25 research outputs found

    Interleaving Command Sequences: a Threat to Secure Smartcard Interoperability

    The increasingly widespread use of smartcards for a variety of sensitive applications, including digital signatures, creates the need to ensure and possibly certify the secure interoperability of these devices. Standard certification criteria, in particular the Common Criteria, define security requirements but do not sufficiently address the problem of interoperability. Here we consider the interoperability problem which arises when various applications interact with different smartcards through a middleware. In such a situation it is possible that a smartcard of type S receives commands that were supposed to be executed on a different smartcard of type S'. Such "external commands" can interleave with the commands that were supposed to be executed on S. We experimentally demonstrate this problem with a Common Criteria certified digital signature process on a commercially available smartcard. Importantly, in some of these cases the digital signature processes terminate without generating an error message or warning to the user. Comment: 6 pages; published in the 10th WSEAS International Conference on Information Security and Privacy (ISP 2011).

    Waterborne Outbreak of Norwalk-Like Virus Gastroenteritis at a Tourist Resort, Italy

    In July 2000, an outbreak of gastroenteritis occurred at a tourist resort in the Gulf of Taranto in southern Italy. Illness in 344 people, 69 of whom were staff members, met the case definition. Norwalk-like virus (NLV) was found in 22 of 28 stool specimens tested. The source of illness was likely contaminated drinking water, as environmental inspection identified a breakdown in the resort water system and tap water samples were contaminated with fecal bacteria. Attack rates were increased (51.4%) in staff members involved in water sports. Relative risks were significant only for exposure to beach showers and consuming drinks with ice. Although Italy has no surveillance system for nonbacterial gastroenteritis, no outbreak caused by NLV has been described previously in the country.

    Sistema di interscambio Catasto-Comuni I parte

    Cadastre-Municipalities interchange system, Part I

    Secure user credential control

    In some embodiments, a user has to use a single universal text- or image-based secret from which a service-provider-specific identity credential, for example username plus password, is derived for authentication. A human (i.e., the user) must interpret an image to enter this universal text- (or image-) based secret. For example, an image-based challenge is presented to the user, and a credential is obtained based on the user's response to the challenge.

    A framework for inter-organizational public administration network services

    The deployment of inter-organizational network services for the Public Administration is a challenging task, due to the broad range of strict requirements of both technical and organizational nature. In this paper we present a conceptual framework to describe application cooperation for inter-organization services that has already been adopted for the analysis and implementation of several existing Italian PA services.

    Extending abstraction-refinement methods for compliance checking of inter-organizational business processes with incomplete information

    Conformance checking is a crucial challenge for modern inter-organizational business processes when critical security, privacy and workflow constraints must be satisfied to ensure the reliability of multi-party business procedures. Many of these constraints can be expressed in terms of causal dependencies, and verifying such dependencies can be fundamental to determine the correctness of transactions. But often the information required to check causal dependencies is incomplete, coarse or imprecise due to several reasons, like low maturity of event logs, corrupted data, local timestamping and privacy requirements of each organization. In previous work we presented a solution to address these issues based on abstraction, over-approximation and under-approximation of the causal dependencies, to model unavailable data and maintain the ability to prove correctness or to find anomalies in inter-organizational transactions. In that paper we made some assumptions about the structure of business processes which are reasonable for security-sensitive business processes but cannot be applied in all circumstances. In this paper we relax the assumptions made in that previous work and we discuss how this affects the applicability of the theorems. We find that while some notions need to be redefined, in most cases the same techniques, especially the ones based on under-approximation, remain applicable to investigate the correctness of business processes and to find anomalies for post-mortem investigation or online operational support.

    Inter-Organizational E-Services Accounting Management On . . .

    Accounting management is of strategic importance for a successful uptake of computational Grid technology within the user community. Computational Grid is one of the most important paradigms for distributed computing and high-performance e-service provision. In this paper we present an architecture for accounting management of e-services on computational Grids which fully meets both the reliability and security requirements for accounting management architectures defined by the Internet Engineering Task Force (IETF). The presented solution, based on previous work successfully deployed in many Italian public administrations, nicely fits with the overall Grid architectures and features a clear separation between management of the service and its control.