A general model for MAC generation using direct injection

This paper presents a model for generating a MAC tag by injecting the input message directly into the internal state of a nonlinear filter generator. This model generalises a similar model for unkeyed hash functions proposed by Nakano et al. We develop a matrix representation for the accumulation phase of our model and use it to analyse the security of the model against man-in-the-middle forgery attacks based on collisions in the final register contents. The results of this analysis show that some conclusions of Nakano et al regarding the security of their model are incorrect. We also use our results to comment on several recent MAC proposals which can be considered as instances of our model and specify choices of options within the model which should prevent the type of forgery discussed here. In particular, suitable initialisation of the register and active use of a secure nonlinear filter will prevent an attacker from finding a collision in the final register contents which could result in a forged MAC.

Reforming FOI : time for a new model?

The article discusses the recent developments on Freedom of Information or FOI in Queensland. It mentions the recent calls for a new FOI model, pointing to a radical departure from the old FOI template and the emergence of a significantly different FOI regime. Two of these reforms are the Right to Information Bill 2009 or RTI and the Information Privacy Bill 2009 or IP. It also mentions the new FOI Public Interest Test under the RTI Act.

The Growing Pains of Data Breach Notification Law

Mandatory data breach notification laws are a novel statutory solution in relation to organizational protections of personal information. They require organizations which have suffered a breach of security involving personal information to notif'y those persons whose information may have been affected. These laws originated in the state based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. Despite their perceived utility, mandatory data breach notification laws have several conceptual and practical concems that limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns, and in doing so, we contend that while mandatory data breach notification laws have many useful facets, their utility as an 'add-on' to enhance the failings of current information privacy law frameworks should not necessarily be taken for granted.

‘I always look under the bed for a man’. Needs and barriers to the expression of sexuality in residential aged care: the views of residents with and without dementia

Objectives: This qualitative study canvassed residents' perceptions of the needs and barriers to the expression of sexuality in long-term care. Methods: Sixteen residents, including five with dementia, from six aged care facilities in two Australian states were interviewed. Data were analysed using a constant comparative method. Results: Four categories describe residents' views about sexuality, their needs and barriers to its expression: ‘It still matters’; ‘Reminiscence and resignation’, ‘It's personal’, and ‘It's an unconducive environment’. Discussion: Residents, including those with dementia, saw themselves as sexual beings and with a continuing need and desire to express their sexuality. The manner in which it was expressed varied. Many barriers to sexual expression were noted, including negative attitudes of staff, lack of privacy and limited opportunities for the establishment of new relationships or the continuation of old ones. Interviewees agreed that how a resident expressed their sexuality was their business and no one else's.

Attitudes and expectations of technologies to manage high risk wandering and elopement in persons with dementia : an Australian perspective

Wandering is aimless and repetitive locomotion that may expose persons with dementia (PWD) to elopement, getting lost and death. This study is an Australian replication of a US study. Cross-disciplinary consensus- based analysis was applied to data from five focus groups (N =47: cognitively intact LTC residents (5), carers of PWD (11), home care workers (13) allied health professionals and health-focused engineers (7) and RNs (11). Groups received briefing about wandering monitoring and elopement management systems. Consistent with US attitudes, participants in all groups agreed on what a wandering technology should do, how it should do it, and necessary technical specifications. Within each group participants raised the need for a continuum of care for PWD and the imperative for early recognition of potentially dangerous wandering and getting lost when they occur. Global Positioning System elopement management was the preferred option. Interestingly, the prospective value of GPS to recover a lost or eloped wanderer far outweighed privacy concerns, as in the US. A pervasive theme was that technologies need to augment, but cannot replace, attentive, compassionate caregiver presence. A significant theme raised only by Australian carers of PWD was the potential for development of implantable GPS technologies and the need for public debate about attendant ethical issues. Given that 60% or more of over 200,000 Australians and 4.5 million Americans with dementia will develop wandering, there is a pressing need to develop effective locator systems that may delay institutionalization, help allay carer concern and enhance PWD safety.

Gated and Guarded Community (GACOS) in Malaysia : worth or not?

