Technolgy Research

T1/E1/J1 Transceiver BERT Function

Each integrated T1/E1 transceiver contains a BERT. The BERT block can generate and detect pseudorandom and repeating bit patterns. It is used to test and stress data communication links, and it is capable of generating and detecting the following patterns:

The BERT receiver has a 32-bit bit counter and a 24-bit error counter. The BERT receiver reports three events: a change in receive synchronizer status, a bit error being detected, and if either the bit counter or the error counter overflows. Each of these events can be masked within the BERT function through the BERT control register 1(TR.BC1). If the software detects that the BERT has reported an event, then the software must read the BERT information register (BIR) to determine which event(s) has occurred. To activate the BERT block, the host must configure the BERT mux through the TR.BIC register.

1. BERT Status

TR.SR9 contains the status information on the BERT function. The host can be alerted through this register when there is a BERT change-of-state. A major change-of-state is defined as either a change in the receive synchronization (i.e., the BERT has gone into or out of receive synchronization), a bit error has been detected, or an overflow has occurred in either the bit counter or the error counter. The host must read status register 9(TR.SR9) to determine the change-of-state.

2. BERT Mapping

The BERT function can be assigned to the network direction or backplane direction through the direction control bit in the BIC register (TR.BIC.1). See Figure 1 and Figure 2. The BERT also can be assigned on a per channel basis. The BERT transmit control selector (BTCS) and BERT receive control selector (BRCS) bits of the per-channel pointer register (TR.PCPR) are used to map the BERT function into time slots of the transmit and receive data streams. In T1 mode, the user can enable mapping into the F-bit position for the transmit and receive directions through the RFUS and TFUS bits in the BERT interface control (TR.BIC) register.

Figure 1. Simplified Diagram of BERT in Network Direction

Figure 2. Simplified Diagram of BERT in Backplane Direction

3. BERT Repetitive Pattern Set

These registers must be properly loaded for the BERT to generate and synchronize to a repetitive pattern, a pseudorandom pattern, alternating word pattern, or a Daly pattern. For a repetitive pattern that is fewer than 32 bits, the pattern should be repeated so that all 32 bits are used to describe the pattern. For example, if the pattern was the repeating 5-bit pattern …01101… (where the rightmost bit is the one sent first and received first), then TR.BRP1 should be loaded with ADh, TR.BRP2 with B5h, TR.BRP3 with D6h, and TR.BRP4 with 5Ah. For a pseudorandom pattern, all four registers should be loaded with all 1s (i.e., FFh). For an alternating word pattern,one word should be placed into TR.BRP1 and TR.BRP2 and the other word should be placed into TR.BRP3 and TR.BRP4. For example, if the DDS stress pattern “7E” is to be described, the user would place 00h in TR.BRP1,00h in TR.BRP2, 7Eh in TR.BRP3, and 7Eh in TR.BRP4 and the alternating word counter would be set to 50(decimal) to allow 100 bytes of 00h followed by 100 bytes of 7Eh to be sent and received.

4. BERT Bit Counter

The BERT Bit Counter is comprised of TR.BBC1, TR.BBC2, TR.BBC3, and TR.BBC4. Once BERT has achieved synchronization, this 32-bit counter increments for each data bit (i.e., clock) received. Toggling the LC control bit inTR.BC1 can clear this counter. This counter saturates when full and sets the BBCO status bit.

5. BERT Error Counter

The BERT Error Counter is comprised of TR.BEC1, TR.BEC2, and TR.BEC3. Once BERT has achieved synchronization, this 24-bit counter increments for each data bit received in error. Toggling the LC control bit inTR.BC1 can clear this counter. This counter saturates when full and sets the BECO status bit.

6. BERT Alternating Word-Count Rate

When the BERT is programmed in the alternating word mode, each word repeats for the count loaded intoTR.BAWC. One word should be placed into TR.BRP1 and TR.BRP2 and the other word should be placed intoTR.BRP3 and TR.BRP4.

Tags : , , , , , , , , , ,

Honeypots Applied to Bot networks

One way a cybersleuth might try to identify a spammer is by building a honeypot drone for a bot-network. A honeypot drone is a computer on the Internet that pretends to be part of a bot-network, but is actually under the control of a cybersleuth. By allowing the honeypot to become a part of the bot-network,the cybersleuth could obtain a copy of the bot-network software and could then discover the mechanism by which the spammer issues new instructions to drones. Once the mechanism is known, one could potentially wait for the spammer to issue new instructions and then catch the spammer.

