This Month
| July 2006 |
| Sun |
Mon |
Tue |
Wed |
Thu |
Fri |
Sat |
|
|
|
|
|
|
|
1
|
|
2
|
3
|
4
|
5
|
6
|
7
|
8
|
|
9
|
10
|
11
|
12
|
13
|
14
|
15
|
|
16
|
17
|
18
|
19
|
20
|
21
|
22
|
|
23
|
24
|
25
|
26
|
27
|
28
|
29
|
|
30
|
31
|
RSS Newsfeeds
Main Page RSS
Guest Column RSS
This work is licensed under a Creative Commons Attribution 2.5 License.
|
Tuesday, July 25
Security Challenges of RFID - Muni Tripathi
by
RaviC
on Tue 25 Jul 2006 11:54 PM PDT
Security Challenges of RFID by Muni Tripathi, CISSP
Radio Frequency Identification (RFID) technology is popular with many retailers and the consumer-products manufacturers. However, RFID technology is not very secure at present. So far, there have been no known reports of security breaches, but how long can we remain complacent? Lack of security and high cost to incorporate it is a big hurdle in further making this technology popular.
The main security concerns with RFID are the interception of information in the clear as it travels from RFID reader to the network, reprogramming of chips to alter the information contained and the high impact of breaches. A hack in RFID network may potentially have far bigger impact in the supply chain than an isolated event of manual errors. The breaches can happen at the RFID tag, network or data level. A major problem in putting latest security technology on the chip is its limited processing power. The existing security solutions demand too much CPU power. Although technology and systems exist that can perform the necessary security tasks efficiently (such as IPSEC and SSL accelerators), these systems are expensive. So development of security technology, which can fit in the space, and cost requirements of supply chain systems is necessary to provide peace of mind to users.
There have been rumors in the law enforcement circles that hijackers of cargo trucks are using RFID readers to locate high value items to steal. Supply chain data could be corrupted by rogue RFID tags, change its data to random in a denial of service attack. Not everything is as bad as it sounds though, RFID does provide higher level of security but it’s mostly security by obscurity. Once the use of technology reaches a turning point, there will be more incentive for people with malicious intent to launch attacks and then obscurity no longer will work. Unlike bar codes RFID tags are harder to counterfeit. One needs knowledge and right set of tools to counterfeit RFID. Imagine what happens when RFID becomes a common use technology and it is using insecure wireless channels. Potential for damage is huge and supply chains of the companies who depend on RFID can be compromised resulting in huge losses. This is no longer a pipe dream; many of the world’s retail chains are routinely using RFID in their supply chain.
RFID systems mainly have three components, RFID tags, RFID readers, and RFID servers that process the data and store it. Securing RFID server requires same level of security as any other server. Access to servers should be authenticated and communication channel should be secure to have security guarantee. Solving both of these problems points us in the direction of RFID readers, readers are the devices which read the data from tags and send back relevant information to server over a network. This communication channel whether it’s wired or wireless can be secured with the use of SSL or SSH. The weak link in the chain of security is RFID tag. The RFID tags allow reading the information off of them to a reader. There is no authorization check or authentication to prevent leaking the information to a drive by RFID reader. Similarly, information on RFID tags can also be modified by unauthorized entities.
There are few potential solutions to fix the security issues surrounding tags but none of them is foolproof. One of the ways is to kill the tags, the tags are de-activated at the checkout, and thus users of the merchandise do not broadcast information about where they bought their items. However, it does not solve the problem of using the tags within the supply chain. Another solution is to use light weight authentication methods which are suitable for the low processing power environment. This is an active area of research. We can hope to see some innovative new solutions coming to the market in next few years that will solve the security issues and will make the use of RFID more popular.
References:
http://www.informationweek.com/story/showArticle.jhtml?articleID=52601030&tid=13690
http://www.ccmsectorinvest.com/detailednews.asp?intReleaseID=8704&d=11*2005&n=36
Friday, June 23
Some Security Ramblings by Muni Tripathi, CISSP
by
RaviC
on Fri 23 Jun 2006 09:35 PM PDT
Some Security Ramblings by Muni Tripathi, CISSP
As long as you have never been mugged or threatened for your life, security is a very boring topic. I keep trying to make it interesting to myself; otherwise imagine how I can survive with all this cryptic stuff for so long. How do I do that? Beats me. Imagine thinking of CIA (Central Intelligence Agency) all day long…ooh… scary… oh come on. Are you really scared? I am just talking about CIA (confidentiality, integrity, availability), three most common services of security.
Think of opening the garage door of every house in your neighborhood; imagine you don’t need the keys to anyone’s house? What will I do with so many keys? Nothing, it’s just fun to think about it. Think, how will you design a garage door opener that can not be broken? (It is a real question that is asked if you are interviewing for security positions).
Think of designing a protocol that does a secure exchange over a network. There are so many already, almost one for each network layer and one for each application, then why do I think about it? It’s just fun to keep looping in my mind and trying to get a loop hole in a design which everyone else thinks is superb. How hard is it? Hardly, its piece of cake, it’s been done already, use other people’s brains, duh…, I am no cryptographer, so who will trust my protocol anyways.
Think of beating a bank’s security system, putting keyboard loggers at the keyboard of bank’s tellers, gets you a treasure trove of customer information. Did I think about it myself? No, you bet, it is the latest craze in bank robbery technique.
Think of stealing all the credit cards numbers in the world. Should I intercept all the traffic from going back and forth on the network? Nah, there are easier ways. I shall buy an executive’s second hand laptop on ebay and descramble its memory. It will be so much fun.
Think of finding a weakness in software. You think I need the code to do that or play with the software. Beep, wrong again, I shall use a de-scrambler on the binary and generate assembly. Is it hard? You bet, but it’s more fun this way.
Think when you are bored to death? What you will do? I shall write this gem of a piece. Whatd’ya think?
Monday, May 8
Why is it hard to implement security projects? – part 4 - Muni Tripathi
by
RaviC
on Mon 08 May 2006 08:25 AM PDT
Why is it hard to implement security projects? – part 4 by Muni Tripathi, CISSP
Once you have planned for a project as well as you can, its time for execution. A project manager relies on a team to complete the project; therefore there is not much hands on implementation (security design and coding) work. Though, one may argue that project manager should be hands-on. For a large project, a project manager has enough of project management tasks that he or she cannot do justice to both project management and implementation at the same time. Therefore, it is important to have trust in the team and follow the processes.
