53 results for XSS attacker
Abstract:
This thesis deals with security testing of web applications and the CMS platform EPiServer. So that Know IT Dalarna can continue to deliver secure web solutions, they requested a security analysis of the EPiServer platform as well as of their in-house developed applications. The aim of the work was to raise the security of Know IT's web-based projects and at the same time make the developers more aware of security during the development phase. The result was that EPiServer, as a platform, provides adequate security. The direct shortcomings that were identified were up to either Know IT or the customer to remedy, and responsibility was placed on whoever operated the website. The security tests performed included tests against access control, eavesdropping attacks, password attacks, SQL injection and XSS attacks. To simplify security testing, a checklist was created containing step-by-step instructions for performing a basic security test. It also contained recommendations to Know IT Dalarna on areas that should be highlighted and examined in the future. The checklist can be used by the developers to ensure that an ongoing project maintains a good level of security. In the future the list must be updated and kept in step with the constant technical development taking place in the field.
The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation
Abstract:
Objective. - The objective of this work was to verify whether there was a difference in throwing speed performance between heavier and lighter weight categories in judo. Methods and subjects. - Sixteen (16) judoists 18 +/- 3 years old, eight considered in the lightweight category (< 66 kg) and eight considered in the heavyweight (> 73 kg) category, participated in the study after signing a term of informed consent. A force-velocity test was used to determine the anaerobic power, strength, and pedal speed of each subject. In addition, three trials of Nage-komi exercise, each comprising a set of Osoto-gari (15 s), Uchi-mata (15 s) and Seoi-nage (15 s) throws, were performed by each subject to ascertain throwing speed. Sets within a trial were separated by one period of three minutes of passive rest, while the trials were separated by one period of 10 minutes of passive rest. Heart rate and the greatest number of throws within each set were measured for the three trials. One-way analysis of variance (ANOVA) was used to compare the number of throws between the two weight categories, and a "Student" test when the difference was significant. A correlation was used to examine the link between the different parameters. Results. - The force-velocity test did not show a significant difference in pedal speed between the two categories. However, there was a significant difference between the two categories when throwing speed was measured by the number of throws (p < 0.05) executed during the Seoi-nage (p < 0.01) and Uchi-mata (p < 0.05) techniques. There was, however, no significant difference between the two categories in the Osoto-gari technique. Conclusion. - The throwing speed of judoists, represented by the number of throws, is significantly different between the two categories.
The lighter category has more speed than the heavier category using the arm technique (Seoi-nage), while the heavier category has more speed using the leg technique with a half turn of the attacker's body (Uchi-mata). As a result, throwing speed is related to the type of technique used and not to weight category. (C) 2007 Elsevier Masson SAS. All rights reserved.
Abstract:
Human Computer Interaction (HCI) is the interaction between computers and people, and context awareness (CA) is a very important component of HCI. In particular, if there are sequential or continuous tasks between users and devices, among users, or among devices, it is important to decide the next action using the right CA. To make a perfect decision we have to gather all CA into one structure; in this article we define that structure as the Context-Aware Matrix (CAM). However, making an exact decision is very hard because of problems such as low accuracy, overhead and bad context supplied by an attacker. Many researchers have been studying how to solve these problems. Moreover, HCI still has a weak point when used in safety. In this article we propose building a CAM that includes selecting the best server in each area. As a result, moving users could be given the best path.
Abstract:
It is difficult to reach a decision about an opinion after many users meet in the same place. It used to take too much time to find a solution to a problem because of the differing opinions of each participant. TAmI (Group Decision Making Toolkit) is a system for group decision making in Ambient Intelligence [1]. This program is composed of IGATA [2], WebMeeting and the related database system. But because the IP / password is sent without any encryption, it can be exposed to an attacker, who can use the IP / password for bad purposes. As a result, even if the attacker produces a wrong result, the participating members cannot know it. Therefore, in this paper, we studied a method for applying user authentication to TAmI.
Abstract:
A vital role is played by SCADA communication in Supervisory Control and Data Acquisition (SCADA) monitoring systems. Devices that are designed to operate in safety-critical environments are usually designed to fail safe, but security vulnerabilities could be exploited by an attacker to disable the fail-safe mechanisms. Thus these devices must be designed not only for safety but also for security. This paper presents a comparative study of different encryption schemes for securing SCADA component communication. Encryption schemes such as symmetric-key encryption in a wireless SCADA environment, asymmetric-key encryption for Internet SCADA, and the Cross Crypto Scheme Cipher for securing SCADA communication are analysed and the outcome is evaluated.
