Support capabilities include: Configuration Management Computer Security Engineering Software Systems Engineering Data Integration

Early history of security by design

[Video] Scan Remove Spyware And Adware

Secure coding

[Auction] NEW COMPUTER NOTEBOOK LAPTOP LOCK SECURITY CABLE CHAIN
Only $5.99

In commercial environments, the majority of software subversion vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection.

[Post] Pepsky All - in - One v4.5.0.1000
Burning MP3 music files to CDs/DVDs, which can be played on a computer or a player supporting MP3 disc playing (such as some car audio system). Create WMA CD/DVD * Burning WMA music files to CDs/DVDs, which can be played on a computer ...

Some common languages such as C and C++ are vulnerable to all of these defects (see Seacord, "Secure Coding in C and C++"). Other languages, such as Java, are more resistant to some of these defects, but are still prone to code/command injection and other software defects which facilitate subversion.

[Book] Introduction to Computer Security Addison-Wesley Professional

Recently another bad coding practice has come under scrutiny; dangling pointers. The first known exploit for this particular problem was presented in July 2007. Before this publication the problem was known but considered to be academic and not practically exploitable. New hacking technique exploits common programming error. SearchSecurity.com, July 2007

[Site] Computer Security Day
Association for Computer Security Day ... Welcome to Computer Security Day! Computer Security Day was started in 1988 to help raise awareness of computer ...
www.computersecurityday.org

In summary, 'secure coding' can provide significant payback in low security operating environments, and therefore worth the effort. Still there is no known way to provide a reliable degree of subversion resistance with any degree or combination of 'secure coding.'

[News] Treasury office faults IRS computer security
WASHINGTON (AP) - A watchdog group says two new IRS computer systems that will eventually cost taxpayers almost $2 billion are being put into service with known security and privacy problems.

Capabilities vs. ACLs

[Image]
Security Specialist A security specialist makes sure that a computer system's security is effective and running properly. A security specialist must be quick thinking and have extensive

Unfortunately, for various historical reasons, capabilities have been mostly restricted to research operating systems and commercial OSs still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. An open source project in the area is the E language.

[Video] How I Removed Spyware from Computer Easily

First the Plessey System 250 and then Cambridge CAP computer demonstrated the use of capabilities, both in hardware and software, in the 1970s, so this technology is hardly new. A reason for the lack of adoption of capabilities may be that ACLs appeared to offer a 'quick fix' for security without pervasive redesign of the operating system and hardware.

[Auction] NOTEBOOK COMPUTER LOCK SECURITY CABLE CHAIN w/#
Only $6.49

The most secure computers are those not connected to the Internet and shielded from any interference. In the real world, the most security comes from operating systems where security is not an add-on, such as OS/400 from IBM. This almost never shows up in lists of vulnerabilities for good reason. Years may elapse between one problem needing remediation and the next.

[Post] Wise Registry Cleaner Pro v3.73.131
The Registry is at the heart of every Windows computer. The older your PC is, the more junked-up its Registry becomes. Badly written programs (and there are plenty of those around) don't bother to clean the Registry when you uninstall ...

A good example of a secure system is EROS. But see also the article on secure operating systems. TrustedBSD is an example of an open source project with a goal, among other things, of building capability functionality into the FreeBSD operating system. Much of the work is already done.

[Book] Principles of Computer Security: Security+ and Beyond The McGraw-Hill Companies, Inc.

Applications

[Site] National Institute of Standards and Technology: Computer Security ...
Designed to collect and disseminate computer security information and resources to help users better protect their data and systems.
csrc.nist.gov

In aviation

[News] Treasury office faults IRS computer security
Two new IRS computer systems that will eventually cost taxpayers almost $2 billion are being put into service with known security and privacy vulnerabilities, a Treasury watchdog said in a report coming out Thursday. The office of the Treasury Inspector General for Tax Administration said Internal Revenue Service officials failed to ensure that identified weaknesses had been addressed before ...

