Research Priorities in Information and Computer

3 downloads 13742 Views 379KB Size Report
Cloud-based conference management systems like ... develop hardware modules to provide a security service at the network and enterprise level is going.
Research Priorities in Information and Computer Networks Security in Palestine Hasan N. Qunoo1, Aiman A. Abu-Samra , Wazen M. Shbair Department of Computer Engineering, Faculty of Engineering Islamic University of Gaza Gaza, Palestine.

Ahmed Abdalaal University College of Applied Sciences, Gaza, Palestine.

Abstract In Palestine, 44.7% of the population is under 16 with literacy rate of 91.9% over all of the population. More than half of Palestinian youth own computers and have access to the Internet. With such prospect, ensuring information security and spreading awareness of it is one of the main challenges facing researchers on a national level. In this paper, we will identify three challenges which researchers in Palestine can attack. In each one, we will state the motivation, the background and possible outlooks and research directions.

1. Introduction Social forces are changing the role of computing in our society. Wikipedia, a crowd sourcing encyclopedia, is the largest of its kind [6]. Wikileaks, a crowd-sourcing-inspired whistle blowing website, was behind the biggest leak in military history [7, 8, 9, 10]. Social networks like Facebook and Twitter have been the catalyst for wide-spread multination revolutions [11]. Access to collaborative document development tools like Google docs has been the subject of high-profile international and corporation conflicts [6]. Cloud-based conference management systems like EasyChair and EDAS are changing the way we manage academic research and conferences [12]. Our society as a result is increasingly dependent on these systems for their transformational empowerment, efficiency and accessibility. Thus, we are sharing our personal information and trusting computer systems with them like never before. Failure to meet the security objectives of software systems increasingly result in grave dangers, to individuals, corporations and societies at large. Replacing paper-based systems with software systems has introduced new security challenges. Software systems do not enjoy the built-in social control mechanisms that paper-based systems have. The accessibility of software systems makes them vulnerable to automated attacks. The portability of those systems’ data makes them a valuable target. Security breaches often result in global effects on the system’s end users. It comes as no surprise then, that designing efficient and secure software systems remains a daunting task At the moment software and network security is enforced using a combination of security anti-virus and physical firewall. This combination often fails. This failure is caused by a number of factors: 1. the lack of a universal security and privacy solution. 2. the issue of open systems where new systems are added to the system where a universal policy on these devices is hard to enforce.

1

Contact author at [email protected]

1

This was caused mainly by the lack of foresight when designing network and enterprise solutions. Data are often transferred in plain text over unsecure channels. Also, users must trust the software providers to transport their data securely. In addition, guest devices must be trusted when joining the network. This level of blind trust is proven lethal and can result in harmful results both socially and financially in social and financial terms. This paper aims to discuss directions towards using emerging technologies for security and privacy solution for institutional and domestic use.

2. The First Challenge: Developing Hardware Enabled Unit Using Emerging Technology for Security and Privacy Solution for Institutional and Domestic Use Information security has become essential to society-wide security. Social networks like Facebook and Twitter are part of the everyday life style. The use of third party applications on mobile smart phones is a characteristic of this world. These applications collect and transfer a huge amount of personal data over the network, often without the user explicit consent. The user has to trust the application developer’s decisions and live with them. Often that blind trust is dangerous. For example, a user A is using two applications X and Y. X transfer the location of the device while Y transfer the name of the user to a remote server. These two pieces of information can be harmless individually but combined together allows an eavesdropper to monitor the user movement and track it. This is only one example. Other examples exist and can lead to scary scenarios. The ability to develop hardware modules to provide a security service at the network and enterprise level is going to help us enforce high level expressive policy. Other solutions may exist but they are either closed source or very expensive. This research will provide the society with affordable and easy solution to security issues. To do that we will be using new technology like Raspberry pi combined with security solutions to achieve our goals. The Raspberry Pi[15] was seeded out as an early developer release, with hopes of gaining early support from the development community. It is the size of a credit card-sized programmable computer that costs about 25$. Sporting a 256MB of RAM and a 700MHz ARM-11 processor, the Pi is a modest piece of kit. The Model B also sports two USB ports, HDMI out and a 10/100 Ethernet port. For audio needs, It has a 3.5mm audio jack and that HDMI output, which also supports audio transmission. The Raspberry Pi's GPU boasts 1 Gpixel/s, 1.5 Gtexel/s or 24 GFLOPs of general purpose compute power and is OpenGL 2.0 Compliant. In other words, it's got the graphics power of the original Xbox. All this combined gives us the ability to program such a device for security purposes. While this can seem as a restriction, the emerging of affordable technologies is a research challenge that is worth attacking. The ability to design economic yet secure solutions on a technology like Raspberry Pi is a worthy research challenge.

