Mission
The mission of the Instituto de Informática is to support the definition of the information and communication technology (ICT) policies and strategies of the Ministry of Finance and Public Administration (MFAP) and to guarantee the planning, design, execution and evaluation of the computerisation and technological modernisation initiatives of its services and bodies, ensuring effective and rational management of the available resources.
The Entidade de Serviços Partilhados da Administração Pública, I.P. (eSPap), whose creation was effected by Decreto-Lei n.º 117-A/2012 of 14 June, takes over the mission and responsibilities of the former Instituto de Informática, which was dissolved by merger. www.espap.pt
Software Security
-
2010
-
-
Electronic Signatures as Obstacle for Cross-Border E-Procurement in Europe - Jun. 2009
114.1 kB
-
E-procurement is considered one of the most promising services within e-government in
terms of cost and time efficiency. Within the European Union, the Internal Market
requires cross-border e-procurement. The European Council has issued directives and
guidelines for this purpose. While e-procurement works on national levels, cross-border
e-procurement in Europe does not. This is mainly due to lacking technical
interoperability and legal harmonisation in particular concerning the use of e-signatures.
By a comparative study of the different legal provisions in the Czech Republic, France,
Germany, Spain and Sweden this article provides an overview of the current state-of-play
and makes suggestions on how to overcome the remaining obstacles to pan-European
e-procurement.
-
The Role of Digital Identity Management in the Internet Economy: A Primer for Policy Makers - Jun. 2009
329.7 kB
-
This primer aims to provide policy makers a broad-brush understanding of the various dimensions of digital identity management (IdM). Consistent with the Seoul Ministerial Declaration, it also aims to support efforts to address public policy issues for securely managing and protecting digital identities, with a view to strengthening confidence in the online activities crucial to the growth of the Internet Economy.
The primer is a product of the Working Party on Information Security and Privacy. It is part of a broader work programme on IdM that began with a workshop held in Trondheim, Norway in May 2007 (www.oecd.org/sti/security-privacy/idm). It was prepared by a volunteer group of experts led by Katarina de Brisis of Norway, with additional assistance from Nick Mansfield, consultant to the Secretariat, and Mary Rundle, who provided assistance in her capacity as a Research Associate with the Oxford Internet Institute through a project funded by the Lynde and Harry Bradley Foundation.
-
PEPPOL Deliverable D1.1 Requirements for Use of Signatures in Public Procurement Processes Part 3: Signatures Policies - Apr. 2009
1.0 MB
-
This document is a part of the multi-part deliverable D1.1 “Requirements for Use of Signatures in the Procurement Processes” issued by the PEPPOL (Pan-European Public Procurement On-Line) project. PEPPOL is a three-year (May 2008 – April 2011) large scale pilot under the CIP (Competitiveness and Innovation Programme) initiative of the European Commission.
-
PEPPOL Deliverable D1.1 Requirements for Use of Signatures in Public Procurement Processes Part 7: eID and eSignature Quality Classification - Apr. 2009
477.8 kB
-
This document is a part of the multi-part deliverable D1.1 “Requirements for Use of Signatures in the Procurement Processes” issued by the PEPPOL (Pan-European Public Procurement On-Line) project. PEPPOL is a three-year (May 2008 – May 2011) large scale pilot under the CIP (Competitiveness and Innovation Programme) initiative of the European Commission.
-
Competitiveness and Innovation Framework Programme - D2.3 Quality Authenticator Scheme - Mar. 2009
3.3 MB
-
This deliverable combines the work described in deliverable D2.1 and D2.2 and defines the
common STORK Quality Authentication Assurance framework. It describes how national
authentication levels can be mapped onto STORK QAA levels to ensure eID interoperability.
Mapping of these levels onto each other is not always straightforward. Recommendations are given to
ensure proper mapping. Furthermore, legal implications regarding the use of qualified certificates
are taken into account in the STORK QAA framework. Solution directions are offered to ensure
legally allowed use of identifiers in STORK.
-
Competitiveness and Innovation Framework Programme - D4.1 Interim Report on eID Process Flows - Mar. 2009
1.2 MB
-
This document provides an overview of the current process flows that will be the input for the
pilots.
-
UK Border Security: Issues, Systems and Recent Reforms: A Submission to the IPPR Commission on National Security for the 21st Century - Mar. 2009
131.8 kB
-
Based on one of the British border security policies, this document analyses the United Kingdom's electronic borders system, pointing out some relevant issues.