However, sophisticated spammers have already developed ways to evade honeypot detection.First, such spammers realize that they are putting themselves and their bot-networks at risk by connecting directly to a site that provides instructions to drones. To counter this risk, sophisticated spammers no longer connect directly to such sites. Instead, they now post new instructions to drones by using a path through multiple computers, often including computers located outside the United States. In such instances, the information obtained from the honeypot drone is of little use in identifying the spammers’ true network addresses.

A second, and more powerful, spammer technique to evade honeypot detection has arisen more recently. Spammers often now design bot-networks so that the sites with which individual drones communicate are not fixed. For example, drones in the Phatbot network receive instructions using a peer-to-peer network of drones. Because the honeypot drone in such a network only communicates with a few other drones, its view of the bot-network is local and limited, and it would not have access to the network address of the bot-network administrator. Thus, as these two spammer techniques to evade detection illustrate, we can expect this “cat and mouse” pattern to play out repeatedly as sophisticated spammers increasingly use and evolve new such methods to evade honeypot detection.

Tags : , , , , ,

Flexible Data Formatting with Crystal Reports

The powerful Crystal Reports designer included in Crystal Reports Server is built to address diverse data formatting and presentation requirements. For novice users, Crystal Reports includes an intuitive report design expert and object-oriented explorers to simplify common reporting tasks. For more advanced users, Crystal Reports includes fine grain control over most features, including formulas, conditional formatting, and object positioning, to address specific customization requirements. Plus, WYSIWYG design support allows report authors to simultaneously format a report while previewing it within the designer.

Crystal Reports Server also helps address the challenges associated with high volume report design and maintenance. For example, the dynamic cascading prompts feature helps minimize report volume by dynamically rendering parameter pick lists based on up-to-date database content.The key benefit of having predefined and scheduled value lists is that the report does not have to query the database to gather the prompts every time a user requests a specific view of a report.

The Crystal Reports Server repository provides a secure, central location to store common report elements including custom functions, SQL commands, dynamic cascading prompts, and bitmaps. You can share these components across multiple reports and update them from a single location. The repository explorer in the Crystal Reports designer allows report authors to log on to a repository server in the platform tier.Repository objects are managed in the platform tier for secure object sharing and updating.

Tags : , , , , , , ,

Coding in Feature Driven Development

Coding process in FDD is not as exciting and challenging as it is in XP (eXtreme Programming). This happens because by the coding time the features have been extensively discussed during Process One, iteration kick-off meeting, design review meeting. Classes and methods are defined by now, their purpose is described in code documentation. Coding often becomes a mechanical process.

Unlike XP FDD strongly discourages re-factoring. The main argument against re-factoring here is that it takes time and does not bring any value to the customer. The quality of code is addressed during code review meetings.

FDD encourages strong code ownership. The main idea is that every developer knows the owned code and better realizes the consequence of changes. FDD fights the problem of leaving team members from the different angle:

  1. Sufficient code documentation simplifies understanding somebody else’s code.
  2. Developers know what other people’s code does, since they reviewed the design.
  3. Developers will look at each other’s code during code review.

 

Tags : , , ,

Signaling System Number 7

SS7 (Signaling System Number 7) is the network control signaling protocol utilized by the Integrated Services Digital Network (ISDN) services framework. ISDN control information for call handling and network management is carried by SS7. SS7 is a large and complex network designed to provide low latency and to have redundancy in many network elements. The SS7 control-signaling network consists of signaling points, signaling links and signaling transfer points. Signaling links or SS7 links interconnect signaling points. Signaling points (SSP) use signaling to transmit and receive control information. A signaling point that has the ability to transfer signaling messages from one link to another at level 3 (SS7 level 3 will be described in detail later) is a Single Transfer Point (STP). There is a fourth entity, the Service Control Point (SCP), which acts as a database for the SS7 network. The STP queries the SCP to locate the destination of the calls. The design of the SS7 protocol is such that it is independent of the underlying message transport network. The design of the signaling network is very important in that it will directly impact the availability of the overall system. In general, the network will be designed to provide redundancy for signaling links and for STPs. Figure 1 shows a basic SS7 network.

