Get wireless: a mobile technology spectrum

Mobile computing applications allow anytime, anywhere access to the Internet and corporate intranets. For several reasons, the market for wireless data services has grown at a much slower rate than wireless voice. Until recently, portable data devices were bulky, required heavy batteries, and didn't have integrated networking. Wireless services have also had to contend with narrow bandwidths, high access latency, and frequent disconnection. Added to this were inadequate coverage, expensive services, and perceived security problems. Finally, few applications were specifically designed with mobility in mind. New mobile technologies address these problems, making wireless data transmission an attractive alternative for individuals and enterprises. The next few years will see wireless data networks come into their own. Next year (year 2000), the market for wireless data networks is predicted to grow to six to eight million users with seven percent of the total wireless revenues. In fact, wireless data service is projected to be a multibillion-dollar market within five years. The combination of portable gadgets and wireless data services provides exciting opportunities for mobile computing applications     

基于云计算的数据安全风险及防范策略探讨

云计算依托计算机网络系统,目前已经成为人们生活的重要部分,随着网络化、虚拟化生活的加速发展,诸如Google、Microsoft、Apple、Amazon、IBM等互联网IT和手机、网络运营商巨头开始重新定位企业发展的战略核心.云计算作为IT商业计算模型,它将计算任务分布在各种类型的广域网络和局域网络组成计算机网络系统,使用户能够借助网络按需获取计算力、存储空间和信息服务.云计算的用户通过PC、手机以及其他终端连接到网络使用云资源;随着云计算的广泛应用,云计算的环境安全环境、数据安全成为突出问题,如何保障云计算的安全成为当前急需解决的问题.本文介绍了云计算相关概念,以及对云计算数据安全风险进行分析,并提出了防范策略.     

Design of secure operating systems with high security levels

Numerous Internet security incidents have shown that support from secure operating systems is paramount to fighting threats posed by modern computing environments. Based on the requirements of the relevant national and international standards and criteria, in combination with our experience in the design and development of the ANSHENG v4.0 secure operating system with high security level (hereafter simply referred to as ANSHENG OS), this paper addresses the following key issues in the design of secure operating systems with high security levels: se- curity architecture, security policy models, and covert channel analysis. The design principles of security architecture and three basic security models: confidentiality, integrity, and privilege control models are discussed, respectively. Three novel security models and new security architecture are proposed. The prominent features of these proposals, as well as their applications to the ANSHENG OS, are elaborated. Cover channel analysis (CCA) is a well-known hard problem in the design of secure operating systems with high security levels since to date it lacks a sound theoretical basis and systematic analysis approach. In order to resolve the fundamental difficulties of CCA, we have set up a sound theoretical basis for completeness of covert channel identification and have proposed a unified framework for covert channel identification and an efficient backward tracking search method. The successful application of our new proposals to the ANSHENG OS has shown that it can help ease and speedup the entire CCA process.     

分布式云的研究进展综述

云计算作为全新的计算模式,将数据中心的资源包括计算、存储等基础设施资源通过虚拟化技术以服务的形式交付给用户,使得用户可以通过互联网按需访问云内计算资源来运行应用.为面向用户提供更好的服务,分布式云跨区域联合多个云站点,创建巨大的资源池,同时利用地理分布优势改善服务质量.近年来分布式云的研究逐渐成为学术界和工业界的热点.文中围绕分布式云系统中研究的基本问题,介绍了国际国内的研究现状,包括分布式云系统的架构设计、资源调度与性能优化策略和云安全方案等,并展望分布式云的发展趋势.     

Magic boxes and boots: security in hardware

Computer users tend to think of computation - even the globally distributed computation that constitutes the Internet - in terms of what we see: the browser user interface, the text editor, the Gnome or OS X or Windows desktop. Similarly, we tend to think of computer security problems solely in terms of what users see: the application software, perhaps the OS underneath it, or perhaps even the "end to end" environment from one application installation to another. We discuss how hardware can be used to change the security game. From a security perspective, the first idea that comes to mind is to add a "magic box" to the computer - one that can hide secrets and computation even from an adversary with direct physical access.     

Remote Video Monitoring Over the WWW

Remote video monitoring has become increasingly important for monitoring the security of destined locations. Traditional security monitoring systems using coaxial cables and VCR recording systems are expensive and ineffective. With the rapid growth of the Internet, it is now possible to use it as an intermediate transmission medium to support real-time video transmission. This paper proposes a web-based remote monitoring system known as iSecure. Apart from the essential live or stored video transmission, intelligent monitoring and web-based monitoring are also supported. As the transmission of live video data through the packet switched network environment of the Internet can result in packet loss and quality degradation, the iSecure system has implemented an adaptive transmission and recovery mechanism to enhance the quality of real-time video transmission. Intelligent monitoring for elevator security and face-based door access control applications has been incorporated. The iSecure system can be used as a framework for developing other intelligent remote monitoring applications.     

