Security analysis of the non-aggressive challenge response of the DNP3 Protocol using a CPN Model

Distributed Network Protocol Version 3 (DNP3) is the de-facto communication protocol for power grids. Standard-based interoperability among devices has made the protocol useful to other infrastructures such as water, sewage, oil and gas. DNP3 is designed to facilitate interaction between master stations and outstations. In this paper, we apply a formal modelling methodology called Coloured Petri Nets (CPN) to create an executable model representation of DNP3 protocol. The model facilitates the analysis of the protocol to ensure that the protocol will behave as expected. Also, we illustrate how to verify and validate the behaviour of the protocol, using the CPN model and the corresponding state space tool to determine if there are insecure states. With this approach, we were able to identify a Denial of Service (DoS) attack against the DNP3 protocol.

Cryptology and network security

This book constitutes the refereed proceedings of the 11th International Conference on Cryptology and Network Security, CANS 2012, held in Darmstadt, Germany, in December 2012. The 22 revised full papers, presented were carefully reviewed and selected from 99 submissions. The papers are organized in topical sections on cryptanalysis; network security; cryptographic protocols; encryption; and s-box theory.

AISC '11 Proceedings of the Ninth Australasian Information Security Conference

The Australasian Information Security Conference (AISC) 2011 was held on 18th-19th January 2011 in Perth, Australia, as a part of the Australasian Computer Science Week 2011. AISC grew out of the Australasian Information Security Workshop and officially changed the name to Australasian Information Security Conference in 2008. The main aim of the AISC is to provide a venue for Australasian and other researchers to present their work on all aspects of information security and promote collaboration between academic and industrial researchers working in this area.

AISC '12 Proceedings of the Tenth Australasian Information Security Conference

The Australasian Information Security Conference (AISC) 2012 was held at RMIT University in Melbourne, Australia, as a part of the Australasian Computer Science Week, January 30 - February 3, 2012. AISC grew out of the Australasian Information Security Workshop and officially changed the name to Australasian Information Security Conference in 2008. The main aim of the AISC is to provide a venue for researchers to present their work on all aspects of information security and promote collaboration between academic and industrial researchers working in this area.

A dynamic Web agent for verifying the security and integrity of a Web site's contents

To harness safe operation of Web-based systems in Web environments, we propose an SSPA (Server-based SHA-1 Page-digest Algorithm) to verify the integrity of Web contents before the server issues an HTTP response to a user request. In addition to standard security measures, our Java implementation of the SSPA, which is called the Dynamic Security Surveillance Agent (DSSA), provides further security in terms of content integrity to Web-based systems. Its function is to prevent the display of Web contents that have been altered through the malicious acts of attackers and intruders on client machines. This is to protect the reputation of organisations from cyber-attacks and to ensure the safe operation of Web systems by dynamically monitoring the integrity of a Web site's content on demand. We discuss our findings in terms of the applicability and practicality of the proposed system. We also discuss its time metrics, specifically in relation to its computational overhead at the Web server, as well as the overall latency from the clients' point of view, using different Internet access methods. The SSPA, our DSSA implementation, some experimental results and related work are all discussed

On governance structures for the cloud computing services and assessing their effectiveness

This research suggests information technology (IT) governance structures to manage the cloud computing services. The interest in acquiring IT resources as a utility from the cloud computing environment is gaining momentum. The cloud computing services present organizations with opportunities to manage their IT expenditure on an ongoing basis, and access to modern IT resources to innovate and manage their continuity. However, the cloud computing services are no silver bullet. Organizations would need to have appropriate governance structures and policies in place to manage the cloud computing services. The subsequent decisions from these governance structures will ensure the effective management of the cloud computing services. This management will facilitate a better fit of the cloud computing services into organizations’ existing processes to achieve the business (process-level) and the financial (firm-level) objectives. Using a triangulation approach, we suggest four governance structures for managing the cloud computing services. These structures are a chief cloud officer, a cloud management committee, a cloud service facilitation centre, and a cloud relationship centre. We also propose that these governance structures would relate directly to organizations cloud computing services-related business objectives, and indirectly to cloud computing services-related financial objectives. Perceptive field survey data from actual and prospective cloud computing service adopters suggest that the suggested governance structures would contribute directly to cloud computing-related business objectives and indirectly to cloud computing-related financial objectives.

Examining corporate governance disclosures of listed companies in Fiji

In 2009, the Capital Markets Development Authority (CMDA) - Fiji’s capital market regulator - introduced the Code of Corporate Governance (the Code). The Code is ‘principle-based’ and requires companies listed on the South Pacific Stock Exchange (SPSE) and the financial intermediaries to disclose their compliance with the Code’s principles. While compliance with the Code is mandatory, the nature and extent of disclosure is at the discretion of the complying entities. Agency theory and signalling theory suggest that firms with higher expected levels of agency costs will provide greater levels of voluntary disclosures as signals of strong corporate governance. Thus, the study seeks to test these theories by examining the heterogeneity of corporate governance disclosures by firms listed on SPSE, and determining the characteristics of firms that provide similar levels of disclosures. We conducted a content analysis of corporate governance disclosures on the annual reports of firms from 2008-2012. The study finds that large, non-family owned firms with high levels of shareholder dispersion provide greater quantity and higher quality corporate governance disclosures. For firms that are relatively smaller, family owned and have low levels of shareholder dispersion, the quantity and quality of corporate governance disclosures are much lower. Some of these firms provide boilerplate disclosures with minimal changes in the following years. These findings support the propositions of agency and signalling theory, which suggest that firms with higher separation between agents and principals will provide more voluntary disclosures to reduce expected agency costs transfers. Semi-structured interviews conducted with key stakeholders further reinforce the findings. The interviews also reveal that complying entities positively perceive the introduction of the Code. Furthermore, while compliance with Code brought about additional costs, they believed that most of these costs were minimal and one-off, and the benefits of greater corporate disclosure to improve user decision making outweighed the costs. The study contributes to the literature as it provides insight into the experience of a small capital market with introducing a ‘principle-based’ Code that attempts to encourage corporate governance practices through enhanced disclosure. The study also assists policy makers better understand complying entities’ motivations for compliance and the extent of compliance.