2

3. The Second Challenge: Privacy and Security for Wireless Networks Domestic and Institutional 3.1 Motivation A wireless network lets computers easily access the web using radio frequencies and without using any cables or wires. Wireless networks integrated into more and more devices such as laptops, PDAs and mobile phones. The Palestinian government expanding the telecommunications networks for citizen use, including expanding wireless capabilities‎[1]. Recently, a project implements a wireless network to link 114 of UNRWA Schools in Gaza and 210 Schools in west bank ‎[2]. Another project implements a wireless network to link governmental sites in Gaza, as well as Wireless interconnection for many sites in Municipality of Gaza. However, many studies show that most of wireless networks in Palestine rely on weak encryption protocol such as WEP ‎[3], while approximately fifth are protected by WPA or WPA2 protocols, and fifth are unprotected at all. It is important to explain to decision makers that WEP encryption is always insecure. WEP can be cracked within two minutes. Many cracker tools are available online and can be used by anybody. Key findings from our observations view point, serious weaknesses and vulnerabilities at the strategic, policy and operational levels in almost all organizations and end-users that deploy wireless networks. Background research Wireless networks are generally based on radio, infrared or microwave transmissions using a range of mechanisms such as:  Bluetooth.  IEEE 802.11 standard for WLANs.  Infrared Data Association (IrDA). Many Wireless technologies support security objectives such as:  Confidentiality: ensure that data cannot be read by illegal parties.  Integrity: identify any intentional or accidental changes to data that occur in the transmission.  Availability: guarantee that devices and users can access a network and its resources at any time.  Access Control: control the rights of devices or users to access a network or resources within a network. While the security objectives for wireless and wired networks are the same, a cracker can easily enter to the network. Therefore, the wireless network needs to be secured against the normal attacks as well as for threats that are particular to wireless.

3.2 Research directions The security status of wireless networks mainly Wireless Local Area Networks (WLAN) used by citizens and companies in Gaza needed to be considered to study the security weaknesses and threats that may affect the usage of WLAN by the public in Gaza city, also to give an outline of the current practices in the security mechanisms used in the commercial Wireless Networks. Data can be collected from different sites. Then a systematic analysis needed to be applied to extract the wireless security awareness.

3

The study will try to discuss all types of Wireless Networks from the 802.11 standards for WLAN to the WiMAX and 3G standards for mobile telecommunications technologies. Instead of discussing the details of each technology it will provide a high level view of the solutions used to protect each technology. Ministry of Information Technology and Communications should consider and implement the recommendations laid out from this work for new or existing wireless networks.

4. The Third Challenge: Machine-to-Machine security 4.1 Motivation M2M (Machine-to- Machine) has come of age, it has been almost a decade since the idea of expanding the scope of entities connected to "the network" (wireless, wire line: private , public) beyond mere humane and their preferred communication gadgets has emerged around the notions of "Internet of Things", the "Internet of Objects "or M2M. The initial vision was that of myriad of new devices, largely unnoticed by humans, working together to expand the footprint of end-user services . This will create new ways to care for safety or comfort, optimizing a verity of goods-delivery mechanisms, enabling efficient tracking of people or vehicles, and at the same time creating new system and generating new value [26].

Figure 1- M2M is about communication between devices, objects, things,

Considering figure 1, large number of M2M devices expected to be deployed, in a highly distributed network, global enforcement of security will not be practically feasible due to the low cost of many of these devices and cost of implementation. As the conventional centralized IT security network model, protected by a firewall, becomes challenged by the need for a dispersed model, de-centralized methods for establishing security are being explored. The growing trend towards de-centralized systems produces numerous situations in which enforcement, by practical necessity, has to be complemented by controlled risk. The principles of enforcement embraced by traditional concepts of access control and policy enforcement are being supplemented by a paradigm shift to incorporate “trust.” An entity can be “trusted” if it predictably and observably behaves in the expected manner

4

for its intended purpose. By delegating parts of the enforcement tasks to trusted elements dispersed in a system, transitive trust relationships can be established.[27]

4.2 Research background

M2M devices have unique characteristics and subscription and deployment contexts [26]. M2M devices are typically required to be small, low cost, inexpensive, able to operate unattended by humans for extended periods of time, and to communicate over the wireless WAN or WLAN. M2M devices are typically deployed without having to require much direct human intervention and, after deployment; they tend to require remote management of their functionality. They also require flexibility in terms of subscription management. In addition, in many use cases, it is likely that M2M devices will be deployed in very large quantities, and many of them will also be mobile, making it unrealistic or impossible for operators or subscribers to send personnel to manage or service them.

4.2 Outlooks/Research directions Gaza contains a lot of facilities and factories fully automated and controlled by computer system, for example municipality of Gaza announce at may/2011 it will deploy a remote control system for 27 water wells in Gaza city , which will make all the water service controlled by computer[28], making the service to be better but on the other hand it has high risk in security of the system and communication between machines controlled the system. One of the most recent attack of M2M was Stuxnet worm attack reportedly aimed at Iranian programmable Logic Controller system (PLC) , this attack illustrates the vulnerability of M2M. In Palestine, the evaluation of all used and developed M2M systems need to be evaluated and provided with solution to protect this system from massive attack.