It is essential during the execution phase to keep track of overall goals of the project, communicate that with team members, and verify that team is working on the right set of priorities, solving right set of issues and implementing a design that fulfils the goals. It is very easy for people working in the trenches to lose track of the big picture and get mired into details. Any project has its set of unknowns (security projects more so) and team members can get lost in solving those unknowns which may be good to know, but can perhaps be worked around or mitigated in some other way. It is easy for people to lose focus over time and drift away from the original direction if communication is not regular. Communication need not be one-on-one. It can be made regular by weekly status reports and weekly team meetings. Team meetings should give everyone a chance to briefly describe previous week’s accomplishments and next week’s plans. When whole team’s input is combined, this gives a fair idea of where project is going and how far along it is towards achieving the goal. Team meeting can also be a forum to resolve common issues (technical or non-technical), receive feedback and propagate new information about the project. Feedback from team members is important to take corrective actions, if there are problems or to improve the processes.
As the execution phase progresses; new information comes to light and team develops new insights into problem solving. These may trigger changes that lead us to control phase of a project. Briefly, control phase refers to monitoring of the project status, managing risks and putting the feedback into planning process. Thus, most projects go in the cycle of execution, control and planning where project plan may be changed several times. Change in the plan feeds back into execution and cycle continues until the stated goal of the project is achieved.
Project management discipline is well developed in theoretical concepts and practical knowledge base. In this series, attempt has been to touch upon practical issues in the project management and put them in the perspective of security domain. It may appear that a lot of the discussion is applicable to any kind of project and it is true. Project management techniques and skills are applicable to a wide variety of projects although it helps if a project manager has a background in the project domain. In many cases, when project managers are outsiders to a domain, success of the project depends on their analytical approach and being able to build mutual trust with the team. As a closing statement it is worthwhile to note that there is no substitute for knowledge and experience that comes with time. More mistakes one makes in current projects, greater the chances of learning and greater the chances of being successful next time.
Monday, April 24
Why is it hard to implement security projects? – part 3 - Muni Tripathi
by
RaviC
on Mon 24 Apr 2006 07:00 AM PDT
Why is it hard to implement security projects? – part 3 by Muni Tripathi, CISSP
Once the project scope has been determined appropriately, next phase is planning. Planning requires breaking down the tasks to complete the project. The formal document that records the tasks, deadlines and who is assigned to tasks is called WBS (work breakdown structure). Creating WBS forces project manager to think about the project in terms of timelines, individual tasks and personnel resources. Creating WBS for security project can be a challenging task and it is harder than it seems.
One of the issues that require focus is task estimation. How do you estimate the time a task shall take to complete? If estimate is too low, project schedule is at risk. If estimate is too high, cost overrun may occur. This is where the experience and knowledge of project manager is useful. Estimations are based on experience of accomplishing similar tasks and on knowledge of how long a task should take. It is advisable to keep some buffer time in schedule to account for unavoidable delays. A rule of thumb, which I have seen for good estimates, is to account for 6-hour workday instead of typical 8 hour. It is because people work 8 hours a day and not all of it is spent directly working on project. Many of the daily activities include status reports, meetings, company events, socializing and such. If project schedule depends on people to put in more than 6 hours day and weekends, it’s a wrong start. No matter how motivated people are, and no matter how many extra hours historically they have been putting in, it is wrong to make a schedule that depends on it. A project that does so is doomed for delay from the beginning. There are many projects that succeed without following this guideline, but that speaks more about the culture (ex. start-up) of the organization and is not sustainable over long periods of time.
Planning task is made harder for security projects, since it’s a moving target and therefore dynamic in nature. An IT team working on a project can be pulled into an incident response any time. This disrupts the rhythm and progress of the project and may not be completely accounted for in advance. In those cases, right communication with stakeholders becomes crucial. If stakeholders are effectively communicated about the impact due to other ongoing activities, they are likely to support change in plans (schedule, resources etc.).
Task estimations are sometimes incorrect because persons estimating the tasks are not familiar with team members. A new employee may take longer to complete a task compared to a person who has been in team longer and hence knows more about the system. Therefore, project manager should be familiar with team member’s skill set. A formal skill matrix is a useful tool for large projects where it may be too time consuming for project manager to know everyone personally.
Most of us have a story about how the project goals and priorities keep changing even after the project is well under execution. It is frustrating while working on the project to disrupt current activities, shift priorities and move on to something else. There is not much a project plan can do to account for such radical shifts. So do best planning and leave rest to business people. When a project successfully completes as per plan, it is a very satisfying feeling.
Monday, April 10
Why is it hard to implement security projects? – Part 2 - Muni Tripathi
by
RaviC
on Mon 10 Apr 2006 07:31 AM PDT
Why is it hard to implement security projects? – Part 2 by Muni Tripathi, CISSP
The best-managed projects are finished under budget, in time, with great quality and within scope. The seed of such a successful project is sowed when defining the scope. Define the scope too big or vague and project is doomed for failure. Define it too narrow, and it may not satisfy the requirements it set out to meet. A good project scope requires a clear vision of what is expected out of the security posture of the company, although only vision is not sufficient to determine the scope.
An example of a security vision of a company is “secure all company and customer data from potential breaches and unauthorized disclosure”. This is a good vision, but it is a bad project scope. There can be many security projects to fulfill this vision, each with its own scope. The scope of a project to create a security perimeter for the company is very different from a project to secure data at rest, although each partially fulfills the company’s security vision. A good project scope is specific and creates an image of the desired goal. To take the above example of “securing data at rest“ project scope; this scope is still too broad. What at rest data is to be secured? Is it database, a file system, user’s PCs, removable media such as DVDs, USB devices? One may conclude that it is not possible to secure every possible media, therefore restrict the scope to database, and put other mechanisms in place to prevent compromise of data. Point is, in order for a security project to be successful; scope should be very clear and should have buy in from stakeholders.
As happens with many projects, security projects are expected to be complete yesterday, not tomorrow. Therefore, it is extremely important to set the right expectations from the start with all stakeholders. Follow the mantra of under promise and over deliver. In long run, this builds credibility with management and engenders trust. If it appears that there are too many things to do and scope is big, take a deep breath and follow divide and conquer. There is no rulebook that says that everything has to be done as part of one project. Divide the security objectives you are trying to achieve and make them different projects. Implement security in a phased manner and make use of third party vendors to offload your work wherever necessary. Of course, all this requires buy in from stakeholders, so keep them in the loop.
