
    Remote booting in a hostile world: to whom am I speaking? [Computer security]

    “This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.” “Copyright IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.”
    Today's networked computer systems are very vulnerable to attack: terminal software, like that used by the X Window System, is frequently passed across a network, and a trojan horse can easily be inserted while it is in transit. Many other software products, including operating systems, load parts of themselves from a server across a network. Although users may be confident that their workstation is physically secure, some part of the network to which they are attached almost certainly is not secure. Most proposals that recommend cryptographic means to protect remotely loaded software also eliminate the advantages of remote loading - for example, ease of reconfiguration, upgrade distribution, and maintenance. For this reason, they have largely been abandoned before finding their way into commercial products. The article shows that, contrary to intuition, it is no more difficult to protect a workstation that loads its software across an insecure network than to protect a stand-alone workstation. In contrast to prevailing practice, the authors make essential use of a collision-rich hash function to ensure that an exhaustive off-line search by the opponent will produce not one, but many candidate passwords. This strategy forces the opponent into an open, on-line guessing attack and offers the user a defensive strategy unavailable in the case of an off-line attack. Peer reviewed.

    File Synchronization Systems Survey

    Several solutions exist for file storage, sharing, and synchronization. Many of them involve a central server, or a collection of servers, that either store the files, or act as a gateway for them to be shared. Some systems take a decentralized approach, wherein interconnected users form a peer-to-peer (P2P) network, and partake in the sharing process: they share the files they possess with others, and can obtain the files owned by other peers. In this paper, we survey various technologies, both cloud-based and P2P-based, that users use to synchronize their files across the network, and discuss their strengths and weaknesses. Comment: The Sixth International Conference on Computer Science, Engineering & Applications (ICCSEA 2016)

    Infrastructureless wallet backed up with P2P technology

    With the rise in popularity of the cloud, many new applications have been developed in recent years. An example is data vaults, used to securely store users' most precious files in cloud-based servers. The use of this type of application requires a high degree of trust from the user, because if there is any vulnerability the files containing highly sensitive information could be leaked or if the service is unavailable users may not be able to access the files. This project proposes an alternative to using central servers by using P2P networks. P2P networks consist of a group of computers that share resources among them with the same permissions and responsibilities. By using this type of network, BitTorrent for example, users are still able to access these resources from a remote device without the need to store them in remote servers, offering an alternative to other cloud-based solutions.

    Mobile FTP Client: An Android Application

    This project sets out to design and implement a mobile FTP client application for Android OS that accompanies a home media server using the Nas4Free operating system. The application utilizes Apache Commons’ .net Java library to perform three functions: connect remotely to an FTP server, browse through directory listings, and download single files or entire directories to the Android device. This senior project encompasses multiple concepts including the configuration of a network to allow external access to a server behind a firewall, understanding of SSL/TLS security including private key encryption and self-signed certificates, the FTP protocol and its associated commands, and centers on Android development and the creation of an Android application. This application is for personal use only, and will not be released on the Google Play Store.

    Addressing telecommuting in cyber security guidelines

    Cyber security threats are becoming more common than before. New phenomena in society include new cyber security threats which organisations and society should prepare for. One of these phenomena is telecommuting. Telecommuting has its roots already in the 1970s, but it has become increasingly popular during the last years. Especially the pandemic caused by Covid-19 has changed the way of working drastically. The pandemic and social distancing forced many organisations to have their employees working from home. Information technology has enabled telecommuting, but it has also brought some problems such as security issues. Cyber security threats have increased and become more diverse during the mass telecommuting caused by Covid-19. Telecommuting has some special features that can increase cyber security threats and risks. In this research the following cyber security threats relating to telecommuting were identified to be most relevant: cyber attacks, social engineering, unauthorized access and physical security. Previous literature has identified that there exist cyber security threats in telecommuting, but it has remained unclear how organisations manage and mitigate these in practice. Many of the identified threats relate to employees’ unwanted behaviour. Employees are unaware of the threats facing the organisation in telecommuting. Some employees have not been provided with proper guidelines and instruction on secure ways of working. Information security policies and guidelines are important for maintaining cyber security in organisations. Policies can even be seen as the basis for an organisation’s cyber security. This research studied which guidelines could be applicable in a telecommuting environment in order to mitigate the common cyber security threats. Most prominent cyber security guidelines for telecommuting identified in this research were guidelines for personal and mobile devices, guidelines for social engineering, guidelines for physical security, network guidelines, password guidelines and guidelines for online meetings. Case study of multiple cases was used as a method for this study. The cases are seven Finnish universities. The empirical data consists of cyber security and telecommuting guidelines from the universities. These guidelines were analysed by reflecting to the theoretical framework. The analysis showed that especially guidelines for physical security and online meetings were lacking. The presence of outsiders in the telecommuting environment was addressed poorly. Outsiders are a threat both to physical and online meeting security as outsiders may see or hear confidential things. In addition, guidelines were not addressing data labelling and information release. Threats specific to Covid-19 were also addressed poorly even though cyber criminals have exploited the pandemic. Guidelines seemed to be otherwise comprehensive. Threats that were addressed poorly have been especially relevant during the pandemic which suggests that organisations’ guidelines are not quite up to date even though otherwise applicable. Organisations should review and update their guidelines periodically and if a major change occurs in the operation environment.

    The Clarens Web Service Framework for Distributed Scientific Analysis in Grid Projects

    Large scientific collaborations are moving towards service oriented architectures for implementation and deployment of globally distributed systems. Clarens is a high performance, easy to deploy Web Service framework that supports the construction of such globally distributed systems. This paper discusses some of the core functionality of Clarens that the authors believe is important for building distributed systems based on Web Services that support scientific analysis.