The consequences of a successful intentional or accidental misuse of a computer system in the aviation industry range from loss of confidentiality to loss of system integrity, which may lead to more serious concerns, like data theft or loss, network and air traffic control outages, which can lead to airport closures, loss of aircraft or even death of passengers. Military systems which control munitions pose an even greater risk, one which is evident enough not to warrant a further explanation.

[Image]
Password Generator November 19th, 2005 Need a good, random password? Steve Gibson has created a password generator that does the trick. His site, www.grc.com is a good resource for the computer user interested in privacy and

A proper attack does not need to be very high tech, or well funded, for a power outage at an airport alone can cause repercussions worldwide. J. Zellan, Aviation Security. Hauppauge, NY: Nova Science, 2003, pp. 65-70.. One of the easiest and, arguably, the most difficult to trace security vulnerabilities is achievable by transmitting unauthorized communications over specific radio frequencies. These transmissions may spoof air traffic controllers or simply disrupt communications altogether. These incidents are very common, having altered flight courses of commercial aircraft and caused panic and confusion in the past. Controlling aircraft over oceans is especially dangerous because radar surveillance only extends 175 to 225 miles offshore. Beyond the radars' sight, controllers must rely on periodic radio communications through a third party.

[Video] WINDOWS XP Tricks 2

Lightning, power fluctuations, surges, brown-outs, blown fuses, and various other power outages instantly disable all computer systems, since they are dependent on electrical source. Other accidental and intentional faults have caused significant disruption of safety critical systems throughout the last few decades and dependence on reliable communication and electrical power onlyjeopardizes computer safety.

[Auction] NOTEBOOK COMPUTER LOCK SECURITY CABLE CHAIN w/#
Only $6.49

Notable system accidents

[Post] Privacy Shield v3.0.81
It completely cleans your computer of any Internet or Windows habits you want to guarantee won't get discovered. In seconds it will clear your browser history, browser cache, system cookies, typed URL list, index.dat file, temp files, ...

In 1994, over a hundred intrusions were made by unidentified hackers into the Rome Laboratory, the US Air Force’s main command and research facility. Using trojan horse viruses, hackers were able to obtain unrestricted access to Rome’s networking systems and remove traces of their activities. The intruders were able to obtain classified files, such as air tasking order systems data and furthermore able to penetrate connected networks of National Aeronautics and Space Administration's Goddard Space Flight Center, Wright-Patterson Air Force Base, some Defense contractors, and other private sector organizations, by posing asa trusted Rome center user. Information Security. United States Department of Defense, 1986

[Book] Computer Security Wiley

Electromagnetic interference is another threat to computer safety and in 1989, a United States Air Force F-16 jet accidentally dropped a 230 kg bomb in West Georgia after unspecified interference caused the jet’s computers to release it. Air Force Bombs Georgia. The Risks Digest, vol. 8, no. 72, May 1989

[Site] Computer Security Products, Inc
Provides a variety of physical security devices to prevent computer and laptop theft.
www.computersecurity.com

A similar telecommunications accident also happened in 1994, when two UH-60 Blackhawk helicopters were destroyed by F-15 aircraft in Iraq because the IFF system’s encryption system malfunctioned.

[News] Treasury office faults IRS computer security
Wed, Oct 15, 2008 (9:21 p.m.) Two new IRS computer systems that will eventually cost taxpayers almost $2 billion are being put into service with known security and privacy vulnerabilities, a Treasury watchdog said in a report coming out Thursday.

Terminology

• Firewalls can either be hardware devices or software programs. They provide some protection from online intrusion, but since they allow some applications (e.g. web browsers) to connect to the Internet, they don't protect against some unpatched vulnerabilities in these applications (e.g. lists of known unpatched holes from Secunia and SecurityFocus).

[Image]

• Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.
• Thus simple microkernels can be written so that we can be sure they don't contain any bugs: eg EROS and Coyotos.

