Threats, Countermeasures, and Advances in Applied Information Security - Advances in Information Security, Privacy, and Ethics

Published By IGI Global

9781466609785, 9781466609792

Author(s): Aditya Raj, Tushar Pahwa, Ashish Jain

CAPTCHAs are employed on websites to differentiate between human users and bot programs that indulge in spamming and other fraudulent activities. With the advent and advancement of sophisticated computer programs to break CAPTCHAs, it has become imperative to continuously evolve the CAPTCHA schemes in order to keep the Internet and websites free of congestion and spam-bots. In light of these developments concerning information security, in this chapter, the authors introduce the novel concept of Scrambled CAPTCHA, which is a combination of OCR-based and Picture CAPTCHAs and exploits an inherent characteristic of human vision and perception. They also introduce Hindi CAPTCHA, developed in the Hindi language (Devanagari script). This CAPTCHA will typically address spamming on Indian websites. It also contributes to the digitalization of books written in this script. The authors also discuss the features and security aspects of these schemes in detail, which, to the best of their knowledge, had not been implemented earlier.


Author(s): Xianghan Zheng, Vladimir Oleshchuk

Today, Peer-to-Peer SIP based communication systems have attracted much attention from both academia and industry. The decentralized nature of P2P might provide a distributed peer-to-peer communication system without the help of the traditional SIP server. However, the decentralization features come at the cost of reduced manageability and create new concerns. Until now, the main focus of research has been on the availability of the network and systems, while few attempts have been made to protect privacy. In this chapter, we investigate P2PSIP security issues and introduce two enhancement solutions: central based security and distributed trust security, both of which have their own advantages and disadvantages. After that, we study an appropriate combination of these two approaches to get optimized protection. Our design is independent of the DHT (Distributed Hash Table) overlay technology. We take the Chord overlay as the example, and then analyze the system in several aspects: security & privacy, number of hops, message flows, etc.


Author(s): Kasra Amirtahmasebi, Seyed Reza Jalalinia

Due to the huge growth in the need for Web applications worldwide, there have been huge efforts from programmers to develop and implement new Web applications to be used by companies. Since a number of these applications lack proper security considerations, malicious users will be able to gain unauthorized access to confidential information of organizations. A concept called SQL Injection Attack (SQLIA) is a prevalent method used by attackers to extract confidential information from organizations’ databases. They work by injecting malicious SQL code through the web application, and they cause unexpected behavior from the database. There are a number of SQL Injection detection/prevention techniques that must be used in order to prevent unauthorized access to databases.


Author(s): Siani Pearson, Tomas Sander

Regulatory compliance in areas such as privacy has become a major challenge for organizations. In large organizations there can be hundreds or thousands of projects that involve personal information. Ensuring that all those projects properly take privacy considerations into account is a complex challenge for accountable privacy management. Accountable privacy management requires that an organization makes sure that all relevant projects are in compliance and that there is evidence and assurance that this actually is the case. To date, there has been no suitable automated, scalable support for accountable privacy management; it is such a tool that the authors describe in this chapter. Specifically, they describe a privacy risk assessment and compliance tool which they are developing and rolling out within a large, global company – called HP Privacy Advisor (HP PA) – and its generalisation and extension. The authors also bring out those security, privacy, risk, and trust-related aspects they have been researching related to this work in particular.


Author(s): C. Warren Axelrod

One cannot develop effective economic models for information security and privacy without having a good understanding of the motivations, disincentives, and other influencing factors affecting the behavior of criminals, victims, defenders, product and service providers, lawmakers, law enforcement, and other interested parties. Predicting stakeholders’ actions and reactions will be more effective if one has a realistic representation of how each of the various parties will respond to internal motivators and external stimuli. In this chapter, reactions of involved parties are assumed to be based on “personal utility functions.” However, it is not sufficient merely to develop static utility functions, since the net value of security and privacy changes dynamically. External events, such as the announcement of a new threat, also have a significant effect on both subjective and objective net value. Knowing how such value functions vary over time helps determine the overall dynamic impact of security and privacy measures on the behavior of various participants and ultimately on the economic model that describes these behaviors. Also in this chapter, the authors enumerate the many factors that affect all the various parties and examine how these factors affect the responses of all those involved due to the economic impact of particular exploits and situations as they affect different groups.


