Web Vulnerability Study of Online Pharmacy Sites
Consumers are increasingly using online pharmacies, but these sites may not provide an adequate level of security for consumers' personal data. There is a gap in the research addressing security vulnerabilities in this industry. The objective is to identify the level of web application security vulnerabilities in online pharmacies and the common types of flaws, thus expanding on prior studies. Technical, managerial and legal recommendations on how to mitigate security issues are presented. The proposed four-step method first consists of choosing an online testing tool. The next steps involve choosing a list of 60 online pharmacy sites to test, and then running the software analysis to compile a list of flaws. Finally, an in-depth analysis is performed on the types of web application vulnerabilities found. The majority of sites had serious vulnerabilities, most of them cross-site scripting or outdated versions of software that had not been updated. A method is proposed for securing web pharmacy sites, using a multi-phased approach of technical and managerial techniques together with a thorough understanding of national legal requirements for securing systems.
Randomness Quality of CI Chaotic Generators: Applications to Internet Security
Due to the rapid development of the Internet in recent years, the need to find new tools to reinforce trust and security through the Internet has become a major concern. The discovery of new pseudo-random number generators with a strong level of security is thus becoming a hot topic, because numerous cryptosystems and data hiding schemes are directly dependent on the quality of these generators. At the conference Internet'09, we described a generator based on chaotic iterations, which behaves chaotically as defined by Devaney. In this paper, the proposal is to improve the speed and the security of this generator, to make its use more relevant in the Internet security context. To do so, a comparative study between various generators is carried out and statistical results are given. Finally, an application in the information hiding framework is presented, to give an illustrative example of the use of such a generator in the Internet security field.
Comment: 6 pages, 6 figures. In INTERNET'2010, The 2nd Int. Conf. on Evolving Internet, Valencia, Spain, pages 125-130, September 2010. IEEE Computer Society Press. Note: Best Paper award.
A novel pseudo-random number generator based on discrete chaotic iterations
Security of information transmitted through the Internet, against passive or active attacks, is an international concern. The use of a chaos-based pseudo-random bit sequence to make information unrecognizable to an intruder is a field of research in full expansion. This masking of useful information by modulation or encryption is a fundamental part of the TLS Internet exchange protocol. In this paper, a new method using discrete chaotic iterations to generate pseudo-random numbers is presented. This pseudo-random number generator has successfully passed the NIST statistical test suite (NIST SP800-22). Security analysis shows its good characteristics. An application for secure image transmission through the Internet is proposed at the end of the paper.
Comment: The First International Conference on Evolving Internet: Internet 2009, pp. 71-76. http://dx.doi.org/10.1109/INTERNET.2009.1
Computational Soundness for Dalvik Bytecode
Automatically analyzing information flow within Android applications that rely on cryptographic operations with their computational security guarantees imposes formidable challenges that existing approaches for understanding an app's behavior struggle to meet. These approaches do not distinguish cryptographic from non-cryptographic operations, and hence do not account for cryptographic protections: f(m) is considered sensitive for a sensitive message m irrespective of potential secrecy properties offered by a cryptographic operation f. These approaches consequently provide a safe approximation of the app's behavior, but they mistakenly classify a large fraction of apps as potentially insecure and consequently yield overly pessimistic results.
In this paper, we show how cryptographic operations can be faithfully incorporated into existing approaches for automated app analysis. To this end, we first show how cryptographic operations can be expressed as symbolic abstractions within the comprehensive Dalvik bytecode language. These abstractions are accessible to automated analysis, and they can be conveniently added to existing app analysis tools using minor changes in their semantics. Second, we show that our abstractions are faithful by providing the first computational soundness result for Dalvik bytecode, i.e., the absence of attacks against our symbolically abstracted program entails the absence of any attacks against a suitable cryptographic program realization. We cast our computational soundness result in the CoSP framework, which makes the result modular and composable.
Comment: Technical report for the ACM CCS 2016 conference paper.
Toward a social compact for digital privacy and security
Executive summary
The Global Commission on Internet Governance (GCIG) was established in January 2014 to articulate and advance a strategic vision for the future of Internet governance. In recent deliberations, the Commission discussed the potential for a damaging erosion of trust in the absence of a broad social agreement on norms for digital privacy and security.
The Commission considers that, for the Internet to remain a global engine of social and economic progress that reflects the world's cultural diversity, confidence must be restored in the Internet because trust is eroding. The Internet should be open, freely available to all, secure and safe. The Commission thus agrees that all stakeholders must collaborate to adopt norms for responsible behaviour on the Internet.
