Craftopia
COMPUTER SECURITY
The security measures put in place for an automated information system to achieve the relevant objectives of upholding the integrity, accessibility, and confidentiality of resources within the information system, encompassing hardware, software, firmware, data, and telecommunications.
For more information, click on the 'More Information' link in the navigation bar.
SECURITY ATTACKS
In the realm of cybersecurity, security attacks are a pervasive and evolving threat. These attacks come in two primary forms: active and passive. Active attacks involve deliberate actions to compromise systems, while passive attacks focus on information gathering without altering data. Understanding the nuances of these attacks is crucial for safeguarding digital assets and personal privacy. This exploration delves into the motivations, techniques, and consequences of security attacks, shedding light on the evolving threat landscape and strategies for effective defense
For more information, click on the 'More Information' link in the navigation bar.
COMPUTER VIRUSES
In the vast landscape of the digital world, lurking beneath the surface, are unseen threats known as computer viruses. These are not the biological pathogens we're accustomed to, but rather malicious software programs designed with a singular intent: to infiltrate, replicate, and disrupt. They have been a part of the digital narrative since the early days of computing, evolving and adapting alongside our technological advancements.
This exploration delves into the world of computer viruses, unraveling their origins, how they operate, and the enduring struggle to shield our digital realms from their insidious reach. From the basics of infection to the ever-evolving battlefront of cybersecurity.
For more information, click on the 'More Information' link in the navigation bar.
MOBILE CODE SECURITY
Web security encompasses various aspects, including naming and connections, but it goes beyond these concerns. In the early days of the web, static HTML pages didn't include executable code. However, modern web pages often incorporate dynamic elements like Java applets, ActiveX controls, and JavaScripts. Executing such mobile code poses significant security risks, prompting the development of various strategies to mitigate these risks. Let's explore the challenges posed by mobile code and some approaches to address them.
Java Applet Security :
Java applets are small Java programs compiled to a stack-oriented machine language called JVM (Java Virtual Machine). They can be placed on a Web page for downloading along with the page. After the page is loaded, the applets are inserted into a JVM interpreter inside the browser, as illustrated :
The advantage of executing interpreted code as opposed to compiled code lies in the scrutiny each instruction undergoes before execution. The interpreter has the opportunity to validate the instruction's address, enhancing security. Furthermore, system calls are subject to interpretation, and their handling depends on the security policy in place. For instance, a trusted applet, such as one from a local source, may have its system calls executed without scrutiny.
However, for untrusted applets, like those from the internet, they may be encapsulated within a sandbox to confine their actions and intercept their attempts to access system resources. When an applet seeks to access a system resource, its request is forwarded to a security monitor for evaluation. The monitor assesses the request in accordance with the local security policy and decides whether to permit or deny it. This approach enables selective resource access for applets, but it's worth noting that the security model can have flaws, leading to occasional vulnerabilities.
ActiveX controls :
​
ActiveX controls are x86 binary programs that can be integrated into web pages. When a browser encounters one, it assesses whether to execute it, and if it passes the evaluation, it is executed. Unlike some other technologies, ActiveX controls are not interpreted or contained within a sandbox, granting them significant power similar to regular user programs. This lack of containment raises security concerns, making the decision to run an ActiveX control pivotal. In hindsight, this approach presents a substantial security vulnerability.
Microsoft's chosen method for deciding whether to execute an ActiveX control relies on code signing. Each ActiveX control is accompanied by a digital signature, a cryptographic hash of the code signed by its creator. When an ActiveX control is encountered, the browser first verifies the signature to ensure it hasn't been tampered with during transit. If the signature is valid, the browser checks internal tables to determine if the program's creator is trusted, or if there's a trusted chain of origin. If trust is established, the program is executed; otherwise, it's blocked. Microsoft's system for verifying ActiveX controls is known as Authenticode.
Contrasting this with the Java approach, where the focus is on runtime behavior and ensuring applets adhere to specified restrictions, code signing with ActiveX doesn't monitor the mobile code's behavior at runtime. If the code originates from a trusted source and remains unaltered in transit, it runs without scrutiny. No effort is made to discern whether the code is malicious. If an original programmer intended to perform harmful actions and is deemed trusted, the code executes, potentially causing harm (unless ActiveX controls are disabled in the browser).
Many individuals find the idea of trusting an unknown software company unsettling. To highlight this issue, a programmer in Seattle established a software company and obtained certification as a trustworthy entity, which is relatively easy to accomplish. Subsequently, he developed an ActiveX control that executed a system shutdown and distributed it widely. While it did shut down numerous machines, they could be rebooted, resulting in no permanent harm. His intent was to expose the problem to the public. The official response was to revoke the certificate for this specific ActiveX control, ending a brief episode of embarrassment. However, the fundamental issue remains, potentially exploitable by malicious programmers.
Given the impracticality of overseeing the multitude of software companies that might create mobile code, the reliance on code signing is viewed by many as a looming security disaster.