Author(s): Trailokya Oraon

Embedded systems are extensively used in the field of pervasive computing. These systems are used to such an extent that embedded systems are now controlled and monitored from remote locations by using Web services. Internet authorities are able to assign every device a unique Internet protocol address with the introduction of IPv6 on the Web. Peer-to-peer communication between Internet-enabled devices helped Web services to improve performance. On the downside, it created new attacks on the components used in the embedded systems. The chapter discusses the details of security issues in a Web-enabled embedded system used in a greenhouse environment. The devices used in the greenhouse environment are monitored and controlled by different software components used in the entire system. Various vulnerabilities are introduced during the entire development process of the greenhouse environment. The problem is to search for the real threats, then define security policies and implement them during the development process. The chapter discusses most of the vulnerabilities of a generalized greenhouse project and tries to find out possible security techniques to deal with the vulnerabilities. Instead of showing the design to build a greenhouse embedded system, it shows how to introduce security policies at various levels of the life-cycle, be it before development, during development, or after development.


Author(s): David S. Allison, Hany F. EL Yamany, Miriam A.M. Capretz

Privacy for Service-Oriented Architecture (SOA) is required to gain the trust of those who would use the technology. Through the use of an independent Privacy Service (PS), the privacy policies of a service consumer and provider can be compared to create an agreed upon privacy contract. In this chapter, the authors further define a metamodel for privacy policy creation and comparison. A trust element is developed as an additional criterion for a privacy policy. The authors define the PS, outline what operations it must perform to accomplish its goals, and present how the PS operates in different scenarios. They believe the PS, combined with the enhanced metamodel, provides a strong solution for providing privacy in an SOA environment.


Author(s): Luigi Catuogno, Clemente Galdi

Authentication is probably one of the main security processes that almost everybody has at one point used. Currently, the most widespread authentication mechanism is based on textual passwords, a well-established approach that, with the growth of users and services, has increasing and serious drawbacks. With the rise of high quality displays and more ergonomic human computer interaction mechanisms such as mice, touch-pads and touch-screens, graphical passwords are credited as a valuable replacement for old-fashioned passwords. In contrast to alphanumerical passwords, graphical authentication mechanisms promise greater memorability and usability. In this chapter, an overview of the state of the art of this topic is presented, introducing some of the main schemes proposed in the current literature. The issues and concerns related to security and usability, which still challenge the researchers in this area, are also discussed.


Author(s): Chris Strasburg, Johnny Wong

The arms race between cyber attackers and defenders has evolved to the point where an effective counter-measure strategy requires the use of an automated, distributed, and coordinated response. A key difficulty in achieving this goal lies in providing reliable measures by which to select appropriate responses to a wide variety of potential intrusions in a diverse population of network environments. In this chapter, the authors provide an analysis of the current state of automated intrusion response metrics from a pragmatic perspective. This analysis includes a review of the current state of the art as well as descriptions of the steps required to implement current work in production environments. The authors also discuss the research gaps that must be filled to improve security professionals’ ability to implement an automated intrusion response capability.


Author(s): Olivier Flauzac, Florent Nolot, Cyril Rabat, Luiz-Angelo Steffenel

Network security is a daily evolving domain. Every day, new attacks, viruses, and intrusion techniques are released. Hence, network devices, enterprise servers, or personal computers are potential targets of these attacks. Current security solutions like firewalls, intrusion detection systems (IDS), and virtual private networks (VPN) are centralized solutions, which rely mostly on the analysis of inbound network connections. This approach notably forgets the effects of a rogue station, whose communications cannot be easily controlled unless the administrators establish a global authentication policy using methods like 802.1x to control all network communications among each device. To the best of the authors’ knowledge, a distributed and easily manageable solution for the global security of an enterprise network does not exist. In this chapter, they present a new approach to deploy a distributed security solution where communication between each device can be controlled in a collaborative manner. Indeed, each device has its own security rules, which can be shared and improved through exchanges with other devices. With this new approach, called grid of security, a community of devices ensures that a device is trustworthy and that communications between devices proceed in accordance with the control of the system policies. To support this approach, the authors present a new communication model that helps structure the distribution of security services among the devices. This can secure ad-hoc, local-area, or enterprise networks in a decentralized manner, preventing the risk of a security breach in the case of a failure.

