Wednesday, May 4, 2011

Your vote is secret?

The election is coming, and for many years there have been rumours and misgivings that voting is not confidential, and that it is best to vote for party XX to avoid any 'harm' to oneself and one's family members. Basically, people are intimidated by doubts about whether balloting privacy exists at all.
I know it may sound a bit strange to discuss such a political topic on this blog, but this article is directly related to information security. Think about it: if this particular piece of information (how each person voted) were leaked to the public, wouldn't it become a very big hoo-hah?
Everyone knows that fear itself is irrational and that its side-effects are at times hard to predict, largely due to uncertainty about the consequences. Thus this exercise in risk management is meant to help us:
  •          Identify the risk/activity and give the pertaining risk a rating/importance
  •          Identify the emerging threats/side-effects caused by the risk. This also lets us understand what additional controls/preventions exist to reduce the risk
There are many ways/methodologies to conduct a risk assessment, and it would be a very lengthy process if we followed one of them exactly. For the sake of all readers, I will simplify this and try to make it as "user friendly" as possible. You can refer to this link if you are keen to understand more. For those who are familiar with risk management and find my approach not quite in line with the mainstream approach: that is because I am tailoring it for everyone's easy reading.

Now, to begin with, you will see my approach and assessment laid out in the following manner:
  1. Identify the risk scenario (in this case: the election/voting is rigged)
  2. Identify the threat scenario/description once the risk has occurred
  3. Classify/rate the risk level:
    • Impact of the risk
    • Severity of the risk
    • Likelihood of the risk
  4. Mitigating solution/approach to reduce the risk

Identify the risk scenario
This is quite straightforward, as the risk itself is the topic of this article: "the election/voting is rigged".

Identify the threat scenario/description when risk has occurred

Identifying the threat is a process of predicting the result/consequence when the risk occurs. This is quite easy to predict, but at the same time very tricky, as it depends on which side of the fence you are sitting on. Remember: the following can only be true if the above risk scenario has occurred:
  • Reputation, integrity and so on will be tarnished
  • Loss of public confidence, which may result in anger and so on


Classify/rate the risk level:

Classifying/rating the risk level is a very important step, as it lets us better understand and estimate the consequence if a particular risk occurs. Rating the risk allows us to understand, plan and address it accordingly. For example, if the risk is low, we may not need tons of controls to address it. Likewise, if the risk is high, we need to put more emphasis on reducing the chance of it happening.
Below are quick explanations of each factor of the risk:
Impact of the risk
This means how much it affects the individual/country when it happens. For example, if Bob does not pass his PSLE, he will not be able to go on to secondary school.

Severity of the risk
Severity means how dangerous it would be if it happens. Using the same example, if Bob fails his PSLE it means he might not have a good career in future; in other words, how important is it for him to pass this exam?

Likelihood of the risk
Likelihood means the possibility of it happening. For example, if Bob has studied hard enough in preparation for the exam, then it is very unlikely he will fail it.



Below is the actual rating I give. I will explain further as we go along. For each factor I list the risk level to the country when the risk occurs, followed by my remarks.

Impact: High
If it happens, the impact would or may cause the entire country to collapse. Remember that such an event would badly damage the credibility of the government.
This means that once the risk has occurred, the pertaining threat will affect everyone in the country, be it individuals, companies, government agencies or anyone else who resides here. Due to the size of the impact, the level should be rated as high.

Severity: High
This covers the side-effects if it occurs. Riots may take place, investors will pull out, many will be out of jobs and the economy might collapse, to name some examples.
As you can see, the side-effects affect the country's international standing and credibility, and it would take a long period of time and major effort to restore things to the way they were. Therefore the severity of this risk is high as well.

Likelihood: Maybe (Low)
Think about it: is it possible for this to happen? To make it possible would take a lot of effort and resources. Therefore it is rated as low. I will explain further in the following section.



Mitigating solution/approach to reduce risk
Basically, the mitigating solution/approach addresses the risk and the threat itself. You can look at various ways to address it, reducing the risk level by targeting either the risk scenario or the threat that may occur. In the commercial arena, for example, companies may buy insurance or build an additional office to reduce the impact or severity of a risk.
However, in most cases reducing the Impact or Severity is quite difficult, and this relates to the risk scenario itself. Why? The Singapore election involves every citizen in the country. That is by law, cannot be changed, and it would also defeat the purpose if voting were only applicable to a certain group of people. Likewise, reducing the Severity is near impossible, as it is closely tied to the Impact. The only way to remove this risk entirely would be to abolish the election system. So Likelihood is the only sub-risk we can work on to reduce the possibility of occurrence.
I'm not sure if you know that there are certain guidelines/processes under which an electoral system has to be conducted as per international standards. You can refer to the following links for further reading:
So what are some of the myths that have been hanging in the air? I will try to answer some of the myths or doubts below:
Ques: There’s a serial number on my voting slip. Can I be traced?

Ans: Contrary to some beliefs, having a serial number on the voting slip is a requirement for the authenticity of each vote. Furthermore, it is there for audit purposes, should there be a dispute over the votes later on.

Ques: The GOV will know and "mark" me if I vote against them.

Ans: Think about it: there is a total of 2 million votes, and the GOV would need a lot of resources to do that. Do you think it is logical to do so? Furthermore, the personnel involved in the election are ordinary people like you and me. If this were true, it would not be a myth but a known fact without official acknowledgement. Lastly, do you see any of your friends who have disappeared into thin air?

Ques: My job is at risk if I vote against….

Ans: Again, there is no proof at all. It is all hearsay, and let me share this with you: I know of people who have voted for non-government parties all their lives and yet still got into a government board. Guess you have to convince yourself, not me.

Ques: Election officers are all public servants who work for the gov.

Ans: 1st: They are just like you and me, normal citizens. Plus there are certain procedures and processes that have to follow international requirements (refer to the links above), so I would be very surprised if someone were able to convince so many people to do something 'funny'.
2nd: Candidates can send their own personnel as observers during voting. In addition, organisations like the UN can do likewise. MARUAH has also expressed interest in being an independent observer for this election.

Ques: GLC and Civil Service officers must vote for the ruling gov, else they will lose their jobs.

Ans: 1st: Again, as I have mentioned above, it is near impossible to do that, and I would say it is purely fear that makes you feel that way. All I can say is: have you heard of anyone losing their job because of this?


Conclusion
Election results are critical to a country, and their authenticity is very important. If not, I doubt the future government would be able to survive for long. Therefore securing and ensuring the secrecy of the information and of the vote plays a very big part in it. Likewise, using a systematic risk assessment methodology allows us to prepare better and understand what controls are necessary to achieve that.
I hope this article has provided you with enough information and knowledge to make a choice of your own with much more ease.

HAPPY VOTING!!!

Sunday, December 26, 2010

Myth of SSL Certification


Recently I came across a very interesting discussion about SSL. As e-commerce and the internet have become very integrated into our daily lives, security technology has likewise become very critical. SSL is a very common "tool" available to us when making transactions online.

Sadly, SSL in general has quite a lot of significant weaknesses (be it directly or indirectly), and both auditors and hackers would love to use them as a gateway to gain access to your information. These were brought up recently, and it took me back to the books, scanning through multiple websites, forums, etc. to recap my understanding. Below is a screenshot of the output captured from the openssl command "openssl s_client -connect targetedwebsite.com:443":
issuer=/C=ZA/O=XXXX Consulting (Pty) Ltd./CN= XXXX CA
---
No client certificate CA names sent
---
SSL handshake has read 1948 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 123J12312K3HFWOIUYQWEWQEWQEWQEWQEWEQWEQW98321412ELKQJDWQL

    Session-ID-ctx:
    Master-Key: 1DSADARQREWQD23J12312K3HFWASFDASADSAOIUY98321412ELKQJDWQL
    Key-Arg   : None
    Start Time: 1286461898
    Timeout   : 300 (sec)

Above is a partial paste of the result, and two issues were highlighted:
1. The website's SSL certificate was signed with a weak cipher/key strength (claimed to be signed using RC4-MD5).
2. A weak cipher was allowed. MD5 is known to be prone to collision attacks.
The same output also shows a third item that was not raised but that a reviewer should not skip: "Secure Renegotiation IS NOT supported" means the server does not implement the renegotiation indication extension (RFC 5746). That is a separate finding from the cipher suite and deserves its own entry in the report.
I will discuss this further from different point of views:
·         Views and assessment from IT Security angle
·         Views and assessment from Risk Assessment angle


The website's SSL certificate was signed with a weak cipher/key strength (claimed to be signed using RC4-MD5)
From the techie's view: The above statement is incorrect. "Cipher is RC4-MD5" in the s_client output is the cipher suite negotiated for this session (RC4 for bulk encryption, HMAC-MD5 for the record MAC); it says nothing about how the certificate was signed. The certificate's signature algorithm is a separate field, shown as "Signature Algorithm" in the output of "openssl x509 -noout -text", and it will read something like sha1WithRSAEncryption. Since the weakness of MD5 signatures became known (a rogue CA certificate was built from an MD5 collision in December 2008), major, if not all, CAs have stopped signing certificates with MD5. Go to one of the following sites to verify, and double check again. Therefore this notion is incorrect.

From the risk assessment's view: As stated above, CAs have been signing certificates with SHA-1/SHA-2, so there should not be a concern here. The one check worth doing is to read the certificate's own Signature Algorithm field rather than the session's cipher line.

A weak cipher was allowed. MD5 is known to be prone to collision attacks.
From the techie's view: This should be considered a major weakness, as any transaction made to the website may or may not be secure enough. As a user of this website, you may wonder whether your information has been leaked. Think about it: any secret I shared with you may also have been sniffed by a third party. If that is the case, how can I trust you again? One caveat for precision: the collision attacks that broke MD5 as a signature hash do not carry over directly to HMAC-MD5 as used for the TLS record MAC, so the finding is "an obsolete suite is still offered", not "the session can be forged today". It is still a suite nobody should be offering.

From the risk assessment's view: There are various angles from which to see this issue:
·         Risk pertaining to the affected users
·         Risk pertaining to the business of the provider
·         Risk pertaining to the weakness itself
From the user's point of view, yes, it is a risk, as explained previously. If my connection is not secured, how can I be sure my information is not leaked? However, there is no need to be alarmed: most browsers will alert you when a bad certificate is used. They do not, though, warn you about a weak cipher suite such as RC4-MD5, and MD5 is a weakness by itself. So what can I do? I will discuss this later, but basically there is not much a user can do from the browser (not that I know of), as the set of cipher suites offered is defined by the provider.
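The two points above (the session cipher line being mistaken for the certificate's signature algorithm, and the question of what a client can do about a weak suite) are easy to get wrong by eye. The following is an added example, not code from the original post: it parses a constructed s_client summary modelled on the output above, reads the certificate's Signature Algorithm from a constructed openssl x509 excerpt, reports the two as separate findings together with the renegotiation line, and then builds a Python ssl client context that refuses RC4/MD5 suites, which is the one lever a non-browser client does have. Both text samples are made up for illustration.

```python
import re
import ssl

# Constructed sample, modelled on the page's `openssl s_client` output.
# All values are made up; they are not from a real server.
S_CLIENT_OUTPUT = """\
issuer=/C=ZA/O=XXXX Consulting (Pty) Ltd./CN= XXXX CA
---
No client certificate CA names sent
---
SSL handshake has read 1948 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
"""

# Constructed excerpt of `openssl x509 -noout -text` for the same (made-up)
# server certificate. This is where the certificate *signature* hash lives;
# it is independent of the session cipher suite above.
X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, O=XXXX Consulting (Pty) Ltd., CN=XXXX CA
"""

# Tokens of an OpenSSL suite name (split on '-') that a reviewer should flag.
# MD5 here is the HMAC-MD5 record MAC; collision attacks on MD5 do not break
# HMAC-MD5 directly, so it is flagged as obsolete rather than as forgeable.
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher",
    "MD5": "HMAC-MD5 record MAC (obsolete hash)",
    "EXP": "export-grade key length",
    "NULL": "no encryption or no authentication",
}


def parse_s_client(text):
    """Extract the session fields this review cares about from s_client output."""
    info = {}
    m = re.search(r"^New, (\S+), Cipher is (\S+)$", text, re.M)
    if m:
        info["version_family"], info["cipher_suite"] = m.group(1), m.group(2)
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)$", text, re.M)
    if m:
        info["protocol"] = m.group(1)
    m = re.search(r"^Server public key is (\d+) bit$", text, re.M)
    if m:
        info["server_key_bits"] = int(m.group(1))
    m = re.search(r"^Secure Renegotiation (IS|IS NOT) supported$", text, re.M)
    if m:
        info["secure_renegotiation"] = m.group(1) == "IS"
    return info


def parse_cert_signature(x509_text):
    """Return the certificate's own signature algorithm (e.g. sha1WithRSAEncryption)."""
    m = re.search(r"^\s*Signature Algorithm:\s*(\S+)$", x509_text, re.M)
    return m.group(1) if m else None


def review(s_client_text, x509_text):
    """Turn the two outputs into separate, correctly attributed findings."""
    info = parse_s_client(s_client_text)
    suite = info.get("cipher_suite", "")
    findings = []
    for token in suite.split("-"):
        if token in WEAK_TOKENS:
            findings.append(f"session cipher suite {suite}: {WEAK_TOKENS[token]}")
    if info.get("secure_renegotiation") is False:
        findings.append("secure renegotiation (RFC 5746) not supported")
    if info.get("server_key_bits", 0) < 2048:
        findings.append(f"server key only {info.get('server_key_bits')} bits")
    sig = parse_cert_signature(x509_text)
    if sig and sig.lower().startswith("md5"):
        findings.append(f"certificate signed with {sig}")
    return {"cipher_suite": suite, "signature_algorithm": sig, "findings": findings}


def hardened_client_context():
    """Client context that refuses RC4/MD5/anonymous/export suites, so a server
    offering only RC4-MD5 fails the handshake instead of silently downgrading."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP")
    return ctx


def negotiable_suites(ctx):
    """Names of the suites this context is willing to negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    result = review(S_CLIENT_OUTPUT, X509_TEXT)
    print("negotiated suite:", result["cipher_suite"])
    print("certificate signature:", result["signature_algorithm"])
    for f in result["findings"]:
        print("FINDING:", f)
    print("client would offer:", ", ".join(negotiable_suites(hardened_client_context())))
```

Running it against the constructed samples reports RC4 and MD5 as properties of the session suite, reports the missing renegotiation extension separately, and reports nothing about the certificate, because its signature is sha1WithRSAEncryption. Swap md5WithRSAEncryption into X509_TEXT to see the certificate finding appear on its own line, which is the distinction the first "issue" above blurred.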

Now on the risk to the business: frankly speaking, there is very minimal risk here, as the issue sits very close to the user. It is a one-to-one issue, where only one particular session is compromised when a session is hijacked. So unless there is some mandatory requirement from the authorities, don't bet on the provider doing something for you. (I remember PCI has certain requirements, but I need to read up on this.) The only hope or driving force you have would be that the provider is very particular about its reputation.

Now on the weakness itself: RC4-MD5 is a weakness, and no one will deny it. However, let's look at it from a deeper angle:
·         The chances of a session being compromised. We are talking about possibility here.
o   1st: The session has to be active before it gets compromised. If the average session of each user is, say, 30 min but a successful attack takes about 1 hr, then the risk is still acceptable. This only holds for an active attack that must finish while the session is live; a passively recorded session can be worked on offline after the user has logged out, so session length does not bound the attacker's time in that case.
o   2nd: The cipher itself is a weakness, but increasing the key length slows down brute force and reduces the possibility of the session being cracked. Note, though, that the suite name RC4-MD5 fixes the key at 128 bits, and the known problems with RC4 and MD5 are structural rather than key-size issues, so this lever does not help much here.
o   3rd: Understanding what it takes to make such an attack possible is the key here. As an attacker, you first need to gain access to the session, either from a man-in-the-middle position or by taking over the user's PC directly. So the chances are still low. Of course this still depends on the user. Again, how easy is this? It is a yes or no answer. But the attacker must have at the very least decent knowledge of how to achieve it.

On the risk pertaining to the business of the provider: the only risk that business management will see is still to its reputation. So it varies with the risk appetite of the management.

Lastly, on the risk pertaining to the weakness itself: as mentioned above, yes, there is risk, but it is not high. As of now, this cipher suite is not treated as low-grade by browsers, so based on current industry practice the push factor to stop supporting it is not high.

Personally, I would say it boils down to one thing: the due diligence and social responsibility of the company. If one is only keen on "compliance" with regulation, then there is nothing wrong at all with not enforcing a higher standard. However, if one feels that best practice is the way a business should be run, they should restrict it.