A 'Gated and Guarded Community' has become a popular trend in the recent years, particularly for housing areas. The increasing in population and income has lead to the increase in housing demand. The 1991 Population Census Report showed that Malaysian population has increased with an average yearly rate of 2.7% per year, that is, from 13.74 million people in 1980 to 19.35 million in 1991, followed by 20.69 million in 1995 and increase to 23.27 in year 2000. This is followed by consistent increase in the average population monthly income. Started from 1995 to 1999, the average annual growth rate of mean monthly income in Malaysia is about 5.2 %, from RM2,020.00 in 1995 to RM2,472.00 in 1999 and increasing constantly. This shows that the human growth usually have correlation between demand, income and housing. This paper presents the factors that involved in determined the Gated and Guarded Community Investment in Malaysia either it is worth to invest or otherwise. Hopefully, the results will also indicate that there may be other factors affecting their investment decision besides security and privacy. This paper is actually to draw attention to some practitioner and collect more information in establishing my research analysis.

Standing up and finding my voice through positive digital storytelling

‘Positive Stories’ is a digital storytelling initiative that took place in Adelaide in 2010–2011.1 This article describes participants’ experiences of creative self-representation and the thorny complications of mediating voice, particularly in situations where privacy and publicity are significant issues.

Establishing initial trust in autonomous delay tolerant networks without centralised PKI

A Delay Tolerant Network (DTN) is one where nodes can be highly mobile, with long message delay times forming dynamic and fragmented networks. Traditional centralised network security is difficult to implement in such a network, therefore distributed security solutions are more desirable in DTN implementations. Establishing effective trust in distributed systems with no centralised Public Key Infrastructure (PKI) such as the Pretty Good Privacy (PGP) scheme usually requires human intervention. Our aim is to build and compare different de- centralised trust systems for implementation in autonomous DTN systems. In this paper, we utilise a key distribution model based on the Web of Trust principle, and employ a simple leverage of common friends trust system to establish initial trust in autonomous DTN’s. We compare this system with two other methods of autonomously establishing initial trust by introducing a malicious node and measuring the distribution of malicious and fake keys. Our results show that the new trust system not only mitigates the distribution of fake malicious keys by 40% at the end of the simulation, but it also improved key distribution between nodes. This paper contributes a comparison of three de-centralised trust systems that can be employed in autonomous DTN systems.

A framework for automated identification of attack scenarios on IT infrastructures

Due to increased complexity, scale, and functionality of information and telecommunication (IT) infrastructures, every day new exploits and vulnerabilities are discovered. These vulnerabilities are most of the time used by ma¬licious people to penetrate these IT infrastructures for mainly disrupting business or stealing intellectual pro¬perties. Current incidents prove that it is not sufficient anymore to perform manual security tests of the IT infra¬structure based on sporadic security audits. Instead net¬works should be continuously tested against possible attacks. In this paper we present current results and challenges towards realizing automated and scalable solutions to identify possible attack scenarios in an IT in¬frastructure. Namely, we define an extensible frame¬work which uses public vulnerability databases to identify pro¬bable multi-step attacks in an IT infrastructure, and pro¬vide recommendations in the form of patching strategies, topology changes, and configuration updates.

Internet and e-commerce law, business and policy

Over the last two decades, the internet and e-commerce have reshaped the way we communicate, interact and transact. In the converged environment enabled by high speed broadband, web 2.0, social media, virtual worlds, user-generated content, cloud computing, VoIP, open source software and open content have rapidly become established features of our online experience. Business and government alike are increasingly using the internet as the preferred platform for delivery of their goods and services and for effective engagement with their clients. New ways of doing things online and challenges to existing business, government and social activities have tested current laws and often demand new policies and laws, adapted to the new realities. The focus of this book is the regulation of social, cultural and commercial activity on the World Wide Web. It considers developments in the law that have been, and continue to be, brought about by the emergence of the internet and e-commerce. It analyses how the law is applied to define rights and obligations in relation to online infrastructure, content and practices.

Towards a secure human-and-computer mutual authentication protocol

We blend research from human-computer interface (HCI) design with computational based crypto- graphic provable security. We explore the notion of practice-oriented provable security (POPS), moving the focus to a higher level of abstraction (POPS+) for use in providing provable security for security ceremonies involving humans. In doing so we high- light some challenges and paradigm shifts required to achieve meaningful provable security for a protocol which includes a human. We move the focus of security ceremonies from being protocols in their context of use, to the protocols being cryptographic building blocks in a higher level protocol (the security cere- mony), which POPS can be applied to. In order to illustrate the need for our approach, we analyse both a protocol proven secure in theory, and a similar proto- col implemented by a �nancial institution, from both HCI and cryptographic perspectives.

