Practical Software Engineering

Security

Security is a matter that has to be decided upon and dealt with by managers.

The management of an organization must take an active role in setting policies and creating standards and procedures to be followed by the users and the administrators of the systems.

The managers must divide the tasks of maintaining the system among several people in order to prevent one person from having too much power and control over the system.

In developing in house systems the management must take steps to create security standards to which all software developed internally must comply.

An organization must assess how sensitive and valuable their information is, and how much security and assurance they are willing to pay for.

The systems that are going to be purchased must meet these security standards. It is often possible to install a systems with different security features activated or not. The management must decide on activating or not activating these security features.

Security Inside Organizations

Computer (In)security: Infiltrating Open Systems

I.H. Witten Abacus, 4, 1987 pp.7-25.

It is very easy to infiltrate computer systems.

Security is a fundamentally human issue:

One way of maintaining security is to keep things secret, trusting people.
The other alternative is to open the system and rely on technical means of ensuring security.

Trend Toward Openness:
Unix is open in that any user can look at the password file, and the source code is widely available.

One way functions: irreversible, although the output can be calculated from the input, the input cannot be calculated from the output. These provide a sense of security but in fact the security of a system is severely compromised by people who have intimate knowledge of the system -- i.e.. those people that you rely on to provide the security.

A Potpourri of Security Problems: security may be compromised by/when:

guessing a particular user's password -- < 15% users have a hard-to-guess password
finding a valid password for any user
Select a password, encrypt it, and search the password file
To attempt to avoid this use a salt (small random number created when you change the password), perhaps base it on the time of day, and save it with the encrypted password when the user defines their password. Then every user has a different salt which makes it more difficult to search the password file.
forced-choice passwords: forcing people to change passwords regularly, and not allowing them to select the same ones repeatedly also fail
(e.g. people might use the current month)
wiretaps: someone watching you login to physical wire tap of line
search paths: executing other people's programs can help spread a virus
programmable terminals: program key presses to execute other programs as well as mimic their original function.

Trojan Horses

Getting under the skin -- implants code that secretly reads or alters files in an unauthorized way.

actions range from disastrous rm * to annoying "I want a cookie"
One good way is to write a popular utility program that everyone will want to use
Other prime targets are utilities that have ultimate privilege (login, passwd, ps, lquota ...)
Bugs may lurk in compilers: bugs may be planted to detect what program is being compiled and then add code to the object code at the suitable time.

Viruses

Spreading infection like an epidemic

They work by sitting with executable files so that the virus part acts before the original purpose of the program.
Able to spread through file permissions.
Difficult to detect because cause and effect are impossible to fathom when faced with randomness and long time delays.

Exorcising a virus: how do you get rid of it once you found it?

recompile all programs that might have been infected, making sure NOT to execute any of them
design an antibody.

Worms

Consists of several segments, each is a program running on a separate workstation on the network which is idle.
If a workstation is shut down, the other segments reproduce it on another.
Every workstation must be rebooted simultaneously to eradicate the worm.

Technical mechanisms cannot limit the damage done by infiltrators.

Defenses:

mutual trust between users of a system, coupled with physical security
multitude of checks and balances -- educate users.
secrecy -- do not make information available
talented programmers have power.
cultivate a supportive trusting atmosphere so that those with power are not tempted.

Privacy

"The right to be left alone"
"One should have control over his/her own information"

Four factors that contribute to growing public concern about communication privacy:

The rapid growth of electronic transactions
The accelerated collection of personal information
The dramatic increase in the number of communications carriers and service providers.
The growing use of technically unsecured channel, such as mobile communication.

On the communication network, the right of privacy can be divided into three categories:

Confidentiality: The existence of the communication should be known only by the parties involved, without disclosure to a third party.
Anonymity: The individual's right to disclose his/her identity in a network.
Data protection: The collection and use of personal data.

Exception of privacy protection:

Criminal investigation
Consent is given by the owner of the information
For the maintenance of the network

The five principles of personal record keeping:

There must be no personal data record-keeping systems whose very existence is secret
There must be a way for an individual to find out what information about him/her is in a record and how it is used
There must be a way for an individual to prevent information about him/her that was obtained for one purpose from being used or made available for other purposes without his/her consent
There must be a way for an individual to correct or amend record of identifiable information about him/her
Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

The Clipper Chip

This chip uses a sophisticated encryption algorithm that ensures data remains private.