Figure 1: SS7 Signaling Endpoints in a Switched-Circuit Network

A typical call can be illustrated using Figure 1. User A goes off-hook in New York and begins dialing. User A is calling User C in San Francisco. The dialed digits are transmitted across the local loop connection to a local switch that has signal point functionality (SSP). The local switch translates the digits and determines the call is not local to itself. The local switch will use its signal point functionality to signal into the SS7 network to a Signal Transfer Point (STP). The STP queries a SCP to locate the destination local switch. The STP signals to the destination local switch to alert it of the incoming call. The destination local switch rings the phone of User C. User C answers and the two local switches signal across the SS7 network and determine the bearer path through the PSTN. Once the path is setup the call begins. When either user goes on hook, the network signals the other end to tear down the bearer path and the call is terminated. The worldwide SS7 network is divided into national and international levels.This allows the numbering plans and administration to be separated.

Tags : , , , , , , , , ,

Web Browser Spoofing Vulnerabilities

Over the past two years, several vulnerabilities in web browsers have provided phishers with the ability to obfuscate URLs and/or install malware on victim machines.

1. International Domain Names (IDN) Abuse

International Domain Names in Applications (IDNA) is a mechanism by which domain names with Unicode characters can be supported in the ASCII format used by the existing DNS infrastructure. IDNA uses an encoding syntax called puny code to represent Unicode characters in ASCII format. A web browser that supports IDNA would interpret this syntax to display the Unicode characters when appropriate. Users of web browsers that support IDNA could be susceptible to phishing via homograph attacks, where an attacker could register a domain that contains a Unicode character that appears identical to an ASCII character in a legitimate site (for example, a site containing the word “bank”that uses the Cyrillic character “a” instead of the ASCII “a”).

2. Web Browser Cross-Zone Vulnerabilities

Most web browsers implement the concept of security zones, where the security settings of a web browser can vary based on the location of the web page being viewed. We have observed phishing emails that attempt to lure users to a web site attempting to install spyware and/or malware onto the victim’s computer. These web sites usually rely on vulnerabilities in web browsers to install and execute programs on a victim’s computer, even when these sites are located in a security zone that is not trusted and normally would not allow those actions.

Tags : , , , , , , , , , , , ,

RFID Privacy Guidelines

1. Accountability

An organization is responsible for personal information under its control and should designate a person who will be accountable for the organization’s compliance with the following principles, and the necessary training of all employees. Organizations should use contractual and other means to provide a comparable level of protection if the information is disclosed to third parties.

Organizations that typically have the most direct contact and primary relationship with the individual should bear the strongest responsibility for ensuring privacy and security, regardless of where the RFID-tagged items originate or end up in the product life cycle.

2. Identifying Purposes

Organizations should clearly identify and communicate to the individual the purposes for collecting, linking to, or allowing linkage to personal information, in a timely and effective manner. Those purposes should be specific and limited, and the organizations and persons collecting personal information should be able to explain them to the individual.

3. Consent

Organizations must seek individual consent prior to collecting, using, or disclosing personal information linked to an RFID tag. To be valid, consent must be based upon an informed understanding of the existence, type, locations, purposes and actions of the RFID technologies and information used by the organization. Individual privacy choices should be exercised in a timely, easy and effective way, without any coercion. Consumers should be able to remove, disable or deactivate item-level RFID tags, without penalty.

Automatic deactivation of RFID tags, at the point of sale, with the capability to re-activate, should be the ultimate goal. Consumers should be able to choose to re-activate them at a later date, re-purpose them, or otherwise exercise control over the manner in which the tags behave and interact with RFID readers.

4. Limiting Collection

Organizations should not collect or link an RFID tag to personally identifiable information indiscriminately or covertly, or through deception or misleading purposes. The information collected should be limited to the minimum needed to fulfil the stated purposes, with emphasis on minimizing the identifiability of any personal data linked to the tag, minimizing observability of RFID tags by unauthorized readers or persons, and minimizing the linkability of collected data to any personally identifiable information.

5. Limiting Use, Disclosure and Retention

Organizations must obtain additional individual consent to use, disclose or link to personal information for any new purposes. Personal information should only be retained to fulfil the stated purposes, and then securely destroyed. Retailers should incorporate the data minimization principles outlined above, into and throughout their RFID information systems.