Despite everything one does to keep the scope under control, there will be moments when one has to make a choice and go against expectations from management. It takes lot of courage to stand up and tell the management truth that a project will take longer especially when expectations are high. But it must be done for the success of a project. It is better to keep everything in open as far any doubts or hesitations are concerned rather than thinking it can be figured out later. Every single item, that is left unclear or in doubt shall come to bite later. All stakeholders will be happy to know about any problem sooner and be grateful that you pointed them out.
(continued)
Monday, April 3
Why is it hard to implement security projects? – Part 1 - Muni Tripathi
by
RaviC
on Mon 03 Apr 2006 07:00 AM PDT
Why is it hard to implement security projects? – Part 1 by Muni Tripathi, CISSP
If you ever attempted to implement security perimeter for an organization, you know how difficult it can be to get through the project. Implementing enterprise security is very similar to any other project, only harder and requires excellent project management skills. Let us look at a security project in terms of project management lifecycle and examine one step at a time. Ideas presented here are not new, just that they are good to refresh your memory and hopefully useful when you find yourself in situations with resistance. Project management consists of five stages:
- Initiation: start of a project
- Planning: planning for a project
- Execution: implementation of a project
- Control: monitoring and risk management of a project
- Closing: close of a project
Security projects have to go through a pre initiation stage which I shall call ‘awareness’ stage. Business executives may not be aware of the need of security, therefore hard to convince about getting a project budget and a green light. A business executive may not see the ROI (return on investment) for investing hundreds of thousands of dollars on an activity which he considers not central to the development of business. It is the task of IT to convince the business folks, that security is not an option; it is a requirement for the existence and survival of the organization. Security is like an insurance policy, the benefit of which is realized only when bad events happen. If all is going well, it may become hard to see the benefit. Loss of business data and resulting consequences are a convincing argument to ask for security budget. These days, it is easier to make your case by mentioning SOX. Business understands legal implications faster than they grasp security implications. So bring legal implication of SOX compliance, loss of consumer and business data and anything else which your industry justifies. Quantify the dollar amount, which may be lost in case of security breaches. In many cases quantification can become a separate risk analysis project. May be, results of risk analysis will convince the business, if all else fails. If results of risk analysis say there are not enough risks, then security is a moot point.
(continued…)
Tuesday, March 28
Revocation Checks for Digital Certificates – part 2 - Muni Tripathi
by
RaviC
on Tue 28 Mar 2006 07:00 AM PST
Revocation Checks for Digital Certificates – part 2 by Muni Tripathi, CISSP
Previous write up discussed CRLs and delta CRLs in the context of certificate revocation processing. Use of delta CRL mitigates the problem of scalability to a great extent. But it can still be large in size and consume more bandwidth than necessary. Delta CRL is issued at periodic intervals; hence a client querying a delta CRL will cache the old response until the next delta CRL or CRL is issued. This is still a scalability issue and consumes the bandwidth by loading every CRL or delta CRL update. It is desirable to have a central server where all clients can go and ask for status. The task of managing and updating revocation information is left to this central server.
OCSP (online certificate status protocol) solves this issue. OCSP allows clients to request certificate revocation status in real time to an authorized OCSP responder. OCSP responder is typically certified by issuing CA (which is same CA that issued the certificate whose status is being checked), hence client can trust it. In some cases, where issuing CA does not certify OCSP responder directly, an explicit trust relationship must exist between client and OCSP responder. OCSP response only contains status information about the certificate(s) in the OCSP request; it does not carry extra information, thus leading to bandwidth savings in comparison to delta CRL (or CRL) which contains list of revoked certificate since last update.
To check the status with OCSP, certificate verification process issues an OCSP request for an OCSP responder and passes the information about certificate whose status it wants to check. OCSP responder receives the query and responds with the status (good, revoked, unknown). Responses are signed with OCSP responder’s key, thus guaranteeing the authenticity and integrity of response. To reduce the amount of requests, a client can combine multiple revocation queries in a single request.
Revocation for certificates is now becoming more main stream due to increased security threats. Firefox and IE both support the configuration to enable revocation check. It is therefore good to be aware of what are revocation methods and enable them for higher level of security where ever possible.
Monday, March 20
Revocation Checks for Digital Certificates - Muni Tripathi
by
RaviC
on Mon 20 Mar 2006 06:02 AM PST
Revocation Checks for Digital Certificates by Muni Tripathi, CISSP
When logging onto a secure site (https url) web server sends a digital certificate to browser. Many of us will be familiar with security related browser pop-ups that complain about some error in a certificate. In one of the previous write ups I mentioned about the checks browser perform to validate the authenticity of web server. Those checks include, verifying hostname in certificate against the name of the server user is visiting, verifying that certificate has not expired and that it is issued by a trusted CA. Even after all these checks; potential of a security hole in certificate verification process remains. What if the certificate has been revoked by issuing CA? Unless certificate verification process checks with a CA for revocation information, there is no guarantee that web server certificate is still valid even though all other verifications were successful.
Although it is a known problem, most of the existing browsers do not perform revocation check by default because of the difficulty of maintaining and collecting revocation information. Let us look at a simplistic view of revocation process. Typically, revocation information is distributed in the form of CRL (certificate revocation list) which is hosted on a known web server. CRL can be downloaded from web server periodically and installed with revocation checking turned on. But, the process is tedious and error prone, hence not very scalable. However, in an environment of stringent security requirements, it still provides a workable solution.
An improvement over the process is to include the revocation server information (called CRL server) in the certificate itself. Server information is extracted from certificate at the time of verification and CRL is downloaded automatically and certificate is verified against it. This is better, but it leads to scalability problems for huge CRLs. What if the CRL is large (ex. 10MB, it is not an unrealistic number, some environments do have CRLs this big)? Downloading complete CRL for all certificate verifications is not practical anymore. Therefore, CRL information is also distributed in partial chunks called delta CRLs, which is updated on a periodic basis. Delta CRL contains information about certificates revoked since last delta CRL or CRL, as the case might be, it is smaller in size and can be downloaded more efficiently.
There is one more issue which is not handled by CRL and delta CRL scheme. What is it? How is it solved? Stay tuned until next week.
