Blog of Random Thoughts and Pictures

API Authentication

July 8th, 2012

Options for the design of real-time API authentication

Virtualisation for Security

July 8th, 2012

The Hoff over on Rational Survivability points out Elemental: Leveraging Virtualization Technology For More Resilient & Survivable Systems. This is an approach taken in our PASSIVE project.

Protection and Trust in Financial Infrastructures

September 24th, 2010

Not one of our first projects to start in the FP7 programme, but our first project to finish. PARSIFAL was a coordination action, funded by the European Research Programme for Critical Infrastructure Protection. Its objective was to define how to better protect Critical Financial Infrastructures (CFI) in Europe.
There was a limited set of partners on the project: ATOS Origin Sae, Spain (coordinators); ACRIS GmbH, Switzerland; @bc – Arendt Business Consulting, Germany; Avoco Secure Ltd, UK; EDGE International BV, Netherlands; and of course ourselves from the TSSG.
The key achievement of the project was to strengthen engagement between the European Commission and the Financial Services Industry in terms of trust, security and dependability. Financial Services are seen as critical ICT infrastructure, and so the purpose of this project was to provide direction for future research programmes, helping to align research in this area to the needs of the Financial Services Industry.
Parsifal has produced a whitepaper to highlight its achievements [pdf].
There is also a document which gives some further details of the main research gaps in the area, such as the classification of identity attributes for on-line and mobile users of financial services. The document points out that these identity attributes should be defined and well understood by providers of these services and their customers, and in particular:
3.1 Classification of identity attributes for online and mobile users
3.2 Trust Indicators for financial services to determine risk level
3.3 Multiple-identity management platforms
The new dimension of cloud computing, architectural changes and de-perimeterization can lead to new needs for standardization and regulation (flexible virtual concentration):
4.1 Standard and cross-border digital identities in the financial market
4.2 Data-linked security policies
4.3 De-perimeterization of organizations: models and cross-border issues
5.1 Design and implementation of secure platforms and applications
5.2 Model definition
For the full document, read Section 3.1 of the Gap analysis report.
One of the main research items from the project has been the draft ontology of financial risks & dependencies within and without the Financial Sector (D2.1 – V2.0) [pdf].
The aim of the document is to contribute to a common understanding of the key concepts in risk management and financial infrastructures. It presents a simple model combining the ontologies from both the security and the financial sector.
There are ontologies in three work areas (business continuity, control engineering, trusted sharing of sensitive /confidential information). These ontologies lay the ground for further approaches, while one-page roadmaps illustrate the instant benefits of this approach.
There is an extensive structured glossary in the document too. This glossary is based on a compilation of terms available from public institutions (like the European Central Bank) or known experts. It also includes terms appearing in the other deliverables of the Parsifal project that are especially relevant to our context.
The main contributors to this work were J.-Yves Gresser, B. Haemmerli, S. Morrow, H. Arendt and Keiran Sullivan (TSSG), with Keiran leading a paper in the area “Risk ontologies – Security or Trust? Terminological & Knowledge Organisation”, TKE 2010, Sept. 2010.
All in all, not a bad output from a humble CSA.

Protecting privacy in this social networking age

April 28th, 2009

I must admit I’m an avid reader of Bernie Goldbach’s blog, and his most recent assertion in regards to protecting personal privacy online rings true.

This goes hand in hand with some recent material coming from the EC in regards to privacy in the digital age [pdf]. The theme coming through here is clear: “European privacy rules are crystal clear: a person’s information can only be used with their prior consent”.
It’s the rule, but then I wondered how this would be enforced, which led me to find this site on what the EU is doing in regards to Social Networking sites.
There’s a document off the site that makes for interesting reading, “Safer Social Networking Principles for the EU” [pdf]. Here are the 7 principles SNs should consider:

  • Principle 1: Raise awareness of safety education messages and acceptable use policies to users, parents, teachers and carers in a prominent, clear and age-appropriate manner
  • Principle 2: Work towards ensuring that services are age-appropriate for the intended audience
  • Principle 3: Empower users through tools and technology
  • Principle 4: Provide easy-to-use mechanisms to report conduct or content that violates the terms of service
  • Principle 5: Respond to notifications of illegal content or conduct
  • Principle 6: Enable and encourage users to employ a safe approach to personal information and privacy
  • Principle 7: Assess the means for reviewing illegal or prohibited content/conduct

There are some pretty compelling signatories to these principles.

Trust within network enabled relationships and software security errors

April 5th, 2009

Two reports to mention in this quick post. Firstly, this ISOC report [pdf], which looks (briefly) at the trust and identity issues that are to be tackled on/for/with the Internet. The key point I took from it is that we should “incorporate trust as a core element of the Internet design and deployment process”, and in doing so we should look at:
What are the alternative futures for trust and the Internet?
Where do you see the boundaries between technology and policy?
Moving on, I found the following classification of coding errors from Fortify Software intriguing. ColdFusion, C/C++, C#/VB.NET/ASP.NET, HTML, Java/JSP, JavaScript, PHP, PLSQL/TSQL, VisualBasic/VBScript/ASP, Webservices and XML are covered, although I think some effort should also be placed on Python, Perl, Delphi and Ruby.
TIOBE Programming Community Index Chart for March 2009


Security threats, IPv4 address ownership and P2P traffic

February 15th, 2009

Via Circle ID I picked up on this IBM X-Force(R) Trend and Risk Report for 2008. There’s plenty of insight from the Circle ID and IBM executive summary on the headliner treat items … sorry, typo, I meant to say threat items. What I took from the report was on page 40 and [drum roll, please] the most vulnerable operating system, as per usual, is … Apple Mac OS X. No, hang on, that cannot be right, please explain this one! (It was followed in the list by the Linux kernel, Sun Solaris and then, well, you know who.)
I’m still scratching my head. Anyway, the other item, which has caught out my parents twice in the past year, is this scareware trend in malware, which for me is just the lowest of scams and a real pain to remove once a machine has been caught. Unfortunately it looks like a trend that is not going to go away in 2009.
As for the shift to IPv6, well, it’s interesting to see what’s happening in the current IPv4 world. According to this report by Gordon Cook, in which it is outlined how IPv4 numbers are becoming transferable and consequently property, a case is laid out as to how there is a new opportunity to “own” IPv4 addresses, and the report wonders how incumbent services and infrastructure providers are likely to respond. According to the report, it looks like it is the beginning of the end for the current “open Internet”.
And finally, the percentage of peer-to-peer file sharing traffic on the Internet is between 1.2% and 93%, mostly from your home network … or maybe on an academic campus network … or maybe just inconclusive, who knows?

New email standard DKIM approved to fight spam

May 25th, 2007

So news has hit that a “Promising antispam technique gets the nod” at the IETF through RFC 4871.
However, the comments added to the piece on Lifehacker (New email standard approved to fight spam) and Slashdot (Bye Bye Spam and Phishing with DKIM?) paint a different picture of how much people really do care about spam in today’s world!
If you want to learn more technically, then DomainKeys Identified Mail (DKIM) is the place to go.

A mighty number falls, which may lead to changes in encryption techniques

May 23rd, 2007

Looking at this article, A Mighty Number Falls, and a follow-up article on this record factorization into prime numbers, it may make the case for sweeping changes to encryption techniques.