Friday, November 27, 2009

Internet Protocol Version 6 (IPv6)


Internet Protocol Version 6 (IPv6) is a network layer protocol that enables data communications over a packet switched network. Packet switching involves the sending and receiving of data in packets between two nodes in a network. The working standard for the IPv6 protocol was published by the Internet Engineering Task Force (IETF) in 1998. The IETF specification for IPv6 is RFC 2460. IPv6 was intended to replace the widely used Internet Protocol Version 4 (IPv4) that is considered the backbone of the modern Internet. IPv6 is often referred to as the "next generation Internet" because of its expanded capabilities and its growth through recent large scale deployments. In 2004, Japan and Korea were acknowledged as having the first public deployments of IPv6.

The explosive growth in mobile devices including mobile phones, notebook computers, and wireless handheld devices has created a need for additional blocks of IP addresses. IPv4 currently supports a maximum of approximately 4.3 billion unique IP addresses. IPv6 supports a theoretical maximum of 2^128 addresses (340,282,366,920,938,463,463,374,607,431,768,211,456 to be exact!). Recent advancements in network technology including Network Address Translation (NAT) have temporarily lessened the urgency for new IP addresses; however, recent estimates indicate that IPv4 addresses could be exhausted as soon as 2012.

IPv6 and IPv4 share a similar architecture. The majority of transport layer protocols that function with IPv4 will also function with the IPv6 protocol. Most application layer protocols are expected to be interoperable with IPv6 as well, with the notable exception of File Transfer Protocol (FTP). FTP uses embedded network layer addresses to facilitate data transmission. An IPv6 address consists of eight groups of four hexadecimal digits. If a group consists of four zeros, the notation can be shortened using a colon to replace the zeros.

A main advantage of IPv6 is increased address space. The 128-bit length of IPv6 addresses is a significant gain over the 32-bit length of IPv4 addresses, allowing for an almost limitless number of unique IP addresses. The size of the IPv6 address space makes it less vulnerable to malicious activities such as IP scanning. IPv6 packets can support a larger payload than IPv4 packets, resulting in increased throughput and transport efficiency.

A key enhancement over IPv4 is native support for mobile devices. IPv6 supports the Mobile IPv6 (MIPv6) protocol which enables mobile devices to switch between networks and receive a roaming notification regardless of physical location. MIPv6 is a hallmark of the protocol and was specified as a firm requirement during the design of IPv6. The IETF has separate specifications for MIPv6 that detail data structure, messaging, and security requirements.

Auto-configuration is another IPv6 enhancement that is considered a great benefit to network administrators. IPv6 devices can independently auto-configure themselves when connected with other IPv6 devices. Configuration tasks that can be carried out automatically include IP address assignment and device numbering. An IPv6 router has the ability to determine its own IPv6 address using data link layer addressing parameters. The IETF has issued RFC 2462 to set guidelines for IPv6 auto-configuration.

The IPv6 protocol improves upon IPv4 with increased authentication and privacy measures. IPsec security is embedded into the IPv6 specification to manage encryption and authentication between hosts. This built-in security framework enables secure data traffic between hosts that is independent of any applications on either host. In this way, IPv6 provides an efficient end-to-end security framework for data transfer at the host or the network level.

The deployment of IPv6 networks is growing worldwide. Full replacement of IPv4 is expected to take some time, as it remains the most widely used Internet Protocol. The United States, China, and India are leading recent deployments of the IPv6 protocol and have large investments in IPv6 network infrastructure. The United States government has mandated that federal agencies must complete the transition to an IPv6 infrastructure no later than 2008. Software companies are also releasing operating systems that support the IPv6 standard. In 1997, IBM became the first commercial vendor to support IPv6 through its AIX 4.3 operating system. The latest version of Microsoft's Windows operating system, Windows Vista, has full IPv6 support enabled by default.

Monday, November 16, 2009

Cybersecurity


Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users. The term computer system security means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities, untrustworthy individuals and unplanned events. It seems that everything relies on computers and the Internet now: communication (email, cellphones), entertainment (digital cable, mp3s), transportation (car engine systems, airplane navigation), shopping (online stores, credit cards), medicine (equipment, medical records), and the list goes on. How much of your daily life relies on computers? How much of your personal information is stored either on your own computer or on someone else's system? Cyber security involves protecting that information by preventing, detecting, and responding to attacks. There are many risks, some more serious than others. Among these dangers are viruses erasing your entire system, someone breaking into your system and altering files, someone using your computer to attack others, or someone stealing your credit card information and making unauthorized purchases. Unfortunately, there is no 100% guarantee that even with the best precautions some of these things won't happen to you, but there are steps you can take to minimize the chances. The first step in protecting yourself is to recognize the risks and become familiar with some of the terminology associated with them.

1. Hacker, attacker, or intruder - These terms are applied to the people who seek to exploit weaknesses in software and computer systems for their own gain. Although their intentions are sometimes fairly benign and motivated solely by curiosity, their actions are typically in violation of the intended use of the systems they are exploiting. The results can range from mere mischief (creating a virus with no intentionally negative impact) to malicious activity (stealing or altering information).

2. Malicious code - Malicious code, sometimes called malware, is a broad category that includes any code that could be used to attack your computer. Malicious code can have the following characteristics:
o It might require you to actually do something before it infects your computer. This action could be opening an email attachment or going to a particular web page.
o Some forms propagate without user intervention and typically start by exploiting a software vulnerability. Once the victim computer has been infected, the malicious code will attempt to find and infect other computers. This code can also propagate via email, websites, or network-based software.
o Some malicious code claims to be one thing while in fact doing something different behind the scenes. For example, a program that claims it will speed up your computer may actually be sending confidential information to a remote intruder.
Viruses and worms are examples of malicious code.

Saturday, October 17, 2009

Is your computer "male" or "female"?


As you are aware, ships have long been characterised as being female, as in "Steady as she goes" or "She's listing to starboard, Captain!" Recently, a group of computer scientists (all male) announced that computers should be referred to as being female. Their reasons for drawing this conclusion are as follows: Five reasons to believe computers are female:

1. No one but the Creator understands their internal logic;

2. The native language they use to communicate with other computers is incomprehensible to everyone else;

3. The message "Bad command or file name" is about as informative as, "If you don't know why I'm mad at you, then I'm certainly not going to tell you";

4. Even the smallest mistakes are stored in long term memory for later retrieval;

5. As soon as you make a commitment to one, you find yourself spending half your paycheck on accessories for it.


HOWEVER, another group of computer scientists (all female) think that computers should be referred to as male. Their reasons are as follows:

a. They have a lot of data, but are still clueless;

b. They are supposed to help you solve problems, but half the time they are the problem;

c. As soon as you commit to one you realize that, if you had waited a little longer, you could have obtained a better model;

d. In order to get their attention, you have to turn them on;

e. Big power surges knock them out for the rest of the day.

Tuesday, October 13, 2009

Information Security in Application Development, Software, Programming


Information Security overview

Information security is all about protecting an organisation's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. At the heart of information security is the term vulnerability - a weakness in a system which can be exploited to breach security.



Vulnerabilities may be exposed, among other sources, by the operating system, middleware, hardware, network, the application development language, or the developed application – the last of these is the focus of this article. Considering all the sources mentioned above, the application developer can, through his or her actions, mitigate the risks emanating from all of them. This gives us an idea of the enormous responsibility assigned to application development; you will agree with me that this calls for vast technology knowledge among application developers – particularly in a rapidly changing world of technology.

We can simplify information security by using the CIA (Confidentiality, Integrity & Availability) acronym. Let us consider a few scenarios where inadequate information security leads to loss:

· Imagine what will happen if the Coca-Cola production formula is leaked to its main competitor

· What happens when the account details information of a bank is not secure – the bank will face enormous legal actions, loss of customers’ goodwill and the resultant business loss.

· What happens when an organization's payroll information leaks out – the company will surely have more disgruntled staff, and this may result in sudden staff resignations

· What happens when hackers explore the vulnerability in your IT infrastructure and undertake activities that can lead to critical service outage?

· What happens when, due to poor application architecture or coding, end users start experiencing poor performance as customer and transaction volumes increase



Service outage

The cost of non-availability of a service can best be understood by the following example: consider a telecommunications company with a 400-seat call centre that suffers a 2-hour outage of a critical call centre application. Let us also assume that an average call centre agent earns $12/hour.

Some Losses incurred are:

· Customer goodwill lost from about 24,000 customers (assuming it takes 2 minutes to handle a customer's request) over the two hours of outage

· Financially, the total salary paid to staff who could not carry out their job during the outage = 400 * 12 * 2 = $9,600

· When service is restored, the call queue hold time will likely rise; this is another goodwill and customer retention determinant



Confidentiality

It is the IT security requirement that ensures non-disclosure of information to unauthorized individuals or systems. From the application development side, the level of detail about a person or organization that can be accessed should be based on the approved access role. For example, the recent PCI DSS (Payment Card Industry Data Security Standard) regulation requires that such confidential information (credit/debit card data) should not be available in raw form to anybody, including the database administrator. By PCI regulation requirement, developers must ensure such data is kept in encrypted form. Today, there is commercially available software which you can interface with your application to enforce this regulatory requirement.



Integrity

In information security, integrity means that data cannot be modified without authorization, and the user would not be able to refute access. Without integrity, reliance, trust and confidence in the IT system will be lost. Imagine a case where a bank teller/cashier sees a customer's available balance but is not sure if the balance is correct, because on a previous occasion he/she made a payment against the shown balance but was penalized for granting an unapproved overdraft.

This calls for:

· the application development to be based on approved business requirement, policies and processes

· ensuring a real-time update is triggered once a transaction is consummated, by having users' screens refreshed periodically and by revalidating key values prior to the actual commit (as changes may have occurred from other users, sources or transaction channels).
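The teller scenario above, as an added example (not code from the original article): the balance and a row version are read for the screen, and the debit is applied only if the row is still at that version and still covers the amount, so a payment approved against a stale balance is rejected rather than creating an unapproved overdraft. The in-memory SQLite ledger and account values are constructed for the demonstration.

```python
# Added example: key revalidation at commit time (optimistic concurrency).
import sqlite3


def open_ledger() -> sqlite3.Connection:
    """Constructed in-memory ledger with one sample account (500, version 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL, version INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES ('ACC-1', 500, 1)")
    conn.commit()
    return conn


def read_account(conn: sqlite3.Connection, acct: str) -> tuple:
    """The snapshot shown on the teller's screen: (balance, version)."""
    row = conn.execute("SELECT balance, version FROM accounts WHERE id = ?",
                       (acct,)).fetchone()
    if row is None:
        raise KeyError(acct)
    return row


def debit(conn: sqlite3.Connection, acct: str, amount: int,
          seen_version: int) -> bool:
    """Apply the debit only if the row is still at the version the user saw
    and the balance still covers the amount. Returns False when the
    snapshot is stale or funds are insufficient; the caller must re-read."""
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ?, version = version + 1 "
        "WHERE id = ? AND version = ? AND balance >= ?",
        (amount, acct, seen_version, amount))
    conn.commit()
    return cur.rowcount == 1


def stale_screen_scenario() -> tuple:
    """Teller sees 500 (v1); another channel debits 400 meanwhile; the
    teller then tries to pay 300 against the stale 500.
    Returns (other_channel_ok, teller_ok, final_balance)."""
    conn = open_ledger()
    balance, version = read_account(conn, "ACC-1")   # teller screen: 500, v1
    other_ok = debit(conn, "ACC-1", 400, version)    # ATM channel: v1 -> v2
    teller_ok = debit(conn, "ACC-1", 300, version)   # stale v1: rejected
    final_balance, _ = read_account(conn, "ACC-1")
    return other_ok, teller_ok, final_balance


if __name__ == "__main__":
    print(stale_screen_scenario())  # (True, False, 100)
```

On a rejection the application re-reads the row and shows the user the current balance before asking again; the version column is what turns "the screen looked fine" into a check the database enforces.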



Availability

It is all about ensuring that an IT service or system and all its components are available to be used when required. Server/hardware availability is not of interest to the business; rather, the business is interested in service availability. If a system is available but users cannot use it to deliver service, it is considered unavailable. Take a case where an application developer made a field unique and auto-numbered, and the field can only accommodate four digits; this means the maximum number will be 9999, after which no transaction can be executed until a remedial action is undertaken – how long will this take?

One common availability-related attack that developers should guard against is denial of service (DoS); the simplest case is where spam mail fills your mailbox, using up the disk space allocated to you. DoS can also be caused by an uncontrolled file upload option on a website; such an upload must handle basic security issues: limiting the maximum file size that can be uploaded, and filtering uploaded files to ensure they do not contain malicious embedded code, e.g. executable scripts, HTML tags, etc.
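The two upload controls named above, as an added example (not code from the original article): the size limit is enforced while reading, without trusting any client-declared length, and the content is checked against the declared type and for script/HTML before it is stored. The 1 MB limit, the allowed type list and the sample uploads are assumptions constructed for the demonstration.

```python
# Added example: size-limited, content-checked file upload handling.
import io
import re

MAX_UPLOAD_BYTES = 1_000_000          # assumed policy: 1 MB per upload
CHUNK_SIZE = 64 * 1024
# Binary types are accepted only if the leading bytes match their signature.
MAGIC_BY_TYPE = {"png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-"}
# Text types must decode as UTF-8 and carry no tag-like or script content.
TEXT_TYPES = {"txt", "csv"}
TAG_OR_SCRIPT = re.compile(r"<[a-zA-Z!?/]|^#!", re.MULTILINE)


class UploadRejected(Exception):
    """Raised when an upload violates the size or content policy."""


def read_limited(stream, max_bytes: int = MAX_UPLOAD_BYTES) -> bytes:
    """Read the upload in chunks and stop as soon as it exceeds max_bytes,
    so an oversized upload never occupies more than one chunk of memory."""
    buf = bytearray()
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            return bytes(buf)
        if len(buf) + len(chunk) > max_bytes:
            raise UploadRejected("upload exceeds %d bytes" % max_bytes)
        buf.extend(chunk)


def check_content(data: bytes, declared_type: str) -> str:
    """Verify the bytes are what the client claims and contain no embedded
    script or HTML. Returns the normalised type on success."""
    kind = declared_type.lower().lstrip(".")
    if kind in MAGIC_BY_TYPE:
        if not data.startswith(MAGIC_BY_TYPE[kind]):
            raise UploadRejected("content does not match declared type %s" % kind)
        return kind
    if kind in TEXT_TYPES:
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not valid UTF-8") from None
        if TAG_OR_SCRIPT.search(text):
            raise UploadRejected("text upload contains tag or script content")
        return kind
    raise UploadRejected("file type not allowed: %s" % kind)


def accept_upload(stream, declared_type: str,
                  max_bytes: int = MAX_UPLOAD_BYTES) -> tuple:
    """Full pipeline: size check while reading, then content check."""
    data = read_limited(stream, max_bytes)
    return check_content(data, declared_type), data


def demo() -> dict:
    """Constructed sample uploads (1 KB limit); label -> 'accepted' or reason."""
    samples = {
        "good_png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, "png"),
        "html_as_png": (b"<html><script>alert(1)</script>", "png"),
        "script_in_csv": (b"name,note\nbob,<script>x</script>\n", "csv"),
        "plain_csv": (b"name,note\nbob,hello\n", "csv"),
        "too_big": (b"A" * 2048, "txt"),
    }
    results = {}
    for label, (payload, kind) in samples.items():
        try:
            accept_upload(io.BytesIO(payload), kind, max_bytes=1024)
            results[label] = "accepted"
        except UploadRejected as exc:
            results[label] = "rejected: %s" % exc
    return results
```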

Developers should also be guided by the organization’s policies: security policy, access control, business continuity management, regulatory compliance, etc.

System availability can be greatly improved by considering performance from the design stage, and not just as a tick in the box before go-live; that is why it is important that you design and build systems based on the URS of the service catalogue. This document will contain the expectations of the business and also the forecast of the expected load on the application.

Performance testing and stress testing should be done before deployment; this is usually done using virtual users whose activity is injected into the application under test, and performance information (e.g. end-to-end response time, number of concurrent users, CPU utilization) is obtained and compared to the business requirement.

Applications should be designed and implemented with high availability in mind, but you should not stop there: the job is not done until your application failover test has succeeded.



Authenticity and Non-repudiation

Authenticity and non-repudiation are vital IT security requirements that cut across the CIA triad. Authenticity ensures that the system/user is valid and real, while non-repudiation helps to ensure that one party to a transaction cannot deny having received a transaction, nor can the other party deny having sent it. Both authenticity and non-repudiation can be applied through technology such as digital signatures and encryption. (Digital signatures are equivalent to traditional handwritten signatures in many respects; when properly implemented they are more difficult to forge than a handwritten signature.)



Conclusion

Developing a secure application is a conscious, planned and expensive activity. It is a necessity which, when properly done, will eliminate or reduce vulnerability from other sources. It can be said that if our information asset is confidential, trusted and available, then the information asset is safe.

By

Dominic Ogbonna


Dominic Ogbonna, a member of AISA, is the Capacity & Availability coordinator of Phones4u (UK).
He has several years of experience in Information system management, Infrastructure management, Application development, implementation & support across the banking, telecom and retail sectors, with expertise in Application Design & architecture, Information systems security, and Capacity & Availability Management.

http://www.jidaw.com/security/aisa/information_security_application_development.html

Wednesday, July 29, 2009

Cybercrime is an image nightmare in Nigeria


There is no doubt that cybercrime is an image nightmare for Nigeria. The setting up of a working group, the Nigeria Cyber Crime Working Group (NCWG), is an indication that cybercrime, especially Internet 419, is a source of concern and embarrassment. Also, to tackle this menace there is a bill titled the Cyber Security and Information Protection Bill under the House Committee on Drugs, Narcotics and Financial Crimes. The Bill is to provide for the establishment of the Cyber Security & Information Protection Agency, charged with the responsibility to secure computers and networks.
The Internet creates unlimited opportunities for commercial, social and educational activities. But as we can see with cybercrime the net introduces its own peculiar risks. What is the menace cybercrime poses to society? The convenience associated with IT and the Internet is now being exploited to serve criminal purposes. Cybercrime covers Internet fraud not just online 419 – the use of computers and or the Internet to commit crime. Computer-assisted crime includes e-mail scams, hacking, distribution of hostile software (viruses and worms), denial of service attacks, theft of data, extortion, fraud and impersonation.
Cyber crime uses the unique features of the Net – sending of e-mail in seconds, speedy publication/ dissemination of information through the web to anyone on the planet. Computer attacks can be generated by criminals from anywhere in the world, and executed in other areas, irrespective of geographic location. And often these criminal activities can be faster, easier and more damaging with the use of the Internet.
Since the loss suffered by consumers and investors creates serious credibility and image problems, many countries develop strategies for preventing, detecting and containing the threats associated with cybercrime. While it is acknowledged that greed is a major factor motivating most victims, what about the image created for many who never respond?
How is the nation fighting cyber crime? It’s interesting that there is quite a lot of talk about fighting cyber crime. But what are the efforts? And how effective are they? Since there is an awareness of the menace it poses to society, what have been the sincere and meaningful efforts to fight cybercrime? For one, are the security agencies enlightened enough? When you talk of efforts, you have to ask again: what have the security agencies done? How much has been invested in terms of time, education, personnel, etc.? Are such efforts assessable or meaningful?
Fighting cybercrime requires not just IT knowledge but IT intelligence on the part of the security agencies. In this clime, there is an IT security divide - a serious shortage of skills to deal with the threats associated with IT. Shouting and moaning about cybercrime isn’t enough. All the talk is meaningless unless the gap is closed. Security agencies need to be equipped with the skills, the know-how and the insight necessary to fight cybercrime effectively.
While resources are needed to fight the menace, it is imperative to avoid the misdirected approach of "throwing money" at the problem. Invest based on priorities and strategies. Such policies must be based on knowledge. Knowledge not just for the operatives, but also for those that will commit resources. For example, do the decision makers have any REAL, PRACTICAL appreciation of technology, not to talk of cybercrime? What is their take on the basics of information security in today's high-tech, business environment? The cybercriminals seem to have the technology advantage.
Essentially cybercrime is information and intelligence based activity. You cannot fight cybercrime with ignorance, strong directives or political statement.
To fight cybercrime, those involved have to spend time to learn how cybercrime operates and then devise strategies to fight the menace. And note that learning in IT is not one-off but lifelong.
How strong are the security agencies in the fundamentals of IT? You cannot fight today’s crime with yesterday’s technology. It will always be a losing battle if security professionals are way behind the cyber criminals in terms of tech knowledge. It’s not just about computing skills; IT security expertise is essential.
Fighting cybercrime requires a holistic approach, not just addressing the cyber cafés alone. What is the culture towards cybercrime? All stakeholders should be involved. Security agencies should liaise with industry stakeholders. There is a need to create a security-aware culture involving the public, the ISPs, cybercafes, government, security agencies and Internet users. There must be education about the problems, risks and solutions. Existing and potential victims need to be considered. Greed and unrealistic expectations are major problems. “If an offer is too good to be true, don't believe it”.
Furthermore, legislation needs to keep pace with e-crime, especially as it becomes more prevalent and sophisticated. Apart from awareness and culture, security measures (technical and non technical) will need to be put in place and enforced, as part of the solutions. This might involve raising penalties and increasing the seriousness of e-offences. The right culture should create a high level of awareness amongst stakeholders.
Who are the main actors involved? Cyber cafés are not the only source of cyber crime. Apart from the Internet, what are the causes - both historical and current - for the continued rise in cybercrime activity? Can cybercrime be divorced from the widespread corruption in society? Or the harsh economic climate, high unemployment? Disregard for the rule of law and lack of transparency and accountability in governance certainly doesn’t help matters. There is no justification for crime but to the populace, who is perceived as the criminal? Which is the bigger crime: corruption in high places or cybercrime?
Heavier punishments and enlightenment, closing down cyber cafés, issuing draconian directives may therefore not be meaningful without addressing the causes. To fight crime you attack the causes of crime.
Also in terms of strategy, it is crucial to thoroughly address issues relating to enforcement. Mishandling of enforcement can backfire. Enforcement can only work if it avoids harassment, abuse of privacy and extortion. Care must be taken not to throw out the baby with the bath water. Don't create a situation where genuine users of the Internet are frustrated out and unable to benefit from the Internet.
We cannot afford to live in the dinosaur age. In today’s world, computing tools and the Internet are used to effectively promote social development and business growth. Strategies must strike a balance between security concerns and other developmental needs.
Whatever strategy is adopted it should not be the “know-it-all” approach. Solutions should be practical, cost-effective, acceptable and supported by all stakeholders. It is not enough to issue directives and orders. For the right culture to grow all stakeholders must be involved in creating and accepting solutions. To fight crime, you need the cooperation of the community.
There is no one measure that will cure the menace of cybercrime. But it is the combination of measures together with the sincerity and rigour with which they are implemented and administered that will serve to reduce risks most effectively.
http://www.cyberschuulnews.com/nass_cybersecurity_draftbill.html

Thursday, July 23, 2009

Nigeria Is My Love


If you passed her in your city
You would call her badly dressed,
But the faded homespun covers
Such a heart in such a breast!
True, her rosy face is freckled
By the sun's abundant flame,
But she's mine with all her failings,
And I love her just the same.

If her hands are red they grapple
To my hands with splendid strength,
For she's mine, all mine's the beauty
Of her straight and lovely length!
True, her hose be thick and homely
And her speech is homely, too;
But she's mine! her rarest charm is
She's for me, and not for you!