Revocation Checks for Digital Certificates - Muni Tripathi
by
RaviC
on Mon 20 Mar 2006 06:02 AM PST
Revocation Checks for Digital Certificates by Muni Tripathi, CISSP
When logging onto a secure site (https url) web server sends a digital certificate to browser. Many of us will be familiar with security related browser pop-ups that complain about some error in a certificate. In one of the previous write ups I mentioned about the checks browser perform to validate the authenticity of web server. Those checks include, verifying hostname in certificate against the name of the server user is visiting, verifying that certificate has not expired and that it is issued by a trusted CA. Even after all these checks; potential of a security hole in certificate verification process remains. What if the certificate has been revoked by issuing CA? Unless certificate verification process checks with a CA for revocation information, there is no guarantee that web server certificate is still valid even though all other verifications were successful.
Although it is a known problem, most of the existing browsers do not perform revocation check by default because of the difficulty of maintaining and collecting revocation information. Let us look at a simplistic view of revocation process. Typically, revocation information is distributed in the form of CRL (certificate revocation list) which is hosted on a known web server. CRL can be downloaded from web server periodically and installed with revocation checking turned on. But, the process is tedious and error prone, hence not very scalable. However, in an environment of stringent security requirements, it still provides a workable solution.
An improvement over the process is to include the revocation server information (called CRL server) in the certificate itself. Server information is extracted from certificate at the time of verification and CRL is downloaded automatically and certificate is verified against it. This is better, but it leads to scalability problems for huge CRLs. What if the CRL is large (ex. 10MB, it is not an unrealistic number, some environments do have CRLs this big)? Downloading complete CRL for all certificate verifications is not practical anymore. Therefore, CRL information is also distributed in partial chunks called delta CRLs, which is updated on a periodic basis. Delta CRL contains information about certificates revoked since last delta CRL or CRL, as the case might be, it is smaller in size and can be downloaded more efficiently.
There is one more issue which is not handled by CRL and delta CRL scheme. What is it? How is it solved? Stay tuned until next week.
Thursday, March 2
Should Skype be banned? - Scott Johanson
by
RaviC
on Thu 02 Mar 2006 09:58 PM PST
Thirty-Three percent of Skype's 53 million registered users are using the popular VoIP service for business purposes. An enterprise that has already banned peer-to-peer (P2P) applications, such as instant messaging (IM), should add Skype to its list of unsanctioned software programs.
Why Ban Skype?
Since it was released in 2003, the freely available IP telephony program has been downloaded over 151 million times. Since Skype usage is growing rapidly both in and out of the enterprise, IT professionals must think about security from the outset. The reasons for banning Skype are nearly identical to those cited for banning IM:
1. Too firewall-friendly. Skype's proprietary closed-source VoIP protocol - which does not employ accepted VoIP standards like H.323 and Session Initiation Protocol (SIP) - allows it to traverse corporate firewalls and symmetric NATs. An unknown and unsanctioned VoIP protocol freely roaming the network - without IT's approval or assessment - poses an unacceptable transgression of IT's authority over the corporate network and computing resources.
2. Too many vulnerabilities. Buffer overflow vulnerabilities are known to exist in Skype. And since Skype travels the network as data packets, conversations are prone to capture. Problems also exist with Skype's encryption format:
* First, the encryption does not prevent a man in the middle attack.
* Second, if Skype becomes infected with a worm (which it one day will), the worm could hide in the encryption during transmission, undetected by anti-virus software. Because the encryption is closed source, there are some unanswered questions about how well the keys are managed.
* Finally, Skype recently announced that all of its VoIP clients – including Windows, Linux, Mac OS X, and Pocket PC – suffer from bugs that leave PCs prone to crashes and open computers to takeover by a hacker.
3. Poses a communication barrier with other countries or institutions. Oman and the rest of the United Arab Emirates have already banned Skype, with China likely to follow suit. Many post-secondary institutions in North America have banned Skype as well, in addition to most other P2P and file sharing applications.
4. Violates established legal requirements. For example, securities brokers operate under a mandatory requirement to record and track all telephone calls. Unsanctioned usage of an application like Skype would put a brokerage at severe risk of prosecution if caught using telephony that is undetectable, untraceable, and unauditable.
5. It's one more type of communication to secure, monitor, store, and archive. Enterprises are already struggling with records retention rules imposed by HIPAA, Sarbanes-Oxley, and other laws. In addition, the question of whether VoIP calls constitute a business record or not is a legal quagmire in and of itself. Throwing Skype into the communications mix will only further cloud the issue.
Either Ban Skype...
Enterprises that have already implemented anti-IM policies must integrate anti-Skype clauses. However, avoid introducing any policy until it is certain that it can be enforced. Although most enterprises have privacy, e-mail, and data protection policies, few police them. Diligently enforce all security and communications policies, and implement stiff penalties for non-compliance.
...Or Secure It
Start by assessing the enterprise's business need for Skype, keeping in mind that it can be used as a legitimate communications tool. Develop and implement an acceptable use policy that clearly communicates what IT will or will not support. Warn against using it to send sensitive or confidential information. Also, outline rules for client-side Skype settings (such as refusing file transfers) and enforce them.
Bottom Line
Don't allow unsanctioned Skype deployments to leave the enterprise network vulnerable to the first mediocre hacker that comes along. Crack down on Skype usage immediately.
Monday, February 13
Economic Impact of Cyber Attacks - Muni Tripathi
by
RaviC
on Mon 13 Feb 2006 07:00 AM PST
Economic Impact of Cyber Attacks by Muni Tripathi, CISSP
Determining economic impact of cyber-attacks is one of the toughest tasks because comprehensive data for cyber attacks are hard to come by. Most of the organizations do not make the security breach information public until it is required by the law or may compromise customer information. This makes the task of determining the real cost of cyber attacks and security breaches extremely hard. Based on some previous research and empirical numbers, several computer security firms produce estimate of total worldwide losses. The 2003 estimates pegged the loss ranging from $13 billion (from worms and viruses only) to $226 billion (from all forms of overt attacks). Length of the attacks contributes to the costs of the cyber attacks. Short lived attacks have small impact while longer lasting attacks increase the cost in terms of lost productivity, downtime and time spent in incident response.