6. Accuracy

Organizations should keep personal and related RFID-linked information as accurate, complete, and up-to-date as is needed for the stated purposes, especially when used to make decisions affecting the individual.

7. Safeguards

Organizations should protect personal information linked to RFID tags, appropriate to its sensitivity, against loss or theft, and against unauthorized interception, access, disclosure, copying, use, modification, or linkage. Organizations should make their employees aware of the importance of maintaining the confidentiality of personal information through appropriate training. Although physical, organizational and technological measures may all be necessary, technological safeguards should be given special emphasis.

 

8. Openness

Organizations should make readily available to individuals specific information about their policies and practices relating to the operation of RFID technologies and information systems, and to the management of personal information. This information should be made available in a form that is understandable to the individual.

9. Individual Access

Organizations should, upon request, inform the individual of the existence, use, linkage and disclosure of his or her personal information, provide reasonable access to that information, and the ability to challenge its accuracy and completeness, and have it amended as appropriate.

10. Challenging Compliance

Organizations should have procedures in place to allow an individual to file a complaint concerning compliance with any of the above principles, with the designated person accountable for the organization’s compliance.

Tags : , , , , , , ,

Key management procedures in Cloud computing

Cloud computing infrastructures require the management and storage of many different kinds of keys; examples include session keys to protect data in transit (e.g., SSL keys), file encryption keys, key pairs identifying cloud providers, key pairs identifying customers, authorization tokens and revocation certificates. Because virtual machines do not have a fixed hardware infrastructure and cloud based content tends to be geographically distributed, it is more difficult to apply standard controls, such as hardware security module (HSM) storage, to keys on cloud infrastructures. For example:

  1. HSMs are by necessity strongly physically protected (from theft, eavesdrop and tampering). This makes it very difficult for them to be distributed in the multiple locations used in cloud architectures (i.e., geographically distributed and highly replicated). Key management standards such as PKCS#10 and associated standards such as PKCS#11 do not provide standardized wrappers for interfacing with distributed systems.
  2. Key management interfaces which are accessible via the public Internet (even if indirectly) are more vulnerable, as security is reduced in the communication channel between the user and the cloud key storage and the mutual remote authentication mechanisms used.
  3. New virtual machines needing to authenticate themselves must be instantiated with some form of secret. The distribution of such secrets may present problems of scalability. The rapid scaling of certification authorities issuing key pairs is easily achieved if resources are determined in advance, but dynamic, unplanned scaling of hierarchical trust authorities is difficult to achieve because of the resource overhead in creating new authorities (registration or certification, in authenticating new components and distributing new credentials, etc).
  4. Revocation of keys within a distributed architecture is also expensive. Effective revocation essentially implies that applications check the status of the key (certificate usually) according to a known time constraint which determines the window of risk. Although distributed mechanisms exist for achieving the challenges to ensure that different parts of the cloud receive an equivalent level of service so that they are not associated with different levels of risk. Centralized solutions such as OCSP are expensive and do not necessarily reduce the risk unless the CA and the CRL are tightly bound.

Tags : , , , , , ,

Identification of Web Sites and Certification Authorities

Currently, browsers identify the provider of the web page by indicating the Universal Resource Locator(URL) of the web page in the location bar of the browser. This usually allows knowledgeable web users to identify the owner of the site, since the URL includes the domain name (which an authorized domain name registrar allocates to a specific organization; registrars are expected to deny potentially misleading domain names). However, the identity of the provider is not necessarily included (fully) in the URL, and the URL contains mostly irrelevant information such as protocol, file, and computer details. Furthermore, the URL is presented textually, which implies that the user must make a conscious decision to validate it. All this implies that this mechanism may allow a knowledgeable web user, when alert and on guard, to validate the owner of the site;but novice, naïve or off-guard users may not notice an incorrect domain, similarly to their lack of notice of whether the site is secure, as discussed in the previous subsection.

Furthermore, popular browsers are pre-configured with a list of many certification authorities, and the liabilities of certificate authorities are not well defined; also, the identity of the CA is displayed only if the user explicitly asks for it (which very few users do regularly, even for sensitive sites). As a result, it may not be very secure to use the URL or identity from the SSL certificate. Therefore, we prefer a more direct and secure means of identifying the provider of the web page, and – if relevant – of the CA, and not simply present the URL from the SSL certificate in the TrustBar.