Abstract:
The growth of information systems and their massive use have created a new reality in access to geographically distributed remote experiments. In recent times, the subject of remote laboratories has appeared in the most diverse fields, such as education or industrial control and monitoring systems. Since access to the laboratories takes place over a permissive medium such as the Internet, the information may be at the mercy of any attacker. It is therefore necessary to guarantee the security of access, so as to create conditions under which neither tampering with the values obtained nor unauthorised access occurs. The security mechanisms adopted must take into account the need for authentication and authorisation, these being critical points with respect to security, since these laboratories may be controlling sensitive and expensive equipment and may, in some cases, even compromise the control and monitoring of industrial systems. The objective of this work was the analysis of network security, and a study was carried out of the various security concepts and mechanisms needed to guarantee secure communications between remote laboratories. From it result the three solutions presented for secure communication between geographically distributed remote laboratories, using the IPSec, OpenVPN and PPTP technologies. To minimise costs, the entire implementation was based on open-source software and on the use of a low-cost computer. As regards the creation of the VPNs, these were configured so as to obtain the intended results in creating a secure connection for remote laboratories.
pfSense proved to be the right choice, since it natively supports all of the technologies that were studied and implemented, without the need for very expensive physical resources, allowing the use of open-source technologies without compromising the security of the solutions that support secure communications for the remote laboratories.
Implementation of AES (Advanced Encryption Standard) encryption systems in hardware for security
Abstract:
Integrated master's dissertation in Industrial Electronics and Computer Engineering
Abstract:
This project shows how the connections of users of a social network pose an added risk to the privacy of the users who belong to it. These connections offer enough information to carry out information-aggregation processes across different social networks, allowing an attacker to improve his initial knowledge of the networks. The project walks through all the phases needed to carry out this process, from the collection of the information to the aggregation of the data obtained.
Abstract:
Transcript patterns elicited in response to attack reveal, at the molecular level, how plants respond to aggressors. These patterns are fashioned both by inflicted physical damage and by biological components displayed or released by the attacker. Different types of attacking organisms might therefore be expected to elicit different transcription programs in the host. Using a large-scale DNA microarray, we characterized gene expression in damaged as well as in distal Arabidopsis thaliana leaves in response to the specialist insect Pieris rapae. More than 100 insect-responsive genes potentially involved in defense were identified, including genes involved in pathogenesis, indole glucosinolate metabolism, detoxification and cell survival, and signal transduction. Of these 114 genes, 111 were induced by Pieris feeding, and only three were repressed. Expression patterns in distal leaves were markedly similar to those of local leaves. Analysis of wild-type and jasmonate mutant plants, coupled with jasmonate treatment, showed that between 67 and 84% of Pieris-regulated gene expression was controlled, totally or in part, by the jasmonate pathway. This was correlated with increased larval performance on the coronatine insensitive1 glabrous1 (coi1-1 gl1) mutant. Independent mutations in COI1 and GL1 led to faster larval weight gain, but the gl1 mutation had relatively little effect on the expression of the insect-responsive genes examined. Finally, we compared transcript patterns in Arabidopsis in response to larvae of the specialist P. rapae and to a generalist insect, Spodoptera littoralis. Surprisingly, given the complex nature of insect salivary components and reported differences between species, almost identical transcript profiles were observed. This study also provides a robustly characterized gene set for the further investigation of plant-insect interaction.
Abstract:
Cognitive radio is a wireless technology proposed to use radio-spectrum resources efficiently, thereby reducing the existing load in the licence-free frequency bands. Cognitive radio networks are able to scan the spectrum and adapt their parameters to operate in unoccupied bands. To avoid interfering with licensed users operating on a given channel, the sensitivity of the networks has to be very high. This is achieved with cooperative detection methods. Current cooperative detection methods lack robustness against either one-off or continuous attacks. In this article we present a group-based fusion method that takes into account the short- and long-term behaviour of users. When fusing the data, the method gives greater weight to the groups of users with greater unanimity in their decisions. Simulation results show that in the presence of attackers the proposed group fusion method achieves better detection than other methods, meeting the minimum sensitivity requirements of cognitive radio networks even with 12 % of users being repeatedly malicious or 10 % being one-off attackers.