One of the ways, risk can be mitigated is to buy cyber-attack insurance. There are not many insurers who provide this service due to the inexact nature of determining cost of cyber-attacks. Insurance industry has been trying to develop policies for covering cyber attacks. But there task is made harder by the lack of statistical data; organizations have strong incentives to hide information about cyber-attacks, and there are significant uncertainties and measurement difficulties that limit the ability to specify the dollar amount at risk from information security breaches. Organizations have many reasons not to report security breaches that range from limiting financial market impact, avoiding bad reputation, avoiding litigations, and liability concerns. Another strong reason not to make security breach public is to reduce chances of further attacks; if attackers know about breach, they can conclude that cyber defenses of the organization are weak and launch more attacks.
The businesses, which primarily rely on cyber world such as online retailers and service providers, are worst hit by the occurrence of cyber-attack. The extent to which a business is affected by cyber-attacks depends on the type of attack. One of the many attacks is "DOS" (denial of service) attack. This kind of attack causes a firm's Internet business portal to be unavailable resulting in significant revenue loss. Other kinds of attacks that are even more destructive include theft or destruction of secure information. The more dependent a firm is on the Internet, and the more intrusive attack is, the more likely it is that an attack will have significant consequences for the financial health of that firm.
Over the years, research has brought out the interesting observation that firms, which are victims of publicly known cyber-attacks, end up losing value (by 2.1 %) as compared to unaffected firms. Studies have found that there was a significant decline in stock prices of affected firms in the days immediately following a cyber-attack. Actual cost of the attacks has been also wildly varying for different kind of attacks. The real cost of an attack can be perhaps be only judged by the organizations suffering from attacks.
Attribution: Above write up borrows from "CRS report for congress: The Economic Impact of Cyber-Attacks”. For more interesting details and numbers, refer the aforementioned document at: http://www.cisco.com/web/about/gov/downloads/779/govtaffairs/images/CRS_Cyber_Attacks.pdf
I would like to thank Ravi for pointing me to this report.
Monday, January 30
Goals of Network and Data Security – Pa rt 2 - Muni Tripathi
by
RaviC
on Mon 30 Jan 2006 07:00 AM PST
Goals of Network and Data Security – Pa rt 2 by Muni Tripathi, CISSP
It is time to analyze the banking transaction scenario. You went to bank without revealing to anyone, why you are going there whether to deposit or withdraw money and how much. Hence, your transaction is private, only you and anybody you told about it are the people who know about it. This is achieving the goal of ‘privacy’, also called ‘confidentiality’. Notice that privacy does not end with you not revealing the transaction. Bank also has to keep all the transactions private. Privacy is a two way street. It will do no good, if bank is publishing all your information and transactions in public.
When you present your id to the teller, he/she verifies that you are the same person as the account holder. This is called ‘authentication’. Bank is authenticating you, verifying that you are who you claim to be. An important thing to notice here is the method of authentication is your id that is issued by a trusted third party (DMV in most cases) that bank (and everybody) is willing to trust. We shall again encounter trusted third party concept when we talk about authentication in context of network security protocols. There, however trusted third party will be ‘root certifiate authority’ (Root CA) instead of DMV.
When you count the money to check that you got the same amount as asked, you are verifying correctness of the amount. In network security domain, verifying correctness of the data received at destination is called ‘integrity’ check. If you got wrong amount of money, your bank transaction is incorrect (teller may have made a mistake). While transferring data over network, it is worse due to lack of human interaction. Unless there is a mechanism to perform integrity checks, you can never be sure that online data has not been modified in transit. If you were depositing money in your online bank account, without integrity check it may be possible to change it to withdrawal or alter your transaction in other ways. (What happens when data is at rest? How does bank know that no one has modified it after the transaction was performed?)
Another consideration was that bank should be solvent when you go to bank to make a transaction. In other terms, bank is ‘available’ at the time of transaction. This concept is called ‘availability’ in network security domain. Bank’s working hours also determine its availability. Outside of working hours, you can not go to a bank (well, you can drive up to the building, but it’s futile as far as your big transaction is concerned). With online systems however; expectations of availability are higher, typically 24/7. Imagine, if amazon or ebay sites were not available for an hour. How much impact does it have on their revenue?
Finally, bank was able to prove that you made the aforesaid transaction and no one else. How they do it? By asking you to sign on papers, your signature is a written proof that you personally came into the bank. If you deny it later on, they can call handwriting experts and prove that it was only you who was at the bank. This, in security parlance is called ‘non repudiation’ i.e. you can not deny your actions. This is also one of the security goals of many networking security protocols, but optional many times. All applications do not need to have non-repudiation functionality. Who cares if you buy some stuff on ebay and later deny that it was not you? (if FBI cared, they will find other ways to prove it). Non-repudiation is required in cases where two parties are entering into a binding agreement or in matters of accountability.
To summarize, confidentiality is one of the primary goals of online transactions for data in transit and data at rest. Authentication mechanisms are used to establish trust between online entities and integrity mechanisms are used to verify correctness of online exchanges and/or data. Then there are goals of availability and non-repudiation. One more security goal, which may be useful in specific applications, is called perfect forward secrecy (PFS). Need to find more? Time to log onto Google.
Monday, January 23
Goals of Network and Data Security – Part 1 - Muni Tripathi
by
RaviC
on Mon 23 Jan 2006 07:00 AM PST
Goals of Network and Data Security – Part 1 - Muni Tripathi, CISSP
When you think about security, what comes to your mind? You probably think about protecting yourself, your family, your assets and your reputation. Now, extend that thought for your online existence and what is it you want to protect? You will probably say yourself (meaning your identity because that is who you are online), family (kids from watching inappropriate material), your assets (bank and brokerage accounts etc.) and your reputation (others should not be able to do bad things in your name). You may come up with different words to describe the same things, but essentially requirements of security do not change regardless of whether it is in physical world or online. However, it is much easier to satisfy the security requirements in day-to-day life. Take an example; you want to withdraw $10,000 from your account. You go to the bank, present your id and account number, sign a piece of paper, get the money and come back home. Now, analyze this transaction, this transaction was private (since you did not stand on your rooftop and announced that you are about to withdraw money), it provided bank with assurance that it is only you who got the money (hopefully, they verified your id) and you got precisely $10,000 (because teller or a machine counted, then you counted. You would certainly raise the issue with teller if he gave you $9900, what would you do if teller gave you $10100?). This scenario does not end here; there are more things before and after the transaction that you need to think about. Bank should exist and be solvent when you want to withdraw money. If banks folds up after you put your money there, above transaction may never happen. Similarly bank should be able to prove that it was you who withdrew the money from your account and not some charlatan who posed as you and ran away. Also, you should trust the bank that it is not publishing your information on a public forum.
