
MyCERT 3rd Quarter 2011 Summary Report

Introduction

The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysian Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on the security incidents handled by MyCERT. The summary highlights statistics of incidents by category handled by MyCERT in Q3 2011, security advisories and other activities carried out by MyCERT professionals. The statistics provided in this report reflect only the total number of incidents handled by MyCERT, not elements such as the monetary value or repercussions of those incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian domain or IP space.

MyCERT works closely with other local and global entities to resolve computer security incidents. Figure 1 illustrates incidents received in Q3 2011 classified according to the type of incident handled by MyCERT.

Figure 1: Breakdown of Incidents by Classification in Q3 2011

Figure 2 illustrates incidents received in Q3 2011 classified according to the type of incident handled by MyCERT, compared with the number of incidents received in the previous quarter.

Incident Trends Q3 2011

Incidents were reported to MyCERT by various parties within the constituency as well as from abroad: home users, both local and foreign, the private sector, government sectors, security teams from abroad, foreign CERTs and Special Interest Groups, together with MyCERT's own proactive monitoring of specific incident types such as intrusions. From July to September 2011, MyCERT, via its Cyber999 service, handled a total of 4526 incidents, a 17.83 percent increase compared to the previous quarter. In Q3 2011, incidents in the Intrusion, Malicious Code, Intrusion Attempt and Spam categories increased compared to the previous quarter.

Categories of Incidents    Q3 2011   Q2 2011   Change (%)
Intrusion Attempt              189       155        21.93
Denial of Service               14        17       -17.65
Spam                          1646       854        92.74
Fraud                         1355      1547       -12.41
Vulnerability Report            17        63       -73.02
Cyber Harassment                80       128       -37.50
Content Related                 14        19       -26.32
Malicious Codes                233       189        23.28
Intrusion                      978       869        12.54

Figure 2: Comparison of Incidents between Q2 2011 and Q3 2011

e-Security | Cyber Security Malaysia | Vol: 28-(Q3/2011)
© CyberSecurity Malaysia 2011 - All Rights Reserved


we advise users to practice good password management to prevent their accounts from being compromised. Users may refer to the URLs below on good password management practices:

http://www.auscert.org.au/render.html?it=2260
http://www.us-cert.gov/cas/tips/ST04-002.html

Fraud incidents decreased by 12.41 percent this quarter compared to the previous quarter. The majority of fraud incidents handled were phishing attacks involving foreign and local brands, with the rest consisting of Nigerian scams, lottery scams, illegal investments, job scams and purchase fraud. A total of 1355 fraud incidents were received this quarter, from organisations and home users. A total of 241 phishing websites involving domestic and foreign brands were reported to us this quarter, the majority of them targeting local brands. This quarter we observed an increase in local Islamic banking services becoming targets of phishing compared to previous quarters. MyCERT handled both the source of the phishing emails and the removal of the phishing sites by communicating with the respective Internet Service Providers (ISPs).

Based on our analysis, the majority of the phishing sites were hosted on compromised machines, the rest on domains the phishers had purchased or rented. The compromised machines may also have been used to host other malicious programs.

As in the previous quarter, incidents involving job scams and purchase fraud continued to increase, with fraudsters using the same modus operandi. The majority of the job scams involved bogus recruitment agencies for well-known oil and gas companies, used to lure potential job seekers. Purchase fraud involved items bought from various websites that the victims never received after transferring money to the seller.

MyCERT released an alert on job scams, available at:

http://www.mycert.org.my/en/services/advisories/mycert/2011/main/detail/815/index.html

This quarter we also received a total of 111 incidents of impersonation or spoofing involving email and social network accounts. Spoofing and impersonation normally use compromised accounts belonging to the victims; in several other incidents perpetrators used victims' personal details such as photos, names, addresses and telephone numbers to impersonate them for malicious purposes.

We continued to receive cyber harassment incidents this quarter, with a total of 80 incidents, a 37.5 percent decrease from the 128 incidents in the previous quarter. Harassment reports mainly involved cyber stalking, cyber bullying and threats. Many of the victims know the perpetrators, who are often friends, relatives or colleagues. Threats via email, blogs and social networking sites were prevalent this quarter: victims were told to pay money by a person they had only just met online, or else their pictures would be exposed or uploaded to pornographic websites. MyCERT advises users to be very careful about whom they befriend online and never to give personal details or photos to third parties on the Internet, as these can be used for malicious activities.

In Q3 2011, MyCERT handled 233 incidents involving malicious code, a 23.28 percent increase


compared to the previous quarter. Some of the malicious code incidents we handled involved active botnet controllers, the hosting of malware or malware configuration files on compromised machines, and malware infections on computers.

Advisories and Alerts

In Q3 2011, MyCERT issued a total of six advisories and alerts for its constituency. Most of the advisories in Q3 involved popular end-user applications such as Adobe PDF Reader and the Safari web browser, as well as multiple Microsoft vulnerabilities. Attackers often compromise end users' computers by exploiting vulnerabilities in their applications; generally they trick a user into opening a specially crafted file (for example a PDF document) or web page. Readers can visit the following URL for the advisories and alerts released by MyCERT:

http://www.mycert.org.my/en/services/advisories/mycert/2011/main/index.html

Other Activities

This quarter, MyCERT conducted several trainings and presentations related to incident handling, malware analysis and Internet security awareness. Among the trainings conducted recently were Incident Handling for Critical National Infrastructure and training for participants in the Malaysian Cyber Drill. We also gave presentations at the Hack in Taiwan Conference, the DEFCON Conference in the USA and at OWASP Day. DEFCON is the world's longest running and largest underground hacking conference. OWASP, the Open Web Application Security Project, is a non-profit worldwide charitable organisation focused on improving the security of software applications.

Conclusion

In Q3 2011, the number of computer security incidents reported to us increased compared to the previous quarter, and several categories (Intrusion, Malicious Code, Intrusion Attempt and Spam) also increased. The increase also reflects that more Internet users are aware of the importance of reporting security incidents to the relevant parties.

It must also be noted that there are other factors contributing to the increase in security incidents, not only in Malaysia but worldwide. However, no severe incidents were reported to us this quarter and we did not observe any serious crisis or outbreak in our constituency. Nevertheless, users and organisations must remain vigilant about the latest computer security threats and are advised to always take measures to protect their systems and networks from these threats.

Internet users and organisations may contact MyCERT for assistance at:

E-mail: mycert@mycert.org.my
Cyber999 Hotline: 1 300 88 2999
Phone: (603) 8992 6969
Fax: (603) 8945 3442
Phone: 019-266 5850
SMS: Type CYBER999 report & SMS to 15888
http://www.mycert.org.my/

Please refer to MyCERT's website for the latest updates to this Quarterly Summary. ■


CyberCSI 3rd Quarter 2011 Summary Report

Introduction

The CyberCSI Third Quarter Summary Report provides an overview of activities undertaken by the Digital Forensics Department (hereinafter referred to as DFD) of CyberSecurity Malaysia for the months of July, August and September 2011. These activities relate to case analysis requested by law enforcement agencies (hereinafter referred to as LEAs) and regulatory bodies (hereinafter referred to as RBs) such as the Royal Malaysian Police (PDRM), the Malaysian Anti-Corruption Commission (MACC), the Malaysian Communications and Multimedia Commission (MCMC) and the Securities Commission Malaysia (SC). This summary also highlights the training sessions and talks given to LEAs, RBs and public-based organisations on modules encompassing digital forensics.

Digital Forensics and Data Recovery Statistics

Digital Forensics Case Statistics

From July to September 2011, DFD handled 105 digital forensics cases. These comprised computer forensics, mobile forensics, audio forensics and video or image forensics cases submitted by LEAs and RBs.

Figure 1: Cases Breakdown by Month 2011 (digital forensics cases received from July to September 2011)

The chart in Figure 2 shows the category breakdown of cases received by DFD between July and September 2011. Three major categories were classified as 'highest priority': Bribery, Illegal Business and CCTV/Video Extraction.

Other minor categories that also contributed to the statistics were Threat, Fraud, Smuggling, Harassment and Others.

Figure 2: Breakdown by Categories of Digital Forensics Cases

Bribery cases were the highest contributor, with 22 cases reported. When dealing with these types of cases, DFD supports LEAs by analysing emails, text messages, multimedia messages and calls on electronic devices such as mobile phones, notebooks, hard disks and thumb drives submitted as case evidence. DFD was also involved in the task force units, consisting of various LEAs, for Ops 3B. During this operation, the DFD teams focused solely on the corruption and bribery elements within each case. The operation was led by BNM (Bank Negara Malaysia).

The Illegal Business category was in second place for this period with a 16% share of the total cases recorded. This category showed an increasing trend compared to DFD's half-year statistics (Jan-Jun), in which it was only 5%.


Based on the statistics, there was a 20% reduction in case numbers compared to previous quarters. This might be due to the establishment of digital forensics laboratories by some LEAs, for example PDRM's Forensic Cheras Facility and the MACC facility. For high-profile cases, these LEAs normally still refer the case to the DFD; in doing so, they can validate their findings by having a trusted second party carry out the necessary analysis, which also demonstrates that the LEAs practise impartiality. Most of the LEAs and RBs were trained by DFD's professionals. This indirectly strengthens the cooperation between the two sides and enables the sharing of expertise in their respective fields. The establishment of digital forensics labs by LEAs shows that our aim of empowering LEAs has started to produce results. DFD can now focus more on cases that require more technical work and advanced technology. Such cases need more in-depth research, since the criminals are more IT-savvy and use more up-to-date tools.

Data Recovery Case Statistics

Data recovery is the process of salvaging data from damaged, failed, corrupted or inaccessible secondary storage media when it cannot be accessed normally. Often, data is salvaged from storage media such as internal or external hard disk drives, solid state drives (SSD), USB flash drives, storage tapes, CDs, DVDs, Redundant Array of Independent (or Inexpensive) Disks (RAID) and other electronic storage media. Recovery may be required because of physical damage to the storage device, or because of logical damage to the file system that prevents it from being mounted by the host operating system.

Another scenario involves a disk-level failure, such as a corrupted file system or disk partition, or a hard disk failure. In any of these cases the data cannot be easily read.

Depending on the situation, solutions involve repairing the file system, partition table or master boot record, or using hard disk recovery techniques ranging from software-based recovery of corrupted data to hardware replacement on a physically damaged disk. If hard disk recovery is necessary, typically the disk itself has failed permanently and the focus is on a one-time recovery, salvaging whatever data can still be read.

In a third scenario, files have been "deleted" from a storage medium. Deleted files are typically not erased immediately; instead, the references to them in the directory structure are removed and the space they occupy is made available for overwriting. Until that space is actually reused, the original file can still be recovered.

Figure 3 shows the breakdown of cases received under Data Recovery (July to September 2011) from public, private and government agencies in Quarter 3 of 2011.

Figure 3: Breakdown of cases received by Sector under Data Recovery (Jul-Sept 2011)

The government sector constituted the largest share with 16 cases, followed by the public sector with nine cases and the private sector with two cases. Effective from October 2011, Data Recovery services will be taken over by CyberSecurity Clinics. CyberSecurity Clinic is another initiative by CyberSecurity Malaysia with the aim of helping
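The deletion behaviour described above, shown as an added example that is not part of the CyberCSI report: a small constructed disk image with a toy file system (block 0 holds a directory of name, start block and size; the remaining 512-byte blocks hold data; this layout, the `ToyDisk` class and the file names are assumptions made for the demo, not any real file system). Deleting a file clears only its directory entry, so a carver that ignores the directory and scans the raw bytes for file signatures (here PNG and JPEG headers and footers) still finds the file, until a later write reuses the block and the signature is gone.

```python
"""Signature carving of a 'deleted' file from a constructed disk image.

Added example for the data-recovery discussion; not part of the report.
The toy file system (block 0 = directory, blocks 1..n = data) is an
assumption made for the demo."""
import struct
import zlib

BLOCK = 512
# File signatures a carver keys on: PNG has a fixed 8-byte header and ends
# with the IEND chunk; JPEG starts FF D8 FF and ends FF D9.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def make_png() -> bytes:
    """Build a minimal valid 1x1 greyscale PNG (constructed sample data)."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")  # filter byte 0 + one grey pixel
    return SIGNATURES["png"][0] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


class ToyDisk:
    """Flat toy file system: directory entries are (name[16], start block, size)."""
    ENTRY = struct.Struct("<16sII")

    def __init__(self, nblocks: int = 64):
        self.nblocks = nblocks
        self.image = bytearray(BLOCK * nblocks)
        self.used = set()  # allocated data blocks

    def _alloc(self, count: int) -> int:
        """First-fit allocation: lowest run of `count` free data blocks."""
        run = 0
        for b in range(1, self.nblocks):
            run = run + 1 if b not in self.used else 0
            if run == count:
                start = b - count + 1
                self.used.update(range(start, start + count))
                return start
        raise OSError("disk full")

    def write_file(self, name: str, data: bytes) -> int:
        start = self._alloc(max(1, -(-len(data) // BLOCK)))
        self.image[start * BLOCK:start * BLOCK + len(data)] = data
        for off in range(0, BLOCK, self.ENTRY.size):
            if self.image[off] == 0:  # free directory slot
                self.ENTRY.pack_into(self.image, off, name.encode(), start, len(data))
                return start
        raise OSError("directory full")

    def list_files(self) -> dict:
        out = {}
        for off in range(0, BLOCK, self.ENTRY.size):
            raw, start, size = self.ENTRY.unpack_from(self.image, off)
            if raw[0] != 0:
                out[raw.rstrip(b"\0").decode()] = (start, size)
        return out

    def delete(self, name: str) -> None:
        """Ordinary deletion: clear the directory entry and free the blocks;
        the data bytes themselves are left in place."""
        for off in range(0, BLOCK, self.ENTRY.size):
            raw, start, size = self.ENTRY.unpack_from(self.image, off)
            if raw.rstrip(b"\0").decode() == name:
                self.image[off:off + self.ENTRY.size] = bytes(self.ENTRY.size)
                self.used.difference_update(range(start, start + max(1, -(-size // BLOCK))))
                return
        raise FileNotFoundError(name)


def carve(image: bytes, signatures=SIGNATURES, max_size: int = 1 << 20) -> list:
    """Scan raw bytes for header/footer pairs, ignoring any directory.
    Returns (offset, kind, data) triples sorted by offset."""
    found = []
    for kind, (head, foot) in signatures.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(foot, start + len(head), start + max_size)
            if end < 0:  # header without footer: skip it, keep scanning
                pos = start + 1
                continue
            found.append((start, kind, bytes(image[start:end + len(foot)])))
            pos = end + len(foot)
    return sorted(found)


def demo() -> tuple:
    """Delete a PNG, carve it back, then overwrite its block and carve again."""
    disk = ToyDisk()
    disk.write_file("photo.png", make_png())
    disk.write_file("notes.txt", b"meeting at 10\n")
    disk.delete("photo.png")
    listing = disk.list_files()                # photo.png no longer listed
    recovered = carve(disk.image)              # ...but its bytes are still there
    disk.write_file("new.bin", b"X" * BLOCK)   # first-fit reuses block 1
    after_overwrite = carve(disk.image)        # signature gone: recovery fails
    return listing, recovered, after_overwrite


if __name__ == "__main__":
    listing, recovered, after = demo()
    print("directory after delete:", listing)
    print("carved after delete:", [(o, k, len(d)) for o, k, d in recovered])
    print("carved after overwrite:", after)
```

The same header/footer scan works on a real raw image (`dd` output) because it never consults the file system; what it cannot recover is a file whose blocks were not contiguous or whose header block has already been reused, which is why the first step on a live data-recovery case is to stop writing to the medium.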


Malaysians with the following objectives:

1. To provide an avenue for consumers to obtain assistance and to resolve issues in relation to cyber security, cyber safety and data privacy from a trusted service provider at a competitive price.
2. To serve as a citizen 'touch-point' and to demonstrate the government's commitment to the people by meeting and satisfying their needs.

Other Activities

During this period, DFD conducted several training sessions and lectures involving participants from government bodies and enforcement authorities as well as local universities. The objective of the training programmes was to share knowledge between DFD experts and participants so that both parties benefit and can discuss the latest issues and technologies. The summaries below focus on DFD's research and development and its collaboration with local institutions of higher learning.

Talks

DFD conducted several talks at the request of LEAs, RBs and other institutions such as the Department of Pharmacy, the Judicial and Legal Training Institute (ILKAP), the Companies Commission of Malaysia (SSM), the Royal Malaysian Customs Academy (AKMAL) and Universiti Teknologi Mara (UITM). The most frequently requested topics related to digital forensics and information security in Malaysia. The sessions aimed to create awareness of the importance of digital forensics among employees at these agencies and of the need to practise it in their daily tasks. Besides training professionals at LEAs, stakeholders and other government agencies, these sessions also help to ensure sustainability and the effective dissemination of information and resources.

Research and Development

Currently, the R&D Unit of DFD is collaborating with Universiti Kebangsaan Malaysia (UKM) to obtain an Exploratory Research Grant Scheme (ERGS) grant.

The purpose of ERGS is to promote research and the early discovery of knowledge that can contribute to raising the level of intellectualism, the creation of new technologies and a dynamic cultural enrichment environment in line with Malaysia's national aspirations.

One research project began in July 2011, named "A 2.5D Facial Identification by Using Fuzzy Bees Algorithm for Video Forensics Analysis". The process flow for this research is as follows:

3. Equipment Purchasing
4. Assembly and Test
5. Data Collection
6. Researching methodology for 2D and 3D face recognition
7. Project expected to be completed by August 2012

Conclusion

In conclusion, the field of digital forensics will continue to grow in line with current information technology developments, which go hand in hand with the public's level of awareness of such technology. The public, LEAs and RBs are now more aware of the increasing cyber-crime threat and that more effort is required to combat it. Therefore, training sessions, talks and R&D are important elements to keep in balance with new and growing information technology disciplines and cyber-crimes. ■


Legal Restriction on Cryptography

BY | Liyana Chew Binti Nizam Chew, Abdul Alif Bin Zakaria

Introduction

Historically, a number of countries have attempted to restrict the export or import of cryptography tools. This article aims to give a general view of the existing restrictions on cryptography tools.

Export restrictions are quite different from import restrictions. Restrictions on exports refer to restrictions on moving cryptographic tools out of the countries that produce them, while restrictions on imports refer to a country that receives cryptography tools for its own needs. This article also discusses the reasons why certain countries apply these restrictions while others do not.

Restriction on Export

The export of cryptography is the transfer of devices and technology related to cryptography from one country to another. In the early days of the Cold War, the U.S. government developed an elaborate series of export control regulations designed to prevent a wide range of Western technology from falling into the hands of others. U.S. non-military exports are controlled by the Export Administration Regulations (EAR). Encryption items specifically designed, developed, configured, adapted or modified for military applications (including command, control and intelligence applications) are controlled by the Department of State on the United States Munitions List.

The U.S. government restricted the export of cryptography products with a strict limit on key size. In general, products and technologies with exportable cryptography provide much less security than the non-exportable version of the same products and technologies. Non-exportable versions of cryptography products use longer keys (128 bits) than the exportable versions (40 or 56 bits). Communication between the two versions is limited to the longest key length supported by the exportable version.

As reported in The New York Times in December 1998, U.S. and European Union (EU) officials reached an agreement on export controls for cryptography software. Both blocs agreed to restrict the export of encryption software that uses keys of 64 bits or more. U.S. law at the time forbade companies from exporting software using that level of encryption, which is why the U.S. versions of web browsers contained 128-bit encryption to protect e-commerce transactions while the export (European) versions used a much lower level of security (40-bit keys). The agreement, reached by the 33 members of the Wassenaar Arrangement, imposed those export restrictions on European software suppliers as well.

The more bits in the key, the harder it is to crack. The U.S. government claimed that 64-bit keys were sufficient for almost all uses. However, research had already shown that it was possible to break a 56-bit key, albeit using a network of hundreds of PCs operating in parallel. Much tougher keys, including the 128-bit keys commonplace in e-commerce applications, were thought to be virtually impossible to crack with the technology of the time or of the next few generations of processors.

In January 2000, the U.S. export restrictions on cryptography were relaxed. Export to end users is approved under a license, except to foreign governments or embargoed destinations such as Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria and Taliban-controlled areas of Afghanistan.
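What "40-bit" versus "128-bit" means in attacker work, as an added example that is not code from the article or from any product: an exportable product kept only a short secret part of the key and fixed the rest, so a known plaintext lets the attacker confirm each guess over a key space of 2^key_bits. The keystream cipher below (SHA-256 of key and counter, XORed into the data) is an assumption made so the script runs with the Python standard library only; the attack does not depend on the algorithm, only on how many key bits are secret. `export_key`, `brute_force` and `expected_seconds` are names invented for the demo.

```python
"""Export-grade key length as brute-force work: a demonstration.

Added example; not from the article. The 'cipher' is a SHA-256 keystream
(an assumption for the demo). The attack only depends on how many key
bits are secret, which is what export rules limited."""
import hashlib
import time

KEY_LEN = 16  # 128-bit key; only the low key_bits are secret


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream (decryption is the same operation)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def export_key(secret: int, key_bits: int) -> bytes:
    """128-bit key whose only unknown part is the low `key_bits` bits,
    the way an export-grade product fixed the rest of the key."""
    if not 0 <= secret < (1 << key_bits):
        raise ValueError("secret does not fit in key_bits")
    return secret.to_bytes(KEY_LEN, "big")


def brute_force(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Known-plaintext search over the reduced key space.
    Returns (secret, trials), or (None, trials) if no key matches."""
    target = ciphertext[:len(known_plaintext)]
    for guess in range(1 << key_bits):
        if encrypt(export_key(guess, key_bits), known_plaintext) == target:
            return guess, guess + 1
    return None, 1 << key_bits


def expected_seconds(rate_per_second: float, key_bits: int) -> float:
    """Average time to find a `key_bits`-bit key at the given trial rate
    (half the key space has to be searched on average)."""
    return (1 << key_bits) / 2 / rate_per_second


def demo(key_bits: int = 16) -> dict:
    """Time a small search, then scale the measured rate to export and
    domestic key sizes. The rate is this one Python process; the 56-bit
    break the article mentions used hundreds of machines in parallel."""
    secret = 0xBEEF & ((1 << key_bits) - 1)
    ct = encrypt(export_key(secret, key_bits), b"Attack at dawn, pay 1000")
    t0 = time.perf_counter()
    found, trials = brute_force(ct, b"Attack at", key_bits)
    rate = trials / max(time.perf_counter() - t0, 1e-9)
    assert found == secret
    return {bits: expected_seconds(rate, bits) for bits in (40, 56, 64, 128)}


if __name__ == "__main__":
    for bits, seconds in demo().items():
        print(f"{bits:3d}-bit key: ~{seconds:.3g} s (~{seconds / 31_557_600:.3g} years)")
```

Each extra key bit doubles the expected work, so the gap between an exportable 40-bit key and a domestic 128-bit key is a factor of 2^88, not a factor of three; this is also why a session negotiated down to the exportable key length is only as strong as that shorter key, whatever the other side supports.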


Rationale for Export Control

Some countries restrict the export of cryptography because their governments fear that their intelligence activities would be hampered by the use of cryptography by hostile states. Governments in these countries try to block the access of such foreign entities to cryptographic systems or code. Clearly, these governments want to deny their adversaries the potential of cryptographic technology: monitoring diplomatic communications would be difficult if no restrictions were in place. Governments control cryptography exports because they are worried about the misuse of cryptography, which may be detrimental to the interests of the country.

The Controls That Are Contrary to the Wassenaar Arrangement

The Wassenaar Arrangement was established in order to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities.

The Wassenaar Arrangement is an international agreement between 33 participating nations with the following as one of its main objectives (copied verbatim from the Initial Elements):

"It is stated that the arrangement will not be directed against any state or group of states and will not impede bona fide civil transactions. Nor will it interfere with the rights of states to acquire legitimate means with which to defend themselves pursuant to Article 51 of the Charter of the United Nations."

This aim states that transfers are not prohibited if the purpose is self-defence; attention is given, however, to any development which threatens regional or international stability and security.

This aim also clearly states that the Wassenaar Arrangement cannot legitimately be used to obstruct genuine civil transactions, meaning that products designed for civil use should not be restricted by export control.

There are several issues relating to export controls on cryptography under the Wassenaar Arrangement. The most important is that even if cryptography is assessed as important in military terms, it is a purely defensive technology with no offensive uses. Cryptographic products are entirely passive products with the single purpose of defending and protecting information assets from an aggressor who, for their own reasons, seeks to gain access to them. Given their passive and entirely defensive nature, it is hard to see any case for the control of cryptographic products under the Wassenaar Arrangement: they simply cannot be used offensively in any manner.

Export controls on cryptographic products also affect public civil transactions and applications. The protection of national information assets, the development of secure electronic commerce and the protection of the privacy of citizens all now depend on civil cryptographic products that are subject to existing export controls. Export controls on cryptographic products have a severe impact on such civil transactions. This is in direct contravention of the stated aim that the


Wassenaar Arrangement "will not impede bona fide civil transactions". In fact, this clause, combined with the impact that cryptographic export controls are having on the civil market, might allow such controls to be legally challenged where the Wassenaar Arrangement is being used to justify them.

Restriction on Imports

Import of cryptography can be defined as cryptographic goods or services brought into one country from another. Cryptography is subject to import restrictions: several governments place import restrictions on encryption technology. The availability of these encryption technologies depends on the actual strength of the encryption that you are allowed to use, which varies according to the import restrictions for a specific geographical area. Not all countries restrict the import of cryptography tools; whether they do reflects the outcome a particular government expects if it simply allows cryptography tools to be imported.

Table 1 shows countries with restrictions on importing cryptography tools. Green represents countries with no import restrictions at all. Yellow shows countries where a license is required to import cryptography tools. Countries where importing cryptography is totally banned are in red. The "Unknown" column indicates countries for which importers are encouraged to seek further advice from their governments before importing any cryptography tools. Those with mixed colours represent mixed restrictive policies.

Rationale for Import Control

There are reasons why certain governments are really concerned about importing cryptography tools from foreign countries. They are afraid that the public might misuse cryptography for negative purposes, for example planning a rebellion against the government, which would then have no chance to monitor the communications because they are encrypted.

Table 1: Import Restriction Table (Source: Restriction on Cryptography Imports)

Countries listed in the table, each placed under the colour column matching its import regime (GREEN: no restrictions; YELLOW: license required; RED: import banned; Unknown: seek government advice): Armenia, Bahrain, Belarus, Brunei, China, Czech Republic, Egypt, Ghana, Hong Kong, Hungary, India, Iran, Iraq, Israel, Kazakhstan, Latvia, Lithuania, Malaysia, Malta, Moldova, Mongolia, Morocco, Myanmar, Nepal, Nicaragua, North Korea, Pakistan, Poland, Russia, Rwanda, Saudi Arabia, Singapore, South Africa, South Korea, Tatarstan, Tunisia, Turkmenistan, Ukraine, Uzbekistan, Vietnam.

Governments prefer


using locally developed cryptography tools, because imported cryptography tools might contain "trapdoors" or security holes. A trapdoor in this context concerns foreign technology: the producing country might have its own agenda to break into another nation's security, because it knows the weaknesses of the systems it has developed and can control those systems at any time.

Cryptography Restrictions in Malaysia

In Malaysia, there are no export or import restrictions on cryptography tools. Any transfer of devices and technology related to cryptography from Malaysia to another country, or vice versa, is allowed without any need for licenses. In terms of the use of cryptography, no restrictions are in place and the public can use it freely.

Although Malaysia has no restrictions on cryptography, we are still bound by a few Acts that relate to the implications of cryptography misuse. Three Acts are worth highlighting here. They contain powers that allow the authorities to require decryption during an investigation; such an investigation is allowed when there is reasonable cause to believe that an offence under the Act in question is being or has been committed. There are, therefore, no general powers to order decryption.

i. Computer Crimes Act 1997

'Art. 10 (1) (b) of the Computer Crimes Act 1997 requires (likely) users and people otherwise concerned with the operation of computers or material, during a search, to provide reasonable assistance for the purpose of accessing programs or data or material that is reasonably suspected to be used in connection with an offence under the Act, as well as to produce any information contained in a computer and accessible from the premises in a form in which it can be taken away and in which it is visible and legible. Refusal to cooperate is punishable with at most RM25,000 and/or three years' imprisonment (art.

11).'

A police officer or an authorised officer conducting a search shall be given access to computerised data, whether stored in a computer or otherwise. The access may include copies of any books, accounts or other documents, including computerised data, which contain or are reasonably suspected to contain information as to any offence suspected to have been committed. The enactment of appropriate laws aims to protect victims of computer crimes and to provide legal means of prosecuting those found guilty of committing such crimes. In Malaysia, the punishment may be three years' imprisonment and/or a monetary fine of RM25,000. Stiffer penalties are meted out if the guilty party is found to have intended to cause injury when committing the crime.

ii. Digital Signature Act 1997

'Art. 79 of the Digital Signature Act 1997 requires people, during a search, to give access to computerised data whether stored in a computer or otherwise, which includes providing the necessary password, encryption code, decryption code, software or hardware required to enable comprehension of computerised data. Refusal to cooperate is punishable with at most RM200,000 and/or four years' imprisonment (art. 83).'

The Digital Signature Act came into force on 1 October 1998. It aims at promoting the processing of transactions, especially commercial


12transactions, electronically through the useof digital signatures. This Act is an enablinglaw that allows for the development of,amongst others, e-commerce by providingan avenue for secure on-line transactionsthrough the use of digital signatures. TheAct provides a framework for the licensingand regulation of Certification Authorities,and the recognition of digital signatures.The Controller of the Certification Authoritywho has the authority to monitor andlicense recognized Certification Authoritieswas appointed on 1st of October 1998.iii.Communications and Multimedia‘Art. 249 of the Communications andMultimedia Act requires people, during asearch, to give access to computerised datawhether stored in a computer or otherwise,which includes providing the necessarypassword, encryption code, decryptioncode, software or hardware required toenable comprehension of computeriseddata. Refusal to cooperate is punishablewith at most RM100,000 and/or two years’imprisonment (art. 242). This Act containsa provision (art. 256(2)) allowing people torefuse answering questions if they therebywould incriminate themselves; by contrast,the privilege against self-incrimination canbe deemed not to hold for complying with adecryption order.’An authorized officer making an investigationunder this Act may verbally examine aperson who supposed to be acquaintedwith the facts and circumstances of thecase. The person shall be legally bound toanswer all questions relating to the caseput to him by the authorized officer, but theperson may refuse to answer any questionswhere the answer to which would have atendency to expose him to a criminal chargeor penalty or forfeiture. A person making astatement under this section shall be legallybound to state the truth, whether or not thestatement is made wholly or partly in answerto questions.ConclusionCryptography itself is a harmless system.It was built to defend the security systemsof individuals or a nation. 
The nature ofcryptography is defensive and not offensive.It depends on the user to use it wisely.Cryptography tools are not easily importedor exported because there may be issues thatwill arise at the end of the day if people wereto use cryptography for negative purposes.Restrictions are not same in all countries andthere are no standard restrictions. It dependson what is the government’s view on theimpact of applying cryptography in theircountry. From my personal point of view,cryptography restrictions are not necessarybecause cryptography is not a harmful tool.Cryptography does protect communicationsand does not serve to take advantage onothers. It is the people factor that still playsa role in determining the dangers associatedwith cryptography. ■References1. Whitfield Diffie and Susan Landau(2005). The Export of Cryptography inthe 20th Century and 21st. Palo Alto: SunMicrosystems.2. Wassenar Arrangement onExport Controls for Conventional andDual-Use Goods and Technologies.http://www.wassenaar.org/index.html3. Cryptography Export Laws.http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/exportlaws.html4. Export or Import Restrictions.http://www.citrix.com/lang/English/lp/lp_1319021.asp5. John Markoff. International GroupReaches Agreement on Data-ScramblingSoftware. The New York Tomes.e-Security | Cyber Security <strong>Malaysia</strong> | Vol: 28-(Q3/<strong>2011</strong>)© CyberSecurity <strong>Malaysia</strong> <strong>2011</strong> - All Rights Reserved


Software Product Liability from an Information Security Perspective

BY | Ahmad Ismadi Yazid B. Sukaimi

The argument that assessing liability for negligence in a software products context would expose manufacturers and sellers to “damages of unknown and unlimited scope” is totally unconvincing.

Introduction

Information is an asset that, like other important business assets, is essential to a business entity and consequently needs to be suitably protected. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Management systems, based on a legitimate business risk approach, must be in place to establish, implement, operate, monitor, review, maintain and improve information security.

This paper discusses software ownership and responsibility issues from an information security management perspective, defining each form of responsibility. The responsibility of an owner is described under one of the ISO/IEC 27001 domains, the organisational aspects of information security, and under the controls for dealing with external parties. Perspectives from both Malaysia and the United States are discussed.

Malaysia vs. US Landscape

Software vendors are likely to face increasing exposure to lawsuits alleging that software products did not perform as expected, when the real issue is software ownership. Many companies in Malaysia and the US are alert to these issues and have incorporated disclaimers into their products to protect themselves from any security or physical incident related to the use of their software. Malaysia’s premier online banking institution states on its website [1] that the bank shall not be liable for any loss or damage caused by any unavailability or improper functioning of the Mobile Banking Service for any reason. This shows how seriously it takes product liability issues. The same goes for a US-based company, Microsoft, whose website [2] prohibits software users from abusing its software in any manner that could damage, disable, overburden or impair any of its servers or the network(s) connected to any of its servers, or interfere with any other party’s use and enjoyment of any services. Users are also warned not to attempt to gain unauthorised access to any of its services, other accounts, computer systems or networks connected to any Microsoft server or to any of its services, through hacking, password mining or any other means.

Definitions of Faulty Software

The main objective of ISO/IEC 27001 is to ensure business continuity, minimise business risks and business interruptions, maximise return on investment and increase business opportunities. This can be achieved by increasing customer confidence, protecting financial and intellectual property and gaining a positive reputation. Both Malaysia and the US are debating the same main issue: deciding whether software is to be considered “goods” or a “service”. Under the Malaysia Consumer Protection Act 1999 [6], “product” means any goods and, subject to subsection (2), includes a product which is comprised in another product, whether by virtue of being a component part, raw material or otherwise. Under Section 3 of the Malaysia Sale of Goods Act 1957 [7], “goods” means every kind of movable property other than actionable claims and money, and includes stock and shares, growing crops, grass and things attached to or forming part of the land which are agreed to be severed before sale or under the contract of sale. Under the Consumer Protection Act 1999 [6], “products” means products which are primarily purchased, used or consumed for personal, domestic or household purposes, and includes products attached to or incorporated in any real or personal property, animals (including fish), vessels and vehicles, utilities, and trees, plants and crops whether on, under or attached to land or not, but does not include choses in action, including negotiable instruments, shares, debentures and money.

In Section 6 of the Malaysia Civil Law Act 1956 [8], “fault” means negligence, breach of statutory duty or other act or omission which gives rise to a liability in tort or would, apart from this Act, give rise to the defence of contributory negligence. The liability of a person under that Part is to a person who has suffered damage caused wholly or partly by a defect in a product. Moreover, Section 62 of the Sale of Goods Act 1957 [7] (exclusion of implied terms and conditions) provides that where any right, duty or liability would arise under a contract of sale by implication of law, it may be negatived or varied by express agreement, by the course of dealing between the parties, or by usage if the usage is such as to bind both parties to the contract. This gives rise to two conflicting views on the liability of the software programmer.

Software can be defined as goods or services, whichever conforms to the user and the manufacturer. Software product liability can be defined as any liability, negligence, malfunction, warranty issue or subsequent negative effect arising from the use of the software which affects the user’s environment (such as incidents, losses, fraud and other negative impacts) and which can be penalised under the respective country’s laws. The responsible parties are the owner of the software, the manufacturer, the programmer, the salesman and anyone directly involved in selling or providing the software to the user.

Manufacturer responsibility

To protect their products, software manufacturers use disclaimers and agreements between users and themselves. Users are forced to sign, or to click a button agreeing to, the terms stated before proceeding to install and use the software. Many times, users are too lazy to read the fine print and complete the transaction by clicking the ‘Agree’ button without fully understanding the legal terms and conditions stated by the manufacturer. According to Levy et al. [3], there are several cases in the US where manufacturers have faced legal action over incidents related to faulty software. A construction company alleged that a bug in a spreadsheet program caused the company to underbid a $3 million contract. The company sued the manufacturer of the program for $245,000, claiming it had lost that amount as a result of the incorrect bid. To date, no similar case has been brought before the courts in Malaysia, even though there are legal grounds with regard to faulty software. Section 71 of the Consumer Protection Act states clearly the responsibilities of manufacturers in Malaysia: where any damage is caused wholly or partly by a defect in a product, the producer of the product, a person who by putting his name on the product or using a trade mark or other distinguishing mark in relation to the product has held himself out to be the producer, and a person who, in the course of his business, imported the product into Malaysia in order to supply it to another person, shall be liable for the damage.

Users can also rely on tort law and tort theory in both countries when dealing with manufacturers of defective software. Court judgments normally require the losing party to compensate the victim financially. In principle, compensation in the form of damages and expenses shifts legally to the defendant. Since the software is the main cause of the issue, the liability is placed upon the owner of the software or the manufacturer. Tort distinguishes between two general classes of duty. The first is the duty not to injure, full stop, and the other is the duty not to injure negligently, recklessly or intentionally. A software fault is governed by fault liability where it flouts a duty not to injure negligently, recklessly or intentionally, but it can still be governed by strict liability if the user is physically affected.

An example of strict liability reasoning is described by Levy [3] in the case of Brocklesby v. United States, where the court held the publisher of an instrument approach procedure for aircraft strictly liable for injuries incurred due to faulty information contained in the procedure. Strict liability applied because the product was defective, even though the publisher had obtained the information from the government. Levy also describes a second tort theory: that the vendor was negligent in developing the software. The plaintiff must show that the vendor had a duty to use a specific standard of care and that the vendor breached that duty. This can be shown if a malfunction of the software results in a negative impact. A screenshot or log of the software can serve as evidence when logging the incident.

In 2003, in the State Superior Court in Los Angeles [9], it was alleged that Microsoft engaged in unfair business practices and violated California consumer protection laws by selling software riddled with security flaws. This allegation is really an opening statement that the software manufacturer can be held responsible for its products. More such legal actions are anticipated. The litigation, legal experts said, is an effort to use the courts to make software subject to product liability laws, a burden the industry has so far avoided by placing the blame on users.

Conclusion

It is clearly defined in both Malaysian and US law that, even though manufacturers provide their own disclaimers, users in both countries can still bring the manufacturer to court if they find defects in the product. It is important to identify the exact and appropriate policy recommendations for software liability laws in both Malaysia and the United States. This is an important aspect from an information security perspective, where the ownership and responsibility of the services must be clearly defined. Users and manufacturers should make clear distinctions between safety-critical and normal software applications. The differences between regular and safety-critical applications, such as the exacting levels of care that should be demanded from programmers, matter because a failure may result in injury or loss of life. The interests of the user and the manufacturer must be protected when dealing with software product liability issues so that such issues can be overcome and prevented from recurring in the future. ■

References

[1] Maybank2u Liability and Indemnity. Available online at http://www.maybank2u.com.my/mbb_info/m2u/public/personalDetail04.do?channelId=&cntTypeId=0&programId=FO-Footer&cntKey=TNC03&chCatId=/mbb/Personal#liability. Retrieved on 23rd November 2011.
[2] Microsoft terms of service. Available online at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Copyright/Default.aspx#E6. Retrieved on 23rd November 2011.
[3] Levy et al. Software Product Liability: Understanding and Minimising the Risks. Tech. L.J. 1 (1989-1990).
[3] Raysman & Brown, Strict Product Liability for Software and Data, N.Y.L.J., Sept. 15, 1988, at 3; Gemignani.
[4] Zammit & Savio, Tort Liability for High Risk Computer Software, 23 PLI/PAT 373, 375 (1987).
[5] Blodgett, Suit Alleges Software Error, A.B.A. J., Dec. 1, 1986, at 22.
[6] Laws of Malaysia Act 599, Consumer Protection Act 1999.
[7] Laws of Malaysia Act 382, Sale of Goods Act 1957.
[8] Laws of Malaysia Act 67, Civil Law Act 1956.
[9] Steve Lohr. 2003. Product Liability Lawsuits Are New Threat to Microsoft. Available online at http://www.nytimes.com/2003/10/06/technology/06SOFT.html. Retrieved on 23rd November 2011.


SPAM, the Annoying Culprit on the Net

BY | Sahrom Md Abu, Sharifah Roziah Mohd Kassim

Introduction

Spam has become a global issue faced by almost all Internet users. Though it is not as serious as malicious code or phishing, it is still considerably serious, as spam has become a medium for delivering phishing sites, malware, illicit content and viruses. Spam in general is defined as the use of electronic messaging systems to send unsolicited bulk messages to other Internet users. The most common type of spam is email spam; other types are instant messaging spam, spam in blogs and social networking spam. Spam is considered an abuse of the Internet infrastructure: it annoys, floods other users’ mailboxes and consumes unnecessary bandwidth.

Email spam has grown steadily since the early 1990s. Botnets, networks of virus-infected computers, are used to send about 80 percent of spam. Email spam lists are often created by scanning Usenet postings, stealing Internet mailing lists, searching the web for addresses, and collecting addresses from business cards, conferences, seminars and exhibitions.

Techniques Used in Spamming

Spammers generally switch between various techniques to bypass spam filters; the more sophisticated the spam filters, the more sophisticated the techniques used. Sending spam directly to recipients is a very simple technique in which spammers do not hide their identity. Spam filters can easily block this technique by blocking the sender’s email address or IP address. Open relay is another technique, in which spammers use vulnerable open-relay mail servers to send spam to recipients. This technique also hides the spammer’s information, particularly the originating IP address. Using compromised computers is another method of sending spam. This is carried out by installing malware such as Trojan droppers and downloaders that allow remote access onto compromised computers, or by exploiting vulnerabilities in Microsoft Windows and in applications such as Microsoft Outlook or Outlook Express. Another contemporary, sophisticated technique used in spamming is the spambot.

A spambot is an automated program designed to automate the sending of spam, which works by creating fake accounts; other spambots can, in addition, crack passwords and send spam using third-party accounts. Email spambots harvest email addresses from material found on the Internet in order to build mailing lists for sending unsolicited email. Such spambots are web crawlers that gather email addresses from websites, newsgroups, special-interest group (SIG) postings and chat-room conversations. Because email addresses have a distinctive format, spambots are easy to write. Spambots are effective at sending mass email.

Spam Analysis

During the first quarter of 2011, MyCERT received a total of 641 reported spam incidents. March recorded the highest number, with 282 incidents reported. Malaysia is the largest source of the spam reported: about 70 percent of it came from Malaysia, and 90 percent of that concerned fake lottery winnings and gambling-related emails. In Q1 2011 most of the gambling spam used the UK National Lottery, Exxon Mobil, Microsoft and Coca-Cola as its fake representation to cheat people.

Back in 2010, many spam emails of this kind used sporting events such as the FIFA World Cup 2010 and the AFF Suzuki Cup 2010 to cheat people. In addition, all reported spam still used the old format, with no advanced techniques such as ‘spam in PDF attachments’ or ‘using graphics as a background image’. Although there was an increase in the amount of spam reported from January to March 2011 in Malaysia, the reported damage or monetary loss was minimal.

As shown in Figure 2, MyCERT noted that if a comparison were drawn between the spam output of Asia, Africa, the USA and Europe, the Asian region’s output would be the highest. Asia continues to dominate as the leading source of spam, even when compared to the total spam output of Africa, the USA and Europe as a whole (Asia 80 percent; Africa, the USA and Europe 16 percent).

The distribution of spam sources by region in Malaysia

As shown in Figure 1, Asia continued to be the foremost region for the distribution of spam in Malaysia in Q1 2011. Overall, from January to March 2011, Asian countries were responsible for distributing 80 percent of the total spam volume in Malaysia, with 70 percent of it originating from Malaysia itself.

Africa is among the many regions where the fight against cybercrime is virtually non-existent. In Q1 2011 the volume of unsolicited messages coming from African countries accounted for 7 percent of the total spam in Malaysia, exceeding that of the USA or Europe.
Poor anti-spam legislation and regulation, as well as a lack of IT competence, provide the ideal conditions for a further increase in the volume of spam distributed from this region.

Figure 1: The distribution of spam sources by region

Figure 2: The fluctuations in spam going to or directed at Malaysia

The distribution of spam sources in Malaysia by country of origin

During Q1 2011 a total of 641 spam cases were reported in Malaysia to MyCERT. Figure 3 shows Malaysia firmly in the lead this quarter with 492 of all spam detected, while the USA remained in a steady second place with 24. Nigeria was the top African country, with 22 spam messages.

Figure 3: Countries that are sources of spam

Spam categories

Referring to Figure 4, the majority of spam emails are gambling advertisements and lottery-winning notifications. The Personal Finance/Money Recovery scam category was in second place, followed by the Next-of-Kin category.


Figure 4: The distribution of spam categories

Gambling/Lottery was the most common spam category in the first quarter of 2011. Almost 90 percent of gambling/lottery emails came from Malaysia. As shown in Figure 5, the percentage of these scams increased consistently from January to March. Personal Finance/Money Recovery emails came in second place; in February the percentage of emails in this category reached its highest level of the three months, at 40.1 percent.

Spammers’ tricks and techniques

During the first quarter of 2011, incidents involving gambling/lottery emails accounted for a third of the total spam reported to MyCERT. Large numbers of the spam recorded were fake lottery winnings and compensation claim scams. Scammers ask the victim to pay a certain amount to claim the winnings or compensation. Once the victim pays the fee, the scammers invent a new fee that the victim has to pay, and if the victim falls for that, they keep inventing new fees until the victim gives up or runs out of money.

If the victim becomes aware that the email is a scam and stops sending money, a second stage of the fraud may follow. Scammers introduce themselves as police officers or other officials who have arrested, or seek to arrest, the criminals behind the first scam, and promise to return the money stolen in it, as shown in Figure 6.

Figure 5: The Gambling/Lottery spam and Personal Finance/Money Recovery scam categories in the first quarter of 2011

According to Figures 3 and 4, the number of compromised hosts used to send Gambling/Lottery spam in Malaysia is increasing daily. From this data we can also assume that many Malaysians are still using Windows XP and the insecure Internet Explorer 6 web browser. This inevitably aids the distribution and infection rates of botnets used to send spam, such as Waledac, Kraken or TDL-4. It also shows that the majority of users in Malaysia lack awareness of how to protect their computers securely.

Figure 6: Second stage of fraud for the fake lottery scam

Why Spam is prevalent

Even though spam is a nuisance, it is still prevalent on the net, with statistics increasing every year. One reason spam is prevalent is that many recipients reply to spam emails through a lack of awareness about them. Many users also purchase goods through spam emails. Responding to and purchasing goods through spam emails propagates further spam activity on the net.
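Address harvesting, described under Techniques Used in Spamming above, and the advice under Spam Mitigations to expose an address only in a form a spambot cannot easily grab, can be shown together. The following is an added example and not code from the article or from MyCERT: a Python regular expression of the kind a harvesting spambot is built around, run over constructed sample page content (reserved example domains, not real contacts), beside a rewriting that the same expression fails to match.

```python
import re

# A practical address pattern: local part, '@', a dotted domain ending in a TLD.
# This is the kind of expression a harvesting spambot is built around.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# Constructed sample of what a crawler sees on a web page or archived posting.
# The addresses use reserved example domains and are not real contacts.
SAMPLE_HTML = """
<p>Contact: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support: helpdesk@support.example.org (24x7)</p>
<p>Webmaster: webmaster [at] example [dot] net</p>
<p>Press: press&#64;example.com</p>
<p>Not addresses: user@localhost, foo@bar</p>
"""


def harvest(text):
    """Return, in order of first appearance, the distinct addresses a naive
    spambot would collect from the text."""
    found = []
    for match in EMAIL_RE.finditer(text):
        addr = match.group(0).lower()
        if addr not in found:
            found.append(addr)
    return found


def obfuscate(addr):
    """Rewrite an address into the human-readable '[at]'/'[dot]' form that the
    mitigation advice recommends; EMAIL_RE no longer matches the result."""
    local, domain = addr.split("@", 1)
    return "%s [at] %s" % (local, domain.replace(".", " [dot] "))


def is_harvestable(text):
    """True if the naive harvester would pull an address out of the text."""
    return EMAIL_RE.search(text) is not None


if __name__ == "__main__":
    print("harvested:", harvest(SAMPLE_HTML))
    print("obfuscated:", obfuscate("sales@example.com"))
```

Run against the sample, the harvester collects only the two plainly written addresses: the bracketed form and the entity-encoded one (`&#64;` for `@`) are both missed, and the two strings without a real domain are rejected by the pattern itself. The caveat a practitioner would add is that both evasions defeat only a naive crawler; a bot that decodes HTML entities or matches common `[at]`/`[dot]` spellings will still collect them, which is why the article also recommends a secondary or disposable address for anything published on the net.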


Another reason spam is prevalent is that spamming is a cheap way of promoting services and products. In addition, many tools that can be used for spamming are available free on the net, there is plenty of cheap software for spamming on a large scale, and various databases of email addresses can be purchased on the net very cheaply.

Another reason is the lack of laws in many countries that can be used to punish and prosecute spammers. Only a few countries have spam legislation, such as Australia with its Spam Act 2003, Singapore with its Spam Control Act 2007 and New Zealand with its Unsolicited Electronic Messages Act 2007.

Unprotected and vulnerable computers also enable spam to remain prevalent on the net. Computers without anti-virus protection can become infected with malicious programs and turn into spam zombies.

Spam Mitigations

Though there is no special prescription to eradicate spam entirely, certain mitigation steps can be implemented to minimise it to some extent. One step users can take is to safeguard their email address from spammers. This includes being careful when signing up online with your email address, and making sure the website you sign up with is reputable and not involved in unethical activities on the net. Do not reply to a spam email or use its unsubscribe link, as this further propagates spam. If your email address is exposed on the net, make sure it is in a form that a spambot cannot easily detect and grab. When choosing a new email address, use one that is hard to guess: make it more than a few characters long, with a few unusual characters such as underscores if they are allowed. You can also consider using a secondary email address to avoid publicising your primary address, or use a disposable email address. Read email in plain text, switch off the preview pane, or disable the automatic downloading of graphics in HTML emails. Do not click links in spam emails, as the links may contain an encoded version of your email address and so indirectly inform the spammer that your address is valid.

Spam filtering is also an effective way of preventing spam. It can be done on your computer, at your organisation’s email gateway and at your ISP. Filtering on your computer can be done either with spam filtering software or with the filtering features of your email client, which can be configured on the basis of keywords and of routing or source information in the email headers; filtered emails can be diverted to a spam or trash folder. System administrators can install spam filtering software at their email gateways to prevent spam from reaching users within the organisation. Users can also subscribe to their ISP’s spam filtering service, which helps prevent spam from reaching the end user’s mailbox. Besides filtering, make sure your computer is secured, runs up-to-date anti-virus software and is patched regularly. This helps prevent your email address from being harvested from your PC, and your PC from being used as a spam zombie.

Conclusion

In conclusion, spam continues to grow and remains prevalent on the net, owing to factors such as a lack of user awareness and the availability of spamming tools. There is no magic wand to eradicate spam. However, with safe email practices by users and proper spam filtering, spam can be minimised to a certain extent. This will eventually make spam less annoying and the Internet a more comfortable place for all of us. ■

References

1. Cyber999 Help Centre
2. http://www.securelist.com/en/analysis/spam
3. http://www.419scam.org/
4. http://www.scamomatic.com/
5. http://www.securelist.com/en/threats/spam?chapter=95
6. http://en.wikipedia.org/wiki/Spambot
7. http://en.wikipedia.org/wiki/Email_spam_legislation_by_country
8. http://spamlinks.net/prevent-users.htm
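The filtering advice in the Spam Mitigations section of the article above (filter on keywords and on the routing or source information in the headers) can be illustrated with an added example that is not code from the article or from MyCERT: a minimal scoring filter in Python, using only the standard library, that combines a source check of the connecting IP against a blocklist with keyword scoring for the fake-lottery and compensation-claim wording the article describes. The blocklist range (a reserved documentation network), the keyword weights, the threshold and the two sample messages are all constructed for this example.

```python
import email
import ipaddress
import re
from email import policy

# Hypothetical blocklist of networks this site has seen sending spam
# (203.0.113.0/24 is the TEST-NET-3 documentation range, used as a stand-in).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Phrases typical of the fake-lottery and compensation-claim scams described in
# the article. Weights and threshold are arbitrary choices for the example.
KEYWORDS = {
    r"\blottery\b": 2,
    r"\bwinning\b|\bwon\b": 1,
    r"\bclaim\b": 1,
    r"\bprocessing fee\b|\btransfer fee\b": 3,
    r"\bcompensation\b": 2,
    r"\bnext of kin\b": 3,
}
SPAM_THRESHOLD = 4

# IPv4 literal in square brackets, as MTAs write it in Received headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample messages (reserved example domains; not real traffic).
SCAM = """Received: from mail.example.invalid ([203.0.113.45]) by mx.example.com; Tue, 5 Jul 2011 09:12:01 +0800
From: "UK National Lottery" <claims@example.invalid>
To: victim@example.com
Subject: Congratulations - you have won
Content-Type: text/plain; charset="utf-8"

Your email address was selected in the UK National Lottery draw.
To claim your winning prize of GBP 850,000 please send the processing fee
of GBP 350 to our claims agent.
"""

HAM = """Received: from smtp.example.org ([198.51.100.7]) by mx.example.com; Tue, 5 Jul 2011 10:00:00 +0800
From: colleague@example.org
To: victim@example.com
Subject: Minutes of Tuesday's meeting
Content-Type: text/plain; charset="utf-8"

Attached are the minutes. The claim form for travel expenses is due Friday.
"""


def connecting_ip(msg):
    """IP of the host that handed the message to our own MTA.

    Only the topmost Received header is used: it is the one our server wrote,
    so the address in it was observed on the wire. Lower Received lines arrive
    with the message and a spammer can forge them freely."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def source_ip(raw):
    """Connecting IP of a raw RFC 5322 message as a string, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    ip = connecting_ip(msg)
    return str(ip) if ip is not None else None


def score(raw):
    """Return (points, reasons) for a raw message: source check plus keywords."""
    msg = email.message_from_string(raw, policy=policy.default)
    points, reasons = 0, []

    ip = connecting_ip(msg)
    if ip is not None and any(ip in net for net in BLOCKED_NETS):
        points += 4
        reasons.append("source %s is on the blocklist" % ip)

    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    for pattern, weight in KEYWORDS.items():
        if re.search(pattern, text, re.IGNORECASE):
            points += weight
            reasons.append("matched /%s/" % pattern)
    return points, reasons


def is_spam(raw):
    """Messages scoring at or above SPAM_THRESHOLD go to the spam folder."""
    return score(raw)[0] >= SPAM_THRESHOLD


if __name__ == "__main__":
    for name, raw in (("SCAM", SCAM), ("HAM", HAM)):
        points, reasons = score(raw)
        print(name, points, "spam" if is_spam(raw) else "ham", reasons)
```

Two design points matter more than the particular weights. First, only the topmost Received header is trusted for the source check, because it is the only one the receiving MTA wrote itself; any Received line below it came in with the message and can be forged. Second, a single keyword such as "claim" is deliberately worth less than the threshold, so an ordinary message about an expense claim scores 1 and is delivered, while the constructed scam scores on the source and on several scam phrases at once. In a real deployment the static blocklist would be replaced by DNS-based blocklists and the word list by a trained filter, but the header-trust rule stays the same.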


“wire-once” settings pool bare-metalCPUs and network resources, allowingfor on demand assignments, defininglogical configurations and networkconnections instantly.Converged InfrastructuresMaturity ModelAs IT infrastructures are sprawled,the migrations of data centresthrough implementation of convergedtechnologies are essential. It is not anovernight transformation and must bedone in phases. A profound analyticalstudy on the current infrastructures andneeds are crucial. A common practicein monitoring the transformation is byapplying the Capability Maturity Model(CMM). It comprises of five maturitylevels, where the evolutionary areaof stability is well-defined towardsachieving a mature transformationprocess. The five maturity levels providethe top-level structure of CMM.Figure 1 shows the definition of eachlevel under CMM. This would helpan organisation to determine thephases of each level while undergoingtransformation.Level 1 – Initial (unstable)at this level, the processes are disorganised,even chaotic. It is likely to depend onindividual efforts for success. 
It is consideredto be non-repeatable because processeswould not be sufficiently defined anddocumented to allow them to be replicated.Level 2 – Repeatablethe basic project management techniquesare established, and successes could berepeated, because the requisite processeswould have been established, defined, anddocumented.Level 3 – Definedan organisation has developed or adapted astandard software process through greaterattention to documentation, standardisation,and integration of the whole infrastructure.Level 4 – Managedan organisation is able to monitor andcontrol processes through data collectionand analysis for sustainment of their systemand infrastructure.Level 5 – Optimisingprocesses are constantly being improvedthrough monitoring feedback from currentprocesses and introducing innovativeprocesses to better serve the organisation’sparticular needs.21The intention in setting down the keypractices is not to require or espouse a specificmodel of converged infrastructure migrationlife-cycle, a specific organisational structure,a specific separation of responsibilities, or aspecific management and technical approachto development. The intention, rather, isto provide a description of the essentialelements of an effective migration process.Security FeaturesFigure 1: Capability Maturity ModelThe security solution offered by convergedtechnologies varies from various technologyproviders. The fundamental ideas of howe-Security | Cyber Security <strong>Malaysia</strong> | Vol: 28-(Q3/<strong>2011</strong>)© CyberSecurity <strong>Malaysia</strong> <strong>2011</strong> - All Rights Reserved


22converged infrastructures work are mostlythe same. The difference would be theadditional features that are bundled withconverged infrastructure packages suchas log monitoring, archiving systems andvarious report generation.The one that is mostly discussed amongthe giant providers is the HP ConvergedInfrastructure Solution. In general, convergedinfrastructures consist of multiple layersof security, often referred to as defencein depth. This approach provides betterrisk reduction by using multiple forms ofmitigation techniques. For instance, theBladeSystem Matrix solution resembles abank vault which possesses multiple levelsof security.This solution utilises modular componentsthat are designed and integrated togetherto meet demanding business and securityrequirements. The main component ofthe BladeSystem Matrix solution is theBladeSystem enclosure. The enclosuresupports the servers, storage blades andassociated hardware. Numerous hardwareand software components comprise theBladeSystem Matrix solution, but several keycomponents provide the substantive securitymodel for the BladeSystem Matrix solution.Virtual Connect is one of the features meantfor managing virtual configurations withinenclosures. The Onboard Administratoris for managing hardware such as blades,fans, power supplies and switches, and aniLO which is associated with each blade fordirect administration of the physical server.Each component offers a full range of securitymechanisms addressing authentication,authorisation, data confidentiality andintegrity.However, implementing virtualisation incomputing environment will divulge it topotential risk as SIM can be a single pointof failure. This has to be addressed andmitigated in order to maintain an acceptablelevel of risk standard.Long Term Cost EffectivenessTransition of current technologies toconverged infrastructures will costcompanies a bomb. However, it is noted tobe a compelling opportunity to pursue. 
The important distinction is how it can simplify supporting IT infrastructure management and technology. This has become a demanding requirement for most companies seeking to expand their operations.

Some converged infrastructure solutions have Systems Insight Management (SIM) software as the foundation component that provides the security model and security services to many other BladeSystem Matrix components. Therefore, SIM is the focal point for security coverage in many sections.

The components that make up BladeSystem Matrix solutions are modular and can be purchased as individual components for standalone applications outside of the BladeSystem Matrix solution. In addition, individual components can provide additional localised security mechanisms. There are three administrative approaches that come together with BladeSystem Matrix.

Implementing converged infrastructures will help to reduce operational complexities such as coordination of tool usage, procedures, interdependencies between devices and fault-tracking. Thus, the operational and capital cost of maintaining the data centre will be brought down by eliminating separate hardware components and their annual maintenance. The less on-the-floor maintenance there is, the less electrical power is consumed. With fewer physical components and more virtualised infrastructure, server configurations can simply be created via single management tools.

One of the success stories for converged infrastructure implementation is McKesson, in the healthcare industry, located in San Francisco, CA. McKesson has doubled its development environment and saved millions. They managed to lessen their power consumption, lower their network complications, storage and power costs, as well as reduce data centre floor space. This has resulted in improved data growth and reduced deployment time.

As discussed earlier, converged infrastructures virtualise the software domain by means of a virtual machine manager, better known as a hypervisor. The same goes for the physical infrastructure, through implementing converged networking and I/O virtualisation. Once the virtualised I/Os and networks are in place, they can be composed and decomposed on demand. This eliminates a large number of components needed for infrastructure provisioning, scaling and even failover or clustering.

I/O consolidation implies converged transport, which means fewer cables and fewer switches to be installed on the network. Furthermore, with fewer moving physical parts, fewer software tools and licences are required. Roughly 80 percent of current physical components can be removed, consequently contributing to a decrease in operational complexities. Overall, converged infrastructures introduce physical simplicity, which breeds operational efficiency. This leads to reduced costs and effort, as well as simplifying the complications of managing data centres.

What Is Converged Infrastructure And What It Is Not

Converged infrastructures have become a demanding solution in this new globalised era. IT infrastructures are now the ultimate platforms to serve the operations of an organisation. Different solution providers might have named it with different terms. For example, CISCO introduced this solution as Unified Computing. However, the way vendors whitewash their products would also sound promising by labelling them as converged infrastructures. Several terms that one might come across while searching for these kinds of solutions are Heterogeneous Automation, Product Bundle or Pre-Integrated solutions.
These solutions could easily be scripted as runbook automations. This doesn’t reduce physical complexities; it may simplify installations, but it does not guarantee physical or operational simplicity.

Conclusion

All in all, converged infrastructures can recreate an entire environment to provide both High Availability and Disaster Recovery in mixed physical and virtual environments. It also helps eliminate the need for complex clustering solutions and is an option for replacing numerous point products to simplify IT management. ■

Reference

1. HP Converged Infrastructure Solution Security For HP BladeSystem Matrix, 4AA2-8444ENW Rev. 1, November 2009
2. HP Converged Infrastructure Maturity Model, 4AA1-3980ENW Rev. 3, November 2009
3. Technical Report, CMU/SEI-93-TR-025, ESC-TR-93-178, Key Practices of the Capability Maturity Model, Version 1.1, February 1993
4. Converged Infrastructure, Ken Oestreich, 15 November 2010, http://www.thectoforum.com/content/converged-infrastructure-0
5. 10 Best Practices for Managing a Converged Network, Leslie T. O’Neill, April 30, 2009, http://www.focus.com/briefs/10-best-practicesmanaging-converged-network/
6. IBM Business benefits of converged communications, IBM Global Technology Services, October 2006
7. McKesson doubles its development environments and saves millions with HP CloudSystem Matrix, 4AA2-3804ENW, July 2011


Randomness Testing using NIST Statistical Test Suite

By | Norul Hidayah binti Lot @ Ahmad Zawawi, Nik Azura binti Nik Abdullah

Introduction

Nowadays, random number generators (RNGs) and pseudorandom number generators (PRNGs) are needed for many purposes, such as cryptographic, modelling and simulation applications. For example, in the cryptographic field, the keys and other cryptographic algorithm parameters used by all cryptosystems must be generated in a random pattern.

An RNG is a mechanism used to generate a truly random binary sequence. It uses non-deterministic sources such as the noise in an electrical device, the timing of user processes (e.g. mouse movement) or the quantum effects in a semiconductor to produce randomness.

Meanwhile, a PRNG is a deterministic algorithm for generating a random binary sequence; this generator uses one or more inputs known as seeds. Both generators are very important in the construction of encryption keys and also other cryptographic algorithm parameters such as keystreams and the outputs from components used in the algorithm. If the generated binary sequence is not random, then it can be easily predicted.

There are several statistical test suites used to test the randomness of such generators. The first statistical test suite was developed by Donald Knuth and presented in his book entitled “The Art of Computer Programming Vol. 2: Seminumerical Algorithms”. Later, the DIEHARD suite of statistical tests was introduced by George Marsaglia. Following that was the Crypt-XS suite of statistical tests, developed by researchers at the Information Security Research Centre. The most recent suite of statistical tests was developed through collaboration between the Computer Security Division and the Statistical Engineering Division at the National Institute of Standards and Technology (NIST), and is referred to as the NIST Statistical Test Suite.
This article discusses the NIST Statistical Test Suite for both random and pseudorandom number generators.

Random Number Generator Tests

Before statistical tests are carried out, several assumptions must be made about the binary sequences.

1. Uniformity: at any point in the generation of a sequence of random or pseudorandom bits, the occurrence of a zero or a one is equally likely. That is, the probability of each zero and one is exactly ½, and the expected number of occurrences of zeros or ones is equal to n/2, where n is the length of the sequence.

2. Scalability: any test which is applicable to a sequence can also be applied to subsequences extracted at random. If the sequence is random, then any such subsequence should also be random. Therefore, any subsequence should pass any test for randomness.


3. Consistency: the behaviour of a generator must be consistent across starting values (seeds).

The NIST Statistical Test Suite is a statistical package developed for testing the randomness of binary sequences. These binary sequences are produced by hardware- or software-based cryptographic random or pseudorandom number generators. The suite includes 16 tests, each focusing on a different type of non-randomness that could exist in a sequence. All these tests use the standard normal and the chi-square as reference distributions to determine whether the binary sequence is random or non-random.

The tests in this statistical package can be divided into two categories: the Parameterized Test Selection and the Non-Parameterized Test Selection. The Parameterized Test Selection requires users to define parameter value(s) such as block length, template length and number of blocks. The Non-Parameterized Test Selection does not require users to define any parameter values. Table 1 and Table 2 describe both categories respectively, including the focus and the purpose of each test.

Block Frequency Test
  Focus: The proportion of ones within M-bit blocks, where M is the length of each block.
  Purpose: To determine whether the number of ones in an M-bit block is approximately M/2.

Overlapping Templates Test
  Focus: The number of occurrences of prespecified target strings.
  Purpose: To reject sequences that show deviations from the expected number of runs of ones of a given length.

Non-Overlapping Templates Test
  Focus: The number of occurrences of prespecified target strings.
  Purpose: To reject sequences that exhibit too many occurrences of a given non-periodic pattern.

Serial Test
  Focus: The frequency of all possible overlapping m-bit patterns across the whole sequence (m is the length in bits of each block).
  Purpose: To determine whether the number of occurrences of m-bit overlapping patterns is approximately the same as would be expected for a random sequence.

Approximate Entropy Test
  Focus: The frequency of all possible overlapping m-bit patterns across the whole sequence.
  Purpose: To compare the frequency of overlapping blocks of two consecutive/adjacent lengths (m and m+1) against the expected result for a normally distributed sequence.

Linear Complexity Test
  Focus: The length of a Linear Feedback Shift Register (LFSR).
  Purpose: To determine whether the sequence is complex enough to be considered random.

Universal Test
  Focus: The number of bits between matching patterns, which is a measurement related to the length of a compressed sequence.
  Purpose: To detect whether the sequence can be significantly compressed without loss of information.

Table 1: Parameterized Test Selection


Cumulative Sums Test
  Focus: The maximal excursion (from zero) of the random walk defined by the cumulative sum of adjusted (-1, +1) digits in the sequence.
  Purpose: To determine whether the sum of the partial sequences occurring in the tested sequence is too large or too small.

Runs Test
  Focus: The total number of runs in the sequence, where a run is an uninterrupted sequence of identical bits.
  Purpose: To determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence.

Longest Runs of Ones Test
  Focus: The longest run of ones within M-bit blocks, where M is the length of each block.
  Purpose: To determine whether the longest run of ones is consistent with the longest run of ones that would be expected in a random sequence.

Rank Test
  Focus: The rank of disjoint sub-matrices of the whole sequence.
  Purpose: To check for linear dependence among fixed-length substrings of the original sequence.

Spectral DFT Test
  Focus: The peak heights in the Discrete Fourier Transform of the sequence.
  Purpose: To detect periodic features in the tested sequence that would indicate a deviation from the assumption of randomness.

Random Excursions Test
  Focus: The number of cycles having exactly K visits in a cumulative sum random walk.
  Purpose: To determine if the number of visits to a particular state within a cycle deviates from what one would expect for a random sequence.

Random Excursions Variant Test
  Focus: The total number of times a particular state is visited in a cumulative sum random walk.
  Purpose: To detect deviations from the distribution of the number of visits of a random walk to a certain state.

Lempel Ziv Complexity Test
  Focus: The number of cumulatively distinct patterns (words) in the sequence.
  Purpose: To determine how far the tested sequence can be compressed.

Frequency Test
  Focus: The proportion of zeros and ones in the whole sequence.
  Purpose: To determine whether the number of zeros and ones in a sequence is approximately the same as would be expected for a truly random sequence.

Table 2: Non-Parameterized Test Selection

Conclusion

In conclusion, the use of random number generators is important, since it is one of the main criteria determining the strength of computer security applications. Random number generators are very useful for constructing encryption keys and also other cryptographic algorithm parameters. Therefore, by using the statistical test suite, one can ensure that the sequence produced by hardware or software is random. ■

References

1. Juan Soto, “Statistical Testing of Random Number Generators,” National Institute of Standards & Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930.
2. Andrew Rukhin, Juan Soto, James Nechvatal, Miles Smid, Elaine Barker, Stefan Leigh, Mark Levenson, Mark Vangel, David Banks, Alan Heckert, James Dray, San Vo, “A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications,” NIST Special Publication 800-22.
3. Juan Soto and Lawrence Bassham, “Randomness Testing of the Advanced Encryption Standard Finalist Candidates,” Computer Security Division, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930.
4. http://csrc.nist.gov/groups/ST/toolkit/rng/pubs_presentations.html
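As an added illustration, not part of the article and not the NIST suite's own code, the following Python implements three of the tests from Tables 1 and 2 (Frequency, Block Frequency and Runs) from the SP 800-22 formulas and runs them on constructed inputs. The function names are my own, _igamc is a small stand-in for the incomplete gamma function the suite relies on, and the alternating string and the LCG stream are constructed here to show why a sequence must pass every test, not just the frequency check.

```python
"""Added example (not from the article): three NIST SP 800-22 tests from Tables 1 and 2,
implemented from the published formulas and run on constructed bit strings."""
import math
from typing import Dict


def frequency_test(bits: str) -> float:
    """Frequency (Monobit) Test, Table 2: map 0/1 to -1/+1, sum, and compare the
    normalised sum with the standard normal distribution.  Returns the p-value."""
    n = len(bits)
    s = sum(1 if b == "1" else -1 for b in bits)
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def _igamc(a: float, x: float) -> float:
    """Regularised upper incomplete gamma function Q(a, x) = 1 - P(a, x), via the
    power series for P.  Stand-in for scipy's gammaincc; adequate for moderate x."""
    if x <= 0.0:
        return 1.0
    term = 1.0 / a
    total = term
    k = 1
    while term > total * 1e-16 and k < 100000:
        term *= x / (a + k)
        total += term
        k += 1
    p = total * math.exp(-x + a * math.log(x) - math.lgamma(a))
    return min(1.0, max(0.0, 1.0 - p))


def block_frequency_test(bits: str, block_len: int) -> float:
    """Block Frequency Test, Table 1: the proportion of ones in each M-bit block should
    be about 1/2.  Chi-square statistic with N (number of blocks) degrees of freedom."""
    num_blocks = len(bits) // block_len          # trailing bits are discarded, as in NIST
    chi_sq = 0.0
    for i in range(num_blocks):
        block = bits[i * block_len:(i + 1) * block_len]
        pi = block.count("1") / block_len
        chi_sq += (pi - 0.5) ** 2
    chi_sq *= 4.0 * block_len
    return _igamc(num_blocks / 2.0, chi_sq / 2.0)


def runs_test(bits: str) -> float:
    """Runs Test, Table 2: total number of runs (maximal blocks of identical bits).
    NIST first requires the frequency prerequisite |pi - 1/2| < 2/sqrt(n); when it
    fails the runs test is not applicable and a p-value of 0 is reported."""
    n = len(bits)
    pi = bits.count("1") / n
    if abs(pi - 0.5) >= 2.0 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(v_obs - 2.0 * n * pi * (1.0 - pi))
    den = 2.0 * math.sqrt(2.0 * n) * pi * (1.0 - pi)
    return math.erfc(num / den)


def evaluate(bits: str, block_len: int = 10) -> Dict[str, float]:
    """Run the three tests and return their p-values by name."""
    return {
        "frequency": frequency_test(bits),
        "block_frequency": block_frequency_test(bits, block_len),
        "runs": runs_test(bits),
    }


def passes_all(bits: str, block_len: int = 10, alpha: float = 0.01) -> bool:
    """A sequence passes a test when p >= alpha; NIST's default alpha is 0.01."""
    return all(p >= alpha for p in evaluate(bits, block_len).values())


if __name__ == "__main__":
    # Constructed input: a perfectly alternating string has exactly half ones, so it
    # passes both frequency tests, yet it is fully predictable and the runs test rejects it.
    alternating = "01" * 50
    # Constructed input: a bit stream from a small linear congruential generator.
    state, lcg_bits = 12345, []
    for _ in range(1000):
        state = (1103515245 * state + 12345) % 2 ** 31
        lcg_bits.append(str((state >> 16) & 1))
    for name, seq in (("alternating", alternating), ("lcg", "".join(lcg_bits))):
        print(name, {k: round(v, 4) for k, v in evaluate(seq).items()}, passes_all(seq))
```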


Mathematics Operations in Binary Numeral System

BY | Abdul Alif Bin Zakaria

Introduction

Cryptography is one of the most important aspects of the Information Security arena. It is the practice and study of techniques for secure communication in the presence of third parties. Communication over untrusted networks can be carried out with encryption, which is the conversion from a readable state to an unreadable state. The opposite of encryption is decryption, which converts an apparently nonsensical state back to a readable state.

Designing a strong cryptographic algorithm has never been easy these days, because people are getting smarter and technology is progressing rapidly. One of the most important tools in designing cryptographic algorithms such as DES and AES is the application of the binary number system. This number system complicates any effort to break the algorithm. Although it is still possible to break the algorithm, at least it will delay the effort to do so.

There are many types of number systems, among them decimal (base-10), hexadecimal (base-16) and binary. Not many of us are familiar with and understand the foundation of binary number systems. Therefore, the binary number system is the main topic discussed in this article, because of its importance in many applications compared to other number systems. Binary numeral systems are also well known as base-2 number systems. Unlike decimal numbers, which include every single number from 0, 1, 2 … to infinity, this system is represented only by the digits “0” and “1”. The digit “1” represents yes, agree or positive. The digit “0”, on the other hand, represents no, disagree or negative, depending on how we define it. Binary numeral systems are used in most modern computers, where a binary digit is popularly known as a “bit”.
Besides its use in computing, binary has also been widely used in the science and mathematics fields. Due to its flexibility, further explanation of how to utilise binary numeral systems in mathematical operations is given later.

Differences Between Decimal and Binary

Decimal and binary number systems are two different types of number systems, but they operate with similar mathematical operation techniques. The difference between these two number systems is the digits that they use. Decimal numbers use the digits “0” to “9” while binary numbers use the digits “0” and “1”. Both number systems apply the same method to determine the largest and the smallest value, by looking at the column position of each digit. The “carry” method is applied in both number systems: a digit increases until it reaches the maximum value for its column, then carries into the next column.

Decimal Number System

Decimal numbers known as integers can use the digits 0, 1, 2, 3, 4, 5, 6, 7, 8 or 9 in each position. For numbers containing more than one digit (e.g. 47 and 13), the digit sequence is separated into columns depending on the total number of digits in the number. The smallest-value column is located at the far right while the largest-value column is located at the far left. The values of the columns are 10^0, 10^1, 10^2, 10^3, …, 10^n, reading from right to left. Table 1 shows the value of each column and its decimal form.


  Power   Decimal
  10^0    1
  10^1    10
  10^2    100
  10^3    1000
  10^n    1…0 (a 1 followed by n zeros)

Table 1: Power and Decimal Form

Referring to Table 2, there are four columns of decimal digits, separated according to the number of digits in each decimal number. The column on the far left is the largest value, while the column on the far right is the smallest value. If a decimal number is larger than 9, a digit is carried into the column to the left. The column next to the carried column (on the right) starts again from the value “0”.

  Decimal   Column 4   Column 3   Column 2   Column 1
  9                                          9
  10                              1          0
  99                              9          9
  100                  1          0          0
  999                  9          9          9
  1000       1         0          0          0

Table 2: Decimal Number in Columns

Binary Number System

As described earlier, a binary number is a representation of numbers using only “0” and “1”. Similar to decimal numbers, the actual sequence of binary digits is separated into columns depending on the total number of digits in the binary number. The smallest value is located at the far right while the largest value is located at the far left. The only difference between these two number systems is the base. Decimal numbers use 10 as the base while binary numbers use 2 as the base. The values of the columns are 2^0, 2^1, 2^2, 2^3, …, 2^n, reading from right to left. Table 3 shows the value of each column and its binary form.

  Power   Decimal   Binary
  2^0     1         1
  2^1     2         10
  2^2     4         100
  2^3     8         1000
  2^n     2×…×2     1…0

Table 3: Power, Decimal and Binary Form

Referring to Table 4, there are four columns of binary digits, separated according to the number of digits in each binary number. The column on the far left is the largest value, while the column on the far right is the smallest value. If a binary digit is larger than 1, it should be carried a column to the left.
The column next to the carried column (on the right) starts again from the value “0”.

  Binary   Column 4   Column 3   Column 2   Column 1
  1                                         1
  10                              1         0
  11                              1         1
  100                  1          0         0
  111                  1          1         1
  1000       1         0          0         0

Table 4: Binary Digits in Columns

How to Convert Decimal into Binary?

Binary digits act almost the same as decimal numbers in many situations. Now let’s compare the difference between a binary number and a decimal number. For instance, look at the number “9”. When “1” is added to “9”, it becomes “10”, which is a two-digit number. The number of digits increases each time the single digits are exhausted. A single digit can be rotated from “0” to “9”. When “9” is reached, it can only return to “0” by adding one extra digit on its left.

In a decimal number system, a single digit rotates from zero to nine, while in a binary number system a single digit can only rotate from zero to one. If the number x is larger than “1”, find the highest degree n where x - 2^n > 0. Repeat the above method on the remainder until the remainder is less than “2”. If the remainder is less than “2”, the remainder represents the value in the last column.

  Decimal   0       1       2       3       4       5       6       7       8       9
  Binary    00000   00001   00010   00011   00100   00101   00110   00111   01000   01001

Table 5: Decimal Numbers in Binary Number System

Mathematics Operations

Binary Addition

The basic concept of binary addition is almost the same as for decimal numbers. The difference between the number systems is that decimal numbers use the digits “0” to “9” while binary numbers use the digits “0” and “1”. If the sum of two digits is larger than “1”, a “1” is carried a column to the left. Below is an example of binary addition for single-bit binary numbers.

  0 + 0 = 0
  0 + 1 = 1
  1 + 0 = 1
  1 + 1 = 0, carry 1

How To Convert Binary Into Decimal?

Binary numbers are actually sums of powers of two. The rightmost digit of a binary number represents 2^0. The leftmost digit of a binary number is the highest value. The power increases by one for each digit to the left. To convert a binary number into a decimal number, each digit needs to be multiplied by the power of two that corresponds to its position in the binary number. The power starts from the right at 2^0 and increases by one for each position to the left. If the binary number contains six digits, the highest value would be 2^5.
Refer to the example below for a better understanding of how to convert binary strings into decimal numbers.

  101011 = (1 × 2^5) + (0 × 2^4) + (1 × 2^3) + (0 × 2^2) + (1 × 2^1) + (1 × 2^0)
         = (1 × 32) + (0 × 16) + (1 × 8) + (0 × 4) + (1 × 2) + (1 × 1)
         = 32 + 0 + 8 + 0 + 2 + 1
         = 43

Let’s calculate “1+1” in decimal: “2” is the answer. Since “2” is larger than “1” (where “1” is the maximum digit in binary), “1” has to be carried a column to the left and “0” (in decimal, “2” minus “2” is equal to “0”) is the remainder. So “1+1” is equal to “10” in binary. The process is the same for multiple-bit binary numbers. Here is an example of addition of multiple-bit binary numbers.

  i) Binary                     ii) Decimal
       111   (carried digits)        1   (carried digit)
     10011                          19
  +   1110                       +  14
  = 100001                       =  33

Binary Subtraction

Binary subtraction operates almost the same as for decimal numbers. Both number systems use the same “borrow” method. If a column value is smaller than the value that we want to subtract, it borrows from the column on the left so that the subtraction can be carried out.

  0 - 0 = 0
  0 - 1 = 1, borrow 1
  1 - 0 = 1
  1 - 1 = 0

Now calculate “0-1” in decimal: the answer is “-1”. Since “-1” is not a binary digit (where “0” and “1” are the digits in binary), “1” has to be borrowed from the column on its left. The new binary digit value becomes “10”. In binary, “10-1” (in decimal, “2” minus “1” is equal to “1”) is equal to “1”. So “0-1” is equal to “1” with borrow “1”. The same process applies for multiple-bit binary numbers. Here is an example of subtraction of multiple-bit binary numbers.

  i) Binary                        ii) Decimal
  *  *  *     (borrowed from)       *    (borrowed from)
    11010110                        214
  -   101001                      -  41
  = 10101101                      = 173

Binary Multiplication

The concept of multiplication using binary numbers is almost the same as the decimal multiplication method. Multiplying using decimal numbers is a straightforward exercise. However, using binary numbers is a bit more complicated. Single-bit binary multiplication operates the same way as decimal multiplication because it is straightforward.

  0 × 0 = 0
  0 × 1 = 0
  1 × 0 = 0
  1 × 1 = 1

For multiple-bit binary numbers, it has to go through repeated multiplication and addition, which might take some time depending on the number of digits in the binary numbers to be multiplied. Here is an example of multiple-bit binary multiplication.

  i) Binary
           11011
  ×         1101
  --------------
           11011    (11011 × 1)
          00000     (11011 × 0, shifted one column)
         11011      (11011 × 1, shifted two columns)
  +     11011       (11011 × 1, shifted three columns)
  --------------
  =    101011111

  ii) Decimal
        27
  ×     13
  ------
        81
  +    27
  ------
  =   351

There are two steps in multiplying binary numbers: multiplication and addition. First, we multiply the first binary number (11011) by each single bit of the second binary number (1101). Since 1101 contains four bits, four partial products have to be kept for the next step. The second step requires us to add all of the partial products using the multiple-bit binary addition method. Remember to use the carry method if the sum of two digits is more than “1”. After adding all four partial products, we get “101011111” as the final answer.

Binary Division

Division using the binary number system is the same as in the decimal number system, because it solves the problem by a similar method. It divides the highest possible number before proceeding with the smaller value. The borrow method is required when subtracting smaller binary values from larger binary values. If the number cannot be divided, it remains as the remainder. Refer to the example below for a better understanding of how division can be solved using the binary number system.

  i) Binary
          100101
        --------
  101 ) 10111010
        101
        ---
          110
          101
          ---
            110
            101
            ---
              1   (remainder)

  ii) Decimal
         37
       ----
  5 ) 186
      15
      --
       36
       35
       --
        1   (remainder)

Conclusion

There are many ways to utilise binary number systems, as they can operate similarly to decimal numbers. It is not only useful in mathematical operations, but is also compatible with other systems or applications due to its flexible characteristics. Stated below are other functions of the binary number system that are widely used in computer systems.

This number system can be another option for users to do mathematical operations instead of using conventional mathematical methods. It can also be used as a check on normal calculation methods, especially when dealing with very large numbers. Normal calculators allow only a limited number of digits for mathematical operations and cannot process more than a certain number of digits. Binary number systems can be used for very large mathematical operations because, in a computer system, each binary digit represents a character instead of defining it as a number.

Binary numbers may represent alphabetical letters, each with its own unique code, which can be found in the ASCII (American Standard Code for Information Interchange) table. In this table, the letter “A” is represented by the number 65 while the letter “Z” is represented by the number 90. These alphabetical code numbers can also be converted to binary numbers. In binary, the code for “A” is 1000001 and the code for “Z” is 1011010.

Besides using binary numbers to represent alphabetical letters, they can also represent colours. Combinations of colours produce images or pictures. Each colour has its unique colour code, which can be found in an HTML Colour Codes table. In hexadecimal, for instance, the colour black is represented by 000000 while the colour white is represented by FFFFFF. These colour codes are numbers that can also be converted to binary numbers. After these two colour codes have been converted to binary, black is represented by 000000000000000000000000 and white by 111111111111111111111111. ■
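The carry, borrow, partial-product and long-division procedures described in this article, as an added Python example that is not part of the original; it works on bit strings rather than machine integers so that each step mirrors the pencil-and-paper column method, the function names are my own, and the values in the demo are the article's worked examples.

```python
"""Added example (not from the article): column-by-column binary arithmetic on bit
strings, following the carry, borrow, partial-product and long-division rules."""
from typing import Tuple


def strip_zeros(bits: str) -> str:
    """Drop leading zeros but keep a single "0" for zero."""
    return bits.lstrip("0") or "0"


def add(a: str, b: str) -> str:
    """Add right to left using the single-bit table: 1 + 1 = 0, carry 1."""
    width = max(len(a), len(b))
    a, b = a.zfill(width), b.zfill(width)
    out, carry = [], 0
    for x, y in zip(reversed(a), reversed(b)):
        s = int(x) + int(y) + carry      # 0, 1, 2 or 3
        out.append(str(s % 2))           # digit that stays in this column
        carry = s // 2                   # digit carried to the column on the left
    if carry:
        out.append("1")
    return strip_zeros("".join(reversed(out)))


def sub(a: str, b: str) -> str:
    """Subtract b from a (a >= b) right to left: 0 - 1 = 1, borrow 1."""
    width = max(len(a), len(b))
    a, b = a.zfill(width), b.zfill(width)
    out, borrow = [], 0
    for x, y in zip(reversed(a), reversed(b)):
        d = int(x) - int(y) - borrow
        borrow = 0
        if d < 0:
            d += 2                       # the 1 borrowed from the left is worth 2 here
            borrow = 1
        out.append(str(d))
    if borrow:
        raise ValueError("subtrahend is larger than minuend")
    return strip_zeros("".join(reversed(out)))


def greater_equal(a: str, b: str) -> bool:
    """Compare bit strings: more digits means larger; same length, compare digit-wise."""
    a, b = strip_zeros(a), strip_zeros(b)
    return (len(a), a) >= (len(b), b)


def mul(a: str, b: str) -> str:
    """One partial product per bit of b (a copy of a shifted left, or a zero row),
    then add the partial products with the carry method."""
    total = "0"
    for shift, bit in enumerate(reversed(b)):
        partial = a + "0" * shift if bit == "1" else "0"
        total = add(total, partial)
    return total


def divmod_bits(dividend: str, divisor: str) -> Tuple[str, str]:
    """Long division: bring down one digit at a time and subtract the divisor whenever
    the running value is at least the divisor, writing 1 (else 0) in the quotient."""
    divisor = strip_zeros(divisor)
    if divisor == "0":
        raise ZeroDivisionError("binary division by zero")
    quotient, remainder = [], "0"
    for digit in dividend:
        remainder = strip_zeros(remainder + digit)
        if greater_equal(remainder, divisor):
            remainder = sub(remainder, divisor)
            quotient.append("1")
        else:
            quotient.append("0")
    return strip_zeros("".join(quotient)), remainder


def dec_to_bin(x: int) -> str:
    """Decimal to binary: repeatedly remove the highest power of two that fits,
    placing a 1 in that column, until nothing remains."""
    if x == 0:
        return "0"
    digits = ["0"] * x.bit_length()
    while x > 0:
        n = x.bit_length() - 1           # highest n with 2**n <= x
        digits[-(n + 1)] = "1"
        x -= 2 ** n
    return "".join(digits)


def bin_to_dec(bits: str) -> int:
    """Binary to decimal: sum of 2**position over the columns holding a 1."""
    return sum(2 ** i for i, bit in enumerate(reversed(bits)) if bit == "1")


if __name__ == "__main__":
    print(add("10011", "1110"))                  # 100001   (19 + 14 = 33)
    print(sub("11010110", "101001"))             # 10101101 (214 - 41 = 173)
    print(mul("11011", "1101"))                  # 101011111 (27 x 13 = 351)
    print(divmod_bits("10111010", "101"))        # ('100101', '1') (186 / 5 = 37 r 1)
    print(bin_to_dec("101011"), dec_to_bin(43))  # 43 101011
```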


Vulnerability Analysis Using Common Criteria Attack Potential (Part 3 - Final)

By | Ahmad Dahari Bin Jarno

Continuity of Part 1 and Part 2

Looking back at Part 1 and Part 2 of this article, each provided detailed explanation and elaboration on how vulnerability assessment or penetration testing analysis is conducted in the different ways commonly referred to by security analysts or penetration testers. In general terms, these articles are not meant to show weaknesses or flaws in other methodologies that are out there and already being used and implemented.

Rather, this piece is about providing suggestions for improving current practices that have been implemented, and moving them forward towards better use of test findings and producing the best analysis of those findings in ways that are more practical and measurable. This is to provide a significant answer to the question, “How definitive and applicable is each vulnerability and/or risk, looking at the findings of vulnerability assessments or penetration tests through vulnerability analysis techniques?”

Therefore, Part 3 of this article will show how Common Criteria Attack Potential produces results in the form of vulnerability analysis, by referring to vulnerability assessment and penetration testing activities according to their phases of execution, plans and deliverables.

Key Points of Common Criteria Attack Potential Merits and Calculations

Common Criteria Attack Potential is defined under the AVA scope of work (Common Criteria Vulnerability Assessment Work Units), which is specifically conducted under the evaluation assurance of vulnerability assessments.
From the point of view of Common Criteria evaluation processes, Attack Potential is used as the main reference in calculating values for each vulnerability assessment or penetration testing scenario, to determine whether each proposed approach is applicable at the level of evaluation assurance (EAL) against which the product will then be evaluated and certified. Looked at from the more general perspective of vulnerability assessment and penetration testing, however, the attack potential defined by Common Criteria in the CEM can be used further in several areas of vulnerability assessment or penetration testing, by applying it in each phase of those activities.

To recap Part Two (2), Common Criteria Attack Potential is a set of ratings and components categorised according to calculations (refer to Table 2 and Table 3 in Part 2). Compared with other approaches to vulnerability assessment and penetration testing when performing vulnerability analysis, security analysts/penetration testers commonly use the details of a specific vulnerability pattern and its behaviour to determine the level of damage it can cause. However, certain methods and approaches to vulnerability tests or penetration tests need to be executed in the first place. An experienced security analyst and/or penetration tester will aim for better coverage of vulnerability analysis by carrying justifications and methods from the planning phase through to the actual analysis. The reasons behind this are to ensure that decisions are properly taken, to give confidence in the results and, most importantly, to ensure that the vulnerability actually exists, has been catered for, is proven and can be fixed according to the recommendations for further improvement. Common Criteria is therefore in a better position to give security analysts/penetration testers the guidance they need to achieve better testing coverage and to provide justifications in the preliminary stages.

e-Security | Cyber Security Malaysia | Vol: 28-(Q3/2011) © CyberSecurity Malaysia 2011 - All Rights Reserved

Leveraging CC Attack Potential Coverage in Vulnerability Test & Analysis

Question: how far can a security analyst/pen-tester leverage the situation by covering most of the vulnerability testing results and analysis? Most of us will say that it depends on the analyst's/pen-tester's experience, knowledge and hands-on skills. Yet a better answer can be given by allowing CC Attack Potential to provide an interesting outlook on the test planning, execution and analysis processes.

To simulate this justification, the following example illustrates how CC Attack Potential has been used as part of a vulnerability assessment or penetration test, from the starting point through to the main events of vulnerability analysis. In brief, the example is a project-based execution of penetration test activities conducted on a prototype of contactless smartcard applets that can store crucial information, segregating it and enforcing access control through defined random key exchange procedures whenever information is requested by proprietary desktop software applications through a smartcard reader.

Justifications of Preliminary Test Scenarios

Test Title: Identify information transacted between the card reader and sample card via contactless channels.

Confidentiality, Availability & Integrity (CIA) Hypothesis: Examine that the key transacted between the card reader and sample card cannot be bypassed in any aspect of its processes. Examine that the key transacted between the card reader and sample card is confidential, whilst maintaining the secrecy of the keys exchanged between both origins.

Test Objective: Identification of the keys transacted between the smartcard reader and the sample card embedded inside a contactless chip.

Objective Details: To meet the CIA hypothesis, analysts shall perform tests on the key transaction processes by monitoring and simulating the key exchanges between the smartcard reader and sample card via contactless channels. These tests validate that the processes cannot be bypassed and cannot be compromised in the middle through a man-in-the-middle attack.

Test Approaches:
Test 0 (Control): Using the smartcard reader and sample card, perform basic challenge and response scenarios with basic commands.
Test 1: Generating random keys at short intervals.
Test 2: Generating random keys at long intervals.
Tests 3 and 4: Using a USB sniffer to monitor all key exchange transactions between the SAM and the reader. This identifies where key exchanges are initiated; either from the software or from the reader.
Test 5: Using a USB sniffer to monitor the communications between the desktop software application and the reader.

Attack Potential Calculation:
Elapsed Time: Less than one week (1)
Expertise: Proficient (3)
Knowledge of TOE: Sensitive (7)
Window of Opportunity: Unlimited Access (0)
Equipment: Standard (0)
Calculation and Attack Potential Level: Total: 11 (Basic)

Table 1: Preliminary Justification using CC Attack Potential


Vulnerability Analysis based on Test Results and Findings for Test B1 and B2

TEST ID: Test B1 and B2

VULNERABILITY ASSESSMENT ANALYSIS:

Scope of Confidentiality, Integrity & Availability (CIA):
Threat Agent: Unauthorised User
Adverse Actions:
Availability: Guessing the sequence of keys or the order in which they were generated.
Confidentiality: Accessing all legitimate keys and using them in sequence.
Assets: Generated Keys.

Scenario: An unauthorised user may capture, sniff, collect or guess the list of well-defined generated keys for use in accessing the data sector of sample cards.

Vulnerability & Risk Analysis Finding: The developer claimed that all keys used to read and write data on the contactless chip are random and cannot be guessed, and described clearly that they are generated in a defined order of keys with the correct number of seeds. The keys are derived from seeds, part of which is the UID of the card and of the secure access module card, with the help of a Base Key. Without this information from the key generation process, an attacker cannot guess the order, even with several sample cards for pre-test purposes, because each card has its own UID and its own definitive generated keys. In conclusion, the randomness of these generated keys is definitive and acceptable.

Verdict:
Operational Devices Risk of CIA: None.
Environment Risk of CIA: None.
Overall Risk: None.

Table 2: Findings of Vulnerability Analysis

Referring to Table 1 and Table 2, CC Attack Potential can be used during the preliminary stages of vulnerability assessment/penetration testing, giving security analysts/penetration testers better direction in determining whether the designed test scenarios are appropriate and whether the objectives are met. Then, during the vulnerability analysis stage, a proper analysis can be performed with stated justifications, supported by ratings from the Attack Potential calculations, resulting in better test findings.

Applying CC Attack Potential for Vulnerability Analysis in Phases of Vulnerability Assessment & Penetration Testing

To understand this further, we must know how CC Attack Potential and its capabilities can be fully utilised in all phases of vulnerability assessment and penetration testing. Can it help spice things up a bit? The previous section gave an example of how to determine the walkthrough of a vulnerability assessment and/or penetration test by calculating Attack Potential ratings during the preliminary (plan) phase and using that information to determine the risk assessment via vulnerability analysis.

Furthermore, Common Criteria Attack Potential can be used in performing vulnerability assessment and/or penetration testing by further justifying each approach and technique chosen for test execution. The following example elaborates several tests conducted on a Unified Threat Management product called the All-in-One Firewall Box, which has many security enforcement features added on top of a base firewall. To elaborate the overall test, one test was selected as an example of determining the applicability of those approaches, by levelling exploits in certain ways to determine appropriateness.


Objective: Compromise the target operational environment by penetrating into the underlying operating system from open ports available on the Unified Threat Management (UTM) system. Previously, open port scanning had been conducted to identify open access points of the UTM system.

Attack Potential (Plan vs. Execute):
Aspect                  Plan              Execute
Elapsed Time            2 weeks (2)       1 week (1)
Expertise               Proficient (3)    Layman (0)
Knowledge of Target     Public (0)        Public (0)
Window of Opportunity   Unlimited (0)     Unlimited (0)
Equipment               Standard (0)      Standard (0)
Total                   5 (Basic)         1 (Basic)

Analysis: Without proper configuration of the UTM system, administration access points such as SSH, Telnet and FTP are open through network ports. Those ports are not fully secure because they use default access passwords. Additionally, once a tester has access to the terminal, the tester only needs knowledge of the Linux command line to explore the file management of the UTM system.

Findings
Hypothesis (Plan): There will be only several common open ports, such as FTP, SSH, HTTPS and HTTP, open locally and not publicly.
Actual (Execute): Open ports are openly available through local and public connections and use default access passwords and accounts.
Analysis: Based on the findings, the target of assessment is not securely configured as claimed and advised by the developer.

CIA Implementation
Hypothesis (Plan): All network ports are filtered by packet filtering rules and hidden from any scanning discovery techniques.
Actual (Execute): Several open ports were found and identified as crucial access points for administration.
Analysis: Without proper configuration of the ports as indicated by the developer in the installation and administration manual, the UTM system does not enforce CIA as its main criteria.

Conclusion: It is therefore concluded that the UTM system is not secure without proper administration and can be compromised by allowing access to the underlying operating system without any proper layers of protection.

Table 3: Using CC Attack Potential in all phases of testing.
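As an added example (my code, not the article's or CyberSecurity Malaysia's), the Python below implements the factor values and rating bands of CEM v3.1 Revision 3 Annex B, Tables B.3 and B.4, from which the bracketed points in Tables 1 and 3 are taken, and reports which AVA_VAN components a TOE fails when a scenario at that potential is exploitable. The table values are written from memory of the CEM and are assumptions to check against the edition in use; note that with these bands 10 to 13 points rate Enhanced-Basic, so the total of 11 in Table 1 sits one band above the Basic label it carries.

```python
# Added example, not from the article: Common Criteria attack potential
# calculator using the factor values (CEM v3.1 R3 Table B.3, identification
# column) and rating bands (Table B.4), as recalled; verify against the CEM.
from dataclasses import dataclass

ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=2 weeks": 2, "<=1 month": 4,
                "<=2 months": 7, "<=3 months": 10, "<=4 months": 13,
                "<=5 months": 15, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE_OF_TOE = {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10,
          "none": None}  # "none": no window at all, so the scenario is not exploitable
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}

# Table B.4 bands: (upper bound, potential required to exploit, AVA_VAN levels the
# TOE fails if such a scenario is exploitable). Basic potential fails every level.
BANDS = [(9, "Basic", (1, 2, 3, 4, 5)), (13, "Enhanced-Basic", (3, 4, 5)),
         (19, "Moderate", (4, 5)), (24, "High", (5,))]

@dataclass(frozen=True)
class Scenario:
    elapsed_time: str
    expertise: str
    knowledge_of_toe: str
    window: str
    equipment: str

def attack_potential(s: Scenario):
    """Return (points, rating, failed AVA_VAN levels) for one test scenario."""
    if WINDOW[s.window] is None:
        return None, "Not exploitable", ()
    points = (ELAPSED_TIME[s.elapsed_time] + EXPERTISE[s.expertise]
              + KNOWLEDGE_OF_TOE[s.knowledge_of_toe] + WINDOW[s.window]
              + EQUIPMENT[s.equipment])
    for upper, rating, fails in BANDS:
        if points <= upper:
            return points, rating, fails
    return points, "Beyond High", ()

# The article's scenarios: Table 1 (contactless applet) and Table 3 plan/execute (UTM box).
TABLE1 = Scenario("<=1 week", "proficient", "sensitive", "unlimited", "standard")
TABLE3_PLAN = Scenario("<=2 weeks", "proficient", "public", "unlimited", "standard")
TABLE3_EXEC = Scenario("<=1 week", "layman", "public", "unlimited", "standard")

if __name__ == "__main__":
    for name, sc in (("Table 1", TABLE1), ("Table 3 plan", TABLE3_PLAN),
                     ("Table 3 execute", TABLE3_EXEC)):
        print(f"{name}: {attack_potential(sc)}")
```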


Before we do so, in reference to Table 2 in Part 2, below is the basis for determining each level of description, to assist in reaching a decision.

Basic - Tests that are conducted are based on information, approaches and tools available through research in the public domain, such as the Internet, books and journals.

Enhanced Basic - Tests that are conducted are based on information, approaches and tools that are not available in the public domain and that also require special interest and experience in such skills.

Moderate - Tests that are conducted are based on information, approaches and tools used with a certain level of proficiency in testing skills and experience, with the help of tools that are publicly available or customised.

High - Tests that are conducted are based on information, approaches and tools used with a specialised set of skills and experience not openly available in the public domain, in addition to specific design concepts.

Beyond High - Tests that are conducted are based on information, approaches and tools used with a specialised set of skills and experience not openly available in the public domain, in addition to specific design tools. It also requires highly skilled exploitation with the help of specialised equipment such as smartcard testing technologies.

On that basis, Table 3 describes the ways of determining test approaches, the tools to be used, the execution of test activities and, most importantly, the risk of each of those vulnerabilities via vulnerability analysis.

Conclusion

Combining all three parts of this article, we can conclude that the importance of the vulnerability analysis approach in vulnerability assessment and penetration testing cannot be denied. Yet, until now, vulnerability analysis has not been adopted or taken seriously. Apart from determining the risks attached to the vulnerabilities found, vulnerability analysis is the activity that justifies whether the risks introduced are relevant. In finalising the verdict on each risk found, proper justification in conducting vulnerability analysis is crucial. Therefore, by using CC Attack Potential, the relevance and proper validation of found vulnerabilities towards risk determination can be done appropriately. CC Attack Potential can be used not only during the analysis phase but also during the preliminary and execution phases. It is therefore concluded that CC Attack Potential is an improvement in the techniques and approaches proposed for vulnerability analysis, and a better option in conducting vulnerability assessment and penetration testing, providing higher quality deliverables and justifications. ■

References
1. Debra S. Herrmann, Using the Common Criteria for IT Security Evaluation, Auerbach, 2003.
2. Thomas R. Peltier, Information Security Risk Analysis, Auerbach, 2005.
3. Thomas L. Norman, Risk Analysis and Security Countermeasure Selection, Taylor and Francis Group, 2010.
4. Common Criteria for Information Technology Security Evaluation Part 1: Introduction and General Model, Version 3.1 Revision 3, July 2009, CCMB-2009-07-001.
5. Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 3, July 2009, CCMB-2009-07-003.
6. Common Methodology for Information Technology Security Evaluation (CEM): Version 3.1 Revision 3, July 2009, CCMB-2009-07-004.