TrustBar identifies, by default, both site and the certificate authority (CA) which identified the site, allowing users to decide if they trust the identification by that authority. The identification is based on the SSL server authentication, confirming that the site possesses the private key corresponding to a public key in a certificate signed by the given certificate authorities, which currently must be one of the certificate authorities whose keys are pre-programmed into the browser.

Figure 1.1: Screen-shots of secure sites with logo in TrustBar

Preferably, TrustBar identifies the site and authority by logo (or some other image selected by the user,e.g. a ‘my banks’ icon). However, since currently certificates do not contain a logo, TrustBar can also identify the site and authority by name. See Figure 1.1 for identifications by logo (in (b) and (c)) and by name (see (a)). TrustBar supports certificate-derived and user-customized identifiers for sites, by logo or name:

  1. Certificate-derived identification: Names are taken from the `organization name` field of the existing X.509 SSL certificates. Such names are presented together with the text `Identified by` and the name or logo of the Certificate Authority (CA) which identified this site. The site may provide the logo in an appropriate (public key or attribute) certificate extension. This may be the same as the certificate used for the SSL connection, or another certificate (e.g. identified by a <META> tag in the page). The logo may be signed by entities that focus on validating logos, e.g. national and international trademark agencies, or by a certificate authority trusted by the user.
  2. User-customized identification: The user can identify a logo for a site, e.g. by `right-click` on an image of the logo (which usually appears on the same page). Users can also select a textual site identifier (a `pet name’),presented by TrustBar to identify the site. Whenever opening a page with the same public key, TrustBar automatically presents this logo or pet name for the site.

By displaying the logo or name of the Certifying Authority (e.g. EquiFax or Verisign in Figure 1.1), we make use and re-enforce its brand at the same time. Furthermore, this creates an important linkage between the brand of the CA and the validity of the site; namely if a CA failed and issued a certificate for a spoofing web site,the fact that it failed would be very visible and it would face loss of credibility as well as potential legal liability.

Notice that most organizational web sites already use logos in their web pages, to ensure branding and to allow users to identity the organization. However, browsers display logos mostly in the main browser window, as part of the content of the web page; this allows a rogue, spoofing site to present false logos and impersonate as another site. One exception is the FavIcon, a small icon of the web site, displayed at the beginning of the location bar in most (new) browsers. Many browsers, e.g. [Mozilla], simply display any FavIcon identified in the webpage. Other browsers, including Internet Explorer, display FavIcon only for web-pages included in the user’s list of ‘Favorite’ web pages, possibly to provide some level of validation. However, since browsers display FavIcon also in unprotected pages, and come with huge lists of predefined favorite links, this security is quite weak. We believe that the logo or icon presented in the FavIcon area should be considered a part of the TrustBar and protected in the same manner.

Tags : , , , , , , ,

Virtual Reality enhanced stroke rehabilitation system

Rehabilitation following stroke must address both the underlying deficits (range of motion, strength, and coordination) and the skilled use of the arm for the performance of ADL. Ideas gleaned from motor learning research suggest that rehabilitation should include a large amount of practice that contains not only repetition of an activity but performance of that activity in a way that promotes solving new and novel motor problems. In this sense, using VR technology may assist the rehabilitation process by allowing the systematic presentation of practice trials of a given task to a degree not fully possible in traditional therapy. The potential advantages of using VR technology in rehabilitation are (1) interactivities to motivate stroke patients including video and auditory feedback and (2) manipulability to allow the therapist to tailor treatment sessions focusing on the deficits specific to an individual and increasing task complexity as appropriate. In addition, trials in VRSRS can be presented in such away as to require both repetition and problem solving for the promotion of motor learning without boredom due to its game features. Research to date has found that the use of VR in motor rehabilitation for individuals post-stroke is feasible to address deficits in reaching, hand function, and walking. Nonetheless, important issues such as usability in designing applications of VRSRS have been often neglected or at least not firmly established because using VRSRS as a therapeutic intervention is still in its infancy. In the following sections, we will describe the concept of human factors design and how we have applied the concept to one of our applications of VRSRS, the Reaching Task.

Tags : , , , , ,