Scenario above contains the ideas about goals of network and data security. I shall introduce them one by one and then explain how it relates to above scenario. In the meantime, try to think about it yourself.
Monday, January 16
Is your SSL session really a secret? - Muni Tripathi
by
RaviC
on Mon 16 Jan 2006 07:00 AM PST
Is your SSL session really a secret by Muni Tripathi, CISSP
Do you believe that SSL provides end-to-end security? Do you feel good knowing that no one can read your encrypted SSL communications and your credit card numbers are secret? If so, it may come as a surprise to know that it is possible to break end-to-end model of SSL security with proxy products. Many vendors have come up with appliances and software, which provide SSL proxy functionality. Proxy is an application, which sits on the edge (behind gateway) of your network and inspects all traffic. So far, only applications with clear text communications such as HTTP could be intercepted and inspected, but now SSL proxy can intercept SSL traffic (ex. HTTPS), decrypt it and read it like clear text. Following discussion examines why it is necessary to have SSL proxies, is it useful and how it breaks the promise of end-to-end security for SSL.
So, why does one need SSL proxy? To understand, we should know, what makes SSL secure. Besides that there is cryptography involved in it, security of SSL depends on the trust shown in the digital certificate by the end users either explicitly or implicitly (by software applications such as browsers). Every time a user connects to a secure site, site presents a digital certificate to the browser. Digital certificate identifies the site and a trusted third party certifies identity of the site. If certificate is valid, browser accepts the certificate and proceeds with further data exchange (Note: One can look at the certificate by double clicking on the lock icon at bottom right corner of the browser). If there is a mismatch in the name of the site user is logging on vs. the name presented in the certificate, browser asks the user whether to accept the certificate. This is where the problem occurs. This is the weakest link in the chain of SSL security. Most of the time, users accept the certificate without realizing the implications or may do so with awareness to hide their communication from monitoring. User Joe may get smart and log on to forbidden sites (games, casino, porno etc.) through HTTPS using SSL. He is thus bypassing the clear text monitoring of his activities and no one will be wiser that there is something wrong. Joe may be happy about his secret web surfing, but what he may not know or may not care is that when he downloads his favorite sites, he may also be downloading security threats such as viruses, worms, spy ware, key loggers and what not. On one hand SSL provides privacy to the communication, on the other hand it may also open doors for security threats to come in. User Joe’s company will not be very happy about getting security threats and not having a way to control it. Now, case for SSL monitoring does not look as bad, does it?
Next, user Joe’s company figures out that these threats are coming from SSL connections, so it deploys SSL proxy. Proxy can do some magic (details are subject of another discussion) and read all the SSL traffic going out and coming in to the network. Since, proxy can read the traffic in both directions, it can do content filtering, url blocking and scanning for viruses, worms, spy wares, and anything you want to add to the list. User Joe’s company now has the ability to do same monitoring; it was doing on clear text content before and thwart user Joe’s forbidden practices. So, this is pretty useful. It helps securing user Joe’s company network from ever increasing threats.
Does this break the promise of end-to-end security of SSL? In certain sense, it does. Proxy reads all the data in clear text that was expected to be private with SSL session and it may even modify it if configured to do so. Hence, user can no longer get a guarantee that his communications are private and if he is getting the same data sent by origin server. This opens up privacy issues. Companies can get around it by disclosing the SSL monitoring in their corporate security policy or during the establishment of SSL session. Above describes a good case. One may ask, can government also do the SSL monitoring; and answer is absolutely. Government can hide behind reasons of national security or something similar and you may never even know about monitoring. Is there anything a normal user can do about it? Not much, at best you may detect that you are not directly communicating with origin server and there is a proxy in between, but if you want to protect yourself end to end, it may no longer happen even with SSL. This is the world we live in. Welcome.
Monday, January 9
Developing Secure Applications Part 4 - Muni Tripathi
by
RaviC
on Mon 09 Jan 2006 07:00 AM PST
Developing Secure Applications Part 4 by Muni Tripathi, CISSP
10. Handle exceptions, errors and failures securely
A lot of code in any application is written to handle error conditions. This creates security holes if error handling code does not take proper care to keep the security environment consistent. It is important to leave the system in a valid and consistent security state in the event of errors and exceptions. A common mistake is to reveal too much information about the system under exception conditions. Here are some things which should be handled under exceptions.
An application handling the security keys should remove and zero out the keys under conditions of unrecoverable exception. Failing to do so may leave the keys in memory even if application is no longer using it and may lead to compromise of application security. A web interface should not reveal information about database schema or tables in the backend if illegal queries are submitted. A backend database application should commit only complete transactions and have rollback mechanisms in place to avoid inconsistent data due to partial transactions.
11. Develop a security testing strategy
It is well known that a bug found during development is cheapest to fix and a bug found in the field is costliest. Same is true for security bugs and vulnerabilities. Not only does security vulnerability create anxiety in customer’s mind for security of his systems and data, it also creates poor public perception. Security testing requires different kind of skills and mind set than regular functional testing. In order to have confidence in security of the application; security testing must be included in the project schedule. Security testing team should develop the security test suite along the lines of functional test suite. This security test suite can be run against regular builds and provides the baseline for security features. Just like broken functionality can be easily found out by functional test suites, broken security can be found out by security test suites. Once security issues are found, development team should be sensitive to those and take ownership to fix.
12. Avoid feature creep
More components and features an application has, more the likelihood of introducing security vulnerabilities. Even if all components by themselves are secure, it is harder to test all the different ways components in an application interact. If an application has large number of components, it becomes almost impossible to test all permutations. It also provides a large attack surface for an attacker, since he has more things to try to attack and get around the security. Hence, it is advisable to keep the application as simple as possible and provide only necessary features.
In this series, we saw some general principles to write secure applications. Along with those, best software engineering practices also add to security. Some of the principles are worth repeating here. Reuse as much code as possible, perform regular code reviews, do unit tests, and most of all, think about security (just like one thinks about functionality) when writing code. Security is just another implicit dimension of functionality. It is our responsibility to make it explicit in our work environments. If everyone becomes security conscious, it leads to better and secure systems and reduces the risks of living in an all connected digital world.
