"Just as drivers who share the road must also share responsibility for safety, we all now share the same global network, and thus must regard computer security as a necessary social responsibility. To me, anyone unwilling to take simple security precautions is a major, active part of the problem." Fred Langa

e-Security | CyberSecurity Malaysia 2010 | Vol: 23 (Q2/2010)

Explosive Wireless Communication Growth Drives Security Need
Balancing Availability And Security - Challenges In Cloud Computing
Internet Investment Scam And Web Reconstruction : A Sneak Preview

PUBLISHED BY
CyberSecurity Malaysia (726630-U)
Level 7, [email protected], No. 7, Jalan Tasik
The Mines Resort City
43300 Seri Kembangan
Selangor Darul Ehsan, Malaysia

PRINTED BY
Percetakan Tujuh Lapan Enam Sdn Bhd (564108-K)
No18, Lengkungan Brunei
55100 Pudu, Kuala Lumpur
Tel: +603 2732 1422
KKDN License Number: PQ 1780/3724

DESIGN BY
CD Advertising Sdn. Bhd (135508-A)
3-2, Jalan PJU 8/3A, Damansara Perdana,
47820 Petaling Jaya, Selangor Darul Ehsan.
www.cdgroup.com.my

CEO MESSAGE

Greetings to all readers! Welcome to the second edition of the e-Security Bulletin for 2010. I hope the past issues have been informative and have provided you with good insight on current information security issues, strategies and techniques to understand the cyberworld better. This time around, more IT security professionals from within CyberSecurity Malaysia have brought together informative and useful articles for your reading pleasure.

In recent years the amount of malware in circulation has grown exponentially. Malware authors and criminals will generate even more threats in order to evade detection and elimination from antivirus software. Once again, malware will be designed almost exclusively for financial gain and we expect to see many new fake antiviruses (rogueware), bots and banker Trojans.

The exponential growth of malware and the new distribution channels available to cybercriminals clearly identifies that the need for good protection is crucial. Thus, it is essential for companies to invest in training and education for users, who are still the weakest link in the security chain. New technologies to sustain this evolution are introduced almost daily, but we should not be so naïve as to assume that attackers will not be able to find ways to compromise and take advantage of us.

I believe global cooperation from cyber security experts, government officials and business leaders can protect computer networks under constant attack from ever-mutating viruses, worms, spam and a host of other dangers. This collaboration must take place at an international level in order for us to be able to combat these cyber criminals. There should be practical insights into developing a level of security awareness that targets problems at the source.

We at CyberSecurity Malaysia have taken steps to ensure that there is ministerial leadership to tackle and combat online crime, and we will bring together cyber security experts and the private sector to help develop a coordinated approach across the economy. We will work internationally, both bilaterally and through multilateral institutions, to support other countries in dealing with this crime.

There is a lot of work for us to do together and we need an ambitious action plan to accomplish our goals. It must begin with a national dialogue on cyber security and we should start with our family, friends and colleagues. Moving forward, awareness is the focal element and people are the key towards a secure environment. We need to build a culture of security, and best practices must be adopted towards building this culture.

CyberSecurity Malaysia has produced a training calendar for 2010. You are most welcome to speak to us on your training needs. Do visit us at www.cybersecurity.my or www.cybersafe.my for tips on Internet safety.

Once again, we invite more security professionals to contribute to our newsletter. You can view our newsletter online or access it from our website (www.cybersecurity.my). Last but not least, I would like to thank all contributors for sharing their information in this issue.

Warmest regards
Lt Col Husin Jazri (Retired) CISSP, CBCD, ISLA
CEO, CyberSecurity Malaysia

TABLE OF CONTENTS

• MyCERT 2nd Quarter 2010 Summary Report
• How Secure is RFID?
• Explosive Wireless Communication Growth Drives Security Needs
• Balancing Availability & Security - Challenges in Cloud Computing
• Encrypt Data Using TrueCrypt
• Cloud Backup for Disaster Recovery : Pros & Cons
• A Workflow for Digital Evidence Management
• Mozilla Firefox: Forensic Examination Using SQLite Manager
• Internet Investment Scams and Web Reconstruction : A Sneak Preview
• Serangan Orang Tengah (Man-in-the-Middle Attack)

READER ENQUIRY

Security Management and Best Practices, CyberSecurity Malaysia, Ministry of Science, Technology and Innovation (MOSTI) • E-mail: [email protected]

EDITOR’S DESK

Greetings to All Readers,

Another quarter has gone by and we are here again with lots of useful, informative articles from great contributors within CyberSecurity Malaysia as well as from the industry. Many articles in the previous edition revolved around web applications, but this time around, digital forensics is the crux of our discussion. There is more to learn about web reconstruction, digital evidence management, and the use of SQLite Manager for forensic examination. These topics are especially for those who want to know how digital evidence is brought into a court of law. Another current buzzword is ‘the cloud’.
Any organisation that opts for the cloud as a means of cost savings, or as part of their disaster recovery planning, would do well to read the related article on cloud computing, where we compare its pros and cons, while guiding readers on knowing how to balance between its availability and security.

There are many other good articles provided in this edition to keep you abreast with the latest security threats and developments in information security. Some such topics are Man-in-the-Middle attacks, security in RFID, the need for security in wireless communications, and TrueCrypt encryption.

We do hope you will find the articles presented in this edition useful, and we encourage you to check out our website for the latest information. Finally, to all our awesome contributors, thank you for your time and effort.

Best Regards,
Dr. Solahuddin Shamsuddin, Editor

e-Security | CyberSecurity Malaysia | Vol: 23-(Q2/2010) © CyberSecurity Malaysia 2010 - All Rights Reserved

Introduction

The MyCERT Quarterly summary provides an overview of activities carried out by Malaysia CERT (MyCERT), a department within CyberSecurity Malaysia. The activities are related to computer security issues and trends based on security incidents handled by MyCERT. The summary highlights statistics of incidents according to categories handled by MyCERT in Q2 2010, security advisories released by MyCERT, and other activities carried out by MyCERT staff. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussion of incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian domain or IP space. MyCERT works closely with other local and global entities to resolve computer security incidents.
Incidents Trends Q2 2010

From April to June 2010, MyCERT, via its Cyber999 service, handled a total of 1662 incidents representing a 21.31% increase compared to the previous quarter. Generally, all categories of incidents saw an increase in this quarter compared to the previous quarter. The incidents were reported to MyCERT by various parties within the constituency, which includes home users, private sectors, government sectors, security teams from abroad, foreign CERTs, and Special Interest Groups, in addition to MyCERT’s proactive monitoring efforts.

Figure 2 illustrates the incidents received in Q2 2010 classified according to the type of incidents handled by MyCERT and its comparison with the number of incidents received in the previous quarter. Figure 3 shows the percentage of incidents handled according to categories in Q2 2010.

In Q2 2010, System Intrusion recorded the highest number of incidents with a total of 581 cases, recording a 15.28% increase compared to the previous quarter, with 1555 Malaysian websites defaced. The majority of System Intrusion incidents are web defacements followed by system compromise and account compromise. Web defacements refer to unauthorised modifications to a website due to certain vulnerable web applications or unpatched servers. This includes web servers running on various platforms such as IIS, Apache and others.

MyCERT observed that the majority of web defacements were done via the SQL injection attack technique. SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and thereby unexpectedly executed.
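The two conditions named above (unescaped string literals, and input that is not strongly typed) are shown here against an in-memory SQLite table, each beside its corrected form. This is an added example, not MyCERT's code; the table, column names and sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "editor"), (3, "carol", "viewer")],
    )
    return db


def find_by_name_vulnerable(db, name):
    # Cause 1: the input lands inside a string literal and its quote characters
    # are not escaped, so a quote in `name` ends the literal early.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_by_id_vulnerable(db, user_id):
    # Cause 2: no quoting is involved, but the value is never checked to be a
    # number, so any text sent as the "id" becomes part of the statement.
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return db.execute(sql).fetchall()


def find_by_name_safe(db, name):
    # Bound parameter: the value travels separately from the SQL text.
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_safe(db, user_id):
    # Strong typing first (reject anything that is not an integer), then bind.
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT id, name FROM users WHERE id = ?", (numeric_id,)).fetchall()


def compare(db):
    """Row counts returned for the same hostile inputs by each version."""
    quoted, untyped = "x' OR '1'='1", "1 OR 1=1"
    return {
        "name_vulnerable": len(find_by_name_vulnerable(db, quoted)),
        "name_safe": len(find_by_name_safe(db, quoted)),
        "id_vulnerable": len(find_by_id_vulnerable(db, untyped)),
        "id_safe": len(find_by_id_safe(db, untyped)),
    }


if __name__ == "__main__":
    print(compare(make_db()))
```
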
More information on the SQL injection attack technique and fixes is available at: http://www.mycert.org.my/en/resources/web_security/main/main/detail/573/index.html

There were several reports of mass defacements, as also occurred in the previous quarter, involving virtual hosting servers belonging to local web hosting companies. MyCERT has advised the System Administrators on steps for rectifying cases of mass defacement.

Figure 4 shows the breakdown of domains defaced in Q2 2010. Out of the total websites defaced in Q2 2010, 75% of them are those with .com and .com.my extensions.

[Figure 1: Illustrates the incidents received in Q2 2010, classified according to the type of incidents handled by MyCERT. Chart by month: April, May, June.]

Figure 2: Comparison of Incidents between Q1 2010 and Q2 2010

Categories of Incidents    Q1 2010    Q2 2010
Intrusion Attempt               67        146
Denial of Service               18          3
Fraud                          446        424
Vulnerability Report            11          7
Cyber Harassment                57         62
Content Related                  6          8
Malicious Codes                131         98
Intrusion                      504        581

Figure 3: Percentage of Incidents in Q2 2010
Vulnerabilities Report (0%), Spam (9%), Malicious Codes (17%), Intrusion Attempt (9%), Intrusion (35%), Fraud (26%), DoS (0%), Cyber Harassment (4%), Content Related (0%)

[Figure 4: Percentage of Web Defacement by Domain in Q2 2010]

Fraud incidents in this quarter decreased by about 4.9% compared to the previous quarter. Some of the fraud incidents MyCERT handled were Nigerian scams, lottery scams and cheating, mainly with phishing involving foreign and local brands. A total of 298 phishing websites were reported to us, which mostly targeted local brands such as Maybank2U.com, Cimbclicks.com and Pbebank.com. In this quarter, we received significant reports of more than 50 phishing sites that targeted a particular local brand only and we assisted in the removal of those phishing sites by communicating with the affected Internet Service Providers (ISPs).

Based on our analysis, the majority of phishing sites are hosted on compromised machines, in addition to those that phishers host on purchased or rented domains. The machines could have been compromised and used to host phishing websites and other malicious programs.

Cheating activities are still prevalent on the net just as in the previous quarter. Most involve online scams and fraudulent purchases. Cheating cases are usually escalated to Law Enforcement Agencies for further investigation.
We advise Internet users to be very careful when they make purchases online and with regard to whom they deal with.

Reports on harassment also increased this quarter, with a total of 62 reports representing an 8.77% increase. Harassment reports mainly involve cyberstalking, cyberbullying and threats. In this quarter, MyCERT received several reports of messages posted on social networking sites that may raise racial and religious tension in our society. The messages were removed after MyCERT communicated with the respective Internet Service Provider. We also continue to receive reports of identity thefts at social networking sites. MyCERT advises Internet users to be more careful on what they release and expose about themselves on social networking sites as all information can be manipulated for identity theft purposes.

Under the classification of malicious codes, in Q2 2010, MyCERT handled 277 reports representing 18.37% out of the total number of incidents. Some of the malicious code incidents we handled are active botnet controllers, hosting of malware or malware configuration files on compromised machines, and malware infections to computers.

Advisories and Alerts

In Q1 2010, MyCERT issued a total of 12 advisories and alerts for its constituency. Most of the advisories in Q1 involved popular end user applications such as Adobe PDF Reader, Adobe Shockwave player, Multiple Apple Product Vulnerabilities, Multiple Microsoft Vulnerabilities and Microsoft Internet Explorer. Attackers often compromise end users’ computers by exploiting vulnerabilities in the users’ applications. Generally, the attacker tricks the user into opening a specially crafted file (e.g. a PDF document) or web page.

Readers can visit the following URL on advisories and alerts released by MyCERT in Q2 2010.
http://www.mycert.org.my/en/services/advisories/mycert/2010/main/index.html

Other Activities

MyCERT staff were invited to conduct talks and training in various locations in Q2 2010 and a total of 17 talks and trainings were conducted by MyCERT staff at different locations locally as well as overseas. The majority of the talks and trainings were related to Incident Handling, Malicious Traffic Analysis, Analysis of Malicious Files, Hacking Anatomy, Internet Security, Log Analysis, Web Security, Open Source and MyCERT’s Case Studies.

Some of the prominent talks that MyCERT staff conducted were “Malaysia National Report and Case Study” at the Anti-Phishing Working Group in Brazil, “Pkaji: Analysing Malicious PDF Files” at The Honeynet Project 9th Annual Workshop in Mexico and “Interception and Analysis of Malicious Traffic based on NDIS Intermediate Driver” at SIGINT 2010, Chaos Computer Club in Germany. MyCERT also conducted trainings on Incident Handling, Log Analysis and Web Security at the OIC-CERT Regional Workshops held in Tunisia and Morocco. Other significant talks and trainings conducted by MyCERT staff were held in various locations in Malaysia.

Conclusion

Overall in Q2 2010, the number of computer security incidents reported to us increased by 21.31% compared to the previous quarter, and most categories of incidents reported also increased. The increase is a reflection that more Internet users are reporting incidents to CyberSecurity Malaysia. However, no severe incidents were reported to us, and we did not observe any crisis or outbreak in our constituency. Nevertheless, users and organisations must be constantly vigilant of the latest computer security threats, and are advised to always take measures to protect their systems and networks from threats.
Internet users and organisations may contact MyCERT for assistance using the contact details below:

Malaysia Computer Emergency Response Team (MyCERT)
E-mail: [email protected]
Cyber999 Hotline: 1 300 88 2999
Phone: (603) 8992 6969
Fax: (603) 8945 3442
Phone: 019-266 5850
SMS: Type CYBER999 report & SMS to 15888
http://www.mycert.org.my/

Please refer to MyCERT’s website for latest updates of this Quarterly Summary. ■

HOW SECURE IS RFID?
By Nor Azeala binti Mohd Yusof

Introduction

Radio Frequency Identification (RFID) is becoming one of the most popular technologies of our era. RFID is generally used to describe any technology that uses radio signals in transmitting data and energy. RFID systems do not require line-of-sight and can work without contact. This property can be used in industrial applications for the tracking of goods, or in access systems.

Originally, RFID technology was developed to replace barcodes. There are some advantages of RFID systems over optical identification with barcodes that have been identified. With RFID, it is possible to rewrite and modify data, and it can operate without line-of-sight. The reading speed of RFID is much higher than barcodes. However, since modern 2D barcodes can store 16kBit of data or more, storage may not be one of its advantages.

The RFID system basically consists of transponders (tags), readers (scanners), and application systems needed to process any acquired data. A tag contains a microchip, capacitors and an antenna coil which is embedded into an encapsulation material. The tags communicate with the reader via radio signals. A reader can either be a peripheral or a handheld device. The reader also can be integrated into a fixed installation system. Usually, it will send the collected tag-data to the application system for further processing. The communication is initiated by the reader or by the tag, depending on the tag protocol.

In this article, we will discuss RFID security issues and ways to overcome the problems.

Threats in RFID

RFID systems can be used to improve service quality, increase productivity and maintain quality standards in many areas. They can make object management easier and more convenient. However, although the innovation and automation potential of RFID systems is large, they also have a number of inherent vulnerabilities and security issues, especially during radio communications between RFID transponders and readers. Fundamental information security objectives such as confidentiality, integrity, availability, authentication, authorisation, nonrepudiation, and anonymity are often not achieved unless special mechanisms are integrated into the system. Threats or constraints within the RFID can be divided into four - privacy, authentication, confidentiality, and other attacks.

[Figure 1: Overview of an RFID system with passive tags (Source: RFID Security)]

Privacy

The privacy aspect has gained special attention for RFID systems. As we know, readers can read everything within their range. RFID tags can respond to the reader without alerting their users. Most RFID tags emit unique identifiers. However, clandestine scanning of tags may still be a possible threat to users.
For example, a person carrying an RFID tag effectively broadcasts a fixed serial number to nearby readers, providing a ready vehicle for concealed physical tracking, which is possible even if a fixed tag serial number is random and carries no intrinsic data. In addition to their unique serial numbers, EPC (Electronic Product Code) tags carry information about the items they are attached to. Thus, a person carrying EPC tags is subject to clandestine inventorying. A reader can silently determine what objects the user has on him, and harvest his important personal information.

Authentication

The authenticity of a tag is at risk since the unique identifier (UID) of a tag can be spoofed or manipulated. The tags are in general not tamper resistant. RFID authentication concerns the problem of good readers harvesting information from malicious tags. Basic RFID tags are vulnerable to simple counterfeiting attacks. Little money or expertise is required to scan and replicate the tags. One good example was done by Jonathan Westhues, an undergraduate student who constructed a Radio Frequency tape recorder. This device can read commercial proximity cards, even through walls, and simulate their signals to compromise building entry systems. In future, it is possible to clone a person to counterfeit the identity of a legitimate tag in order to be authenticated by the reader as the real person. In a worst-case scenario, a real person’s rights could possibly be abused or violated if their clone was a wrongdoer.

Confidentiality

The communication between reader and tag is unprotected in most cases. Eavesdroppers may thus listen in if they are in the immediate vicinity. The forward channel from the reader to the tag has a longer range and is more at risk than the backward channel. Furthermore, the tag’s memory can be read if access controls are not implemented.
The issue of confidentiality is of great importance since the wireless nature of RFID makes eavesdropping one of the most serious and widely deployed threats.

In eavesdropping, an unauthorised individual can use an antenna to record communications between legitimate RFID tags and readers. This attack can be performed in both directions, tag to reader or reader to tag. One of the factors that make this type of attack feasible is the distance of the attacker from the legitimate RFID devices. Since readers transmit information at a much higher power than tags, the readers are susceptible to these attacks at much greater distances, and consequently to a greater degree. The signal that will be eavesdropped upon is also dependent on the location of the eavesdropper relative to the RFID tag and reader, as well as the possible countermeasures employed for deteriorating the radio signal.

Other Attacks

These can be grouped into three categories - Mimic, Gather, and Denial of Service (DoS). As shown in Figure 2, spoofing is defined as duplicating tag data and transmitting it to a reader. The reader receives data acquired from a tag, which mimics the legitimate source. Malware Insertion is defined as having a tag carry malicious code, such as an SQL injection or a worm, rather than valid data in its data storage area. Replay is defined as intercepting a valid RFID signal and recording its data; this data is later transmitted to a reader, where it is played back. Data Tampering is defined as unauthorised erasing or changing of data to render the tag useless. DoS occurs when multiple tags or specially designed tags are used to overwhelm a reader’s capacity to identify individual tags in order to make the system inoperative.

Overcoming the problems

There are several approaches to solve some of the problems discussed earlier.
Privacy protection

Tag Deactivation Approaches

This approach can be temporary or permanent to ensure privacy protection. When a tag is deactivated, it cannot respond to any reader and does not reveal the information stored on its microchip. There are two ways to do this - temporarily with the sleeping approach, or permanently by the killing approach.

When an EPC tag receives a kill command from a reader, it renders itself permanently inoperative. To prevent unwanted deactivation of tags, this kill command is PIN protected. To kill a tag, a reader must also transmit a tag-specific PIN. Killing or discarding tags enforces consumer privacy effectively, but it eliminates all of the post-purchase benefits of RFID for the consumer.

Rather than killing tags at the point of sale, why not put them to “sleep” (temporary inactivation)? While this concept is simple, it would be difficult to manage in practice. Sleeping tags would confer no real privacy protection if any reader at all could “wake” them. Hence, some form of access control such as passwords, specific PINs, or biometrics would be needed for the waking of tags.

Re-encryption

It is necessary that tag identifiers be suppressed or changed over time to prevent RFID tag tracking. Juels, a chief scientist of RSA Laboratories, and Pappu, scientist and cofounder of the Advanced Development Group in ThingMagic Inc., consider the special problem of consumer privacy protection for RFID-enabled banknotes. Their scheme employs a public-key cryptosystem with a single key pair: a public key PK, and a private key SK held by an appropriate law enforcement agency. An RFID tag in the system carries a unique identifier S, the banknote serial number. S is encrypted under PK as ciphertext C; the RFID tag emits C. Only the law enforcement agency, as possessor of the private key SK, can decrypt C and thus learn the serial number S. To address the threat of tracking, the ciphertext C is proposed to be periodically re-encrypted.
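The re-encryption step this scheme depends on, worked through with textbook ElGamal as an added example (not code from the article or from Juels and Pappu). The small group parameters P and G, the function names and the sample serial number are constructed for illustration, and the optical write-access key is not modelled.

```python
import secrets

# Toy parameters, constructed for this example only. A deployment would use a
# standardised large prime-order group and encode S into that group.
P = 2**127 - 1   # prime modulus
G = 3            # base


def _rand_exp():
    return secrets.randbelow(P - 3) + 2      # uniform in 2..P-2


def keygen():
    """Law-enforcement key pair: private SK, public PK = G^SK mod P."""
    sk = _rand_exp()
    return pow(G, sk, P), sk


def encrypt(pk, s, r=None):
    """C = (G^r, S * PK^r): the value the banknote tag stores and emits."""
    if not 0 < s < P:
        raise ValueError("serial number must be in 1..P-1")
    r = _rand_exp() if r is None else r
    return pow(G, r, P), (s * pow(pk, r, P)) % P


def reencrypt(pk, c, t=None):
    """C' = (c1 * G^t, c2 * PK^t): needs PK only, never SK or S."""
    c1, c2 = c
    t = _rand_exp() if t is None else t
    return (c1 * pow(G, t, P)) % P, (c2 * pow(pk, t, P)) % P


def decrypt(sk, c):
    """S = c2 * c1^(-SK) mod P, with the inverse taken via Fermat's little theorem."""
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - sk, P)) % P


def linkable(observations):
    """True if an eavesdropper sees the same value twice, i.e. can track the tag."""
    return len(set(observations)) < len(observations)


def circulate(pk, c, hops):
    """Ciphertexts emitted as the note passes `hops` re-encrypting readers."""
    trail = [c]
    for _ in range(hops):
        trail.append(reencrypt(pk, trail[-1]))
    return trail


if __name__ == "__main__":
    pk, sk = keygen()
    serial = 4815162342                      # constructed banknote serial number S
    trail = circulate(pk, encrypt(pk, serial), 3)
    print("tag with a static C trackable:", linkable([trail[0]] * 3))
    print("re-encrypted tag trackable:   ", linkable(trail))
    print("SK still recovers S:          ", all(decrypt(sk, c) == serial for c in trail))
```
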
A system is envisaged in which shops and banks process re- encrypting readers programmed with PK. The algebraic properties of the E1 Gamal cryptosystem permit ciphertext C to be transformed into a new, unlinkable ciphertext, C using the public key PK alone, and with no change to the underlying plaintext S. In order to prevent wanton re-encryption, banknotes carry optical writeaccess keys proposed to re-encrypt a ciphertext, and a reader must scan this key. Blocker Tags To protect consumer privacy, a blocker tag is proposed. A blocker tag is a simple, passive RFID device, similar in cost and form to an ordinary RFID tag; the difference is that it performs a special function. A blocker RFID tags possesses a special bit designating it either public (0) or private (1). When a reader attempts to scan RFID tags that are marked as “private”, a blocker tag jams the reader. More precisely, the blocker tag cheats the tag-to-reader communications protocol in such a way that the reader perceives many billions of nonexistent tags and therefore stalls. A blocker actually prevents undesired scanning when it exploits the anti-collision protocol that RFID readers use to communicate with tags. This protocol is known as singulation. Singulation enables RFID readers to scan multiple tags simultaneously. The Application System ReaderEnergy, Clock Request Tags Response Ta g ReaderNetwork Back-end Database System security is compromised. Eavesdropping Data Tempering Spoofing Malware Insertion Denial of Service Replay Gather Denial of Service Mimic Makes the tags not detectable by reader systems. 
GET_CHALLENGE Random A Token 2 TA G Key K Key K READER Token 1 g(K) f(K) M 1 1 1 11 1 1 0 0 00 Transmission data Cipher data 0 Figure 2: RFID attacks categories (Source: Security Issues in RFID) e-Security | CyberSecurity Malaysia | Vol: 23-(Q2/2010)© CyberSecurity Malaysia 2010 - All Rights Reserved 5 reader first ascertains what tags are present and then addresses tags individually to ensure that tag signals do not interfere with one another during the scanning process. Authentication Protection There are two ways to solve the authentication problem through incorporation of cryptological procedures. Mutual Symmetrical Authentication The reader and tag in the communication need to check the other party’s knowledge for a secret cryptology key for authentication, and to determine the parties’ legitimacy. This approach is based on the principle of a three-pass mutual authentication. In the mutual symmetrical authentication, the tags and readers of an application are in possession of the same secret cryptological key K. When a tag first enters the interrogation zone of a reader, it cannot be assumed that the two participants in the communication belong to the same application. The reader needs to protect the application from manipulation using falsified data while the tag needs to protect the stored data from unauthorised reading or overwriting. Procedures:1. Reader sends a GET_CHALLENGE command to the tag. 2. Tag generates a random number, RA, and then sends it back to the reader. This procedure is called a Challenge-Response procedure. 3. Reader generates a random number RB. 4. Reader calculates an encrypted data block called token 1 (contains both the random number RA and RB and additional control data Text 1) by using secret key K and common key algorithm ek, then sends this data block to the tag. 5. Tag decrypts received token 1 and compares the received RA with the previously transmitted RA. 
If the two figures correspond, the tag can confirm that the two common keys correspond. 6. Tag generates another random number, RC, to be used to calculate an encrypted token 2 (contains random number RB and additional control data Text 2). 7. Tag sends Token 2 to the reader. 8. The reader decrypts token 2 and checks whether the received RB is equal to the previous one. If the two figures correspond, then the reader can confirm the key as well. 9. Now, the tag and reader have authenticated each other and further data communication is thus legitimised. Advantages: 1. There is no need for a secret key to be transmitted over the air (only encrypted random numbers are transmitted) 2. Two random numbers are always encrypted simultaneously 3. The token can be encrypted using any algorithm 4. The strict use of random numbers from two independent sources mean that recording an authentication sequence for replay attack would fail 5. The data transmission is more secure since the random session key is calculated from the random numbers generated. However, this represents a potential source of danger for applications that involve vast quantities of tags. The small probability that the key for a tag will be discovered must be taken into account because the tag is accessible to everyone in uncontrolled numbers. If this happen, the procedures described above would be totally open to manipulation. Derived Key Authentication In derived key authentication, the key of each tag is derived independently. 1. Unique ID number of each tag is read out during its production and an individual key KX is calculated using certain cryptological algorithm and master key KM, so the tag is thus initialised. 2. Each tag receives a key linked to its own ID number and the master key KM. 3. The reader will request the ID number of the tag for authentication. 4. In a Security Authentication Module (SAM) in the reader, the tag’s specific key KX is calculated using the master key KM. 
The derived key KX can then be used to initiate the mutual symmetrical authentication procedure.

Figure 3: Mutual symmetrical authentication procedure (Source: Security Issues in RFID)

Confidentiality Protection

The common solution for protecting confidentiality is encryption. As Figure 4 shows, a pseudorandom generator can be used. The internal state M is changed after every encryption step by the state transformation function g(K). The pseudorandom generator is made up of the components M and g(K). The security of the cipher depends principally on the number of internal states, M, and the complexity of the transformation function, g(K). The encryption function f(K) can generally be very simple and can only comprise AND addition or XOR logic gating.

Protection from Other Attacks

Several countermeasures are shown in the table in Figure 5.

Conclusion

RFID is now widely used and it serves a variety of purposes. Today, cyber security is constantly in the news with identity theft, breaches in corporate financial records, and threats of cyber terrorism. RFID security should be seen in the same light. Many good solutions addressing privacy and security problems have been proposed, but when we look at the offered level of protection and the preserved usefulness of RFID features, we cannot name one single or universal method that would clearly be the most recommended approach.
Nonetheless, we can safely state that the currently most widespread mechanism for addressing all the security issues will not be sufficient as the only option in the future. Due to the need to preserve the advantages of RFID tags over longer time periods, we need to look at alternative approaches. ■

References
1. Siflia, H., Hamam, H., Selounani, S.A. (2009). Technical Solution for Privacy Protection in RFID. European Journal of Scientific Research. 38(3), 500-508. http://www.eurojournals.com/ejsr_38_3_14.pdf
2. Wang, K. (2009). Security Issues in RFID. http://security.riit.tsinghua.edu.cn/share/RFID.pdf
3. Feldhofer, M., Dominikus, S., and Wolkerstorfer, J. (2004). Strong Authentication for RFID Systems Using the AES Algorithm. Strong Authentication for RFID Systems. 357-370. http://fara.cs.unipotsdamde/~engelman/13.%2 Semester/Master%20Thesis/Materialien%20und% 20Originalquellen/Arbeiten/Strong%2 Authentication%20for%20RFID%20Systems%20 using% 20the%20AES%20Algorithm.pdf
4. Knospe, H., Pohl, H. (2004). RFID Security. Information Security Technical Report. 9(4), 39-50. http://www.sciencedirect.com/science? ob=ArticleURL&_udi=B6VJC-4FBFH6X-5& user=1441945&_coverDate=12%2F31%2F2004& rdoc=1&_fmt=high&_orig=search&_sort=d& docanchor=&view=c&_searchStrId=1354987274& rerunOrigin=scholar.google&_acct=C000012458& version=1&_urlVersion=0&userid=1441945&md5= d48 3b625a3bf1d6d5291ee78efa1812
5. Liang, Y., Rong, C. (2008). RFID System Security Using Identity-Based Cryptography. http://www.spri gerlinkcomcontent/1301g8j0082ux28/
6. Juels, A. (2006). RFID Security and Privacy: A Research Survey. IEEE Journal on Selected Areas in Communication. 24(2), 381-394. http://allserv kahosl.be/projecten/rabbit/studienamiddag/pres rfid.pdf
Figure 4: Encryption using a pseudorandom generator (Source: Security Issues in RFID)

Figure 5: Protection techniques against different attacks (Source: Security Issues in RFID)
CATEGORY: TECHNIQUES
Spoofing: Appropriate authentication; Protect secrets; Don’t store secrets
Denial of Service: Appropriate authentication; Filtering; Throttling; Quality of Service
Replay: Appropriate authentication; Timestamps
Data Tampering: Appropriate authentication; Hashes; Message authentication codes; Digital signatures; Tamper resistant protocols
Malware Insertion: Middleware detection

Explosive Wireless Communication Growth Drives Security Needs
By | Koroush Saraf

Introduction

Devices capable of handling IEEE 802.11 based wireless communication are expected to exceed 1 billion units by year 2013 according to In-Stat research. This exponential growth is attributed to mobile devices such as smartphones, netbooks and laptops that will use WiFi as their primary method of high-speed network access. This wireless growth is seen not only in the consumer electronics space: the ratification of 802.11n has also accelerated the adoption of wireless devices in small to large enterprises. This article will touch on this new technology and the security challenges that need to be addressed.

The IEEE 802.11n technology uses sophisticated signal encoding algorithms to provide over 5X bandwidth and 2X greater range using the same frequency spectrum as 802.11a and 802.11b/g. It achieves this more efficient use of spectrum by taking advantage of three major enhancements: in the physical layer radio, in media access, and in multiple antennas and multiple transmit streams, known as MIMO technology (see Table 1.0 for more information).

Table 1.0: 802.11n Enhancements
MIMO: Transmit beamforming (TxBF); Maximal Ratio Combining (MRC); Spatial Multiplexing (SM); Space Time Block Coding (STBC); Cyclical Shift Diversity (CSD)
PHY enhancements: 40 MHz Channels (channel bonding); More Subcarriers; Non-HT Duplicate Format; Optional Short Guard Intervals; Significantly Increased Modulation Rates
MAC enhancements: 40 MHz Channels (channel bonding); Block Acknowledgements; Reduced Interframe Space - RIFS; Spatial Multiplexing Power Save - SMPS; Power Save Multi-Poll - PSMP

MIMO technology transmits the data over two or more separate radios. These multiple transmitted signals can take different paths and are received at different times by the receiver. On the receiver’s side, multiple radios pick up the transmitted signals and recombine them for maximum signal quality. This use of multipath and multiple antennas increases overall signal quality and therefore leads to increased bandwidth and range.

Figure: Legacy 11g vs. 11n, throughput (Mbps) against distance (ft), comparing 802.11abg with 802.11n: faster speeds, longer range. 802.11 wireless data rates have surpassed wired Fast Ethernet speeds, enabling their use as the primary access edge mechanism.

Achieving critical mass with the advent of IEEE 802.11n

With the advent of IEEE 802.11n technology, many new services and capabilities that were marginally functional using 802.11g can now go mainstream. One such feature is the new voice over WiFi handset technology that can take advantage of the multimedia extensions of 802.11n, as well as the newly enabled power save modes.
Using these features, voice handsets preserve battery power and allow longer standby and talk times as well as better audio quality.

Another key trend is the replacement of access edge Ethernet switches with wireless access. At the enterprise level, companies can now provide a similar connection experience with a wireless solution, at a lower total cost of ownership and deployment than a wired solution.

Another new extension is peer-to-peer communication between devices. This new technology will change the home entertainment center by providing high speed wireless communication between the television and other audio/video equipment. This literally means that the television is now your computer as well.

Like any technology that connects us to the outside world, the issue of security is paramount. New authentication and encryption mechanisms, such as WiFi Protected Access version 2, have been added to wireless standards in the past few years. However, even with the presence of strong authentication and link encryption, the following wireless threats still persist:
• Man-in-the-middle attacks
• Evil twin AP / Honeypot
• Denial of service attacks – Too many associations per second, Packet Flood
• Rogue Access Points
• De-Authentication broadcast
• Channel interference
• MAC spoofing

In fact, some of the recent high-profile hacking cases have involved “drive-by” trolling of exposed wireless networks of retail establishments, resulting in the theft of thousands of consumer credit card accounts. In addition to mid-enterprise organisations and service providers, retail industry customers will need to address wireless security guidelines required by the Payment Card Industry, which require the detection of rogue wireless access points and intrusion prevention. Wireless LANs carry as much risk as wired networks, if not more.
Therefore, medium-sized enterprises to large organisations need to look into protecting both their wired and wireless LANs with the same network and application security solutions. ■

Koroush Saraf is the Director of Product Management at Fortinet, concentrating on wireless and security products. Most recently, he was the director of product management and co-founder at ConSentry Networks, where he defined product requirements and led the high-level architecture of the ConSentry LANShield appliances and switches for seven years. Koroush has Master of Science degrees from USC/ Stanford University and a Bachelor of Science degree from the University of Maryland.

Balancing Availability & Security Challenges in Cloud Computing
By |

Introduction

Globalisation has changed the way we do things, especially in computing. Not being restricted to any geographical boundary has allowed the emergence of new computing architecture. Services are now offered anywhere and to anyone across the globe. Users can now access their applications and data anywhere, anytime and on various platforms and devices. It is undeniable that our daily life revolves around the Internet. Who would have ever thought of the vast storage and applications that the Internet provides? When you store data on the Internet, do you worry about data size limitations? When you watch videos on YouTube, have you ever wondered where the videos are stored?

A survey conducted by the Pew Internet and American Life Project in 2008 shows that 69% of online American citizens use webmail services, store data online, and use software programs, such as word processing applications, whose functions are located on the web. Table 1 shows the survey findings on the sets of activities participants have conducted over the Internet utilising cloud computing.

Table 1: Survey Findings on Cloud Computing Activities
Cloud computing activity: Internet users who perform the activity online (%)
Use webmail services such as Gmail, Yahoo mail or Hotmail: 56
Store personal photos online: 34
Use online applications such as Google Documents or Adobe Photoshop Express: 29
Store personal videos online: 7
Pay to store computer files online: 5
Backup hard drive to an online site: 5

What is cloud computing?

In a nutshell, it is a virtual server available on the Internet. According to Kevin Marks from Google, the word “cloud” was chosen because it comes from the early days of the Internet, when we drew the network as a cloud. Clouds can be seen, we know they exist, but they are intangible; the same applies to cloud computing. We do not know where or how our data, applications, hardware or network infrastructure are set up and stored, but we know they are somewhere in that cloud.

More formally, the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance define cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

There are various cloud services providers offering a variety of services. Some common cloud services providers are shown in Figure 1.

Figure 1: Example of cloud services providers

Cloud computing offers businesses many benefits, especially for organisations looking to enhance their IT systems or services while minimising cost. There are various types of cloud computing services offered by cloud computing service providers; these can mainly be grouped into three service models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Table 2 describes the service models offered. However, each service model has an associated security risk.

Table 2: Cloud Computing Services Models

Infrastructure as a Service (IaaS)
Description: Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party.
To be considered: Options to minimise the impact if the cloud provider has a service interruption

Platform as a Service (PaaS)
Description: Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.
To be considered:
• Availability
• Confidentiality
• Privacy and legal liability in the event of a security breach (as databases housing sensitive information will now be hosted offsite)
• Data ownership
• Revolves around e-discovery

Software as a Service (SaaS)
Description: Capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail).
To be considered:
• Who owns the applications?
• Where do the applications reside?

The storage services that cloud computing offers are not limited to personal usage; cloud computing has also become the first choice for companies and enterprises that opt for it as a backup solution or as part of their overall disaster recovery strategy. There is also consistent growth in companies that are now choosing the SaaS model to host their organisation’s internal and external systems. When choosing cloud services, companies must take into account the deployment model. There are four deployment models of cloud computing, as depicted in Table 3. Each deployment model has associated risks which have to be considered prior to making a choice.

Table 3: Deployment Models of Cloud Computing

Private Model
Description of cloud infrastructure:
• Operates solely for an organisation
• May be managed by the organisation or a third party
• May exist on-premise or off-premise
To be considered:
• Cloud services with minimum risk
• May not provide the scalability and agility of public cloud services

Community Model
Description of cloud infrastructure:
• Shared by several organisations
• Supports a specific community that has a shared mission or interest
• May be managed by the organisations or a third party
• May reside on-premise or off-premise
To be considered:
• Same as private cloud, plus:
• Data may be stored with the data of competitors.

Public Model
Description of cloud infrastructure: A composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)
To be considered:
• Aggregate risk of merging different deployment models
• Classification and labeling of data will be beneficial to the security manager to ensure that data is assigned to the correct cloud type.

Hybrid Model
Description of cloud infrastructure: A composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)
To be considered:
• Aggregate risk of merging different deployment models
• Classification and labeling of data will be beneficial to the security manager to ensure that data is assigned to the correct cloud type.

Though certain levels of cloud computing have been in use for quite some time now, the commercial cloud services offered to organisations are fairly new. Users have concerns about the implementation of the cloud computing or on-demand model. The survey shown in Figure 2 clearly shows that security is the main issue most people are concerned about, followed by performance and availability. Understandably, these issues portray the risks that need to be taken into account before moving to cloud computing. In another survey carried out by Kelton Research in 2009, 45% of the respondents believed that the risks of cloud computing outweigh the benefits. Only 17% of the respondents said that the benefits achieved with cloud computing outweigh the risks.

Availability in Cloud Computing

Due to the on-demand nature of cloud computing, availability is the main concern when subscribing to cloud computing services. Similar to availability in other applications and services, users fear that their data or applications will not be available when most needed. In the context of cloud computing, location plays a role in retrieving data. Although we do not know where our data is stored, the further away the data is, the riskier it will be. The server’s uptime is vital since companies cannot afford to wait and lose their business. In order to support businesses that require high speed access and sufficient storage, cloud providers must have excellent infrastructure and bandwidth.
To achieve this, providers normally have redundant paths for load balancing to avoid overloading the system, which can result in delayed service. Though availability is always guaranteed by cloud providers, customers should ensure that they have provisions in place if service disruption occurs. Most, if not all, cloud service providers provide three to four “nines” of uptime and availability, but there are many examples of services failing from unpredicted code or human errors (e.g. Google) [1]. In fact, EMA research has shown that average enterprise IT uptime is just ‘two nines’, at 99.5%. For a 24×7 system, that is over 50 minutes of downtime, each and every week. The most recent example of such a failure is the power outage at IaaS provider Rackspace’s London facility, but of course, we have seen this before from many public cloud providers – including Rackspace in particular, and not just once. Amazon, Yahoo, Microsoft, GoGrid, RIM, Twitter, Paypal and many others have also had substantial and often repeated outages.

Figure 2: Survey on challenges/issues ascribed to the cloud model
Q: Rate the challenges/issues ascribed to the ‘cloud’/on-demand model (% responding 4 or 5; 1 = not significant, 5 = very significant)
Security: 74.6%
Performance: 63.1%
Availability: 63.1%
Hard to integrate with in-house IT: 61.1%
Not enough ability to customize: 55.8%
Worried on-demand will cost more: 50.4%
Bringing back in-house may be difficult: 50.0%
Regulatory requirements prohibit cloud: 49.2%
Not enough major suppliers yet: 44.3%
*Source: IDC Enterprise Panel, August 2008, n=244

Information Security Issues

Confidentiality, authentication and authorisation

Too much emphasis on availability may sometimes divert users’ attention from security issues. Among the main security issues to be considered is confidentiality. Users often question the safety of data stored in the network. What kind of service does the cloud provider offer in order to keep a customer’s data secure? Users should also be wary about trustworthiness – can the service provider ensure the confidentiality of their data?

In the chapter on Data Security and Storage in their book Cloud Security and Privacy: An Enterprise Perspective on Risks, Tim Mather, Subra Kumaraswamy and Shahed Latif advise users to find out whether their cloud provider uses vetted encryption algorithms, and whether the protocols employed ensure data confidentiality as well as data integrity. Apart from that, the authors discuss aspects of data security related to data in transit and data at rest. Users should be aware that even when data at rest is encrypted, it cannot be operated on by the application without being decrypted. If users remain skeptical about their data security, the authors advise not putting sensitive data in a public cloud, other than for simple cloud storage services where the data is, and always remains, encrypted.

Gartner, the world’s leading information technology research and advisory company, points out that the cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability,” Gartner adds.

To ensure the confidentiality of stored data, users should also look at authentication and authorisation aspects. Using just a username and password is no longer safe in the cloud world since they can be easily guessed by hackers. Thus, a cloud service provider must facilitate an additional authentication factor outside of the browser. Professor Jonathan Zittrain, in his article “Lost in the Cloud” published in the NY Times on July 20, 2009, proposed solutions that include adopting safer Internet communications and password practices, including the use of biometrics like fingerprints to verify identity. Other types of authentication vary, as shown in Figure 3 below:

Figure 3: Authentication and authorisation recommended for cloud.
Group headings in the diagram: Client Components; Security Infrastructure; Cloud-based Services.
Labels in the diagram: Client Device Identification; Cryptographic Processing Module; Secure Private Key Storage; Secondary Authentication Form Factors; Identity Proofing Service; Fraud Detection Service; Online Identity Metasystems; Adaptive Authentication; Anomaly & Fraud Detection; Public Key Management Service; Identity Management (IdM); Web Access Management (WAM); Single Sign-On (SSO); Risk-based Analytics; Key & Cert Management (PKI); Vulnerability Management; Security Policy Management; Personal Identity Frameworks; Authentication System; Strong Authentication Service.

Authentication should not be taken lightly, as we do not want our data to fall into the wrong hands. Information leakage can harm a company’s business if misused. There was a case reported in 2009 where a hacker managed to access an extensive amount of company data stored on Google Apps by first hijacking a Twitter employee’s official e-mail account [5]. After probing, it was discovered that the breach had to do with weak passwords and password resets. This incident has raised awareness of security and privacy concerns related to cloud computing.

Access control is one of the security controls that should be reviewed when subscribing to any cloud computing service. The access controls selected, such as restricting privileged user access to sensitive data, will ensure that identification, authentication, authorisation and non-repudiation issues are addressed.

Integrity

The next important security challenge in cloud computing is data integrity. Clearly the data that resides in the cloud holds valuable company information, the value of which will degrade if it is deleted or altered. To ensure the data remains intact, Henry Sienkiewicz, DISA Technical Program Director of Computer Services, points out a series of access control measures that can help guard against unauthorised data availability to cloud users operating in a multi-tenant environment [6]. He added that intrusion detection should be built, not just externally, but internally as well. Access controls can be created based on roles and responsibilities throughout the environment. They can also be narrowed down, not only by individual layers, but by individual data as well.
Choosing a cloud provider should not be a rushed decision – customers must dedicate substantial time and resources for evaluation. Cautious customers who have high regard for data integrity should measure cloud providers by adhering to the advice of consultants, and by using the accounting industry’s SAS 70 Type II audits of internal controls or the ISO’s 27001 information security standards. This is to ensure that cloud providers strive for high-level security. Customers must avoid vendors who refuse to provide details on the security services offered. Chenxi Wang, principal analyst of security and risk management at Forrester Research, recommends that clients inquire thoroughly, before subscribing to a vendor’s services, about how the vendor would guard customers’ data, what happens to the data once the bond ends, and the procedures in place if the contract is breached. He further advised users to ask for service-level agreements and non-disclosure agreements that are as detailed as possible about recourse actions, to cover users’ bases.

Cross-border legal aspect

As discussed earlier, we do not know where our data is stored, the route it travels, and the type of security measures implemented to secure it. It could be at any point around the globe. When data resides outside of our country, would it be easy for local authorities to request access, should the need arise? This would be an issue, as every authority or government has its own laws to abide by. In the European Union, there exists the EU Data Protection Directive, which says that, in the absence of specific compliance mechanisms, the EU prohibits the transfer of personal information of EU residents out of the EU to the US and the vast majority of countries around the world [7]. Consequently, buyers should ponder these questions before the contract with a cloud provider is signed:
• What kind of data will be in the cloud?
• Where do the data subjects reside?
• Where will the data be stored?
• Where are the servers?
• Will the data be transferred to other locations and, if so, when and where?
• Can certain types of data be restricted to particular geographic areas?
• What is our compliance plan for cross-border data transfers?

Cloud computing services are here to stay. They offer enterprises the ability to have long-term IT savings, scalability, the reduction of infrastructure, and the establishment of IT services. Though users’ main concern is