On the occasion of the April 2015 Global Conference on Cyberspace meeting in The Hague, the Commission calls on the global community to build a new social compact between citizens and their elected representatives, the judiciary, law enforcement and intelligence agencies, business, civil society and the Internet technical community, with the goal of restoring trust and enhancing confidence in the Internet.
It is now essential that governments, collaborating with all other stakeholders, take steps to build confidence that the right to privacy of all people is respected on the Internet. It is essential at the same time to ensure the rule of law is upheld. The two goals are not exclusive; indeed, they are mutually reinforcing. Individuals and businesses must be protected both from the misuse of the Internet by terrorists and cyber criminal groups and from the overreach of governments and businesses that collect and use private data.
A social compact must be built on a shared commitment by all stakeholders in developed and less developed countries to take concrete action in their own jurisdictions to build trust and confidence in the Internet. A commitment to the concept of collaborative security and to privacy must replace lengthy and over-politicized negotiations and conferences.
A state-dependent parameterization of saturated-unsaturated zone interaction
The relevance of groundwater as an important source of root zone moisture by means of capillary rise is increasingly being recognized. This is partly reflected in many current land surface schemes, which increasingly replace a one-way (i.e., downward) drainage of water by a two-way interaction flux between the root zone and a groundwater system. A fully physically correct implementation of this two-way saturated-unsaturated interaction flux requires transient simulations using the highly nonlinear Richards' equation, which is a computationally demanding approach. We test a classic simple approximation that computes the root zone-groundwater interaction flux as the net effect of a downward drainage flux and an upward capillary rise flux against the Darcy equation for quasi steady state conditions. We find that for a wet root zone and/or shallow groundwater, the errors within this approximation are significant and of the same magnitude as the interaction flux itself. We present a new closed-form parameterization of the Darcy equation-based fluxes that accounts both for root zone soil moisture and depth to the water table. Parameter values for this parameterization are listed for 11 different, widely applied soil texture descriptions. The high numerical efficiency of the proposed method makes it suitable for inclusion into demanding applications, e.g., a Monte Carlo framework, or high spatial resolution.
Development of an estimation model for the evaluation of the energy requirement of dilute acid pretreatments of biomass
This study aims to develop a mathematical model to evaluate the energy required by pretreatment processes used in the production of second generation ethanol. A dilute acid pretreatment process reported by the National Renewable Energy Laboratory (NREL) was selected as an example for the model's development. The energy demand of the pretreatment process was evaluated by considering the change of internal energy of the substances, the reaction energy, the heat lost and the work done to/by the system, based on a number of simplifying assumptions. Sensitivity analyses were performed on the solid loading rate, temperature, acid concentration and water evaporation rate. The results from the sensitivity analyses established that the solids loading rate had the most significant impact on the energy demand. The model was then verified with data from the NREL benchmark process. Application of this model to other dilute acid pretreatment processes reported in the literature illustrated that although similar sugar yields were reported by several studies, the energy required by the different pretreatments varied significantly.
Patient access to complex chronic disease records on the internet
Background: Access to medical records on the Internet has been reported to be acceptable and popular with patients, although most published evaluations have been of primary care or office-based practice. We tested the feasibility and acceptability of making unscreened results and data from a complex chronic disease pathway (renal medicine) available to patients over the Internet in a project involving more than half of the renal units in the UK.
Methods: The content and presentation of the Renal PatientView (RPV) system were developed with patient groups. It was designed to receive information from multiple local information systems and to require minimal extra work in units. After piloting in 4 centres in 2005 it was made available more widely. Opinions were sought from both patients who enrolled and from those who did not in a paper survey, and from staff in an electronic survey. Anonymous data on enrolments and usage were extracted from the webserver.
Results: By mid 2011 over 17,000 patients from 47 of the 75 renal units in the UK had registered. Users had a wide age range (<10 to >90 yrs) but were younger and had more years of education than non-users. They were enthusiastic about the concept, found it easy to use, and 80% felt it gave them a better understanding of their disease. The most common reason for not enrolling was being unaware of the system. A minority of patients had security concerns, and these were reduced after enrolling.
Staff responses were also strongly positive. They reported that it aided patient concordance and disease management, and increased the quality of consultations with a neutral effect on consultation length. Neither patient nor staff responses suggested that RPV led to an overall increase in patient anxiety or to an increased burden on renal units beyond the time required to enrol each patient.
Conclusions: Patient Internet access to secondary care records concerning a complex chronic disease is feasible and popular, providing an increased sense of empowerment and understanding, with no serious identified negative consequences. Security concerns were present but rarely prevented participation. These are powerful reasons to make this type of access more widely available.