IT for Decision Makers
Security and Networking Issues
GROUP DISCUSSION AND QUESTIONS

Discussion Topic 1: Future security

Computers and networks originally were built to ease the exchange of information. Early information technology (IT) infrastructures were built around central computers or mainframe solutions while others were developed around the personal computer. What some thought impossible became reality and today businesses are being driven by the power of the personal computer that users access with just a user name and password.

But as the information revolution opened new avenues for IT, it also opened new possibilities for crime. Attackers used these opportunities to steal passwords and gain access to information or to create disastrous effects on networks and computers.

The nature of computing has changed over the last few years. Networks are designed and built to facilitate the sharing and distribution of data and information. Controlling access to these resources can become a problem because you need to balance the requirement for access to free information with the value of the content of that information. Some information is more sensitive in nature than other information; this leads to the need for security requirements.

Today, IT security has progressed to more than just user names and passwords. It involves digital identities, biometric authentication methods, and modular security strategies.

Questions:
1. Do home dialup users need to worry about security?
2. How much responsibility should software vendors take for the security of their software?
3. What will information security be like in the 21st century?

Discussion Topic 2: SMART CARDS

Smart cards are credit card-size devices that carry an embedded microprocessor and memory and can store and often process information. Smart cards are growing in popularity for a number of applications, including transportation, telecommunications, debit purchasing, and health care.
Smart cards, which are now widely accepted in Europe, are gaining momentum in the United States. The best-known factor that has slowed the adoption of smart cards in the United States and in some developed countries is the widespread use of magnetic-stripe credit cards (e.g. VISA, MasterCard). Other major barriers to the success of these cards, despite the ongoing promotion and trials of their use in most countries, are customer habits, limited infrastructure and costs of deployment. Despite these issues and other concerns, smart cards are gaining popularity in the world because they are tamper-resistant, they offer high levels of data control and accountability, they are the most secure way to handle private information, and they are easy to carry, with no need for cash or coins.

A smart card, unlike a credit card, can accept, store, and send information. It can hold as much as 80 times more data than magnetic-stripe cards (credit cards), and the embedded semiconductor chip can be either a memory chip with non-programmable logic or a microprocessor with internal memory. With cash values, smart cards can be used for all types of transactions or even money transfers without leaving any electronic trail.

There are two main categories of smart cards: contact and contactless. A contact smart card communicates directly through a physical interface when the card is inserted into a smart card reader. A contactless smart card, on the other hand, communicates remotely with the smart card reader via an electromagnetic interface. These non-battery cards are powered by microwave frequencies and they need to come within 2 to 3 inches of the card reader to be powered. "Fast card" interfaces, such as those used by transportation fare cards, have greatly benefited from the contactless interface, which allows a customer to quickly wave the card near the device instead of inserting and removing a card, which can slow down lines.
In addition to the different card interfaces mentioned above, there are also two different types of smart cards: memory-chip cards and smart cards with microprocessor chips. Memory-chip cards are cheaper and can only store information; they cannot process it. These smart cards, similar to magnetic-stripe cards in this respect, are used mainly for basic applications such as telephone cards, public transport or shopping, leaving no electronic trail.

Smart cards with microprocessor chips are more secure and can do far more than memory-chip cards. The microprocessor lets a card not only store information, but also add, delete, and manipulate data in its memory. These cards are programmed with more algorithms and are capable of more complex tasks: for example, a health care card can offer a doctor and a pharmacist different levels of data access while allowing anyone to read basic information, such as name and emergency contact number. One might think of a microprocessor smart card as a miniature computer on a plastic plate. It can support applications that offer advanced services with a high degree of data security.

A smart card basically consists of three parts: a plastic card with or without a magnetic stripe, an electronic module supporting the electrical contacts, and a silicon integrated circuit. All of the components (central processing unit, memory, and input/output (I/O)) are in the same integrated circuit chip with electrical connections tying them together. Thus it is difficult for foreign signals to tamper with the interconnections of the components inside the chip; this enhances the security of the smart card.

The need for security and protection of privacy is growing as electronic forms of identification multiply in our computing-pervasive world. The increasing popularity of the Internet and the expansion of corporate networks have accelerated the demands to prevent unauthorized data access.
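
The health care card described above, with different levels of access for a doctor and a pharmacist and basic information readable by anyone, sketched as an added example that is not part of the original handout. The role names, field names, sample records and the HMAC challenge-response used to prove a role to the card are assumptions made for illustration; the Python class stands in for code that would run on the card's microprocessor.

```python
import hashlib
import hmac
import secrets

# Constructed sample policy and data; role and field names are assumptions.
PUBLIC_FIELDS = {"name", "emergency_contact"}
ROLE_FIELDS = {
    "doctor": PUBLIC_FIELDS | {"diagnoses", "prescriptions"},
    "pharmacist": PUBLIC_FIELDS | {"prescriptions"},
}


class HealthCard:
    """Simulated card: records and role keys stay inside; the card decides access."""

    def __init__(self, records, role_keys):
        self._records, self._role_keys = dict(records), dict(role_keys)
        self._challenge = self._role = None

    def get_challenge(self):
        # Fresh nonce per attempt, so a captured response cannot be replayed.
        self._challenge, self._role = secrets.token_bytes(16), None
        return self._challenge

    def authenticate(self, role, response):
        key = self._role_keys.get(role)
        challenge, self._challenge = self._challenge, None  # single use
        if key is None or challenge is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self._role = role
        return self._role == role

    def read(self, field):
        if field not in ROLE_FIELDS.get(self._role, PUBLIC_FIELDS):
            raise PermissionError(f"{field} denied to {self._role or 'anonymous'}")
        return self._records[field]


def terminal_response(role_key, challenge):
    """What a terminal holding a role key computes for the card's challenge."""
    return hmac.new(role_key, challenge, hashlib.sha256).digest()


def demo_card():
    keys = {role: secrets.token_bytes(32) for role in ROLE_FIELDS}
    records = {"name": "A. Patient", "emergency_contact": "555-0100",
               "diagnoses": "asthma", "prescriptions": "salbutamol"}
    return HealthCard(records, keys), keys
```
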
The basic value of smart cards lies in their capability to store personal information with a high degree of security and portability. They provide hacker-resistant storage for protecting private keys (unique identification known only to the owner), account numbers, passwords, and other forms of personal data. Smart cards also isolate security-critical computations involving authentication (access verification), digital signatures, and key exchange from other parts of the system. Smart cards have already been used to enhance authentication between sites by controlling access to intranets and extranets from outside, and to protect the privacy of data, files, and email. Smart cards also provide portability for securely moving private information among systems at work, at home, or on the road.

Smart card users will not need to memorize their passwords or employ a different password for every application; they can carry the cards with them. With the growing security concerns of corporations and individuals, smart cards are offering far more security protection than magnetic-stripe cards.

Question: Can you feel a lot more secure with a smart card?

Discussion Topic 3: Cyber attack

By Brian McWilliams

KANSAS CITY, MISSOURI, Oct 18, 2001 (Newsbytes via COMTEX) -- A Pakistani hacking group has defaced a Web server operated by the U.S. government and threatened to hit American and British military sites unless its demands are met.

A Web server operated by the National Oceanic & Atmospheric Administration (NOAA) was attacked this morning by a group known as GForce Pakistan, according to records at Alldas, a Web site defacement archive.

The attackers replaced the site's homepage with their own, which bore the title "GForce Strikes Back" and contained a 350-word text message. The message said the group would target "major US military and major British Web sites" in coming days and jeopardize their internal security.
GForce claimed to have "some very high confidential US data" that it would hand over to officials of Al Qaeda unless the U.S. met several demands. The group's confusing ultimatum included the removal of U.S. troops from Saudi Arabia, the cessation of bombing in Afghanistan, and the production of "evidence," among other demands.

Al Qaeda is the terrorist organization blamed for the Sept. 11 attacks on America.

NOAA officials were not immediately available for comment.

The compromised site, located at the Web address http://anburs.kc.noaa.gov, appears to be part of a network operated by the organization's Aviation Weather Center in Kansas City, Mo., and may have been somehow involved in a system for data exchange between the National Weather Service and the Federal Aviation System known as Alphanumeric Backup Replacement System (ANBURS).

The server, which was unreachable this morning, was running the Linux operating system and had open file transfer protocol and telnet ports, according to a scan performed by Alldas.

The message from the attackers said GForce Pakistan condemns the terrorist attacks on the U.S. but also supports Al Qaeda. "Usama Bin Laden is a holy fighter, and whatever he says makes sense," said the group's message.

At the bottom of the defaced page under a heading that read "We Are In No Way Responsible For This Message" was a section of text announcing the formation of a group called Al-Qaeda Alliance Online. According to the text, the group will target major U.S. government sites in coming days.

"We won't hurt any data, as it's unethical. All we want is our message conveyed," said the message.

The text also included this threat aimed at U.S. President George W. Bush and U.K. Prime Minister Tony Blair: "The day of judgment is very near for both of you."

On Tuesday, the FBI warned Americans to expect an increase in cyber protests.
The agency's National Infrastructure Protection Center said that besides defacements and denial of service attacks, the "hacktivists" could also target systems supporting "the national infrastructure."

Question: How secure is secure?

Supporting articles from the Web: http://www.guardcentral.com/articles.shtml