Encryption – use and control in E-commerce

The author describes how cryptography can be used to address modern business requirements such as identity protection, secure web access and digital signatures. Article by Robert Bond (Head of Innovation & Technology Group, Hobson Audley and Fellow of SALS). Published in Amicus Curiae - Journal of the Institute of Advanced Legal Studies and its Society for Advanced Legal Studies. The Journal is produced by the Society for Advanced Legal Studies at the Institute of Advanced Legal Studies, University of London

The Value of User-Visible Internet Cryptography

Cryptographic mechanisms are used in a wide range of applications, including email clients, web browsers, document and asset management systems, where typical users are not cryptography experts. A number of empirical studies have demonstrated that explicit, user-visible cryptographic mechanisms are not widely used by non-expert users, and as a result arguments have been made that cryptographic mechanisms need to be better hidden or embedded in end-user processes and tools. Other mechanisms, such as HTTPS, have cryptography built-in and only become visible to the user when a dialogue appears due to a (potential) problem. This paper surveys deployed and potential technologies in use, examines the social and legal context of broad classes of users, and from there, assesses the value and issues for those users

Giving You back Control of Your Data: Digital Signing Practical Issues and the eCert Solution

As technologies develop rapidly, digital signing is commonly used in eDocument security. However, unaddressed issues exist. An eCertificate system represents the problem situation, and therefore is being used as case study, in a project called eCert, to research for the solution. This paper addresses these issues, explores the gap between current tools and the desired system, through analysis of the existing services and eCertificate use cases, and the identified requirements, thereby presenting an approach which solves the above problems. Preliminary results indicate that the recommendation from this research meets the design requirements, and could form the foundation of future study of solving digital signing issues

Guidelines for ethical nudging in password authentication

Nudging has been adopted by many disciplines in the last decade in order to achieve behavioural change. Information security is no exception. A number of attempts have been made to nudge end-users towards stronger passwords. Here we report on our deployment of an enriched nudge displayed to participants on the system enrolment page, when a password has to be chosen. The enriched nudge was successful in that participants chose significantly longer and stronger passwords. One thing that struck us as we designed and tested this nudge was that we were unable to find any nudge-specific ethical guidelines to inform our experimentation in this context. This led us to reflect on the ethical implications of nudge testing, specifically in the password authentication context. We mined the nudge literature and derived a number of core principles of ethical nudging. We tailored these to the password authentication context, and then show how they can be applied by assessing the ethics of our own nudge. We conclude with a set of preliminary guidelines derived from our study to inform other researchers planning to deploy nudge-related techniques in this context

Security and Online learning: to protect or prohibit

The rapid development of online learning is opening up many new learning opportunities. Yet, with this increased potential come a myriad of risks. Usable security systems are essential as poor usability in security can result in excluding intended users while allowing sensitive data to be released to unacceptable recipients. This chapter presents findings concerned with usability for two security issues: authentication mechanisms and privacy. Usability issues such as memorability, feedback, guidance, context of use and concepts of information ownership are reviewed within various environments. This chapter also reviews the roots of these usability difficulties in the culture clash between the non-user-oriented perspective of security and the information exchange culture of the education domain. Finally an account is provided of how future systems can be developed which maintain security and yet are still usable

Hubungan antara amalan pengurusan rantaian bekalan hijau (GSCM) dan prestasi rantaian bekalan di sektor pembuatan, Batu Pahat, Johor

Pola pertumbuhan ekonomi telah meningkatkan tahap penggunaan tenaga dan bahan-bahan dan memberi kesan kepada kemampanan alam sekitar. Kemakmuran ekonomi bagi penduduk bandar yang lebih besar, lebih banyak membawa kepada pembaziran pengeluaran. Hal ini berlaku kerana penghasilan sisa dipengaruhi oleh proses perindustrian. Sisa dari sektor pembuatan boleh mendatangkan ancaman terhadap bekalan air, kesihatan awam dan alam sekitar melalui penyebaran bakteria lalu mengakibatkan pencemaran sumber air. Air yang tercemar mungkin mengandungi kepekatan bahan-bahan pencemaran yang tinggi yang dihasilkan oleh kilang-kilang dan akan datang kembali kepada pengguna melalui kitaran air sebagai sumber utama untuk kegunaan harian. Oleh itu, pengguna terdedah kepada pelbagai penyakit dan sekali gus boleh menjejaskan tahap kesihatan mereka (Khairul, Rahman & Ho, 2011). Isu alam persekitaran merupakan isu yang kian mencabar kepada organisasi perniagaan pada masa kini. Pemanasan global, pengurangan kualiti udara dan pencemaran air merupakan beberapa contoh kesan alam sekitar yang boleh dikaitkan dengan aktiviti yang selaras dengan rantaian bekalan organisasi. Pada 9 April 2009, Perdana Menteri telah mengumumkan pembentukan Kementerian Tenaga, Teknologi Hijau dan Air (KeTTHA) bagi menggantikan Kementerian Tenaga, Air dan Komunikasi. Teknologi Hijau merujuk kepada pembangunan dan aplikasi produk, peralatan serta sistem untuk memelihara alam sekitar dan alam semulajadi dan meminimumkan atau mengurangkan kesan negatif daripada aktiviti manusia

Lex Informatica: The Formulation of Information Policy Rules through Technology

Historically, law and government regulation have established default rules for information policy, including constitutional rules on freedom of expression and statutory rights of ownership of information. This Article will show that for network environments and the Information Society, however, law and government regulation are not the only source of rule-making. Technological capabilities and system design choices impose rules on participants. The creation and implementation of information policy are embedded in network designs and standards as well as in system configurations. Even user preferences and technical choices create overarching, local default rules. This Article argues, in essence, that the set of rules for information flows imposed by technology and communication networks form a “Lex Informatica” that policymakers must understand, consciously recognize, and encourage

Applying a Security Testing Methodology: a Case Study

Turvatestimine on tarkvara testimise haru, mille eesmärgiks on kontrollida, kas tarkvara on haavatav rünnete suhtes ning kas andmed, mida tarkvara töötleb, on kaitstud. Tarkvara turvalisuse standardeid töötatakse välja selleks, et tekitada ühine arusaam turvanõuetest, mida turvaline tarkvara peab täitma. Selles bakalaureusetöös kirjeldatakse ja rakendatakse tegevusi, mis on vajalikud veebirakenduse turvalisuse kindlakstegemiseks. Kombineerides OWASP ASVS veebirakenduste turvastandardit ja OWASP Top 10 riskide nimekirja, töötati välja turvanõuete nimekiri. Turvanõuete testimiseks töötati välja testjuhtumid ning testiti veebirakendust UXP Portal. Turvatestimise tulemusena tuvastati arvukalt turvaprobleeme. Juhtumiuuringu läbiviimise kogemuse põhjal vormistati õpitust lähtuvad soovitused.Security testing is a software testing discipline that aims to verify that the functionality of the software is resistant to attacks and data processed by the software is protected. To establish common requirements that the software must fulfill, software security standards are published. This thesis aims to describe and apply a process necessary to verify the security of a web application. A checklist of security requirements was gathered combining OWASP ASVS web application security standard and OWASP Top Ten project. Test cases were developed and web application UXP Portal was tested to verify the security requirements in the checklist. Numerous security vulnerabilities were identified by security testing. The recommendations based on lessons learned during the case study were presented