Sunday, January 1
Developing Secure Applications Part 3 - Muni Tripathi
by
RaviC
on Sun 01 Jan 2006 09:38 AM PST
Developing Secure Applications Part 3 by Muni Tripathi, CISSP
7. Follow “less the better” approach
Useful applications come with many features, some commonly used and some obscure. Typically 80% of the users use 20% features of the application. Application developers should follow the mantra of least feature installation for enhanced security. This is somewhat similar to the principle of ‘using secure default configuration’, but goes deeper. When an application is installed, only the minimum required set of components should be installed by default, user should be asked and given a choice for installation of advanced components. (To read about the recent brouhaha on installing hidden components, go to story of Sony BMG, http://www.schneier.com/essay-094.html). For most users, minimum installation will be good enough. For advanced users, they will know what extra features to install. If you are writing network applications, be extra careful. Networked applications are by definition exposed to threats; hence this principle becomes more important.
8. Follow “least privilege” principle
An application should run with only the privileges it requires. Not only this is necessary to prevent against intentional misuse by attackers but it also protects against unintentional mistakes committed by users. Within an application, not all of the code needs to run at the same privilege level. Depending on the resources used, different code segments may require different privilege levels. Application should be architected and implemented to keep this logical separation. It also provides other side benefits in ease of debugging and in adding auditing feature; ex. in a front end application, different access levels can be used for displaying read only data and read-write data (which could in turn be tied to user id).
For an application that makes calls to an external component (using DLLs or shared libraries), it should grant restricted permissions for allowed tasks only. This may require language level or Operating Systems support. Use where ever this support is provided.
9. Have multiple access levels
This is an extension of the principle of ‘least privilege’ at user level. A user should not be given more access rights than he requires. An application needs to define the access control methods it supports. Typically, role based access control is used in enterprise applications. Role based access control implies that a user is given access rights to the application based on his role in the organization; ex. in an employee management system, a regular employee can access only his records and a manager may have access to records of all his subordinates. One popular method to enforce role based access control in a centralized manner uses RADIUS/TACACS servers. Administrators of the system should be given clear instructions on how to manage application roles (create, modify, delete etc.) and application should correctly enforce the access to data based on those roles.
(Continued next week…)
Friday, December 30
Why You Should Avoid 802.11n - Scott Johanson
by
RaviC
on Fri 30 Dec 2005 06:00 PM PST
Why You Should Avoid 802.11n by Scott Johanson
You should consider next-generation wireless infrastructure to avoid implementing anything with an 802.11n label. Although a long-brewing standards war among key vendors is finally drawing to a close, a fully completed standard and actual shipping hardware will not appear until well into 2007.
Conflicting Standards and Hardware
The 802.11n standard has emerged as a faster (100 Megabits per second (Mbps) and beyond) next-generation wireless technology. Although 802.11n promises more robust connectivity compared to current 802.11a, b, and g standards, ratification of a final specification had been delayed by a fight between two conflicting groups of vendors.
Each of the two groups - TGn Sync and the World-Wide Spectrum Efficiency (WWiSE) - were unable to receive the required 75% vote from the Institute of Electrical and Electronics Engineers Task Group N (TGn) at the IEEE's bimonthly ratification meetings. TGn is accountable for managing the final ratification process.
To break the deadlock, Intel has spearheaded the creation of a new organization, the Enhanced Wireless Consortium (EWC). The 27 EWC members include most vendors from the formerly feuding groups: Broadcom, Marvel, Atheros, Cisco Systems, Linksys, D-Link, Netgear, and Symbol Technologies. Apple, Sanyo, and Sony have also joined up.
Although the EWC only came together late in September 2005, it is already working on a consolidated proposal to the TGn, and hopes to obtain final ratification in early 2007. Potential throughput for the new spec could extend all the way to the 600 Mbps range.
The Intel-led EWC represents the best hope to-date for obtaining final ratification. If this happens in early 2007, fully compliant hardware would likely follow toward the end of the year.
The Current State of Wireless
Local-area wireless technology is currently dominated by three basic flavors of the same wireless fidelity - or Wi-Fi - technology:
· 802.11a. 54 Mbps. Generally more expensive and less popular than 802.11b/g.
· 802.11b. 11 Mbps. Less expensive than the 802.11a standard. Imm
802.11g. 54 Mbps. Unlike 802.11a, it is backward-compatible with b, and is inherently more secure.
The demand for better and faster wireless is intense, and is expected to become more so in the months to come. Enterprise IT decision makers are clamoring for faster throughput for bandwidth-heavy applications like IP-based telephony and multimedia collaboration.
As a result, vendors are pushing so-called pre-n products that they promise will be compatible with whatever the IEEE eventually decides. These products will be, according to their vendors, flash-upgradeable when a final spec is released. This should, in theory, protect pre-N investments against future obsolescence.
Enterprises considering next-generation wireless standards should proceed carefully. Pre-n vendor promises of forward compatibility should be greeted with a healthy dose of skepticism. If the enterprise has a compelling need to implement pre-n-based technologies on an accelerated schedule, IT must account for the potential for earlier-than-normal obsolescence.
Recommendations
1. Document higher bandwidth needs. Anticipate future requirements by identifying which applications and functionality will require the 100 Mbps and beyond capacity of the newer generation of wireless. If the need is not clear right now, don't waste time investigating 802.11n-class technologies.
2. Assess pre-n, but don't buy. Acquiring pre-ratification wireless equipment could result in a technological dead-end if upgrade paths are not well defined by the vendor.
3. Forget the hype. No matter what a vendor says, wireless deployment strategies should not be dictated by fear, uncertainty, and doubt. Review the existing networking roadmap and the related business cases for implementing wireless infrastructure within it.
4. Update terms of use documentation. The availability of early-standard hardware could motivate unsanctioned implementation of rogue hotpots by employees. Review procedures for detecting and dealing with surreptitious installations.
Bottom Line
The light at the end of the 802.11n tunnel is finally visible. Unless operational requirements dictate higher-speed wireless in the enterprise's immediate future, hold off on pre-n implementation until the dust settles and hardware based on the final spec begins to ship.
Monday, December 26
Developing Secure Applications Part 2 - Muni Tripathi
by
RaviC
on Mon 26 Dec 2005 07:00 AM PST
Developing Secure Applications Part 2 by Muni Tripathi, CISSP
4. Protect Against Buffer Overflows
Programs manipulate data in memory buffers. When data size that is being handled, exceeds the expected size, it results in internal memory buffer overflows. A skillful attacker can carefully craft the data to exploit buffer overflows and execute malicious code. Most of these attacks can be automated with tools and non skilled attackers only need to know how to use these tools. A typical vulnerability introduced by buffer overflow is escalation of privileges (admin access on windows, root access on Unix/Linux) to the system. Once an attacker has highest level of access on a system, it’s a cakewalk to compromise it further.