[Video] What is Spyware

A bigger OS, capable of providing a standard API like POSIX, can be built on a secure microkernel using small API servers running as normal programs. If one of these API servers has a bug, the kernel and the other servers are not affected: e.g. Hurd or Minix 3.

[Auction] NOTEBOOK LAPTOP COMPUTER LOCK SECURITY CABLE CHAIN
Only $4.99

• Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified.
• Strong authentication techniques can be used to ensure that communication end-points are who they say they are.

[Post] Automatic Feature Selection for Anomaly Detection.
Network intrusion detection requires discriminative features from network traffic, which for the case of misuse detection allow for the precise formulation of signatures and rules, and which, on the other end, enable application of ...

Secure cryptoprocessors can be used to leverage physical security techniques into protecting the security of the computer system.

[Book] Computer Security Lab Manual (Information Assurance & Security) Career Education

• Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers.
• Mandatory access control can be used to ensure that privileged access is withdrawn when privileges are revoked. For example, deleting a user account should also stop any processes that are running with that user's privileges.
• Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. The next sections discuss their use.

[Site] History of Computer Security
Offers unpublished, seminal works in computer security compiled by the Computer Security Laboratory of the Computer Science Department at the University of ...
csrc.nist.gov/publications/history

Some of the following items may belong to the computer insecurity article:

[News] Burning Question: How Much Computer Security Is Enough?
Put down that money order and step away from the Internet, sir. You could blow your kid's college fund on computer security doodads: biometric password protectors, remotely erasable hard drives, GPS tracking — every day, there's some new and irresistible offering for the paranoid. But what do you really need to protect your computer? Less than you think. The gospel is familiar: An antivirus ...

• application with known security flaws should not be run. Either leave it turned off until it can be patched or otherwise fixed, or delete it and replace it with some other application. Publicly known flaws are the main entry used by worms to automatically break into a system and then spread to other systems connected to it. The security website Secunia provides a search tool for unpatched known flaws in popular products.

[Image]
Articles

techniques involve transforming information, scrambling it so it becomes unreadable during transmission. The intended recipient can unscramble the message, but eavesdroppers cannot.]]

[Video] Totally Free Spyware Removal Do you Even Have Spyware

• Backups are a way of securing information; they are another copy of all the important computer files kept in another location. These files are kept on hard disks, CD-Rs, CD-RWs, and tapes. Suggested locations for backups are a fireproof, waterproof, and heat proof safe, or in a separate, offsite location than that in which the original files are contained. Some individuals and companies also keep their backups in safe deposit boxes inside bank vaults. There is also a fourth option, which involves using one of the file hosting services that backs up files over the Internet for both business and individuals.
• Backups are also important for reasons other than security. Natural disasters, such as earthquakes, hurricanes, or tornadoes, may strike the building where the computer is located. The building can be on fire, or an explosion may occur. There needs to be a recent backup at an alternate secure location, in case of such kind of disaster. The backup needs to be moved between the geographic sites in a secure manner, so as to prevent it from being stolen.

[Auction] Notebook Laptop Computer Security Chain Lock Cable
Only $4.99

• Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).

[Post] White Shark 3D Screensaver v1.0
After you install on your computer, this unusual saver immersing you in a mysterious and deadly world of the ocean, where only the strongest survive. OS : Windows 98/ME/2000/XP/Vista Size : 15.5 MB ...

• Firewalls are systems which help protect computers and computer networks from attack and subsequent intrusion by restricting the network traffic which can pass through them, based on a set of system administrator defined rules.

[Book] The Little Black Book of Computer Security, Second Edition 29th Street Press, a division of Penton Media, Inc.

• Access authorization restricts access to a computer to group of users through the use of authentication systems. These systems can protect either the whole computer - such as through an interactive logon screen - or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems.

