Sunday, December 21, 2008

Comparison of REGEDT32 and REGEDIT.

Most users who have been using Windows NT for a long time have used REGEDT32.EXE, the Windows NT Registry Editor. Windows 95 users, or NT users coming from a Windows 95 background, however, have always used REGEDIT.EXE. The good news is that both are included with Windows NT 4.0, and you can use either. Windows 95 users don't have a choice.

There are significant differences, however, in the features that each possesses. Each has its strengths and weaknesses, and most NT users will end up using both. Table 10.1 compares REGEDT32 with REGEDIT.

Table 10.1. Comparison of REGEDT32 and REGEDIT

Feature                                   REGEDT32   REGEDIT
All handle keys available                 X          X
Edit current Registry                     X          X
Edit local NT Registry                    X          X
Edit local 95 Registry                               X
Remotely edit other NT Registries         X          X
Remotely edit other 95 Registries                    X
Export and import hives                   X          X
Export hives as text                      X          X
Tiled view of multiple handle keys        X
Copy key name available                              X
Right mouse button support                           X
Single-click cascading of folders                    X
Print contents                            X          X
Edit multiple string entries              X
Security available on keys and values     X
Auditing available on keys and values     X
Search for keys                           X          X
Search for values                                    X
Search for data strings                              X
Read-only mode                            X
Change screen font                        X
Resource list entries as window           X          binary only


REGEDT32.EXE focuses more on high-security, hardware-level editing, whereas REGEDIT.EXE is designed for ease of use and broad appeal. Most tasks you perform can be done in REGEDIT.EXE with no problem, and, in many cases, they can be done more easily and quickly than with REGEDT32.EXE.


How to Make a Backup of Registry Using Regedit

How to Make a Backup of Your Registry Using Regedit

Computer users who are looking for a way to produce a backup copy of their Windows registry can easily do so from within Windows, without any third-party software.
Users need to make backup copies of the Windows registry because it is a large file that contains information about the settings of the computer and its programs.

A lot of users don't understand exactly what the Windows registry is, or why they should keep backup copies of its data. The Windows Registry is basically a vault of the various settings Windows and other programs use; it is where programs get their configuration information from.

The reason users need to make backup copies of their registry is simple: one little mistake in the registry can stop Windows from loading at startup.
It is essential to keep backup copies because every program you install or download has the ability to modify the registry, or even destroy it.

It's important for users to remember that every program you install on your system has access to your system's registry. A lot of adware and spyware applications will modify your system's registry in order to take over your web browser.

Making weekly backup copies of your registry is not only a smart thing to do, it also takes only a few seconds. As mentioned before, users do not require a third-party utility to back up their registry. A tool called RegEdit is installed on every Windows PC, and although it looks quite complicated, making backup copies of your system's registry with it is actually rather easy.

To start, click the Start button and select Run. Type regedit and press the Enter key. A few seconds later you will be presented with a two-pane window that resembles Windows Explorer.

Go into the File menu and select Export. Choose the location where you wish to store the registry backup file, type in a name for the file, and click the Save button. You now have a backup of your Windows registry.

If you decide to make registry backups every day, remember to delete the older copies: because of the large amount of data stored in the registry, the files can be very large (fifty to a hundred megabytes).

When you find the need to restore a backup copy of your registry, the process is simple. Locate the backup file and double-click it. You will be presented with a dialog asking whether you are sure you wish to add the data to your registry. Click Yes and your registry will be restored within seconds.

Restoring a backup copy of your registry is a great idea whenever you stumble across a program that takes control of your web browser, or if you are having problems with an installed application that was working fine when you produced the backup.

Friday, December 19, 2008

Structure of the Registry Editor!

The Structure of the Registry

The Registry has a hierarchical structure. Although it looks complicated, the structure is similar to the directory structure on your hard disk, with Regedit being similar to Windows Explorer.

There are six main branches, each containing a specific portion of the information stored in the Registry. They are as follows:

  • HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
  • HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
  • HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.
  • HKEY_USERS - This branch contains individual preferences for each user of the computer; each user is represented by a SID sub-key located under the main branch.
  • HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
  • HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE used with the Plug-&-Play features of Windows; this section is dynamic and will change as devices are added to and removed from the system.

Each registry value is stored as one of five main data types:

  • REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.
  • REG_DWORD - This type represents the data as a four-byte number and is commonly used for boolean values, such as "0" for disabled and "1" for enabled. Additionally, many parameters for device drivers and services are of this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.
  • REG_EXPAND_SZ - This type is an expandable data string, that is, a string containing a variable to be replaced when called by an application. For example, the string "%SystemRoot%" will be replaced by the actual location of the directory containing the Windows NT system files. (This type is only available using an advanced registry editor such as REGEDT32.)
  • REG_MULTI_SZ - This type is a multiple string used to represent values that contain lists or multiple values; each entry is separated by a NULL character. (This type is only available using an advanced registry editor such as REGEDT32.)
  • REG_SZ - This type is a standard string, used to represent human readable text values.
Other data types not available through the standard registry editors include:
  • REG_DWORD_LITTLE_ENDIAN - A 32-bit number in little-endian format.
  • REG_DWORD_BIG_ENDIAN - A 32-bit number in big-endian format.
  • REG_LINK - A Unicode symbolic link. Used internally; applications should not use this type.
  • REG_NONE - No defined value type.
  • REG_QWORD - A 64-bit number.
  • REG_QWORD_LITTLE_ENDIAN - A 64-bit number in little-endian format.
  • REG_RESOURCE_LIST - A device-driver resource list.
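The File > Export step in the backup post above writes the registry as a text .reg file, and the types listed here are what such a file encodes. The parser below is an added example, not code from the original posts: it decodes a version 5.00 export into REG_SZ, REG_DWORD, REG_EXPAND_SZ, REG_MULTI_SZ, REG_BINARY and REG_QWORD values and flags the key and value deletion entries a .reg file can carry, so a backup or a downloaded .reg file can be inspected before it is imported. The sample export and the helper names are constructed for the example.

```python
# Parser for Regedit's exported .reg text format (version 5.00).
# Added example for this page; the sample export and helper names are constructed.
import re
from dataclasses import dataclass, field

HEADER_V5 = "Windows Registry Editor Version 5.00"
# Type tag after "hex(" -> registry type; bare "hex:" is REG_BINARY, "dword:" is separate.
HEX_TAGS = {"": "REG_BINARY", "0": "REG_NONE", "1": "REG_SZ", "2": "REG_EXPAND_SZ",
            "3": "REG_BINARY", "4": "REG_DWORD", "5": "REG_DWORD_BIG_ENDIAN",
            "6": "REG_LINK", "7": "REG_MULTI_SZ", "8": "REG_RESOURCE_LIST", "b": "REG_QWORD"}
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

@dataclass
class RegKey:
    path: str
    delete: bool = False                        # "[-HKEY_...]" removes the key
    values: dict = field(default_factory=dict)  # name -> (type, decoded data)

def _unescape(s: str) -> str:
    # Only backslash and double quote are escaped inside .reg strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _decode_hex(tag: str, raw: str) -> tuple:
    kind = HEX_TAGS.get(tag.lower())
    if kind is None:
        raise ValueError(f"unknown hex type tag {tag!r}")
    data = bytes(int(b, 16) for b in raw.split(",") if b.strip())
    if kind in ("REG_DWORD", "REG_QWORD"):
        return kind, int.from_bytes(data, "little")
    if kind == "REG_DWORD_BIG_ENDIAN":
        return kind, int.from_bytes(data, "big")
    if kind in ("REG_SZ", "REG_EXPAND_SZ", "REG_LINK"):
        # Version 5.00 exports store strings as UTF-16LE with a NUL terminator.
        return kind, data.decode("utf-16-le").split("\x00", 1)[0]
    if kind == "REG_MULTI_SZ":
        parts = data.decode("utf-16-le").split("\x00")
        while parts and parts[-1] == "":        # drop the double-NUL terminator
            parts.pop()
        return kind, parts
    return kind, data

def _decode_value(data: str) -> tuple:
    if data == "-":
        return "DELETE", None                   # "name"=- deletes the value
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return "REG_SZ", _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"^hex(?:\((\w+)\))?:(.*)$", data, re.IGNORECASE)
    if m:
        return _decode_hex(m.group(1) or "", m.group(2))
    raise ValueError(f"unrecognised value data: {data!r}")

def _logical_lines(text: str):
    """Join hex continuation lines (ending in a backslash) into one line."""
    buf = ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip() if buf else line[:-1]
            continue
        yield (buf + line.strip()) if buf else line
        buf = ""
    if buf:
        yield buf

def parse_reg_text(text: str) -> list:
    """Parse .reg text; read a real export with open(path, encoding="utf-16")."""
    lines = _logical_lines(text.lstrip("\ufeff"))
    if next(lines, "").strip() != HEADER_V5:
        raise ValueError("not a version 5.00 Regedit export")
    keys = []
    for line in lines:
        if not line.strip() or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            keys.append(RegKey(path.lstrip("-"), delete=path.startswith("-")))
            continue
        m = _VALUE_RE.match(line)
        if not m or not keys:
            raise ValueError(f"malformed line: {line!r}")
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[-1].values[name] = _decode_value(m.group(2))
    return keys

# Constructed sample in the shape regedit's File > Export produces.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleApp]
@="default"
"Name"="he said \\"hi\\""
"Count"=dword:0000002a
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\\
  00,25,00,00,00
"List"=hex(7):61,00,00,00,62,00,00,00,00,00
"Blob"=hex:de,ad,be,ef
"Big"=hex(b):ff,ff,ff,ff,00,00,00,00
"Gone"=-

[-HKEY_CURRENT_USER\\Software\\OldApp]
"""
```

Importing a .reg file merges its contents into the registry rather than replacing it, so keys and values added since the export remain; reading the file first shows exactly what the import will write or delete.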

What Is A Registry [Regedit]?

What is the Registry?
The Registry is a database used to store settings and options for the 32-bit versions of Microsoft Windows, including Windows 95, 98, ME and NT/2000. It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user makes changes to Control Panel settings, file associations, system policies, or installed software, the changes are reflected and stored in the Registry.

The physical files that make up the registry are stored differently depending on your version of Windows. Under Windows 95 and 98 it is contained in two hidden files in your Windows directory, called USER.DAT and SYSTEM.DAT; Windows Me has an additional CLASSES.DAT file; under Windows NT/2000 the files are stored separately in the %SystemRoot%\System32\Config directory. You cannot edit these files directly; you must use a tool commonly known as a "Registry Editor" to make any change.

In this blog you can study all about the Registry Editor. Enjoy!

Thursday, December 18, 2008

Google Chrome Review. Nice Result!

Google Chrome, the search giant's first ever web browser, was released to great fanfare on Tuesday, amid talk that it could one day pass Internet Explorer as the world's most popular browser.

The version released for free download is only at the beta-testing stage, but users and critics have been quick to pass early judgment. The consensus? Google Chrome is attractive, fast and has some impressive new features, but may not yet be a threat to its Microsoft rival.

Here is a selection of reviews from some of the most respected technology blogs and writers on the web. Click on the links to read the full reviews, or post your first impressions of Google Chrome in the box at the bottom of the story.

All in all, Google Chrome, after just a little time using it, is superb. It’s not only fast, but it’s useful. It’s not only elegant, but it understands what you really want to do with a browser. And although it suffers from some setbacks that shouldn’t be overlooked, it’s still a highly-capable browser. Download Chrome. You won’t regret it.
TechCrunch

Google has produced an excellent browser that is friendly enough to handle average browsing activities without complicating the tasks, but at the same time it's powerful enough to meet the needs of more-advanced users. The search functionality of the Omnibar is one of many innovations that caught my attention.
PC World

While Chrome's performance is a little better than that of Firefox, in practical terms, it is far less useful, because it lacks the broad array of third-party add-ons programs like Flashblock that make Firefox so customizable. With time, it might catch up, but in the meantime, I'd recommend giving the new Internet Explorer a spin.
The Associated Press

The interface in Chrome is very different from other browsers and takes a little getting used to. Instead of the traditional Netscape/IE-style toolbar across the top, Chrome puts tabs across the top. Moreover, the tabs are detachable, so the terms "tabs" and "windows" become interchangeable within Chrome.
CNET

Will Google Chrome shape the way Web browsers are developed and designed? It is too early to tell, but Google has certainly come up with something appealing and unique. Will Chrome replace Internet Explorer or Firefox? Perhaps not in its present form, and not for a very long time. Overall, Chrome is a killer little application to have and offers a nice break from tradition when surfing the Web. While there's plenty of room for growth and improvement, the first beta release is impressive.
The Tech Herald

Chrome is a smart, innovative browser that, in many common scenarios, will make using the Web faster, easier and less frustrating. But this first version — which is just a beta, or test, release — is rough around the edges and lacks some common browser features Google plans to add later. These omissions include a way to manage bookmarks, a command for emailing links and pages directly from the browser, and even a progress bar to show how much of a Web page has loaded.
Walter S Mossberg from the Wall Street Journal

It munches through media sites with ease, streaming music and video and handling Flash very smoothly. PDFs open so suddenly that you might not even realise you're using them. Opening a new tab brings up not your home page (although you can switch to that) but a thumbnail view of your nine most visited sites, plus recent bookmarks and a box to search your history. Overall, my first impression of Chrome is 9/10 for speed, 8/10 for ease of use and 7/10 for stability. And those figures should have Microsoft and Mozilla very, very worried.
TechRadar

What I discovered was a product that has some clear advantages over Microsoft's, but also some shortcomings that, overall, hardly make it a killer - at least today. To be sure, Chrome is a work in progress. In addition to being a test version, outside developers are invited to make improvements. But it faces a stiff challenge from Microsoft, which also is making improvements with its latest iteration, which includes some of the same features as Chrome, like tabbed browsing.
San Francisco Chronicle

Our first impression of Chrome is that it's nice and fast. There's very little lag opening pages and the entire interface feels very streamlined. Dragging tabs in and out of windows is awesome, with a transparent version of the page pulling away with your mouse. The fact that you can pull tabs out of windows as well as combine windows is a great touch. Everything involving the tabs feels very, very smooth.
Gizmodo

Safend Data Leakage Prevention Solutions

Susan Callahan, senior vice president of business development and marketing at Safend, is seeing a change in trends. In the past, corporations were looking to check a box on compliance. Now, data is their most important asset. CEOs are no longer looking to fill a checkbox; they now want a granular solution, she said. According to a recent study by the IDC, 60 percent of all corporate data is accessed via an endpoint. As the perimeter continues to expand, encryption is no longer enough protection for company data.

Safend's solutions offer a fix for data leakage prevention. The acronym DLP has several expansions depending on who you ask: data loss prevention, data leakage prevention, or related acronyms such as information leak detection and prevention (ILDP) and information leak prevention (ILP). Callahan said, "How much of DLP is a process versus a process? It's such a complex problem to protect data. It's a process or methodology that needs to be adopted within a corporation. Technology enables you to accomplish it. If there is no way of enforcing it, it's not going to happen. Technology is the means to an end."

Safend offers three solutions to address DLP and regulatory compliance: Safend Auditor, Protector and Reporter. Their solutions protect an organization's data in motion, data in use and data at rest. Safend Auditor provides detailed audit logs of all devices currently or historically connected to your endpoints. An evaluation copy of Safend Auditor is available at Safend.com for a free trial. It will reveal how many USB sticks have been used on your machine. It also has a client list utility that lets IT admins see who is connected on what devices in the network. According to an EOM Partners market survey, 72 percent of people within a corporation use at least one USB stick, and many use up to seven different USB sticks. It's important to know who and what devices are connecting to your environment. Safend Auditor is built with regulatory compliance for HIPAA, SOX, PCI and other state privacy laws in mind.

Safend Protector guards against data breaches by applying granular security policies over removable storage devices. Safend Protector offers endpoint monitoring, device identification and blocking based on administrator-defined policies with automatic data encryption. It protects all ports including USB, WiFi, Bluetooth and all removable storage devices. Safend conducted an endpoint security and data leakage threat survey that included responses from enterprise executives and IT administrators. Nearly 60 percent of all respondents were unaware or unsure of how many devices connect to their corporate endpoints. Also, nearly 25 percent have no policies for endpoint and port security at all.

Safend Reporter is an add-on module that provides reporting and analysis on security incidents and operations status. The tool reports on data accessed by removable storage devices and wireless ports that further enables data security and compliance.

Callahan recounted an event where a student used a key logger to get access to his teacher's password. He then had access to the answers to his teacher's exams before each test. When the student performed exceedingly well, to the point of writing his answers almost word for word from the teacher's answers, the compromise was discovered. If kids can do that with a key logger, imagine what can be done to steal company secrets.

"With the average cost of a data breach being $6.3 million per company, it's too expensive to leave to chance," said Callahan.

------------------
Kristen Romonovich is Associate Editor at the Computer Security Institute. She is dedicated to secure green computing, compliance in the cloud and the security of mobile devices. Learn more at our upcoming conference CSI SX: Security Exchange, csisx.com, May 17-21 in Las Vegas.

A (Tentative) Wish-List for a Better, More Secure, Web Browser

Web browsers are where the client machine rubber meets the Web server road. So it stands to reason that strong Web browser security is paramount—far more effective than relying on thousands of Web application/ plug-in developers to write more secure code.

There are definitely some browser developers that are making strides in the right directions, but none of them are quite there yet. I’m still thinking through this, but if I were writing my wishlist for a more secure Web browser today (and, well… I am) then here’s what it would be:

1. It has to work. This is absolutely the most important piece of the puzzle. The trouble is, the most effective ways browsers have thus far come up with to improve security also cause some truly damaging impacts on performance.

2. It has to be built like a platform, not like a singular application. Once upon a time, the Web was a series of static pages, and the Web browser was an application that let you find and view those static pages. Times have changed, however, and now the browser itself plays host to many rich, Web-based applications. Thus, browser development should be treated more like operating system development. Some browsers–Google Chrome, principally–are beginning to make strides in this direction. (As my fellow CSIers, Kristen Romonovich and Robert Richardson, said from the get-go, Chrome is more a Windows competitor than it is an Internet Explorer competitor.)

3. It needs a modular–not monolithic–architecture. In a modular architecture, the browser is divided into at least two components–generally speaking, one that interacts with the client machine, and one that interacts with the Web and operates from within a sandbox. The main benefit is that it’s a great defense against drive-by malware downloads. If an attacker compromises the Web-facing component of the browser, they won’t automatically gain full access to the client machine with user privileges. They’ll only gain access/privileges to whatever the Web-facing component needs. Internet Explorer 8 (beta) and Google Chrome (beta) use modular architectures. The OP Browser still in development by researchers at the University of Illinois uses a more granular modular architecture that splits the browser into five components.

Yet monolithic architectures are used by all the major browsers today. (Monolithic architectures are kind of like real-estate brokers who represent both the buyer and the seller–you just can’t quite trust them.)

4. It has to support some sort of process isolation. In essence, isolating processes means that when one site/object/plug-in crashes, it doesn’t crash the entire browser.

5. Its security policies cannot rely heavily on the user. Average users should not be expected to understand the intricacies of privacy and security settings. They shouldn’t be expected to dig into their Internet options, flip JavaScript on and off and on and off again, disable plug-ins, delete nefarious cookies, or anything else.

6a. It’s got to figure out how to securely handle plug-ins.
6b. It’s got to figure out how to securely handle JavaScript.

The troubles with plug-ins are that they tend to run as one instance–so process isolation doesn’t really work with them–they’re given unchecked access to all the browser’s innards, and they tend to assume/require the user’s full privileges. In order to allow plug-ins to run properly, Chromium (the modular, open-source Web browser architecture used by Google Chrome) runs them outside of the sandbox, and with the user’s full privileges–so the browser can’t do anything to save the user’s machine from malicious downloads through an exploited plug-in.

The OP Browser has some very innovative ways of handling plug-ins. Rather than using the Same Origin Policy–which prohibits scripts and objects from one domain from accessing/loading content (scripts/objects) from another domain–the browser applies to plug-ins a “provider domain policy,” in which the browser can label the Web site and the plug-in content embedded in that Web site with separate origins. The plug-in’s origin will be the domain that’s hosting the plug-in content, which is not necessarily the same as the domain of the page you’re viewing. (So if you were here on GoCSIBlog.com and I’d embedded an Adobe Flash media file from YouTube, the OP browser could recognize the page’s origin as GoCSIBlog.com and the Flash file’s origin as YouTube.com.) The benefit here is that you can add a site to your “trusted” list–thereby allowing plug-ins and allowing any plug-in content that originates from that trusted site–without needing to allow plug-in content that is running on the trusted site but originates from untrusted sites. This greatly mitigates the risks of cross-domain plug-in content… however a) there are some cases where this policy will prevent plug-ins from operating properly and b) as Robert Hansen, CEO of SecTheory pointed out to me, the primary vector for cross-domain content attacks (XSS, CSRF) is JavaScript, not plug-ins.

Yet, browsers (the OP browser included) continue to apply the same origin policy to JavaScript, and there are many JavaScript-based attacks–JavaScript hijacking, for example–that sidestep the same origin policy.

The trouble is, none of the browser companies have really figured out yet how to securely handle JavaScript in a way that doesn’t disrupt one’s browsing experience and/or require security-savvy action from users. The NoScript plug-in for Firefox is a good tool, but a) it’s not a standard Firefox feature, and b) it’s a bit advanced for the average user. Other browsers allow you to simply disable JavaScript, but doing so means the user won’t be able to enjoy some of the fun, quintessentially Web 2.0 things the Internet now has to offer. Further, JavaScript is automatically enabled on any sites on the user’s “trusted” list, so malicious JavaScript on a legitimate site continues to be a problem.

Web browsers’ inability to elegantly handle JavaScript-related threats is a big problem, because it means that we all must rely upon the individual Web site developers to keep their sites free of cross-site scripting flaws and cross-site request forgery vulnerabilities.

Part of the trouble may be that currently available rendering engines, used for parsing HTML and executing JavaScript, are error-prone and written in generally insecure languages. (So if you’re a young researcher, maybe “Creating a more secure HTML rendering engine” would make a good thesis project. Pretty please?)

I’m still thinking some of this through, so do let me know if you disagree, see errors in my judgment, or think something else should be on this list.

Also: should one browser be expected to do everything? How likely are you (and your users) to use one browser for everyday activities and another browser for more delicate activities?

We’ll be devoting the next issue of the Alert–CSI’s members-only publication–to browsers and other elements of client-side Web security issues. We’ll also be discussing some of this during the CSI 2008 conference next month. On Tuesday, Nov. 18, Gunter Ollmann of IBM-ISS will present a full 60-minute session on “Man-in-the-Browser Attacks,” and, also on Tuesday, browser security will be discussed during the Web 2.0 Security Summit, moderated by Jeremiah Grossman (CTO, WhiteHat Security) and Tara Kissoon (Director of Information Security Services at VISA, Inc.).

------------------
Sara Peters, senior editor at the Computer Security Institute, is a well-rounded geek-at-large with particular enthusiasm for Web 2.0 security, Web vulnerability disclosure law, virtualization, and cartoons about ninjas.

Sour Travels with SugarTrip

As Web browsers are becoming more like operating systems, and phones are becoming more like computers, there are a host of new web applications that are supposed to enhance our lives, making them more fun and functional. However, there are also a host of security and privacy concerns that come along with these applications. For instance, SugarTrip is an application available through Google’s Android platform used with the iPhone. SugarTrip utilizes the GPS units that are integrated into most Android phones to measure street traffic. As users drive their cars, SugarTrip measures how quickly they are traveling and reports their speeds back to a central server. The application will also allow users to view routes taken by other drivers to plan the fastest route. It can also pinpoint cars on a map so when a person parks, it is easy to find the car later.

SugarTrip is being marketed as a green application as it should help drivers plan better driving routes and prevent cars from sitting in traffic. However, it seems to me one should be aware of SugarTrip’s privacy concerns before everyone goes out to download the free app.

I mention this because of my recent trip to Connecticut. I found myself stuck at the E-ZPass toll with an increasingly long line of angry New Yorkers just as anxious as me to flee the city for the weekend. Being that the E-ZPass lane is supposed to be faster than cash, and my E-ZPass failed to pay my toll, they expressed their feelings with angry honking and loud expletives in my direction. After being told by a cop to wait in the E-ZPass help lane, (who knew there was such a thing?) and with passing cars showing their appreciation with friendly one-fingered waves, my E-ZPass was revoked.

Revoked? I hadn’t the faintest clue as to why. Once safely out of NY, I was told my E-ZPass had been revoked thanks to another driver on my account who sped through an E-ZPass toll at 35 mph instead of the requested 10 mph.

And with that tidbit, I realized the significance of my technological conveniences working against me. My E-ZPass was tracking my every trip, measuring the time it takes me to go from one toll booth to the next, recording how many times I travel to Connecticut or Manhattan or who knows where else.

With the SugarTrip application sending our traveling speeds and locations back to some unknown central server, I would suggest taking a lesson from my E-ZPass experience and asking yourself whether the convenience is worth the trouble.

------------------
Kristen Romonovich is Associate Editor at the Computer Security Institute. She is dedicated to secure green computing, compliance in the cloud and the security of mobile devices. Learn more at our upcoming conference CSI SX: Security Exchange, csisx.com, May 17-21 in Las Vegas.

Sandboxes and Surfing with Google Chrome

Google designed Chrome to be faster, more stable and most importantly, more secure than other Web browsers. So with these features in mind, Google Chrome was built from scratch to be a Web browser designed for today’s web application users. As more businesses venture into the cloud, it’s becoming increasingly important that your browser doesn’t crash when you’re creating reports in Google Docs or when you’re video conferencing. In order to prevent crashes, Google Chrome developers sandboxed each tab, so that if one tab malfunctions, the whole browser doesn’t crash. If one tab does go down, a “sad tab” will appear depicting a ‘sad face’ emoticon.

This isolation process is similar to what modern operating systems do. With sandboxing, the goal is to prevent malware from installing itself on the computer and to stop what happens in one tab from affecting what happens in another. The perimeter of the sandbox is based on permissions. Each process is stripped of its rights: it can compute, but it can’t write files or read from sensitive areas such as the desktop or documents. Chrome has taken the existing process boundary and made it into a metaphorical jail. Malicious software in one tab is unable to sniff credit card numbers, interact with mouse operations, or tell Windows to run an executable at start-up. Since Google is writing the code, they have the ability to say who is and who isn’t granted permission.

If sandboxed tabs don’t offer enough security for your end users, there are also privacy modes to ensure that your surfing history isn’t being tracked, such as Protected Mode used in IE7 and Windows Vista, which can be enabled or disabled by group policy or parental controls. (Apple’s Safari also has a private browsing feature.) Google Chrome offers a similar mode called Incognito. (Chrome’s mode currently cannot be disabled through parental controls or group policy.)

These modes are jokingly referred to as ‘porn mode’, because the Web surfing activity isn’t tracked: the browser does not store history information or cookies. A spouse who doesn’t want their significant other to know that he/she has been surfing disreputable sites would not be found out while surfing in these modes. These privacy modes have business-related uses as well. Privacy modes are good to use when typing passwords or financial, personal or sensitive information into a Web site.


Cutting Through E-Voting Semantics

The United Kingdom’s government said unequivocally that the UK will not now, nor in the foreseeable future, adopt electronic voting. According to today’s story at The Register:

    Michael Wills, a Minister of State at the Ministry of Justice, was asked if the government planned to introduce e-voting before the local and European elections in 2009. He said last week: “The Government do not plan to introduce e-voting for the 2009 European or local elections … The Government have no plans for further e-voting pilots in statutory elections at this stage.”

I did a story about e-voting a few years ago, and found it quite a vexing, exhausting process, because one had to viciously hack through a thicket of semantics to find out what e-voting proponents and e-voting opponents were really arguing about so vociferously.

So I’ll now attempt to save you (and your machete) the effort, and give you the gist of the semantic debate. If you want a much more thorough minutiae-rich account (and you’re a member of the Computer Security Institute) you can read that here.

First off: not all e-voting machines are created equal. “Optical scan” voting machines are technically e-voting machines, but are actually heartily recommended by many people who are often lumped into the category of “e-voting opponents.” What we most often think of as “e-voting machines” are DREs (Direct Recording Electronic machines).

In essence the debate is all about whether or not meaningful audits of the voting machines’ accuracy and integrity can be conducted. Meaningful.

After the polls close, a voting machine spits out a summary report of how many votes were cast for each candidate. There should be a way to verify that a) the machine’s count is accurate (like if 500 voters cast votes for Candidate A, the summary report will actually say that 500 voters cast votes for Candidate A), b) the machine recorded each individual vote accurately, and c) the machine/votes have not been tampered with.

Most e-voting opponents say that the only way to conduct meaningful audits is for the voting system to create a “Voter-Verified Paper Trail” or VVPAT. In a basic DRE system, a voter presses a button (or types in a write-in ballot) to cast their vote, and then the DRE system pops up a little message on the screen saying “You voted for ‘Upstanding Citizen’ for ‘Senate.’ Is that okay?” and then the voter will press either “okay” or “decline.” The voter simply has to trust that when they pressed “Upstanding Citizen” the machine did not record “Evil Mastermind.”

In a DRE-with-VVPAT scenario, the voter doesn’t see the “Is that okay?” thing just on screen. The machine, rather, prints the voter’s votes on a slip of paper, which appears behind a glass window. If the printout has it right, you hit okay, and the slip of paper is then dropped into a secured box.

If for some reason–either because there’s a call for a recount, or because the polling place has been randomly chosen for a manual audit mandated by the state–the votes need to be verified, the human count of the little slips of paper can be checked against the machine’s count. (And presumably, in the event of an incongruity, the paper count will be considered the official number.)

Here’s where we really get into semantics. Here’s an excerpt I’ve lifted directly from my November 2006 Alert story:

    Some supporters of DREs-without-VVPATs claim–either out of snarkiness or ignorance–that a voter can verify their vote on a regular DRE, because it has an okay/change screen. But this misses the intent of a voter verification mechanism–it is not meant to verify that the voter cast their vote correctly, but that the machine recorded their vote correctly…

    So, technically speaking, a DRE can provide the necessary elements of a recount. The individual votes can be printed from the machine’s internal memory and hand-counted. The DRE even goes one step further, because the votes could also be printed from the removable memory card in case the internal memory was destroyed or corrupted. These devices are encrypted to make them resistant to tampering of stored data.

    However, there is still no way to assure the integrity of any of the data. If some error or fraud happened between the time that a voter cast their vote and the time the vote was stored, then a recount would simply retabulate the same erroneous or fraudulent data.

    Some say a VVPAT (or other form of voter verification) captures the intent of the voter, but once again, this isn’t exactly true. Paper doesn’t magically divine a voter’s will. If it did, there wouldn’t be questions like “Does this dimpled chad indicate a vote for this candidate or that the voter abstained from casting a vote in that race?” “If the voter filled in equally dark circles for two candidates in the same race, which one did they actually want?”

    What a VVPAT does capture is what vote the voter actually cast. If the voter leans on the keyboard, types in “Aa;KJF” for governor and clicks “OK” it’s their error, not the machine’s, so it’s still a valid vote.

As Avi Rubin, author of Brave New Ballot, told the Associated Press in 2006, “The problem is not that elections have been rigged, necessarily; it’s that you can’t say for sure that they weren’t.”
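To make the recount-versus-audit distinction above concrete, here is an added toy simulation (not part of the original post, and not modelled on any real voting system): a DRE with a hypothetical recording fault, a “recount” from its internal memory, and an audit of a voter-verified paper trail. The candidate names, the 500-voter turnout and the fault are all constructed.

```python
"""Added toy model (not from the post or any real voting system): a DRE
with a hypothetical recording fault, a recount from its memory, and an
audit against a voter-verified paper trail (VVPAT)."""
from collections import Counter
from typing import Callable, List, Optional, Tuple

# Constructed turnout: what 500 voters actually pressed.
INTENT = ["Upstanding Citizen"] * 300 + ["Evil Mastermind"] * 200

Fault = Callable[[int, str], str]


def flip_every_tenth(i: int, pressed: str) -> str:
    """Hypothetical fault for the model: every tenth press for
    'Upstanding Citizen' is stored as 'Evil Mastermind'."""
    if pressed == "Upstanding Citizen" and i % 10 == 0:
        return "Evil Mastermind"
    return pressed


def run_election(vvpat: bool, fault: Optional[Fault] = None
                 ) -> Tuple[List[str], List[str], int]:
    """Simulate one machine. Returns (memory, paper_slips, declined)."""
    memory, paper, declined = [], [], 0
    for i, pressed in enumerate(INTENT):
        to_store = fault(i, pressed) if fault else pressed
        if vvpat:
            # The printed slip shows what the machine is about to store,
            # so the voter can compare it with what they pressed.
            if to_store != pressed:
                declined += 1        # voter hits "decline"; nothing stored
                continue
            paper.append(to_store)   # verified slip drops into the box
        # A plain DRE's confirmation screen echoes the *press*, so a
        # mis-recording is invisible to the voter at this point.
        memory.append(to_store)
    return memory, paper, declined


def recount_from_memory(memory: List[str]) -> Counter:
    """A DRE 'recount' re-tabulates stored data; if the data was wrong
    when stored, the recount faithfully reproduces the error."""
    return Counter(memory)


def tamper(memory: List[str], n: int) -> List[str]:
    """Model post-election tampering: flip the first n stored votes for
    'Upstanding Citizen'. Constructed for the demonstration."""
    out, flipped = list(memory), 0
    for k, v in enumerate(out):
        if flipped == n:
            break
        if v == "Upstanding Citizen":
            out[k], flipped = "Evil Mastermind", flipped + 1
    return out


def audit(memory: List[str], paper: List[str]) -> dict:
    """Hand count of the paper slips versus the machine's count. On a
    mismatch the paper count is treated as the official number."""
    machine, hand = Counter(memory), Counter(paper)
    return {"machine": machine, "hand": hand,
            "match": machine == hand, "official": hand}


if __name__ == "__main__":
    mem, _, _ = run_election(vvpat=False, fault=flip_every_tenth)
    print("plain DRE recount:", recount_from_memory(mem))  # 270/230: wrong, yet self-consistent
    mem, slips, declined = run_election(vvpat=True, fault=flip_every_tenth)
    print("VVPAT: voters declined", declined)              # 30 mis-recordings caught at the booth
    print("audit after tampering matches:", audit(tamper(mem, 5), slips)["match"])  # False
```

The plain DRE’s recount reports 270 to 230 although 300 to 200 was pressed, and nothing in its own memory can reveal that; the VVPAT catches the fault at the booth and, later, the hand count exposes any change to stored votes.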

------------------
Sara Peters, senior editor at the Computer Security Institute, is a well-rounded geek-at-large with particular enthusiasm for Web 2.0 security, Web vulnerability disclosure law, virtualization, and cartoons about ninjas.

Murder in Virtual Worlds

According to LinuxInsider, a 43-year-old piano teacher was arrested after she murdered her virtual, recently-divorced husband’s avatar in Maple Story. (Maple Story is Japan’s equivalent to the virtual world of SecondLife). She had apparently used his login information and password (that he gave her during the happy years of their ‘marriage’) in order to perpetrate the crime.

Authorities were first alerted to this crime by the ‘husband,’ who came online to discover the murdered body of his avatar. His ‘wife,’ who was extradited 620 miles across the country to stand trial in his hometown of Sapporo, was charged with illegal computer access and manipulation of electronic data. If convicted, she could face a prison term of up to five years and a fine up to $5,000.

Just a month before the incident, I explored the legality of virtual worlds in the April Alert, My So-Called Second Life: Virtual worlds inherit the security woes of both the physical world and the logical world. This incident, however amusing, shows how the ‘virtualizing’ of society has helped us discover new ways to commit crime.

It’s important to remember that the woman was effectively charged with hacking, not murder. With the advent of World of Warcraft, virtual murder of other people’s avatars has become a passé societal norm. This phenomenon was satirized in an episode of South Park, where the boys united to defeat an ‘omnicidal’ maniac in order to save World of Warcraft from other players’ disinterest.

With society continuously escaping the real world to live virtual world fantasies, carelessly overenthusiastic people can find themselves committing crimes that, in the past, weren’t the hallmarks of felony. Thanks to virtual worlds, you can actually be arrested for killing people who have no lives (avatars, not geeks).

------------------
Kristen Romonovich is Associate Editor at the Computer Security Institute. She is dedicated to secure green computing, compliance in the cloud and the security of mobile devices. Learn more at our upcoming conference CSI SX: Security Exchange, csisx.com, May 17-21 in Las Vegas.

Optical scan machines, not just DREs, giving voters troubles today

If voters do not even have confidence in the voting machines recommended by the Verified Voting Foundation, what hope have we in any voting system in use today?

Luckily, none of the technical problems thus far experienced by voters have been called “systemic”; rather, they are isolated incidents.

Nonetheless, it was no doubt frustrating and perhaps shocking to some citizens, when after waiting in line for hours at their local polling places, they were told that the optical scan voting machines were malfunctioning; voters were given the option of waiting for the machines to be repaired or filling out the paper ballot and relying on poll workers to scan the paper ballot when the scanning machines were once again fully functional.

Optical scanning machines are preferred by the non-profit organization Verified Voting because they automatically provide a paper trail, unlike most direct recording electronic machines (DREs), which are the machines most often thought of in discussions about e-voting. Optical scan machines basically work like those ScanTron machines you might have used when taking tests back in high school. You’re given a paper ballot, and you fill in some boxes or circles with your choices. You then personally insert the paper ballot into the machine, which scans your answers, adds them to the tally, and then drops the paper into a secured box. So in the event of a recount (or in the event that the polling station was randomly selected for a mandatory audit), the machine’s tally can be compared against a manual count of the paper ballots filled out and confirmed by each voter themselves.

Yet some troubles have been reported with these optical scan machines today, including quite a low-tech problem–after heavy rain yesterday, the paper ballots at one Virginia polling station were damp, and were getting stuck in the scanning machine.

This morning Tom Brokaw, current moderator of “Meet the Press” and the moderator of one of the presidential debates, said that regardless of who wins, the nation needs to fix the problems with the voting system. It would be difficult to make a convincing counter-argument.

Some of the swing states being given the most attention by analysts and candidates today are Ohio, Florida, Colorado and Virginia. Florida has the most rigorous policy, requiring both a voter-verified paper trail and a manual audit of randomly selected polling places–some of these paper ballots, however, are still the infamous “butterfly” ballots that had the country hanging in an uncomfortable suspense during the 2000 election. Colorado also requires a VVPR and manual audits, but according to Verified Voting, Colorado is “shown as having a VVPR requirement because they have enacted VVPR legislation, but these states’ requirements will not be fully implemented until after 2008.” Ohio has a VVPR requirement, but no audit requirement, and Virginia requires neither the paper trail nor the audit.

See the requirements for other states here.

------------------
Sara Peters, senior editor at the Computer Security Institute, is a well-rounded geek-at-large with particular enthusiasm for Web 2.0 security, Web vulnerability disclosure law, virtualization, and cartoons about ninjas.

Data in the Clouds with Casdex

From a legal point of view, if you work for a publicly traded company, you must meet certain terms of compliance. However, even if your organization is compliant while using a cloud service provider, the big question remains: who is liable for the data? There is always a risk when using a provider, but David Barley, Chief Technology Officer for Casdex (a digital archiving firm that also ensures full compliance and security), said, “At the end of the day, if your organization does experience a data loss, you want to be able to prove what happened. Whether it’s an act of God or an error, things happen.”

For instance, when you use Google e-mail, you’re using a free service. If there’s downtime, Google doesn’t have to communicate with their users. Barley stresses the importance of trust while performing business operations in the cloud: “If you have the information you need and you have a trusted relationship [with your provider], it makes it easier. When you join with a provider, you’re joining a business relationship. It’s your company, but the service providers need to be able to help,” said Barley.

Before committing to any data storage provider, there are a few questions you should ask of the service before becoming a customer. Barley said you should be clear on exactly what the service provider is offering: data storage, e-mail, transactional data for the database, archiving and long-term protection of data? Even though you may choose to go with a service provider brand name you trust, Barley stresses learning more about the people running it: “Have they run IT shops in the past? Managing storage at the enterprise level is a different skill set.” Most importantly, what are the rules in place to get access to your data? “Information is your most critical asset. Even if you operate a dry cleaners, your contact list, your list of customers; that’s your gold,” said Barley. You want to be sure you would be able to retrieve your data in the event the provider is no longer in business. “Are they using fly-by-night facilities?” These are some things to watch out for, as you want your provider to be readily available to you when you need to access your data. Barley said, “What types of guarantees do they offer? Things happen; companies go out of business. How do you get your data back?”

The Linkup, formerly known as MediaMax, allowed users to back up and share files online, but then lost 45 percent of their customers’ data. They had about 20,000 paid, disgruntled subscribers. Much of the error was a result of all of the data being on a few computers instead of a system where the data is spread out and stored at several locations. “Casdex’s data is in more than one place because it has to be.” As an archive data company, most of their customers’ data does not need to be pulled for everyday business use, but more for auditors. That’s why the data is stored in different locations, so if access to Los Angeles is busy, you can be redirected to Las Vegas.

Casdex has set up an escrow account, a fund that is set aside for your organization, in the worst-case scenario that they would go out of business. The funds are set aside as Casdex’s guarantee to continue to run your services for a period of six months. Within those six months, you would be able to go into the service to download your data back out to retrieve it.

In the past, companies backed up their data in filing cabinets, offsite paper file storage facilities and onsite with CDs or thumb drives. Now, with an increased risk of data theft, new government regulations and natural disasters, an increasing number of businesses need digital archiving. Casdex offers an Internet storage solution to provide proof of authenticity in court and guarantees that the data has been accurately reproduced. Casdex’s digital archiving solution allows businesses to maintain full compliance with federal regulatory retention policies outlined by the SEC, HIPAA and SOX. When archiving a document, the owner may program the retention time, at the end of which the document is both destroyed and deleted from the server.

There are several different regulations that most companies need to comply with, covering retention policies, access grants and so on. “But when you turn on compliance, retention policies tend to change,” said Barley. Casdex can prove with hashes that your data is the same file that it was three years ago, whether to prove compliance or for court cases. With data archiving, it’s important to be able to verify that the data you stored ten years ago is the same data today. HIPAA states that the files stored can’t be read by third parties and that the data must be deleted after ten years, so there are mechanisms in place to enforce these requirements. Barley said, “Everything is logged, and you can’t tamper with them. If you want to meet these regulations, you need these mechanisms in place. You need these log reports to prove compliance, which is as simple as logging into the portal and pulling the report yourself.”
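As an added illustration of the two mechanisms just described (not Casdex’s code; the class, field names and sample record are hypothetical), here is how a content hash proves a stored file is unchanged years later, and how a hash-chained event log makes the store-and-delete history, including retention-driven deletion, tamper-evident:

```python
"""Added illustration (hypothetical, not Casdex's code): content hashes
prove a stored file is unchanged, and a hash-chained event log makes the
store/delete history tamper-evident."""
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64  # chain head before the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Archive:
    def __init__(self) -> None:
        self.docs = {}    # doc_id -> {"bytes", "digest", "retain_until"}
        self.log = []     # chained event records
        self._prev = GENESIS

    def _append(self, event: dict) -> None:
        # Each entry commits to the previous entry's hash, so editing or
        # dropping any earlier record changes every hash after it.
        entry = dict(event, prev=self._prev)
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)
        self._prev = entry["hash"]

    def store(self, doc_id: str, data: bytes, stored_on: str, retain_years: int) -> str:
        """Archive a document; the owner sets the retention period."""
        digest = sha256_hex(data)
        until = date.fromisoformat(stored_on) + timedelta(days=365 * retain_years)
        self.docs[doc_id] = {"bytes": data, "digest": digest, "retain_until": until}
        self._append({"event": "store", "doc": doc_id, "digest": digest, "on": stored_on})
        return digest

    def verify(self, doc_id: str) -> bool:
        """Is the stored content still byte-for-byte the file archived?"""
        d = self.docs[doc_id]
        return sha256_hex(d["bytes"]) == d["digest"]

    def expire(self, today: str) -> list:
        """Delete documents whose retention period has ended; log each."""
        now = date.fromisoformat(today)
        gone = sorted(i for i, d in self.docs.items() if d["retain_until"] <= now)
        for i in gone:
            del self.docs[i]
            self._append({"event": "delete", "doc": i, "on": today})
        return gone

    def log_intact(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return False
            prev = e["hash"]
        return prev == self._prev
```

The pulled “log report” is the chain itself: an auditor can recompute every hash from the records without trusting the portal that produced them.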

------------------
Kristen Romonovich is Associate Editor at the Computer Security Institute. She is dedicated to secure green computing, compliance in the cloud and the security of mobile devices. Learn more at our upcoming conference CSI SX: Security Exchange, csisx.com, May 17-21 in Las Vegas.

Free Software to Protect Virtual Machines in the Cloud: Third Brigade VMware Protection

There are some ways to effectively begin securing your information in the cloud. We’ve recently been pondering whether or not one can prove compliance with security and privacy regulations in the cloud. Luckily, while cloud services still may not be right for handling health or payment card information, security vendors and cloud service providers are beginning to offer ways to effectively secure your cloud-based computing resources and satisfy some compliance requirements.

Last week, Third Brigade announced the availability of Third Brigade VM Protection, a free software package for organizations to achieve protection and compliance for VMware virtual machines deployed in a private or public cloud.

When an organization chooses to operate in the cloud, data is located outside of the perimeter, which should come as no surprise. “The big difference is that your perimeter isn’t helping anymore,” said Bill McGee, vice president of products and services for Third Brigade. While you still can’t implement security on the underlying infrastructure, you can add security measures on the top level. McGee said, “There’s no difference by definition between a physical, virtual and cloud server. Management and deployment of the technology is the same. But from the point of view of how you’re protecting it, the difference is around location and what perimeter is in place.”

Third Brigade’s enterprise product Deep Security 6 adds a firewall and IDS/IPS protection onto each virtual machine. It also offers integrity monitoring and log inspection capabilities. While you may not have all of the log files to hand over to your auditor, you at least have logs of what is happening on the VM if not on the hypervisor or physical server level. For instance, if only one of your servers contains personally identifiable information, you can segment the firewall functionally to limit it to the VM that needs to comply with regulations such as the Payment Card Industry Data Security Standard. Since security is operating on each instance, you can customize which security tools you want to place on each VM.

Currently the enterprise product is made for Amazon EC2, which uses the Xen hypervisor, but Third Brigade is working with VMware to offer Third Brigade VMware Protection. The free software will work with any cloud service provider that uses VMware and will also work on your private network. “The VMware vCloud Initiative brings together enterprises, more than 100 service providers worldwide and industry innovators like Third Brigade to deliver enterprise-class cloud computing,” said Wendy Perilli, director of product marketing at VMware. “Whether businesses want to expand their IT infrastructures into internal private clouds or leverage off-premise compute clouds, combining the VMware platform with partner security solutions like those offered by Third Brigade gives them the flexibility and comfort to deliver business-critical applications when and where they want, while enhancing IT agility and security.”


Can You Vote for Me Now? Estonia First Country to Cast Cell Phone Votes

The Estonian Parliament has passed a law that will allow its citizens to vote via cell phone by 2011. In the past, Estonians were able to cast their votes over the Internet which apparently worked seamlessly despite security concerns. See Sara Peters’ coverage of e-voting in Estonia in the November 2005 Alert.

Each cell phone will have a free, authorized chip that verifies the voter’s identity. However, the Estonian government should be wary of this new system because of what could happen if a person’s cell phone is stolen and used to cast a vote. Additionally, hasn’t it learned from the sustained cyber attack on the country’s Internet infrastructure last year?

Although Estonian officials did not accuse Russia of being behind the attacks, relations between the Kremlin and former parts of the Soviet Union have been on shaky terms. The cyber-attack involved users overloading the Internet system, thus making it impossible for Estonians to perform such basic tasks as buying bread, milk and gas. Several of the main targets were Estonian government ministries, news and communications organizations, and banks. The Estonian government estimated the attack cost 2.7 million to 4.5 million US dollars in damages.

Estonia is the first country to have cell phone voting, but supposedly Finland and Sweden also have the capability to hold one. Time will tell how cell phones set the tone for future voting methods.

------------------
Kristen Romonovich is Associate Editor at the Computer Security Institute. She is dedicated to secure green computing, compliance in the cloud and the security of mobile devices. Learn more at our upcoming conference CSI SX: Security Exchange, csisx.com, May 17-21 in Las Vegas.