5. Conclusion Palestine has a young population and booming internet usage. Research in Information security is a priority as the society well being is dependent on protecting its data and privacy. In this paper, we have identified three challenges: the motivation, background research and how to advance that research forward and in the Palestinian context.

References [1] Education Development Strategic Plan 2008-2012 towards Quality Education for Development Palestine: Ministry of Education and Higher Education, Palestine (2008). [2] Computer, Internet and Mobile Phone Survey Main findings: Palestinian Central Bureau of Statistics, Palestine, (2006). [3] E-government strategic plan: Palestinian National Authority, Palestine, (2005). http://www.pcbs.gov.ps/Portals/_PCBS/Downloads/book1661.pdf [4] Palestinians in figures 2009, Palestinian Central Bureau of Statistics May 2010; p. 11. http://www.census.gov/population/international/ [5] US Census Bureau International Programs,International Data Base IDB West Bank and Gaza.

5

[6] T Gruber. Collective knowledge systems: Where the Social Web meets the Semantic Web. Web Semantics Science Services and Agents on the World Wide Web, 6(1):4–13, 2007. [7] Christian Caryl. Why Wikileaks changes everything. The New York Review of Books, 58(1):9–13, January 2011. [8] Alexander Nicoll. WikiLeaks: the price of sharing data. Strategic Comments, 17(1):1–3, 2011. [9] Toby Miller and Pal Ahluwalia. Wikileaks looks up. Social Identities, 17(2):167–167, 2011. [10] Ben Parr. Biggest Military Leak in History: WikiLeaks Releases 390,000 Iraq WarDocuments, October 2010. [11] Zahera Harb. Arab revolutions and the social media effect. MC Journal, 14(2), 2011. [12] Mark D Ryan. Cloud computing privacy concerns on our doorstep. Communications of the ACM, 54(1):36, 2011. [13] Qunoo, H. & Ryan, M. Modelling Dynamic Access Control Policies for Web-Based Collaborative Systems, In proceedings of 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, S. Foresti and S. Jajodia (Eds.): Data and Applications Security XXIV, LNCS 6166, pp. 295-302, 2010. [14] Koleini M, Qunoo, H. & Ryan, M. Towards Modelling and Verifying Dynamic Access Control Policies for Web-based Collaborative Systems, W3C Workshop on Access Control Application Scenarios 17 and 18 November 2009, Luxembourg [15] Tiny USB-Sized PC Offers 1080p HDMI Output". Available http://www.tomshardware.com/news/Raspberry-Pi-David-Braben-Ubuntu-9-OLPCRailroad-Tycoon,12709.html) Retrieved 1 February 2012 .

at

[16] Book Title : Ultra-Secure Protection for Data Communication, ISBN 978-3-639-37734-7 , 2011 VDM Verlag Dr. Müller GmbH & Co. KG (www.vdm-verlag.de( [17] Ross J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley Publishing, Edition, 2008. [18] Moritz Y. Becker and Peter Sewell. Cassandra: flexible trust management applied to electronic health records (.pdf). 17th IEEE Computer Security Foundations Workshop (CSFW), 2004. [19] Edmund M. Clarke, Orna Grumberg, and David E. Long. Model checking and abstraction. ACM Trans. Program. Lang. Syst., 16(5):1512–1542, 1994. [20] Alistair Donaldson and Phil Walker. Information governance: a view from the nhs, realizing security into the electronic health record. International Journal of Medical Informatics, Elsevier Science, Volume 73, Issue 3:281–284, 2004. [21] Michael Gelfond and Jorge Lobo. Authorization and obligation policies in dynamic systems. In Proceedings of the 24th International Conference on Logic Programming, ICLP ’08, pages 22–36, Berlin, Heidelberg, 2008. Springer-Verlag.

6

[22]T Gruber. Collective knowledge systems: Where the Social Web meets the Semantic Web. Web Semantics Science Services and Agents on the World Wide Web, 6(1):4– 13, 2007. [23] Zahera Harb. Arab revolutions and the social media effect. MC Journal, 14(2), 2011. [24] Cecilia Kang and William Wan. Google hack gives way to diplomatic, high-tech tensions. The Washington Post, 3rd of June 2011. [25] Ninghui Li, William H. Winsborough, and John C. Mitchell. Distributed credential chain discovery in trust management: extended abstract. In ACM Conference on Computer and Communications Security, pages 156–165, 2001 [26] Book Tile : "M2M Communications: A Systems Approach", David Boswarthick, Omar Elloumi, Olivier Hersent, John Wiley & Sons, Inc., 2012 ,ISBN: 978-1-1199-9475-6. [27] Inhyok Cha; Shah, Y.; Schmidt, A.U.; Leicher, A.; Meyerstein, M.V.; , "Trust in M2M communication," Vehicular Technology Magazine, IEEE , vol.4, no.3, pp.69-75, Sept. 2009 available Online http://www.mogaza.org/?page=newsdetail&id=471.

7