Enhancing security of linux-based android devices

Our daily lives become more and more dependent upon smartphones due to their increased capabilities. Smartphones are used in various ways from payment systems to assisting the lives of elderly or disabled people. Security threats for these devices become increasingly dangerous since there is still a lack of proper security tools for protection. Android emerges as an open smartphone platform which allows modification even on operating system level. Therefore, third-party developers have the opportunity to develop kernel-based low-level security tools which is not normal for smartphone platforms. Android quickly gained its popularity among smartphone developers and even beyond since it bases on Java on top of "open" Linux in comparison to former proprietary platforms which have very restrictive SDKs and corresponding APIs. Symbian OS for example, holding the greatest market share among all smartphone OSs, was closing critical APIs to common developers and introduced application certification. This was done since this OS was the main target for smartphone malwares in the past. In fact, more than 290 malwares designed for Symbian OS appeared from July 2004 to July 2008. Android, in turn, promises to be completely open source. Together with the Linux-based smartphone OS OpenMoko, open smartphone platforms may attract malware writers for creating malicious applications endangering the critical smartphone applications and owners� privacy. In this work, we present our current results in analyzing the security of Android smartphones with a focus on its Linux side. Our results are not limited to Android, they are also applicable to Linux-based smartphones such as OpenMoko Neo FreeRunner. Our contribution in this work is three-fold. First, we analyze android framework and the Linux-kernel to check security functionalities. We survey wellaccepted security mechanisms and tools which can increase device security. We provide descriptions on how to adopt these security tools on Android kernel, and provide their overhead analysis in terms of resource usage. As open smartphones are released and may increase their market share similar to Symbian, they may attract attention of malware writers. Therefore, our second contribution focuses on malware detection techniques at the kernel level. We test applicability of existing signature and intrusion detection methods in Android environment. We focus on monitoring events on the kernel; that is, identifying critical kernel, log file, file system and network activity events, and devising efficient mechanisms to monitor them in a resource limited environment. Our third contribution involves initial results of our malware detection mechanism basing on static function call analysis. We identified approximately 105 Executable and Linking Format (ELF) executables installed to the Linux side of Android. We perform a statistical analysis on the function calls used by these applications. The results of the analysis can be compared to newly installed applications for detecting significant differences. Additionally, certain function calls indicate malicious activity. Therefore, we present a simple decision tree for deciding the suspiciousness of the corresponding application. Our results present a first step towards detecting malicious applications on Android-based devices.

Design and modeling of collaboration architecture for security

Threats against computer networks evolve very fast and require more and more complex measures. We argue that teams respectively groups with a common purpose for intrusion detection and prevention improve the measures against rapid propagating attacks similar to the concept of teams solving complex tasks known from field of work sociology. Collaboration in this sense is not easy task especially for heterarchical environments. We propose CIMD (collaborative intrusion and malware detection) as a security overlay framework to enable cooperative intrusion detection approaches. Objectives and associated interests are used to create detection groups for exchange of security-related data. In this work, we contribute a tree-oriented data model for device representation in the scope of security. We introduce an algorithm for the formation of detection groups, show realization strategies for the system and conduct vulnerability analysis. We evaluate the benefit of CIMD by simulation and probabilistic analysis.

An Android application sandbox system for suspicious software detection

Smartphones are steadily gaining popularity, creating new application areas as their capabilities increase in terms of computational power, sensors and communication. Emerging new features of mobile devices give opportunity to new threats. Android is one of the newer operating systems targeting smartphones. While being based on a Linux kernel, Android has unique properties and specific limitations due to its mobile nature. This makes it harder to detect and react upon malware attacks if using conventional techniques. In this paper, we propose an Android Application Sandbox (AASandbox) which is able to perform both static and dynamic analysis on Android programs to automatically detect suspicious applications. Static analysis scans the software for malicious patterns without installing it. Dynamic analysis executes the application in a fully isolated environment, i.e. sandbox, which intervenes and logs low-level interactions with the system for further analysis. Both the sandbox and the detection algorithms can be deployed in the cloud, providing a fast and distributed detection of suspicious software in a mobile software store akin to Google's Android Market. Additionally, AASandbox might be used to improve the efficiency of classical anti-virus applications available for the Android operating system.

A generic framework and runtime environment for development and evaluation of behavioral biometrics solutions

Increasing use of computerized systems in our daily lives creates new adversarial opportunities for which complex mechanisms are exploited to mend the rapid development of new attacks. Behavioral Biometrics appear as one of the promising response to these attacks. But it is a relatively new research area, specific frameworks for evaluation and development of behavioral biometrics solutions could not be found yet. In this paper we present a conception of a generic framework and runtime environment which will enable researchers to develop, evaluate and compare their behavioral biometrics solutions with repeatable experiments under the same conditions with the same data.