Buffer overflow problems can be avoided by checking the bounds for memory region where data is being written. This can be either done by programmer explicitly or provided as a language feature. A great number of security problems are caused by this category and application’s security is significantly increased by making it buffer overflow proof.
5. Use Secure Default Configuration
Insecure defaults are common cause of compromised systems and loss of security. Microsoft has been notorious in the past for shipping software (e.x. Windows) with services, which a user may never use, running by default. But bad guys certainly find out about such services and have a good time exploiting those. Things have changed for the better in recent times and newer software from Microsoft ship with relatively secure default configurations, where user is allowed to choose the services rather than running everything by default. Most of the applications ship with multiple configurations/services, hence using secure defaults is important for all application vendors, not just Microsoft.
Using secure defaults is more difficult in practice than it sounds, mainly due to insecure configurations propagated in earlier generations of software. When later version of software suddenly changes the default behavior, end user’s application may stop working or break due to hidden dependencies. It can be a time consuming task to fix those issues, and it’s certainly worth the effort. Application developers should make sure that only absolute minimum services or configuration is provided at setup time and user is prompted to explicitly enable the functionality which he wants to use, rather than enabling it by default.
6. Force to change default password
All software products without exception ship either with a default password or an empty password. If default password is not changed at the time of installation, system is a very easy target for attackers. A well intentioned administrator may simply forget or put password change in his to do list due to deadline pressures. Regardless, it opens vulnerability in the system. Therefore, application developers (vendors) must force the default password change at the time of installation or first use. Any system administrator worth his salt will prefer to be forced to change the default password and appreciate the security posture of the product.
Continued next week…
Friday, December 23
Incident Response Plan Reduces Risk - Scott Johanson
by
RaviC
on Fri 23 Dec 2005 08:10 AM PST
Incident Response Plan Reduces Risk by Scott Johanson
Due to the vast number of vulnerabilities that exist for today's enterprise technology infrastructure, having a well-defined and documented incident response plan is a best practice requirement. Implement a clear six-step response plan to effectively handle any security incident and improve the overall security awareness throughout the enterprise.
Action Plan
1. Prepare. A virus breakout in the enterprise is not the time to begin creating an incident response plan. Preparing an organization to handle a security incident is accomplished by:
· Obtaining management support and buy-in.
· Defining an Incident Response Team (IRT) and its role within the existing technology security plan and policies for your organization.
· Documenting the incident response Standard Operating Procedure (SOP).
· Creating and implementing a communications plan for the IRT.
· Assembling materials needed to successfully handle a security incident into a readily available incident response kit.
· Identifying and establishing contacts with the additional outside resources required to fill in gaps within existing IT skill sets.
2. Detect. Have tools already in place to allow IT to detect a security incident, such as:
· Log file analyzers.
· Intrusion Prevention Systems (IPSs) aka (In-line IDS)
· Network bandwidth monitors.
· Computer asset inventory programs.
3. Contain. Quickly regaining control of enterprise hosts and networks during a security incident may require an IRT to physically isolate the affected hosts from the rest of the infrastructure and the Internet.
· Isolation and containment must be accomplished quickly after the IRT has documented the security incident, including the disk/memory state of the affected hosts, server, and firewall log files.
· Ensure the IRT has access to key decision makers required to approve isolation of services within the SOP.
· Be prepared to replace a production host with a "hot spare" with limited functionality to enable the minimum requirements for the enterprise's continued operation.
4. Recover. Once the security incident is contained, the IRT must begin cleaning up or restoring the systems. In the case of a virus infection the only way to be certain of a restored system's integrity is to re-format and re-install the operating system and restore the relevant applications. At this point, the incident response SOP should begin to converge with the SOP of the existing Business Continuity Plan (BCP).
· Ensure that bridges exist between the IRT and the BCP.
· Ensure the IRT has access to the risk assessment methodologies/tools contained in the BCP.
5. Lessons learned. At each step the IRT will gather data related to the security incident and record its actions.
· This information is required to fulfill the communication/reporting obligations of the IRT as well as create continuous improvement of the enterprise security processes.
· The IRT should work with management to identify the costs of the security incident and prioritize any follow-up projects.
6. Communicate/report. All communications during a security incident are focused on the following:
· Timeline and threat activities attempted during the incident.
· Threat activities accomplished during the incident.
· Operational impact on infrastructure services.
· Detection and alert methods.
· IRT response to the incident
· IT changes made/required as a result of the incident.
An IRT communications plan will include:
· Announcing the existence of an IRT within the enterprise and its SOP.
· Communication with staff and management during a security incident.
· Communication with outside entities (media, regulators, law enforcement) during a security incident.
Bottom Line
Many IT groups rely on an ad hoc plan to resolve a computer security incident. Having a well-defined and documented incident response plan is a best practice requirement.
Monday, December 19
Developing Secure Applications - Muni Tripathi
by
RaviC
on Mon 19 Dec 2005 07:00 AM PST
Developing Secure Applications by Muni Tripathi, CISSP
Security risks in a system can come from variety of sources. It can come from a weakness in user interaction with the system, interdependencies of different components in the system, or from the implementation of the system itself. Here, we look at some of the vulnerabilities that can be introduced in the system implementation resulting in security risks. These vulnerabilities remain same across different software development paradigms and languages used for implementation.
1. Never Trust User Input
User input in an application must be validated against input rules of the application. A malformed input, if accepted unchecked in an application may provide window of opportunity for an attacker. To illustrate this with an example, an input field, accepting person’s name can only consist of alphabetic and perhaps numeric characters. Allowing special characters such as dollar ($) and star (*) can lead to very nasty attacks depending on the type of application. In many computer languages, special characters have special meanings, which if used inappropriately can compromise the integrity and availability of data.
2. Be Careful With Output
Output information that is necessary to perform a task for a user. To take the common example, passwords should never be shown on the screen when either setting it first time or later used for logging into the system. What data to display on a user interface and what not, is highly application dependent, still “need to know” can be used as a general guideline. A user should be allowed access to only information that he or she needs to know in order to complete his task and no more. A security conscious application should validate access control before outputting data.
3. Trust Experts for Crypto Implementation
Many applications use cryptographic libraries to perform |