Airport security screeners expertise and implications for interface design

This paper describes research investigating expertise and the types of knowledge used by airport security screeners. It applies a multi method approach incorporating eye tracking, concurrent verbal protocol and interviews. Results show that novice and expert security screeners primarily access perceptual knowledge and experience little difficulty during routine situations. During non-routine situations however, experience was found to be a determining factor for effective interactions and problem solving. Experts were found to use strategic knowledge and demonstrated structured use of interface functions integrated into efficient problem solving sequences. Comparatively, novices experienced more knowledge limitations and uncertainty resulting in interaction breakdowns. These breakdowns were characterised by trial and error interaction sequences. This research suggests that the quality of knowledge security screeners have access to has implications on visual and physical interface interactions and their integration into problem solving sequences. Implications and recommendations for the design of interfaces used in the airport security screening context are discussed. The motivations of recommendations are to improve the integration of interactions into problem solving sequences, encourage development of problem scheme knowledge and to support the skills and knowledge of the personnel that interact with security screening systems.

On the provable security of an efficient RSA-based pseudorandom generator

Pseudorandom Generators (PRGs) based on the RSA inversion (one-wayness) problem have been extensively studied in the literature over the last 25 years. These generators have the attractive feature of provable pseudorandomness security assuming the hardness of the RSA inversion problem. However, despite extensive study, the most efficient provably secure RSA-based generators output asymptotically only at most O(logn) bits per multiply modulo an RSA modulus of bitlength n, and hence are too slow to be used in many practical applications. To bring theory closer to practice, we present a simple modification to the proof of security by Fischlin and Schnorr of an RSA-based PRG, which shows that one can obtain an RSA-based PRG which outputs Ω(n) bits per multiply and has provable pseudorandomness security assuming the hardness of a well-studied variant of the RSA inversion problem, where a constant fraction of the plaintext bits are given. Our result gives a positive answer to an open question posed by Gennaro (J. of Cryptology, 2005) regarding finding a PRG beating the rate O(logn) bits per multiply at the cost of a reasonable assumption on RSA inversion.

Security and Privacy in Vehicular Ad-Hoc Networks : Survey and the Road Ahead

Vehicular Ad-hoc Networks (VANETs) can make roads safer, cleaner, and smarter. It can offer a wide range of services, which can be safety and non-safety related. Many safety-related VANETs applications are real-time and mission critical, which would require strict guarantee of security and reliability. Even non-safety related multimedia applications, which will play an important role in the future, will require security support. Lack of such security and privacy in VANETs is one of the key hindrances to the wide spread implementations of it. An insecure and unreliable VANET can be more dangerous than the system without VANET support. So it is essential to make sure that “life-critical safety” information is secure enough to rely on. Securing the VANETs along with appropriate protection of the privacy drivers or vehicle owners is a very challenging task. In this work we summarize the attacks, corresponding security requirements and challenges in VANETs. We also present the most popular generic security policies which are based on prevention as well detection methods. Many VANETs applications require system-wide security support rather than individual layer from the VANETs’ protocol stack. In this work we will review the existing works in the perspective of holistic approach of security. Finally, we will provide some possible future directions to achieve system-wide security as well as privacy-friendly security in VANETs.

Security in wireless sensor networks : issues and challenges

Wireless Sensor Networks (WSNs) are employed in numerous applications in different areas including military, ecology, and health; for example, to control of important information like the personnel position in a building, as a result, WSNs need security. However, several restrictions such as low capability of computation, small memory, limited resources of energy, and the unreliable channels employ communication in using WSNs can cause difficulty in use of security and protection in WSNs. It is very essential to save WSNs from malevolent attacks in unfriendly situations. Such networks require security plan due to various limitations of resources and the prominent characteristics of a wireless sensor network which is a considerable challenge. This article is an extensive review about problems of WSNs security, which examined recently by researchers and a better understanding of future directions for WSN security.

Electronic conveyancing in Australia: Is anyone concerned about security?

Three proof requirements as essential for a sustainable land registration system. These were proof of identity, proof of ownership, and authority to deal. Our attention in this paper is drawn to the latter two requirements and will ask whether the introduction of the Property Exchange of Australia (PEXA), and its underpinning regulatory regime will meet the concerns that we have in relation to proof of ownership and authority to deal. In drawing out some problems with PEXA, we then offer an innovative idea, sourced from the transfer of equities that could serve to generate discussion on how we can ensure the Torrens system of land registration is sustainable for another 160 years.

A digital watermarking framework with application to medical image security

Dealing with digital medical images is raising many new security problems with legal and ethical complexities for local archiving and distant medical services. These include image retention and fraud, distrust and invasion of privacy. This project was a significant step forward in developing a complete framework for systematically designing, analyzing, and applying digital watermarking, with a particular focus on medical image security. A formal generic watermarking model, three new attack models, and an efficient watermarking technique for medical images were developed. These outcomes contribute to standardizing future research in formal modeling and complete security and computational analysis of watermarking schemes.