A systematic approach toward security in Fog computing: Assets,vulnerabilities, possible countermeasures

Fog computing is an emerging paradigm in the Internet of Things (IoT) space, consisting of a middle computation layer, sitting between IoT devices and Cloud servers. Fog computing provides additional computing, storage, and networking resources in close proximity to where data is being generated and/or consumed. As the Fog layer has direct access to data streams generated by IoT devices and responses/commands sent from the Cloud, it is in a critical position in terms of security of the entire IoT system. Currently, there is no specific tool or methodology for analysing the security of Fog computing systems in a comprehensive way. Generic security evaluation procedures applicable to most information technology products are time consuming, costly, and badly suited to the Fog context. In this article, we introduce a methodology for evaluating the security of Fog computing systems in a systematic way. We also apply our methodology to a generic Fog computing system, showcasing how it can be purposefully used by security analysts and system designers.     

The OS Faces a Brave New World

Increasingly popular approaches such as virtualization, cloud computing, and application development frameworks are changing the importance of the traditional operating system. Virtualization lets a single server host slices of multiple operating systems, each of which can run different applications within virtual machines. This makes the installation of any single full-featured OS instance a choice rather than a necessity. Cloud computing features applications that run on servers spread across the Internet. Cloud providers push these applications to users' browsers. Users of cloud based software thus don't need an OS to do more than run the browser. Developers are increasingly using frameworks that enable the faster building of applications that work with multiple OSs, again making the use of a specific operating system less important. The just enough operating system (JeOS, pronounced "juice") movement focuses on packaging an application with only the parts of an OS necessary for it to work. Over time, these developments could affect what constitutes an operating system, what its roles and responsibilities will be, and how it will be installed and used.     

Trust-based security in pervasive computing environments

Traditionally, stand-alone computers and small networks rely on user authentication and access control to provide security. These physical methods use system-based controls to verify the identity of a person or process, explicitly enabling or restricting the ability to use, change, or view a computer resource. However, these strategies are inadequate for the increased flexibility that distributed networks such as the Internet and pervasive computing environments require because such systems lack central control and their users are not all predetermined. Mobile users expect to access locally hosted resources and services anytime and anywhere, leading to serious security risks and access control problems. We propose a solution based on trust management that involves developing a security policy, assigning credentials to entities, verifying that the credentials fulfill the policy, delegating trust to third parties, and reasoning about users' access rights. This architecture is generally applicable to distributed systems but geared toward pervasive computing environments     

基于Linux的防火墙技术

随着Ｉｎｔｅｒｎｅｔ应用的普及,其安全性总理２也日益突出,详细讨论了如何利用Ｌｉｎｕｘ操作我建防火墙和代理服务器,以实现内部网络的存取访问控制和流量统计的功能。     

Security at the Internet layer

The Internet Engineering Task Force is standardizing security protocols (IPsec protocols) that are compatible with IPv6 and can be retrofitted into IPv4. The protocols are transparent to both applications and users and can be implemented without modifying application programs. The current protocol versions were published as Internet drafts in March 1998. The article overviews the proposed security architecture and the two main protocols-the IP Security Protocol and the Internet Key Management Protocol-describes the risks they address, and touches on some implementation requirements. IPsec's major advantage is that it can provide security services transparently to both applications and users. Also, the application programs using IPsec need not be modified in any way. This is particularly important when securing application programs that are not available in source code, which is common today. This transparency sets IPsec apart from security protocols that operate above the Internet layer. At present, IPsec is likely to be used in conjunction with and complemented by other security technologies, mechanisms, and protocols. Examples include firewalls and strong authentication mechanisms for access control, and higher layer security protocols for end-to-end communication security. In the near future, however, as virtual private networking and corporate intranets and extranets mature, IPsec is likely to be deployed on a larger scale     

Data Security in the World of Cloud Computing

Today, we have the ability to utilize scalable, distributed computing environments within the confines of the Internet, a practice known as cloud computing. In this new world of computing, users are universally required to accept the underlying premise of trust. Within the cloud computing world, the virtual environment lets users access computing power that exceeds that contained within their own physical worlds. Typically, users will know neither the exact location of their data nor the other sources of the data collectively stored with theirs. The data you can find in a cloud ranges from public source, which has minimal security concerns, to private data containing highly sensitive information (such as social security numbers, medical records, or shipping manifests for hazardous material). Does using a cloud environment alleviate the business entities of their responsibility to ensure that proper security measures are in place for both their data and applications, or do they share joint responsibility with service providers? The answers to this and other questions lie within the realm of yet-to-be-written law. As with most technological advances, regulators are typically in a "catch-up" mode to identify policy, governance, and law. Cloud computing presents an extension of problems heretofore experienced with the Internet. To ensure that such decisions are informed and appropriate for the cloud computing environment, the industry itself should establish coherent and effective policy and governance to identify and implement proper security methods.     

