The Hong Kong IT Security Summit was held at City University of Hong Kong on 28th Nov 2012. The Summit was co-organized by City University of Hong Kong (CityU), Velosti Technology Limited and Hong Kong Applied Science and Technology Research Institute (ASTRI). This annual event gathered top IT professionals and security experts in Hong Kong to address critical IT security issues and to discuss the latest best-practice security solutions.
Dr. Ray Cheung said Mr. Hon Charles Mok (Legislative Councillor - IT, HKSAR) had been invited to attend the summit but was not available. His greeting message was shown to congratulate the successful launch of the summit.
The first speaker was Mr. Alan Cheung (R&D Director, IC Design Group, ASTRI) and his topic was "ASTRI Secured Storage Technologies". He presented ASTRI technology in terms of performance, security and reliability.
Firstly, Mr. Alan Cheung introduced the ASTRI product roadmap in storage technology. Then he introduced USB 3.0, which is 10x as fast as USB 2.0, with high data throughput and low power consumption when idle.
After that he briefed the security designs as follows:
- Security with System Design (e.g. Fingerprint Sensing and Face Recognition)
- Security with Software Design (e.g. User-to-Computer Authentication (UCA) security algorithm)
- Security with Hardware Design (e.g. AES-XTS)
Reliability with Design Flow and with Verification Expertise were also mentioned. USB 3.0 compliance tests and certification were a challenge. The certified USB logo was shown in the top right corner.
The second speaker was Dr. Patrick Hung (President, Velosti Technology Limited) and his presentation title was "USB Sticks: Culprit behind Security Breaches".
Dr. Patrick Hung said that if you think all USB sticks are the same and secure, pigs can fly and can climb trees. Then he briefed different security breaches in the US and UK as examples.
Dr. Patrick Hung said the good news was that USB sticks were getting cheaper with larger capacity. But Downgraded Flash Devices (黑片) are unreliable, and more than 50% of USB sticks in China were built with Downgraded Flash Devices and TLC Flash Devices. Moreover, most USB sticks did not support data encryption.
In addition, Dr. Hung introduced the latest developments beyond password protection, such as Platform Registration, USB Stick Registration and Sideband Authentication. Finally, Dr. Hung recommended using reliable USB sticks, deploying encryption in the workplace, scanning USB sticks for viruses or malware, and employing "Password + Locks" for authentication.
The third speaker was Prof. John Lui (CS&E Dept., CUHK) and his topic was "Create Your Own Cloud-based Mobile Botnet".
Prof. Lui briefed the smartphone market in China and found that Android was dominant. Then he told us the Wikipedia definition of a botnet: "A botnet is a collection of internet-connected computers whose security defenses have been breached and control ceded to a malicious party."
Prof. Lui said botnet design considered Scalability (a large population), Controllability (short response delay for commands) and Stealthiness (hard to detect), and that three factors were important: "Keep-Alive Period", "Command Dissemination Period" and "Energy Consumption". Traditional mobile botnets included the SMS Botnet, HTTP Botnet and TCP Botnet.
Then Prof. Lui briefed the move from Android Cloud to Device Messaging (C2DM) to Google Cloud Messaging for Android (GCM), and also discussed bot registration with C2DM and the large-scale problem. Lastly, he concluded that Android, though popular, had many security issues. It needed better detection, forensics and architecture.
Dr. Ray C.C. Cheung (Assistant Professor, EE Dept., CityU) was the fourth speaker and he presented the topic "Chip-To-Cloud Security: Secure Processor & Its Components".
Dr. Cheung briefed security in the new Cloud landscape, including computing technology for Mobile and Cloud, NFC & m-payment, End-to-End Security, and Crypto & Embedded Security. Then he identified four major security concerns: Confidentiality, Integrity, Genuine Authentication and Non-repudiation. Then Dr. Cheung explained the advantages and disadvantages of software versus hardware security; the two approaches were opposites in this respect.
After that Dr. Cheung explained what a secure processor is. It exploits hardware to provide both hardware and software protection. The common features were separated into Hardware Level Protection (e.g. data encryption/decryption, integrity verification, tamper detection, OS authentication) and Software Level Protection (e.g. software authentication).
Dr. Cheung said there was no convenient platform on which secure processors could be prototyped. His research used the advantage of the reconfigurable Field Programmable Gate Array (FPGA) platform to prototype the secure processor and then integrated the hardware-secured components into the Cloud platform.
Finally, he demonstrated the Secure Computing Model and concluded that we needed to rethink Trust (End-to-End Balance), Storage (Beyond Disks/Flash), SoC (Embrace Heterogeneity) and Reliability (Security Component Failure; only use the hardware you need).
Dr. Duncan Wong (Associate Professor, CS Dept., CityU) was the fifth speaker and his topic was entitled "Sharing Encrypted Cloud Data Using Proxy Re-Encryption".
Firstly, Dr. Wong introduced conventional cloud storage and sharing services such as Dropbox and Google Drive, which encrypt data on their servers and use internal policies to control access. The key belongs to the service provider.
Then Dr. Wong explained Secure Cloud Storage, which needs out-of-band key distribution. Fine Grained Secure Cloud Storage Sharing could distribute different folders to different persons, but out-of-band key distribution was still the problem.
Secure Cloud Storage Sharing using Proxy Re-Encryption (PRE) could solve the out-of-band key distribution problem. Multi-Share Fine Grained Secure Cloud Storage Using Conditional Proxy Broadcast Re-Encryption (CPBRE) was demonstrated in the following diagram: ReKey A->{B,C} [Folder A], where ReKey is the Re-Encryption Key which is sent from Alice to Bob and Carol for Folder A only.
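As an added illustration (not from the talk or any Velosti/CityU code), a toy ElGamal-style proxy re-encryption in Python shows the ReKey A->{B,C} flow: Alice encrypts a folder key once, and the cloud proxy re-encrypts it for Bob and Carol without ever being able to read it. The group parameters, key names and functions are constructed here for illustration; the scheme is a simplified bidirectional PRE in the style of Blaze-Bleumer-Strauss, not the CPBRE scheme Dr. Wong presented, and it lacks CPBRE's per-folder condition.

```python
# Toy bidirectional proxy re-encryption (BBS98 style), added example only.
# Group: Z_p^* with the Mersenne prime p = 2^127 - 1 and element g = 3.
# These are constructed toy parameters, not a vetted cryptographic group.
import secrets
from math import gcd

P = 2**127 - 1      # prime modulus
G = 3               # group element used as generator
ORDER = P - 1       # exponents are reduced modulo the group order


def keygen():
    """Return (sk, pk); sk must be invertible mod ORDER for re-keying."""
    while True:
        sk = secrets.randbelow(ORDER - 2) + 2
        if gcd(sk, ORDER) == 1:
            return sk, pow(G, sk, P)


def encrypt(pk, m):
    """Encrypt a folder key m (1 <= m < P) under pk as (pk^r, m * g^r)."""
    r = secrets.randbelow(ORDER - 1) + 1
    return pow(pk, r, P), (m * pow(G, r, P)) % P


def decrypt(sk, ct):
    """Recover g^r = c1^(1/sk), then strip it from c2."""
    c1, c2 = ct
    g_r = pow(c1, pow(sk, -1, ORDER), P)
    return (c2 * pow(g_r, -1, P)) % P


def rekey(sk_from, sk_to):
    """rk = sk_to / sk_from. This toy needs both secrets to form rk;
    unidirectional schemes remove that requirement."""
    return (sk_to * pow(sk_from, -1, ORDER)) % ORDER


def reencrypt(rk, ct):
    """Proxy step: (pk_A^r)^rk = pk_B^r. c2, and so the plaintext, is untouched."""
    c1, c2 = ct
    return pow(c1, rk, P), c2


def share_folder_key(folder_key):
    """Alice -> {Bob, Carol}: encrypt once, proxy re-encrypts per recipient."""
    sk_a, pk_a = keygen()
    sk_b, _ = keygen()
    sk_c, _ = keygen()
    ct_a = encrypt(pk_a, folder_key)
    ct_b = reencrypt(rekey(sk_a, sk_b), ct_a)   # proxy holds only rk and ct
    ct_c = reencrypt(rekey(sk_a, sk_c), ct_a)
    return {"alice": decrypt(sk_a, ct_a), "bob": decrypt(sk_b, ct_b),
            "carol": decrypt(sk_c, ct_c), "bob_without_rekey": decrypt(sk_b, ct_a)}
```

The last dictionary entry shows that a recipient who was not granted a re-key recovers garbage, which is the property that makes the proxy-held re-key, rather than an out-of-band shared key, the access-control point.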
The sixth speaker was Dr. KP Chow (Associate Professor, CS Dept., HKU) and his presentation was named "Corporate Digital Investigation - The China Challenge".
Dr. Chow quoted the 2011 CyberSecurity Watch Survey, in which 21% of attacks were caused by insiders. He said this figure was likely an underestimate because 70% of insider incidents are handled internally without legal action. Insider attacks were more difficult to defend against, more harmful and costly, and less likely to be reported.
The HKSAR OGCIO Info Security Incident Handling Guidelines were introduced. Clause 5.2.2, Security Incident Handling, covers "Planning and Preparation", "Response to Security Incident" and "Aftermath".
If a security incident happens in China, you need to employ a judicial expert (計算機國家司法鑒定人), who must obtain a practising qualification certificate from the authority and be affiliated with a judicial expertise institution. The judicial expert has investigation and forensic "power". A sample licence was shown.
The last speaker was Dr. KW Wong (Associate Professor, EE Dept., CityU) and his topic was "Joint Compression and Encryption for Multimedia Applications".
Dr. Wong briefed the traditional (Independent) Approach of Compression (e.g. WinZip/jpeg/mpeg) followed by Encryption (e.g. AES/RC4). It is not efficient because the data is read and written twice, and it unlocks either all or zero information, since partial decryption is usually not allowed. This is because the compression and encryption algorithms were designed independently and do not fit each other. Then Dr. Wong introduced the design of Joint Source Coding and Encryption.
Dr. Wong's conclusions were as follows.
- Joint operation of compression and encryption has certain advantages over the traditional approach.
- For image compression, some parameters of fractal image coding are encrypted to perform compression and partial encryption at the same time.