Operating System Security

A computer's operating system controls all major functions of the computer. It uses algorithms to determine which process gets access to the processor and handles all memory transfers. A secure operating system must be capable of determining which requests are safe to process and which are not.

Since many computers are connected to a network of some kind, the operating system is also in charge of all network traffic. If the operating system is poorly designed, a malicious hacker or malicious script will be able to force the host computer into doing something that the user did not intend to happen. Operating system security is so important that the United States Department of Defense created the Trusted Computer System Evaluation Criteria, which sets basic requirements that every operating system must have in order to be considered secure.

Database Security

Every single online business keeps databases. These databases hold sensitive information about their customers, including contact information, social security numbers, driver license numbers and credit card data. Since these databases hold sensitive data, keeping them secure is a top priority. This security is ensured in several ways. The first crucial aspect of its security is by controlling access to the database. This can be done physically, such as keeping the medium holding the database in a locked room and limiting access to only those who need it. This can also be done with software, such as only allowing certain computers or users access. This is is accomplished with authentication. Essentially it is a way of ensuring that the person who is accessing the database is authentic, or in other words this person should have access to the database. Since many people can have access to the database, auditing the database becomes necessary. This means that records should be kept about who entered the database and what was changed so fallacies can be corrected. Of course, someone unauthorized may be able to gain access to the database, therefore all data stored should be encrypted to prevent its contents from being read by unauthorized parties. The final part of database security is to ensure the integrity of the data. This can be accomplished with a CRC algorithm. This algorithm is a mathematical calculation that generates a CRC value for a certain set of data. This CRC value is attached to the end of the data. When the data is read, the CRC value is recalculated. If the new CRC value doesn't match the recorded one then the data has been corrupted and hence the integrity of the database has been comprimised.

Passwords: How Are They Secured?

Just how do passwords work? Perhaps the average user hasn’t given it much thought, however the password has to be digitally stored somewhere within a computer system so that the password-protected program can check the entered password against the correct one. Obviously, this can cause security issues. If the password is stored on a computer or in a database for a company, what will stop a person from simply searching for the file in which the password is stored and reading it?

This solution to this problem is hashing. Hashing uses a mathematical formula to convert the original password into something that is impossible to read by a human. This formula is designed so that it is a one-way process. A password can be converted into a hash but it is almost impossible to convert a hash back into the password. This leads us to another problem. If the hash cannot be converted into a password, how does the program verify the password entered? It doesn’t actually compare the passwords, it compares the hash to the passwords. If the two hashes don’t match, then the password was incorrect. However, this leads us to yet another problem. Certain mathematical formulas can give the same hash value for two completely different passwords. Therefore, before the mathematical formula is used, a formal proof is necessary to ensure that it will produce a different hash for every single password. Once hashing is implemented, even if someone is able to obtain the list of hashes they will not be able to extract the actual passwords.

RFID Chips In Credit Cards: Are They Secure?

Often people do not realize that virtually everything somehow relies on a computer chip. What people also do not realize is the security issues involved when a computer chip is used to control a device, particularly one that deals with sensitive data. When a computer chip becomes integrated into a credit card, security issues become paramount.
An experiment done by The Univerisity of Massachussets proved such vulnerabilities. Even though the protocols and commands used by Radio frequency identification chips, or RFID, could not be found publicly, the team of researchers were able to reverse engineer both the readers and the credit cards themselves. They stated that "The experiments indicate that all the cards are susceptible to live relay attacks, all the cards are susceptible to disclosure of personal information, and many of the cards are susceptible to various types of replay attacks. In addition, we successfully completed a cross-contamination attack against the magstripe of one card. All but one of the other cards tested appear to be susceptible to the cross-contamination attack as well." Unfortunately, people are led into a false sense of security when they used credit cards with an embedded RFID chip. If people knew of these vulnerabilities, would they be so willing to use these credit cards? If they also knew that these cards could also be read from a distance of 33 feet away with the proper equipment, would they be so quick to accept them? I know I wouldn't.
For more information, visit the University of Massachussets study here.