[Site] computer security: Definition from Answers.com
Computer Security Method of protecting information, computer programs, and other computer system assets ... Military Dictionary: computer security ...
www.answers.com/topic/computer-security

• Encryption is used to protect the message from the eyes of others. It can be done in several ways by switching the characters around, replacing characters with others, and even removing characters from the message. These have to be used in combination to make the encryption secure enough, that is to say, sufficiently difficult to crack. Public key encryption is a refined and practical way of doing encryption. It allows for example anyone to write a message for a list of recipients, and only those recipients will be able to read that message.
• Intrusion-detection systems can scan a network for people that are on the network but who should not be there or are doing things that they should not be doing, for example trying a lot of passwords to gain access to the network.
• Pinging The ping application can be used by potential crackers to find if an IP address is reachable. If a cracker finds a computer they can try a port scan to detect and attack services on that computer.
• Social engineering awareness keeps employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of the network and servers.
• Honey pots are computers that are either intentionally or unintentionally left vulnerable to attack by crackers. They can be used to catch crackers or fix vulnerabilities.

[News] Treasury office faults IRS computer security
Associated Press - October 16, 2008 1:53 AM ET WASHINGTON (AP) - A watchdog group says two new IRS computer systems that will eventually cost taxpayers almost $2 billion are being put into...

Notes

[Image]

References

[Video] Totally Free Spyware Removal

Further reading

• The Information Age - an e-primer providing a comprehensive review of the digital and information and communications technology revolutions and how they are changing the economy and society. The primer also addresses the challenges arising from the widening digital divide.
• pwn2own - a $25,000 computer security competition in which competitors are challenged to create a previously unknown security exploit and fully penetrate security on a correctly patched Windows, Mac or Linux computer. The 2007 winner took 12 hours to crack Mac OS X security via a vulnerability later classified as "highly critical" by Secunia [1].
• Boeing 787 Integration - Avionics Magazine provides an overview of computer systems and their security and integration upon Boeing's latest and largest long-range airliner, including networking and fly-by-wire concerns.

  [Auction] Notebook Laptop Computer Security Chain Lock w/#
  Only $6.49

  [Post] Burning Question: How Much Computer Security Is Enough?
  You could blow your kid's college fund on computer security doodads: biometric password protectors, remotely erasable hard drives, GPS tracking — every day, there's some new and irresistible offering for the paranoid. ...

  [Book] Computer Security Fundamentals (Prentice Hall Security Series) Prentice Hall
  

  [News] FBI sees rise in computer crime
  Computer spying and theft of personal information have risen notably in the past year, costing tens of millions of dollars and threatening US security, the FBI's cyber division head said.
  
  

  [Image]
  COMPUTER SECURITY
  
  

  [Video] Totally Free Spyware Removal
  

  [Auction] Notebook Laptop Computer Security Chain Lock Cable
  Only $4.99

  [Post] Hotel Network Security
  Download link: Hotel Network Security: A Study of Computer Networks in US Hotels [PDF] Author note: at the time of publishing, the PDF link was not working well. Via GCN ; Image: Microsoft Clipart.

  [Book] Essential Computer Security: Everyone's Guide to Email, Internet, and Wireless Security Syngress
  

  [News] FBI sees rise in computer crime
  WASHINGTON, USA: Computer spying and theft of personal information have risen notably in the past year, costing tens of millions of dollars and threatening U.S. security, the FBI's cyber division head said on Wednesday.
  
  

  [Image]
  thesamet Arm yourself and prepare for battle! This post is intended as a reminder about the possible security attacks your Web application may be vulnerable to. While it is not meant as a comprehensive
  
  

  [Video] Spyware_SmitFraud Infection and Phishing Attempt
  

  [Auction] NOTEBOOK LAPTOP COMPUTER LOCK SECURITY CABLE CHAIN
  Only $5.98

  [Post] Some still skeptical of electronic voting machines
  SNPX.com - security news on topics like computer viruses, trojans, phishing, hackers, firewalls, spyware, spam, exploits, vulnerabilities and alerts for Microsoft and Linux users and network administrators.