Linux访问控制安全测评

信息安全已经成为关系到国家安全的关键因素,操作系统的安全是整个计算机信息系统安全的基石,而访问控制安全是操作系统安全最基本的要求。本文介绍了Linux操作系统的安全测评标准,访问控制测评方法及测试案例的设计。     

Secure Information Access Strategy for a Virtual Data Centre

With the arrival of on-demand computing, data centre requirements are extensive, with fluid boundaries. Loaded Internet applications, service-oriented architectures, virtualization and security provisioning are the major operations of a data centre. Security is an absolute necessity of any network architecture, and the virtual IT data centre is no exception. At the boundary, security is focused on securing the terminals of the data centre from external threats and providing a secure gateway to the Internet. The paradigm shift towards a new computing environment makes communications more complicated for Infrastructure Providers (InP). This complexity includes the security of the data centre’s components to protect data from malicious attacks or from being compromised. Threats/attacks are inevitable if the data are generated from a public network, such as Wi-Fi in an Airport, Railway station and other public places. Since these places create enormous amounts of data from anonymous and naive users, it is essential to store the information in a data centre. In this article, we propose an efficient, secure, and privacy-preservation information access algorithm to access data centres in public wifi networks. This algorithm is based on the primitive root approach for sending and receiving credentials through the anonymous authentication of the users and ensuring protected data access from the data centre. Security and Performance Analysis and its evaluation prove that our approach is successful with respect to security, privacy preservation and computational complexity.     

Open source security: opportunity or oxymoron?

As the computer industry focuses on system and network security, a growing number of users are taking a closer look at open source software in order to gauge whether its potential advantages outweigh its possible disadvantages. Although open source security has been around for years, it has never been as widely used as open source products like the Linux OS or Apache Web server have been. John Pescatore, Internet security research director at market-research firm Gartner Inc., said open source security tools now represent 3 to 5 percent of security-software usage but could comprise 10 to 15 percent by 2007. A key factor in this potential growth is the quality of numerous open source security packages. Open source software products include free tools that users can download from the Internet, packages that come with commercial vendor support, and tools bundled with closed source products. The most popular tools include Netfilter and iptables; intrusion-detection systems such as Snort, Snare, and Tripwire; vulnerability scanners like Nessus and Saint; authentication servers such as Kerberos; and firewalls like T.Rex. Some companies are even beginning to use open source security to protect mission-critical applications     

‘There be Dragons!’

What about this for a dramatic opener? “Greetings! Without your knowledge or explicit permission, the Windows networking technology which connects your computer to the Internet may be offering some or all of your computer’s data to the entire world at this very moment!” The website from which this is taken is called Shields Up (https://grc.com) and is dedicated to researching Internet security for Windows users. There are tools here for the taking that will give you an instant picture of your current level of security — or lack of it, as the case may be.     

ProgramID

Although systems engineers have developed powerful tools for measuring, modeling, and optimizing system performance, system security is much less well understood. This paper discusses the issue of system security in the context of Internet security and introduces a simple idea called ProgramID. ProgramID is an example of a strategy based on a principle we call think globally, act locally (TGAL), a general principle for distributed, decentralized management of networks. Under the TGAL principle, a combination of simple security strategies acting at a local level can produce measurable increases in global security. ProgramID can be implemented via a simple service that users can add to their operating system to force programs to identify themselves before they can execute. This gives individual computer users an extra layer of protection against malicious programs such as the increasingly prevalent email viruses. Using epidemic-like models, we analyze how global security is impacted when some fraction of Internet users have ProgramID protection.     

SPINEware – a framework for user-oriented and tailorable metacomputers

Computing networks in enterprises are rapidly growing not only in capacity but also in complexity. The users usually get faced with networking details and with a variety of heterogeneous computing systems. In the present paper, we present SPINEware as a facility for reducing the complexity of computer network usage. SPINEware is a facility that supports the development of working environments on top of existing computer networks. Such working environment reveals itself to the user as a powerful and easy-to-use single application environment – a metacomputer – providing uniform and network-transparent access to the resources and applications available from the computer network. To further reduce the complexity, SPINEware-based metacomputers may be tailored for particular end users and application areas.     

A lightweight web-based vulnerability scanner for small-scale computer network security assessment

There appears to be a common perception amongst average computer users pointing towards a global lack of trust when using the Internet. The resolution of this lack of trust relating to the use of the Internet, particularly orientated towards its commercial use and online purchasing, requires partly from website developers to create and maintain web applications that are robust and provide a certain degree of resilience to attack from outside threats. This project intends to contribute to this particular aspect by providing site developers and system testers, as well as simple site users, with a tool for reconnaissance, vulnerability scanning and remote network mapping that is easily accessible and useable due to its web-based and visual, event-driven interface. It is anticipated that the cumbersome task of learning to use a number of command line tools and their exact functionality and parameters can be avoided through this and similar developments, and hence that this will potentially widen the access to security testing, particularly to small and medium businesses.     

The kernel craze [computer security]

The kernel is a fundamental piece of the operating system that provides and mediates access to a computer system's resources. Naturally, such a critical component plays a key role in providing users with a secure environment and should be subject to security practitioners' scrutiny. The author focuses on kernel security issues, recent vulnerabilities, and the emergence of publicly available exploit code for them.