Abstract:
Domestic violence is a frequent criminal phenomenon in Quebec. In 2008, offences committed in a domestic context accounted for more than 20 % of crimes against the person reported to the police (Ministère de la Sécurité publique, 2010). Police and judicial intervention in a domestic context is complex, notably because of the bond between the aggressor and the victim. Although the discretionary power of judicial actors in a domestic context has been greatly limited over the past decades, they still enjoy a certain latitude in their decision whether or not to pursue the various stages of the judicial process. Over time, several studies have looked at the factors influencing decision-making in a domestic context. However, these generally cover only a single stage of the process, and certain decision factors have never been tested empirically. This is notably the case for elements tied to stereotypes of domestic violence. Some authors state that incidents that do not fit the stereotype of a male aggressor abusing a victim described as blameless and innocent receive more summary judicial treatment, but to our knowledge these claims rest on no empirical data. This study attempts to verify this hypothesis by examining the impact of these elements on five police and judicial decisions. Based on a quantitative content analysis of various documents tied to the judicial path of 371 incidents committed in a domestic context on the territory of the Centre opérationnel Nord of the Service de police de la Ville de Montréal in 2008, the thesis examines the use of discretionary power in the judicial treatment of these incidents. It has three specific objectives. The first objective is the description of the judicial path of incidents committed in a domestic context.
Our results indicate that these receive more punitive treatment, since they are more frequently the subject of court proceedings than other types of crime. This more systematic prosecution could explain their low conviction rate (17.2 %). The second objective is the description of the main characteristics of these incidents. The majority involve acts of physical violence, and police generally intervene with current partners. Most victims report earlier violence within the couple, and a third want to press charges against the suspect. Finally, 78 % of incidents involve a male aggressor and a female victim, and 14.29 % of victims are suspected of having made the first hostile or violent gesture during the incident. The last objective is the identification of the main elements associated with decisions taken in a domestic context. The results confirm the hypothesis that incidents not involving a male aggressor and a female victim, or those in which police suspect the victim of having made the first hostile or violent gesture, receive more summary judicial treatment. Furthermore, most of the decision factors studied lose their influence over the course of the judicial process, and decisions taken earlier strongly influence subsequent decisions. Finally, the victim's wish to press charges does not directly influence the decisions of judicial actors.
Abstract:
With this document, we provide a compilation of in-depth discussions on some of the most current security issues in distributed systems. The six contributions were collected and presented at the 1st Kassel Student Workshop on Security in Distributed Systems (KaSWoSDS'08). We are pleased to present a collection of papers that not only shed light on the theoretical aspects of their topics but are also accompanied by elaborate practical examples. In Chapter 1, Stephan Opfer discusses viruses, one of the oldest threats to system security. For years there has been an arms race between virus producers and anti-virus software providers, with no end in sight. Stefan Triller demonstrates how malicious code can be injected into a target process using a buffer overflow in Chapter 2. Websites usually store their data and user information in databases. Like buffer overflows, the possibility of performing SQL injection attacks targeting such databases is left open by unwary programmers. Stephan Scheuermann gives us a deeper insight into the mechanisms behind such attacks in Chapter 3. Cross-site scripting (XSS) is a method of inserting malicious code into websites viewed by other users. Michael Blumenstein explains this issue in Chapter 4. Whereas code is injected into other websites via XSS attacks in order to spy out the data of Internet users, spoofing subsumes all methods that directly involve taking on a false identity. In Chapter 5, Till Amma shows us the different ways in which this can be done and how it is prevented. Last but not least, cryptographic methods are used to encode confidential data in such a way that even if it falls into the wrong hands, the culprits cannot decode it. Over the centuries, many different ciphers have been developed, applied, and finally broken. Ilhan Glogic sketches this history in Chapter 6.
Abstract:
Edshare for INFO2009 coursework 2 - Team 'DROP TABLE groups;
Abstract:
When a computer program requires legitimate access to confidential data, the question arises whether such a program may illegally reveal sensitive information. This paper proposes a policy model to specify what information flow is permitted in a computational system. The security definition, which is based on a general notion of information lattices, allows various representations of information to be used in the enforcement of secure information flow in deterministic or nondeterministic systems. A flexible semantics-based analysis technique is presented, which uses the input-output relational model induced by an attacker's observational power, to compute the information released by the computational system. An illustrative attacker model demonstrates the use of the technique to develop a termination-sensitive analysis. The technique allows the development of various information flow analyses, parametrised by the attacker's observational power, which can be used to enforce what declassification policies.