Saturday, January 24, 2009

Can you use Encryption to Enhance your Privacy?

Continuing from a previous article, which looked at privacy in today’s internet age, this piece discusses how one can use encryption to protect privacy.

One aspect of privacy that I didn’t discuss is what information your employer holds with regard to your surfing activities. Employees are now provided with internet access and every click and typed address is tracked by your employer.

There are various monitoring tools available that account for and report on employee internet usage. These tools are evolving and improving, giving employers the ability to chart what a particular user does, how often and when they do it.

This monitoring is sometimes justifiable. Employees that abuse their access to the internet instead of doing the job they are employed to do are identified through these tools.

A perturbing observation still remains: organizations can create a profile of you that includes personal information such as purchases, transactions, medical status and others. This constitutes private data.

You cannot do much to control who accesses your internet or network usage information in an organization. However, as a home user, there are various security and privacy aspects you should be aware of.

The storage media you use, for example USB sticks and CDs, are easy to lose and steal. Laptops have become much sought after items by thieves.

The loss of computer hardware is incomparable to the data loss. It is therefore crucial to encrypt your files so that they are unreadable to all but the owner of the decryption key, you.

Encryption can be simply described as the conversion of ordinary language into code. This is where information (plaintext) is transformed using an algorithm (cipher) to make it unreadable to anyone except those possessing the key. The process of converting this encrypted data (sometimes called ciphertext) back into its original form is called decryption.

Encryption solutions are inexpensive and widely available whether it is for large organizations, small businesses or home users. It is a good practice to encrypt all valuable information on the portable storage devices we use. That way if your laptop or USB device is stolen, the thief will be unable to make any use of it whatsoever.

Another advantage of encryption is that it protects sensitive data against malicious code. When malicious code manages to bypass network security, encrypted data acts as an extra layer of defense. This way privacy can be ensured.

Encryption renders your personal data useless to thieves. Using an encryption solution is advisable for all corporate and individual computer users.

The Communications Act could have gone Further

Putt’s Law states that technology is dominated by two types of people – those who understand what they do not manage and those who manage what they do not understand. The Kenya Communications (Amendment) Act 2008 has made a spirited attempt at helping us manage what we don’t fully understand.

From an electronic commerce, security and forensics point of view, The Act has commendably addressed various substantive issues.

A range of financial tokens that underlie e-commerce have been secured against fraudsters. Case in point is Formation and Validity of Contracts where a contract shall not be denied validity or enforceability solely on the ground that an electronic message was used for the purpose.

It is therefore possible to use digital signatures that provide reliable authentication of documents in computerized digital form. These signatures have been legally recognised. This means that where a law requires a signature of a person, this requirement can be met if an advanced electronic signature is used within the context of a relevant agreement.

The implications of this aspect on e-commerce are wide-ranging. You can electronically sign credit contracts with virtual banks and use virtual letters of credit to conduct business. Other aspects that will enhance e-commerce include Attribution/Retention of Electronic Records and Acknowledgement of Receipts.

On ICT security and forensics, The Act has fundamentally altered the electronic security landscape in Kenya. The notable inclusions include the entrenchment and substantiation of electronic records (or evidence).

Electronic records are now legally recognised and can be retained in their original form. This means that your internet history logs, for instance, can now be used as evidence. Attribution is also now legal in that an e-mail receiver can legally act on the contents of an e-mail after identifying its source.

It is now illegal to gain Unauthorised Access to a Computer System, Modifying Computer Material without Authority, Disclosing Passwords, Committing Electronic Fraud, Publishing Obscene Information and Planting Viruses/Trojans in systems.

There are however some significant omissions that should have been included in The Act. Firstly we must divorce ICT from media and publish a dedicated and detailed ICT Act. Some might argue that ICT and media are converging. My contention is that ICT, being a complicated technology with multi-faceted functions, should be recognised as an independent framework despite its use in the media and other sectors.

Electronic investigation has been given a cold shoulder by this Act. Codes of electronic investigation and evidence handling procedures should have been outlined in more detail.

Information is today’s commodity of choice. This digital property will invariably ignite conflict. It would therefore have been advisable to include an ICT intellectual property framework in this Act. Finally, the Amendment Act could have meted out stricter penalties for sponsors and perpetrators of child pornography, which has become a menace in Kenya.

In sum, this Amendment Act is a commendable first step. What should be appreciated is that ICT is dynamic and more legislative and policy work needs to be constantly developed.

How to Catch a Cyber Criminal by Staging

The traditional village market has been replaced by the global digital market. The internet has transformed trading of goods, services and commodities fundamentally. Kenyans have swiftly embraced technology and once the national fiber and submarine cable infrastructure is in place, expect a boom in electronic commerce.

However the same problems of fraud that were witnessed in the village market have crept into the digital realm. Fraudulent schemes continue unabated even in the internet. Digital thugs are busy attempting to defraud online customers by misrepresentation and deception. These online criminals try to present goods and services that look, as much as possible, like those that legitimate e-commerce merchants offer.

Their access point is usually the website. The website is today’s bank counter, the first access point. An e-commerce trader has to be more vigilant than the brick and mortar bank manager. This is because a cyber criminal can easily breach an e-commerce website, commit fraud and leave undetected.

It is therefore vital to counter these web attacks by understanding and using various profiling techniques. One of the most effective is Staging (or posing). This is a profiling technique that can be used to obtain a profile of a financial intruder.

Staging is the manner of website defacement or the way particular files or resources are left once penetrated by the intruder. The habit of leaving deliberate ‘calling cards’ is not common among cyber fraudsters. This is because their motive is to breach e-commerce websites and obtain the data. This can only be achieved by employing a sustained covert connection to the system.

They therefore go to great lengths to cover their tracks. The alteration of a crime scene to confuse or mislead is common and is a good example of staging. The forensic investigator looks for signs that not only indicate the presence of an online fraudster but also of cover-up signs.

Intruders attempt to hide or remove evidence of an intrusion by deleting logs, altering date-time stamps, and installing their own utilities to subvert the operating system. They also use strong encryption to cloak their activities by encrypting data before stealing it, encoding communications between compromised hosts and obfuscating executables.

It is therefore important to identify the absence of the obvious as well as the presence of the obvious online financial intruder tracks. The presence of encrypted packets within a network is evidence of an intrusion. The absence of router network logs is indicative of an intrusion.
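One way to look for the "absence of the obvious" described above is to scan a log for stretches where entries are missing or timestamps run backwards. The following is an added example, not code from the original article; the log format, the host name rtr1, the five-minute threshold and the sample lines are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: a router expected to write at least one line a minute.
SAMPLE_LOG = """\
2009-01-20 02:00:05 rtr1 keepalive
2009-01-20 02:00:58 rtr1 keepalive
2009-01-20 02:01:57 rtr1 admin session opened
2009-01-20 02:47:10 rtr1 keepalive
2009-01-20 02:48:09 rtr1 keepalive
2009-01-20 02:31:44 rtr1 config saved
2009-01-20 02:49:08 rtr1 keepalive
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the sample


def parse(text):
    """Yield (line_number, timestamp or None, raw_line) for each non-empty line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            stamp = datetime.strptime(raw[:19], TS_FORMAT)
        except ValueError:
            stamp = None
        yield number, stamp, raw


def find_anomalies(text, max_gap=timedelta(minutes=5)):
    """Report silent periods, backwards timestamps and unreadable lines.

    A gap suggests entries were deleted (or logging was stopped); a timestamp
    older than one already seen suggests an edited or back-dated entry.
    """
    findings = []
    newest = None  # highest timestamp seen so far
    for number, stamp, _raw in parse(text):
        if stamp is None:
            findings.append({"kind": "unparseable", "line": number, "seconds": None})
            continue
        if newest is not None:
            delta = (stamp - newest).total_seconds()
            if delta < 0:
                findings.append(
                    {"kind": "out_of_order", "line": number, "seconds": int(-delta)}
                )
            elif delta > max_gap.total_seconds():
                findings.append({"kind": "gap", "line": number, "seconds": int(delta)})
        if newest is None or stamp > newest:
            newest = stamp
    if newest is None:
        # No usable entries at all: the missing log is itself the finding.
        findings.append({"kind": "no_entries", "line": 0, "seconds": None})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

A finding is a lead for the investigator, not proof: clock changes and device reboots produce the same patterns and have to be ruled out.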

Staging is, therefore, a useful profiling technique that can assist our budding local e-entrepreneurs.

Cover Up – Your Privacy is Important

It is often claimed that most of the luxuries in life are now affordable and only one remains - privacy. Maintaining individual and business privacy in this era of pervasive technology has become increasingly difficult.

Business privacy is a concept that needs to be addressed with urgency due to the potential for serious breaches in the public’s expectations of privacy. Any organization that is a data owner (or holder) should commit itself to protecting its customers’ privacy up front and not as a back burner concern.

Your privacy is under threat from various sources. One of the most potent is the search engine. An internet search engine is a tool that can scour the global web for the results you want at the snap of your fingers.

This powerful technology can be used for good and bad purposes, just as weapons can protect or harm us. The downside is that search engines threaten personal and business privacy.

Google, a popular search engine, can be easily used to unearth information about you and your business that you don’t want people to know.

Anyone who is in the market for illicit corporate, or individual data, can take advantage of search engines’ power to acquire data to which the authors or originators of the data never intended them to have access, but which have inadvertently been left exposed.

It is unfortunately quite easy to unearth data. Google, for instance, provides special tools which are known as ‘advanced operators’. They are query words that have special meaning when used with Google.

They allow a regular user to conduct an extensive ‘drill down’ search. For example, ‘link:’ is one such advanced operator that yields all web pages that have links to a web site, as in [link:www.eastandard.net]. These operators can be found on www.google.com/help/operators.html.

As tools for obtaining private data, these advanced operators are effective. Hackers exploit the fact that companies, when designing their websites, believe they have locked their front door but in fact have left a window open. These websites therefore publicize information they would want to keep secret.


There are various mechanisms and controls that should be used to safeguard privacy. Encryption, for example, should be used to protect client data on storage media. Company data should only be availed to personnel on a ‘need to know’ basis. Regular internal audits should also be conducted to ensure there aren’t any breaches of the laid out privacy policies.

Organizations must also desist from delegating responsibility for privacy issues to junior members of staff. Privacy should be championed by the Board and a senior decision maker, with the power to make important changes, should provide coordination.

In sum, organizations must embrace a higher commitment for ensuring data privacy. Any issues that are associated with privacy breaches must be addressed by those planning, designing and implementing new IT systems.

Preventing the Crime will help avoid Laborious Forensic Investigations

The process of obtaining and processing computer evidence and taking suspects to court is usually a long and expensive task. This process involves four primary stages: acquisition, identification, evaluation and presentation.

The acquisition stage is mainly concerned with forensic capture of the device and its resident data. This is where the digital device that was involved in a cyber crime is secured. A record is made of the location where it was found and seized. For example an external hard disk that was hidden under a pile of newspapers provides a clue about the intent of the suspected offender.

During this stage of acquisition, data must be copied from the original hard disk using a write-blocking device. This device sits between the offender’s disk and the investigating computer. It stops all write signals being passed from the computer to the disk, hence preserving the data contained in the disk.

The second stage is identification. Here we recognize that digital evidence from an offender’s device can be interpreted from a number of perspectives. You can, for instance, examine the physical sectors of a disk and the logical partitions and file system. This can give you an idea of the technical expertise of the offender.

At this stage we also consider the context within which any digital evidence is found. This is especially crucial in financial forensic investigations where context will help the forensic investigator relate and untangle complex financial transactions.

Useful sources of evidence include records of internet activity, local file accesses, cookies, e-mail records among many other sources. Evidence should be handled with utmost care and a chain of evidence must be made. The investigator must also make notes at the time he takes any action regarding an offender’s device. These notes are more likely to be accepted by a court rather than a witness who is relying on his memory of a past event.
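The acquisition hash and the contemporaneous notes described above can be tied together in a tamper-evident custody log. The following is an added example, not part of the original article: the hash-chained log is one possible technique chosen for illustration, and the field names, actors, times and the stand-in image bytes are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value used by the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry):
    """Hash every field of an entry except its own stored hash."""
    material = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(material, sort_keys=True).encode("utf-8"))


def append_entry(log, when, actor, action, evidence_sha256):
    """Add a note made at the time of the action, chained to the previous note."""
    entry = {
        "seq": len(log) + 1,
        "when": when,
        "actor": actor,
        "action": action,
        "evidence_sha256": evidence_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify(log, image_bytes):
    """Return a list of (entry_number, problem); an empty list means consistent."""
    problems = []
    expected_prev = GENESIS
    for position, entry in enumerate(log, start=1):
        if entry["seq"] != position or entry["prev_hash"] != expected_prev:
            problems.append((position, "chain broken"))
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append((position, "entry altered"))
        expected_prev = entry["entry_hash"]
    # The working copy must still match the hash recorded at acquisition.
    if log and sha256_hex(image_bytes) != log[0]["evidence_sha256"]:
        problems.append((0, "image differs from acquisition hash"))
    return problems


def build_demo():
    """Constructed sample: three custody notes about one imaged disk."""
    image = b"constructed stand-in for a disk image"
    digest = sha256_hex(image)
    log = []
    append_entry(log, "2009-01-20T09:14", "Investigator A",
                 "Seized external disk; imaged through write blocker", digest)
    append_entry(log, "2009-01-20T11:02", "Investigator A",
                 "Original disk sealed in evidence bag", digest)
    append_entry(log, "2009-01-21T08:30", "Analyst B",
                 "Working copy received for examination", digest)
    return log, image


if __name__ == "__main__":
    demo_log, demo_image = build_demo()
    print(verify(demo_log, demo_image))
```

The chain only shows that the log is internally consistent; the hash of the latest entry should also be recorded somewhere the log keeper cannot rewrite, such as a signed paper form.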

The third stage is evaluation where a decision on the digital evidence found is made. To achieve this, the investigator must have understood how the data was produced, by whom and when.

The fourth, and final stage, is where the interpretation of the raw data and the reconstruction of events that occurred on the offender’s disk prior to its seizure are undertaken.

You can avoid this process by implementing information security measures. For example you can place monitoring equipment on the perimeter of your network. This will allow you to check for new access points and devices.

My point is that individuals and companies must aim to avoid a lengthy computer forensic investigation by investing in security controls, educating staff and developing policies that bolster information security in the organization.

Is the Photocopier a forgotten Weak Security Link?

The photocopier is an often ignored peripheral in a corporate network. It has evolved from the single function device that used to sit in some obscure dusty corner to the multifunctional, networked document processing hub found at the heart of the business.

Modern photocopiers are termed as multifunctional devices that use digital print engines and combine several functions like copying, scanning, printing and faxing. Due to their multiple functions, copiers have become common devices in the corporate Local Area Network.

Digital copiers have the same power as PCs and can also be used to email documents, store confidential data and reproduce sensitive information. These copiers also have hard disks that store images of copied documents. Think about this the next time you copy personal documents using a company or commercial copier.

Another security risk is their ability to scan and email. What would be the impact of strategic company plans being scanned and emailed to competitors or sensitive documents being copied and their images accessed through the network?

Organizations should identify the risks associated with a networked digital copier. A starting point would be for System Administrators to ask themselves if access to the copier is controlled by authentication. Are the print files and stored images encrypted? Can the administrator remotely enable or disable the copier’s ports to control its usage?

Can the digital images on the hard disk be overwritten? Does the copier track usage, providing an audit trail of each user for monitoring purposes? If the answer to any of these questions is no, then it is time to re-evaluate your company’s multifunctional device security.

As with most aspects of information security, organizations should adopt a combination of staff education, policies and technology so as to secure their networked copiers.

Staff should be made aware of potential risks and the role they play in maintaining information security. Policies must dictate the use of all multifunctional devices. They must also outlaw inappropriate practices such as the unauthorized access of a copier’s hard disk.

Simple technological security checks should be introduced. For example, authentication should require staff to input their log-in details and password just as they would to access their PC. Traffic from the desktop to the copier should also be encrypted.

Ultimately, however, we can no longer ignore the crucial role photocopiers play in today’s business environment. This should encourage organizations to treat them with the same priority as any other aspect of ICT security.

M-Pesa - Legislative Safeguards Should be in Tandem with Electronic Ones

The recent announcement that the Government will introduce a Microfinance Act and regulate money transfer services is commendable. It has been acknowledged in many quarters that technology has outpaced legislation and regulation in Kenya and something needs to be done about it.

The government should however ensure that wireless money transfer providers are obligated to implement basic electronic security technologies in their networks.

There are various wireless technologies in existence today. They include Wireless Data Networks (WDNs), GSM (Global System for Mobile Communications), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), UMTS (Universal Mobile Telecommunication System) among many others.

Wireless networking technology (including GSM) has become a very popular system for mobile communication in the world. This popularity is driven by two primary factors: convenience and cost. Mobile products have consequently been embraced at an astonishing pace.

The ability to communicate, send short messages and transfer money using your mobile, independent of a ‘physical’ infrastructure, has provided us with a convenience that we never enjoyed before.

PINs which are required to access your M-Pesa account reside in the service provider’s database. This database of passwords is, needless to say, very important and should be secure.

Apart from password data, these databases also contain customer details, call records, subscriber location and transaction histories.

Will the proposed legislation obligate service providers to ensure these databases are protected using cutting edge security technologies?

Apart from electronic safeguards the proposed regulatory framework should exhaustively deal with mobile electronic evidence. The electronic transfer of money is prone to fraud and money laundering. Obtaining, preserving and presenting technical telephony evidence in a court of law is difficult and should be buttressed by adequate legislation.

We should also not develop a framework for mobile money transfer in isolation. This framework should exist under the umbrella of the wider ICT Bill.

The concept of M-Security cannot be ignored by the proposed Microfinance Act and Regulations. M-security concerns itself with the policy, technical, managerial and legislative safeguards applied to mobile systems and data to protect organizational and personal information.

M-security should therefore be part and parcel of any legislative and regulatory framework of money transfer services in Kenya.

Are you Controlling Access to your Network?

Networks are the nervous systems of our information technology body. Networks are integrated computers and peripherals that are linked through communication facilities.

They are basically two or more computers that share resources and data, linked by cabling, telephony or wireless equipment.

You have most likely heard of the Eastern Africa Submarine Cable System (EASSy) which will connect us to the global network. You will also have noted the numerous trenches being dug in major urban centers. This is the national fiber network being laid out.

Networks primarily transmit data electronically. This data is in the form of voice, video and images.

Networks have become indispensable parts of our lives and the Internet is a good example of our dependency on networks. The Internet is a network of networks that links millions of computers globally.

Companies have networks called intranets. This corporate network is tailored to meet the specific requirements of an organization.

Controlling who accesses the company intranet is a crucial security concern. This control involves a number of aspects. It is firstly concerned with what network resources (data or peripheral devices) an authenticated user can access based on his/her rank.

Network access also involves all security policies assigned to a user and the behavior of the user once he/she has accessed the network. Today network security is about controlling individual user access to services and data, and auditing their behavior to ensure compliance with policies and regulations.

Network access control is also largely based on what layers of security are applied to a network. Businesses must inspect the valuable and sensitive information carried by the network to ensure its confidentiality and integrity.

Security policies are a component of network access that involves defining a manageable yet effective set of compliance-checking, enforcement and remediation policies. Companies should determine what types of checks will be performed, how often, what types of warnings will be displayed to users and how policies vary by user. The secret is to keep these security policies simple.

Another component of network access is giving the users the option to access a limited set of resources (such as the Internet or email) so that they can work without interruption.

Finally, companies should be prepared to handle exceptional user scenarios which could occur at any time. For example, a natural disaster or another unusual problem could prevent users from accessing the network. Provisions for access to critical resources from remote computers must have been outlined and appropriate access privileges assigned.

Is your E-Commerce Web Site Secure?

Electronic Commerce (e-commerce) websites have two basic objectives: making money and saving money online.

Some Kenyan companies primarily go online to increase their business turnover and profile.

Not all companies can profitably sell products and services online, but all companies can save money by using the internet for business research and services.

The bottom line is that we are witnessing a surge in online transactions. This has proportionally spawned more attacks on e-commerce web sites. This is due to the fact that they conduct business and hold valuable information, for example credit card numbers or other private, personal data.

Most of these attacks exploit vulnerabilities found in e-commerce websites. Your business website is vulnerable to denial of service attacks, defacement, data theft and fraud where data is manipulated or actual theft occurs.

Other common technical attacks include SQL injection, information disclosure, path disclosure, price manipulation, buffer overflows and cross-site scripting. I shall outline SQL injection and price manipulation vulnerabilities for now.

SQL injection is where an attacker determines if a site is vulnerable by sending in the single-quote (') character. The message generated discloses the back-end technology being used and allows the attacker to access areas of the site.

SQL injection techniques differ depending on the database. For example an SQL injection on an Oracle database is done primarily using the UNION keyword. SQL vulnerabilities are common and do potentially allow unfettered execution of malicious database queries.
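The single-quote behaviour described above comes from pasting user input into the SQL text. The following added example (not from the original article) puts a concatenated query beside a parameterised one using Python's sqlite3 module; the table, the product names and the function names are constructed for illustration.

```python
import sqlite3

GENERIC_ERROR = "search is temporarily unavailable"
SERVER_LOG = []  # stands in for a server-side log the client never sees


def make_db():
    """Constructed catalogue held in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("kettle",), ("o'neill mug",)],
    )
    return db


def search_vulnerable(db, term):
    """Before: the search term becomes part of the SQL statement itself."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    try:
        return {"ok": True, "rows": [row[0] for row in db.execute(sql)]}
    except sqlite3.Error as exc:
        # Echoing the driver's message is the disclosure the article mentions:
        # it tells the client the query broke and hints at the back end.
        return {"ok": False, "error": str(exc)}


def search_hardened(db, term):
    """After: the term is bound as data, and errors stay on the server."""
    try:
        rows = db.execute(
            "SELECT name FROM products WHERE name = ?", (term,)
        ).fetchall()
    except sqlite3.Error as exc:
        SERVER_LOG.append(str(exc))
        return {"ok": False, "error": GENERIC_ERROR}
    return {"ok": True, "rows": [row[0] for row in rows]}


if __name__ == "__main__":
    database = make_db()
    for value in ["kettle", "'", "o'neill mug"]:
        print(repr(value), search_vulnerable(database, value))
        print(repr(value), search_hardened(database, value))
```

Note that the concatenated version also fails for a legitimate product name containing an apostrophe, which is often how the defect is first noticed in testing.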

Another common vulnerability is price manipulation where an attacker uses a web application proxy to modify the amount that is payable when this information flows from the user’s browser to the web server. It is particularly unique to online shopping carts and payment gateways.
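The defence against price manipulation is for the server to work out the amount itself and treat any price or total sent by the browser as untrusted. The following is an added example, not code from the original article; the catalogue, SKU codes, quantity limit and function names are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only source of prices used for charging.
CATALOGUE = {
    "SKU-1001": Decimal("2500.00"),
    "SKU-1002": Decimal("450.00"),
}
MAX_QTY = 100  # assumed business limit per line item


class OrderRejected(Exception):
    """Raised when the submitted cart cannot be priced safely."""


def price_order(cart, client_total=None):
    """Price a cart from server data only.

    cart is the list of items posted by the browser. Any "price" field in an
    item is ignored, and client_total is compared with the server figure only
    to flag possible tampering; it is never the amount charged.
    """
    if not cart:
        raise OrderRejected("empty cart")
    charge = Decimal("0.00")
    for item in cart:
        sku = item.get("sku")
        qty = item.get("qty")
        if not isinstance(sku, str) or sku not in CATALOGUE:
            raise OrderRejected("unknown product")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise OrderRejected("invalid quantity")
        charge += CATALOGUE[sku] * qty
    mismatch = False
    if client_total is not None:
        try:
            mismatch = Decimal(str(client_total)) != charge
        except InvalidOperation:
            mismatch = True  # not even a number: treat as tampering
    return {"charge": charge, "client_total_mismatch": mismatch}


if __name__ == "__main__":
    posted_cart = [
        {"sku": "SKU-1001", "qty": 2, "price": "1.00"},  # price altered in transit
        {"sku": "SKU-1002", "qty": 1},
    ]
    print(price_order(posted_cart, client_total="2.00"))
```

A mismatch is worth logging with the session details, since it shows someone changed the request between the browser and the server.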

Building and maintaining an e-commerce site is a dynamic process. Static websites that do not constantly change their security controls are extremely vulnerable to attack.

Network level protection is not enough. Secure websites need to use advanced configurations and filtering mechanisms. Packet and application filtering firewalls provide capabilities that go a long way in securing your website.

It is also advisable to cooperate with your ISP. Most methods of defense include blocking of unwanted network traffic, such as fragment blocking.

The rule of thumb is not to neglect your e-commerce site. Static websites that are never improved or maintained contain obsolete technology that is insecure. A dynamic website is harder to attack.

Online Profiling can Enhance Security

The traditional village market has been replaced by the global digital market. The internet has transformed trading of goods, services and commodities fundamentally. However the same problems of fraud that were witnessed in the village market have crept into the digital realm.

Online fraud can be defined as any activity that involves the obtaining of other people’s money or assets by misrepresentation or deception. These fraudulent schemes are being propagated by online criminals who try to present goods and services that look, as much as possible, like those that legitimate e-commerce merchants offer.

To be able to further understand the complexity and magnitude of online fraud one has to examine the risks that are to be found in the e-business context. The continued presence of these risks enhances the growth of online fraud.

To surmount these risks and attendant problems, online investigators can use profiling techniques to assist them in monitoring and identifying online fraudsters.

Profiling, in the context of forensic computing, is a useful tool of investigation. Profiling can be broadly defined as the prediction of an individual’s characteristics, crime scene assessment and the provision of investigative advice based on practical detective expertise, behavioural science theory, and statistical analysis of solved case information.

Profiling in sum typically includes identifying personality traits, behavioural tendencies and demographic tendencies.

Profiling can be used to distinguish online fraudsters from other online offenders like stalkers and sexual predators. By the use of profiling it would be possible to predict and outline the online fraudster’s behavioural characteristics.

This would be possible because profiling is based on Locard's Principle of Exchange which stipulates that anyone who perpetuates a crime or enters a crime scene both takes something from the scene with them and leaves something of them behind.

These clues can be used to develop a profile of an offender in both the physical and digital contexts.

Various profiling approaches can be used and they include determining the signature pattern, determining the modus operandi (method of operation), diagnostic evaluation, investigative psychology, digital crime scene analysis, and geographic profiling.

For example this technique can be used to identify the serial online sexual predators that prey on our youth especially at the Coast.

Computer Viruses and their Deadly Functions

Most computer users have come across the term “computer virus”. It conjures up a negative image that represents something horrific. The idea that computer viruses are always destructive is deeply ingrained in most people’s thinking.

A computer virus is a computer program that has the ability to destroy data and gain control of a computer. Its similarity with the biological virus is its ability to make a fully functional copy of itself (reproduce).

When a computer virus is executed it makes one or more copies of itself. These copies may later be executed, to create still more copies.

It is crucial to understand that not all computer programs that are destructive are classified as viruses because they do not all reproduce. Similarly not all computer viruses are destructive because reproduction, in itself, is not destructive.

What qualifies a program to be termed a virus is its destructive purpose, ability to gain control of a computer and its reproductive capability.

The very term “virus” is an emotionally charged epithet. The scientifically correct term for a computer virus is “self-reproducing automaton (SRA)”.

A computer virus is written by someone with a purpose in mind. In this sense, a computer virus has the same two basic goals of a living organism: to survive and to reproduce.

Computer viruses have to be executed if they are to attain their functionality. To achieve this, the virus must attach itself to a COM, EXE or SYS file. If it attaches to any other file, it may corrupt some data, but it won’t normally get executed, and it won’t reproduce. A virus designed to attack COM files cannot attack an EXE file.

We live in an interconnected world and computer viruses have the potential of spreading at phenomenal speed. Famous virus attacks have occurred in the past. The most memorable ones include the Melissa virus, I Love You virus and SQL slammer worm.

You can protect yourself from computer viruses by using an internet firewall. Windows XP with SP2 and Vista have an already built-in firewall and it is turned on by default.

You should also subscribe to industry standard antivirus software. This software should be constantly updated.

Finally never open an e-mail attachment from someone you don’t know. You should also avoid opening attachments from friends, unless you know exactly what the attachment is. The sender may be unaware that it contains a virus.