One of the biggest drawbacks to using the Clipper chip for privacy is that the US government plans to regulate the keys that can decrypt any encrypted messages.

Under the proposed plan, two government agencies would have access to the decrypting keys and should law enforcement agencies have probable cause that a crime was being committed, they can get access to these keys to decrypt any files or communication that they feel they need to.

Information Technology and Dataveillance

R.A. Clark, Communications of the ACM, 31(5), 1988 pp. 498-512.

Concern about freedom from tyranny is a trademark of democracy. Surveillance is one of the elements of tyranny.

Nevertheless, some classes of people, at least when they undertake some classes of activity, are deemed by society to warrant surveillance.

The computer has been accused of harboring a potential for increased surveillance of the citizen by the state, and the consumer by the corporation.

Surveillance

is the systematic investigation or monitoring of the actions or communications of one or more persons.

Its primary purpose is generally to collect information about them, their activities, or their associates.

Dataveillance

is the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons.

Personal surveillance is the surveillance of an identified person.

In general, a specific reason exists for the investigation or monitoring.

Mass surveillance is the surveillance of groups of people, usually large groups.

In general, the reason for investigation or monitoring is to identify individuals who belong to some particular class of interest to the surveillance organization.

Computer matching

is the merging of data held on separate data systems of large numbers of individuals.

Dangers of personal dataveillance

Wrong identification
Low data quality
Acontextual use of data
Low quality decisions
Lack of subject knowledge of data flows
Lack of subject consent to data flows
Blacklisting
Denial of redemption

Dangers of mass dataveillance

To the individual

Arbitrariness
Acontextual data merger
Complexity and incomprehensibility of data
Witch hunts
Ex ante discrimination and guilt prediction
Selective advertising
Inversion of the onus of proof
Covert operations
Unknown accusations and accusers
Denial of due process

To society

Prevailing climate of suspicion
Adversarial relationships
Focus of law enforcement on easily detectable offenses
Inequitable application of the law
Decreased respect for the law
Reduction in meaningfulness of individual actions
Reduction in self-reliance, self-determination
Stultification of originality
Tendency to opt out of the official level of society
Weakening of society's moral fiber and cohesion
Destabilization potential for a totalitarian government

Surveillance is not, of itself, evil or undesirable. Its nature must be understood, and society must decide the circumstances in which it should be used, and the safeguards that should be applied to it.

There are benefits tosociety in terms of security, tax and social welfare, finance and insurance.

IT professionals and academics alike have a moral responsibility to appreciate the power of the technology in which they play a part.

Both groups must publicize the nature and implications of their work for affected individuals and for society as a whole. This applies to the negative consequences as well as the potential benefits.

Dispersion of authority and power, and hence, of information, has long been regarded as vital to the survival of individualism and democracy.

Until and unless comprehensive information privacy protection is in place, effective controls over the techniques of dataveillance will not be possible.

Bill C-60 Copyright Legislation

Phase 1 of Bill has been in place since June 8/89.

Major points of the Bill

Protection of programs as literary works. The owner, not possessor of program has right to make a single backup copy for security purposes.
And may translate it into another language.
Copyright piracy is subject to heavy fines, possibly jail time. Summary offense: $25000, 6 months. Indictable offense: $1 million, 5 years.
Clarification of what materials are protected under copyright, and what is protected under industrial design law.
Copyright boards, to be established, will have jurisdiction over fees for collectives, and nonlocatable owners of copyright
Copyright collectives will be set up which will result in less competition. They will provide means through which to obtain licenses/permission to reproduce copyrighted material.
Moral rights of creators are enhanced. Including distortion, modification, use of material in association with products, services, or institutions which infringe on the integrity of the author.
Choreography is protected under copyright.
Rights for mechanical reproduction are abolished and replaced by negotiated settlement.

Implications of Bill C- 60 for educators.
Remember that copyright law protects the expression of ideas, while patent law protects the structural and operational processes.

Copyright collectives will provide freer use of copyrighted material, and will probably involve some cost to each educational institution on basis of volume of reproduction.
Enhancements of moral rights will cause authors to evaluate the context in which they are writing and how they are using other people's material.
A new level of awareness among individuals and institutions will arise.
Has brought intellectual property law from the 1920s to the 1980s.

Does NOT touch on some issues: "fair use", ownership of work done by employee

Practical Software Engineering, Department of Computer Science

mildred@cpsc.ucalgary.ca 11-Jan-96