-
Competitiveness and Innovation Framework Programme - D2.2 Report on Legal Interoperability - Feb. 2009
5.7 MB
-
This deliverable provides an overview of the legal background of eID in 14 STORK Member
States and describes the principal legal issues regarding pan-European authentication.
-
Competitiveness and Innovation Framework Programme - D6.0 Pilots Scope - Feb. 2009
760.3 kB
-
This document is an overview that describes the scope and objectives of the five pilots.
-
Privacy Features of European eID Card Specifications - Feb. 2009
1.1 MB
-
As an authentication token and personal data source, a national eID card is a gateway to personal information. Any unwanted disclosure of personal information as a result of the issuance or use of the card constitutes a violation of the citizen’s privacy rights. Apart from considerations of fundamental rights, this is also a serious obstacle to the adoption of eID card schemes and to their cross-border interoperability. The aim of this paper is to allow easy comparison between privacy features offered by European eID card specifications and thereby to facilitate identification of best practice. The target audience is corporate and political decision-makers and the paper seeks to raise awareness of the legal and social implications of new developments in eID card technologies. In particular, the findings should have important implications for data protection and security policies. A clear statement of the status quo is an essential first step towards the important goals of identifying best practice, improving the base-line of citizen privacy protection in eID cards throughout Europe and ultimately improving interoperability and adoption by citizens.
-
Competitiveness and Innovation Framework Programme - D7.7 Dissemination Plan (M6 first planning, then 6 monthly updating) - Dec. 2008
521.4 kB
-
The dissemination strategy and plan will move from the general to the specific; from the overall objectives of the project down to the individual actions foreseen to achieve them. The Dissemination planning process will assist STORK by defining communication goals, objectives and strategies with specified timelines, allocating responsibilities, providing a clear modus operandi, facilitating timely response to changed conditions and deviations from plans, establishing a basis for evaluation, identifying risks and taking remedial steps to solve problems.
-
Competitiveness and Innovation Framework Programme - D2.1 Framework Mapping of Technical/Organisational Issues to a Quality Scheme - Oct. 2008
2.4 MB
-
This deliverable explores how member states classify their local authentication solutions into
levels of quality, and it investigates on a common framework for expressing authentication assurance levels
in STORK. The IDABC “Proposal for a multi-level authentication mechanism and a mapping of existing
authentication mechanisms” is used as guideline on the definition of a tentative common multi-level
authentication scheme. A preliminary mapping between the locally adopted levels and the tentative
assurance levels is also proposed.
-
EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond - Oct. 2008
2.2 MB
-
EPC (Electronic Product Code) tags are industry-standard RFID devices poised to supplant optical barcodes in many applications. They are prevalent in case and pallet tracking, and also percolating into individual consumer items and border-crossing documents.
In this paper, we explore the systemic risks and challenges created by increasingly common use of EPC for security applications. As a central case study, we examine the recently issued United States Passport Card and Washington State "enhanced" drivers license (WA EDL), both of which incorporate Gen-2 EPC tags. We explore several issues:
1. Cloning: We report on the data format of Passport Cards and WA EDLs and demonstrate their apparent susceptibility to straightforward cloning into off-the-shelf EPC tags. We show that a key anti-cloning feature proposed by the U.S. Department of Homeland Security (the tag-unique TID) remains undeployed in these cards.
2. Read ranges: We detail experiments on the read range of Passport Cards and WA EDLs across a variety of physical configurations. These read ranges help characterize both issues regarding owner privacy and vulnerability to clandestine "skimming" and cloning.
3. Design drift: We find that unlike Passport Cards, WA EDLs are vulnerable to scanning while placed in protective sleeves, and also to denial-of-service attacks and covert-channel attacks.
We consider the implications of these vulnerabilities to overall system security, and offer suggestions for improvement. We also demonstrate anti-cloning techniques for off-the-shelf EPC tags, overcoming practical challenges in a previous proposal to co-opt the EPC "kill" command to achieve tag authentication.
Our aim in this paper is to fill a vacuum of experimentally grounded guidance on security applications for EPC tags not just in identity documents, but more broadly in the authentication of objects and people.
-
Data Handling Procedures in Government: Final Report - Jun. 2008
277.7 kB
-
With this report the British Government sought to define some principles and measures to improve the security of the data it holds, in order to prevent leaks or theft, as has happened recently in the country.