Viruses: Not always what they seem

In today’s complicated world of computer security, detecting viruses and other malware has become essential in keeping your computer secure. However, often times security software requires that people use common sense. If a computer file does not contain an exe extension, meaning that it is a runnable program, it usually cannot perform any malicious acts upon your computer. Unfortunately, as blogged about by pccybertek, a new virus is able to embed itself in a gif file, which is a type of file that normally contains an image. Fortunately, the virus cannot be run unless the extension of the file is changed to exe and the user runs it. This blog states that “you don't have to worry about .gif files being a virus at this time”, however I disagree. I think that most people are uneducated in the field of computer security, and they may just unknowingly change the file extension, especially if something pops up telling them to do so. I feel that this actually does pose a significant security risk, since many anti-virus programs skip files that aren’t able to be infected, a gif being one of them, in the interest of faster scanning times. This would allow the file to reside on your computer undetected until someone finally changes the extension and the program is allowed to run. So what should be done? I agree with pccybertek when he states that “You should never have to change the extension”. If you are asked to change the extension, it is probably a virus and should be deleted immediately. Also, if the file is unable to be opened through normal means or if an error comes up when opening the file, then chances are the file extension is wrong and it should be deleted immediately.

Open Source: Is it safer?

Open source software means that the code used to create the program is publicly known, and not hidden like most software packages a person would pay for. These programs, such as the web browser Mozilla Firefox and Linux based operating systems claim to be safer than their counterparts Microsoft's Internet explorer and Microsoft Windows. What makes these programs safer, when there are teams of professionals working on Microsoft's products?
Most security issues arise because of a bug in a certain program. These bugs, such as buffer overflows, allow a ill-meaning person to exploit the error in the code and force the program to do something the developer did not intend the program to do. These bugs are common and every single program has them. Therefore, it is not how many bugs a program has the determines the security of the software but how the bugs are dealt with and how easy it is to find them. When a company hides the code of the software, it becomes difficult for the end user to find where an error in the code is if one occurs. This is where most bugs surface, because it is impossible to simulate every possible use of the program before it becomes available to the public. The user simply sends a report to the software vendor and they try to recreate the exact situation to find the bug. Unfortunately, this is not always possible because a program has an almost infinite number of directions it can go in, thereby constantly changing variable values. However, if the code is publicly available, the end user can debug the software exactly when the error occurred, increasing the probability that the bug can be found. Since more people are looking for bugs than in software where the code is hidden, the time it takes for the bug to be fixed greatly decreases. In fact, according to independent tests, Internet Explorer was unsafe for 284 days in 2006 while Mozilla Firefox was unsafe for only 9. Sometimes the best things in life really are free.

Encryption: The Backbone of Security

In order to protect sensitive data being sent across the internet, a process called encryption is used. Encryption uses some sort of mathematical function that transforms the data, making it unreadable by everyone except the person who possesses the key, which is used to transform the data back into its original state. When the data is transformed, the process is called encrypting. When the data is received and converted back into its original form, the process is called decrypting.
How well an encryption technique works depends upon several factors. First, the larger the key is the safer the data will be. What is more important is what technique is used. The transformation must create a set of data that does not seem to fit any kind of patterns, otherwise it would be simple for a computer program to simulate data and find the function that was used.
One of the problems encountered when data is encrypted is that somehow the encryption key has to be known by both parties. This creates a problem because the encryption key has to be sent unencrypted, or encrypted by some other encryption technique. However, this means that if the other encryption technique has already been cracked then the new key will be immediately know. Public key cryptography, also known as asymmetric cryptography overcomes this problem. This algorithm is employed by SSL encryption, which is used for many banking sites and to verify passwords for emails. This algorithm uses two keys; one is used to encrypt the message and the other is used to decrypt it. Therefore only one key needs to be made public, and the other can be kept private. The public key can be used by anyone to encrypt a message, but it can only be decrypted by the private key. This increases the overall security of the encryption algorithm.