-
Promoting Data Protection by Privacy Enhancing Technologies (PETs) - May 2007
152.2 kB
-
The purpose of this Communication, which follows from the First Report on the
implementation of the Data Protection Directive, is to consider the benefits of PETs, lay
down the Commission's objectives in this field to promote these technologies, and set out
clear actions to achieve this goal by supporting the development of PETs and their use by data
controllers and consumers.
-
How to Raise Information Security Awareness - Jun. 2006
1.3 MB
-
The Users' Guide: How to Raise Information Security Awareness illustrates the main processes necessary to plan, organise and run information security awareness raising initiatives: plan & assess, execute & manage, evaluate & adjust. Each process is analysed and time-related actions and dependencies are identified. The process modelling presented provides a basis for "kick-starting" the scoping and planning activities as well as the execution and assessment of any programme. The Guide aims to deliver a consistent and robust understanding of major processes and activities among users.
-
Biometrics at the Frontiers: Assessing the Impact on Society - 2005
2.5 MB
-
The present report, entitled Biometrics at the Frontiers: Assessing the impact on
Society, represents the output of the study. Its title underlines the purpose of the
study to address biometrics beyond the immediate application for border control
purposes, to their wider adoption and use in society.
-
Chung-Kwei: a Pattern-discovery-based System for the Automatic Identification of Unsolicited E-mail Messages (SPAM) - 2004
79.8 kB
-
Abstract. In this paper, we present Chung-Kwei, a system for the analysis of
electronic messages and the automatic identification of unsolicited email
messages (=SPAM). The method uses pattern-discovery as its underlying tool
and is another instance of a generic approach that has been the basis of
previously successful solutions developed by our group to tackle problems in
computational biology such as gene finding and protein annotation. Chung-Kwei
can be trained very quickly; as new examples of SPAM become
available, the system can re-train itself without interrupting the classification of
incoming e-mail. We trained Chung-Kwei on a repository of 87,000 messages,
then tested it with a very large collection of 88,000 pieces of SPAM and
WHITE email: the current prototype achieved a sensitivity of 96.56% whereas
the false positive rate was 0.066%, or one-in-six-thousand. In terms of speed,
we are currently capable of classifying 214 messages/second, on a 2.2 GHz
Intel-Pentium platform. The Chung-Kwei system is part of SpamGuru, a
collaborative antispam filtering solution that is currently under development at
IBM Research.
-
The Ten Most Critical Web Application Security Vulnerabilities - Jan. 2003
335.7 kB
-
-
Guide to Securing your Web Site for Business - 2003
312.8 kB
-
VeriSign, Inc., the leading provider of trust services for electronic commerce and communication, offers a cost-effective, proven solution for securely conducting business over the Internet. This proven technology is in use now—by the top e-commerce sites, virtually all of the Fortune 500 companies with a Web presence, and thousands of other leading Web sites.
By installing a VeriSign SSL Certificate (available as part of VeriSign's Secure Site Services) on your company's Web server(s), you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
-
Understanding the Privacy Space - Sep. 2002
153.2 kB
-
Understanding the Privacy Space by Benjamin D. Brunk
This paper reports on an ongoing research project focusing on privacy tools and services available on the Internet. A detailed examination of 133 different privacy-related software tools and services rendered a list of 1,241 features relating to privacy. Based on the data gathered, the ongoing work is to formulate a framework to describe this "privacy space" using grounded theory and content analytic techniques. Here, we discuss some of the more interesting preliminary findings garnered from a descriptive statistical analysis of the raw data. This paper discusses what can be learned from a user-centric analysis of this increasingly important class of software tools.
-
Without Pen and Ink - The use of digital signatures in electronic interaction with and within public administration - Oct. 2001
2.6 MB
-
It is not necessary to understand the “nuts and bolts” of a new technology to benefit
from it, but a user must master the applications. Things that look simple to the user
are often extremely complex and advanced “behind the scenes”. The introduction and
use of digital signatures and accompanying infrastructure involve a number of
technological, legal, organisational and administrative challenges. This is a
complicated field for public administration to relate to. There is therefore a need for a
policy on this area, covering norms for use, basic principles for setting up, introducing
and maintaining the infrastructure, and strategies on how public administration should
ensure that it works in accordance with assumptions.
This report proposes basic elements for such a policy.