Thursday, October 30, 2008

Proxies contd...

Let’s continue with the subject at hand: proxies. When we send or request information on the web, it travels directly from our PC to the server of the site. This leaves our IP address in the open, so in order to mask or hide our IP we use a proxy server.

FLOW DIAGRAM




The flow diagram clearly shows how the proxy server acts as an intermediary. When you go through a proxy server you are assigned different IPs, while your original IP is perfectly hidden. The IPs assigned to you keep changing, thus ensuring your “anonymity” on the web and pulling an invisible cloak over you.
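
How much of this holds in practice depends on what the proxy adds to the request it forwards. The following added example (not part of the original post) classifies a request as the destination site sees it; the sample headers and addresses are constructed, and the level names are the informal labels commonly used for proxies.

```python
import ipaddress

# Request headers that may carry the client's own address when a proxy forwards a request.
IP_BEARING = ("x-forwarded-for", "forwarded", "x-real-ip", "client-ip")
# Headers whose mere presence tells the site that a proxy is in the path.
PROXY_MARKERS = IP_BEARING + ("via", "proxy-connection", "x-forwarded-proto")


def addresses_in(value):
    """Return every valid IP address found in a forwarding-header value."""
    found = []
    for token in value.replace(";", ",").split(","):
        token = token.strip()
        if token.lower().startswith("for="):      # RFC 7239: Forwarded: for=...
            token = token[4:]
        token = token.strip('"')
        if token.startswith("["):                 # bracketed IPv6, optional port
            token = token[1:].split("]")[0]
        elif token.count(":") == 1:               # IPv4 followed by a port
            token = token.split(":")[0]
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue                              # "unknown", host names, by=..., etc.
    return found


def what_the_site_sees(headers, peer_ip, real_ip):
    """Classify one request from the destination server's point of view.

    headers: request headers as received by the site
    peer_ip: source address of the connection the site accepted
    real_ip: the user's own public address (known here only because we test ourselves)
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    real = str(ipaddress.ip_address(real_ip))
    leaked_in = [name for name in IP_BEARING
                 if real in addresses_in(lowered.get(name, ""))]
    if str(ipaddress.ip_address(peer_ip)) == real:
        level = "direct"          # no proxy: the connection itself shows the address
    elif leaked_in:
        level = "transparent"     # proxy used, but it passes the address along
    elif any(name in lowered for name in PROXY_MARKERS):
        level = "anonymous"       # address withheld, proxy use still visible
    else:
        level = "elite"           # nothing in the request points to a proxy
    return {"level": level, "leaked_in": leaked_in}


# Constructed sample requests; public addresses are documentation ranges (RFC 5737).
REAL_IP, PROXY_IP = "203.0.113.7", "198.51.100.20"
SAMPLES = {
    "no proxy": ({"Host": "site.test"}, REAL_IP),
    "forwarding proxy": ({"Via": "1.1 cache01",
                          "X-Forwarded-For": "203.0.113.7, 10.0.0.5"}, PROXY_IP),
    "rfc7239 proxy": ({"Forwarded": "for=203.0.113.7;proto=http;by=198.51.100.20"},
                      PROXY_IP),
    "masking proxy": ({"Via": "1.1 cache01", "X-Forwarded-For": "unknown"}, PROXY_IP),
    "silent proxy": ({"Host": "site.test"}, PROXY_IP),
}

if __name__ == "__main__":
    for label, (headers, peer) in SAMPLES.items():
        print(f"{label:17s}", what_the_site_sees(headers, peer, REAL_IP))
```

Even at the "elite" level the proxy operator itself still sees your real address and any traffic that is not encrypted end to end.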

OK, proxies are good for the safe surfing stuff, but where else do they come in handy? Here’s the part where proxies are really helpful. When surfing through your college or your company network, some sites are blocked by the administrator. Mostly social sites like ORKUT, FACEBOOK, MYSPACE etc. are blocked in colleges and schools. If you want to access these, it’s possible only via a proxy server. Listed below are the best proxy sites; check them out:
www.proxydom.com
www.proxytopsite.com
www.kproxy.com

The next post will cover other issues of anonymity on the web; till then, adieu and stay invisible.

Tuesday, October 28, 2008

Proxies

So Diwali’s over, had a blast, so now back to business, i.e. blogging.
Let’s take a look at proxies. What are proxies? Like proxy attendance in college, a proxy is where some other computer gets information on your behalf on the web.
When we surf the net, our PC is identified by its IP (Internet Protocol) address; it’s the identity or the address of our PC on the web. So when you view any site through your browser, the site will have your IP address in seconds, thereby opening up a wide range of info about you, like your country, the “city!” you live in and lots more. If this falls into the wrong hands, such as those of a “hacker”, it would make your life on the web unpleasant. So in order to hide your IP and let you surf freely, proxies exist. We’ll be looking at proxies in detail in the upcoming posts, stay glued. :)

Tuesday, October 21, 2008

OUR PC FIRST AID KIT

Every PC should have a first aid kit. The importance of such a kit can’t be stressed enough, as I’ve personally learnt on numerous occasions. The basic first aid kit should comprise scanners, spyware removers, registry editors etc., and any utility you think that your PC should have.
Here I present you with a list of 5 life-saving programs, an absolute must for every PC.

1. HIJACK THIS:
HijackThis is used to scan all the startup entries on our PC. Every hidden task invisible to the Task Manager’s eye is brought into the open here. You can see every single process running on your PC at the time of startup. This tool is highly useful for detecting Trojans which start in “stealth mode”. Using this tool you can delete the malicious processes, as well as save a log for future reference or for technical advice from forums etc. The download link is HIJACKTHIS

2. DECKARD SYSTEM SCANNER:
This is a scanner program which scans every process running inside that box of yours. The main advantage of the scanner is that it creates a log of all the processes running, including the processes performed by your antivirus program. The reason for using DSS is to submit the log to online antivirus forums and seek advice from experts.

3. FLASH DISINFECTOR:
A clean and efficient utility to flush out viruses and malware from your USB flash drives.

4. SPYBOT SEARCH AND DESTROY:
Simply the best tool for the job. Very efficient at spyware removal, and the best part is that it’s freeware; it can’t get any better than this.

5. ADAWARE:
Another excellent adware removal program; it contains lots of features and enhancements, and is surely an essential in our kit.

Friday, October 17, 2008

Common email security mistakes

I am one of those lucky few who've been severely hit by spam. So in this post I've presented you with 25 of the most common and easy to fix mistakes that people make when it comes to email security.

Countless computer crashes and thousands of spam emails later, I have learnt the lesson that just opening spam email can bring harm to my computer. Unfortunately there are a whole lot of traps and errors that catch new email users just because "they didn't know any better".

In this post I focus on 25 of the most common and easy to fix mistakes that people make when it comes to email security.

1. Using just one email account

Individuals new to email often think about their email account like they do their home address: you only have one home address, so you should only have one email. Instead, you should think about your email address like you do your keys: while it may be okay to use the same key for your front and your back door, having a single key open everything is both impractical and unsafe.

A good rule of thumb for the average email user is to keep a minimum of three email accounts. Your work account should be used exclusively for work-related conversations. Your second email account should be used for personal conversations and contacts, and your third email account should be used as a general catch-all for all hazardous behavior. That means that you should always sign up for newsletters and contests only through your third email account. Similarly, if you have to post your email account online, such as for your personal blog, you should only use your third email account (and post a web friendly form).

While your first and second email accounts can be paid or freebie, your third 'catch-all' account should always be a freebie account such as those offered by Gmail or Yahoo!. You should plan on having to dump and change out this account every six months, as the catch-all account will eventually become spammed when a newsletter manager decides to sell your name or a spammer steals your email address off a website.

2. Holding onto spammed-out accounts too long

It is simply a fact of life that email accounts will accumulate spam over time. This is especially true of the account you use to sign up for newsletters and that you post online (which as stated above should not be your main email account). When this happens, it is best to simply dump the email account and start afresh. Unfortunately, however, many new email users get very attached to their email accounts and instead just wade through dozens of pieces of spam every day. To avoid the problem, prepare yourself mentally ahead of time for the idea that you will have to dump your 'catch all' account every six months.

3. Not closing the browser after logging out
When you are checking your email at a library or cybercafé you not only need to log out of your email when you are done, but you also need to make sure to close the browser window completely. Some email services display your username (but not your password) even after you have logged out. While the service does this for your convenience, it compromises your email security.

4. Forgetting to delete browser cache, history, and passwords

After using a public terminal, it is important that you remember to delete the browser cache, history, and passwords. Most browsers automatically keep track of all the web pages that you have visited, and some keep track of any passwords and personal information that you enter in order to help you fill out similar forms in the future.

If this information falls into the wrong hands, it can lead to identity theft and stolen bank and email information. Because the stakes are so high, it is important that new internet users be aware of how to clear a public computer's browser cache so that they can delete private information before lurking hackers can get a hold of it.

METHOD:
* For those of you using Mozilla's Firefox, simply press Ctrl+Shift+Del.
* Opera users need to go to Tools>>Delete Private Data.
* Microsoft's Internet Explorer users need to go to Tools>>Internet Options then click the 'Clear History', 'Delete Cookies', and 'Delete Files' buttons.

5. Using insecure email accounts to send and receive sensitive corporate information
Large corporations invest huge amounts of money to ensure that their computer networks and email remain secure. Despite their efforts, careless employees using personal email accounts to conduct company business and pass along sensitive data can undermine the security measures in place. So make sure that you don't risk your company's security, and your job, by transmitting sensitive company data via your own personal computer or email address.

6. Forgetting the telephone option
One of the most important lessons about email security is that no matter how many steps you take to secure your email, it will never be foolproof. This is never truer than when using a public computer. So unless you need a written record of something or are communicating across the globe, consider whether a simple phone call rather than an email is a better option. While a phone conversation may require a few extra minutes, when compared with accessing email through a public computer, a phone call is a far more secure option and it does not leave a paper trail.

7. Not using the Blind Carbon Copy (BCC) option
When you put a person's email address in the BCC: rather than the CC: window, none of the recipients can see the addresses of the other email recipients.

New email users often rely too much on the TO: because it is the default way of sending emails. That is fine as long as you are writing to just one person or a few family members. But if you are sending mail out to a diverse group of people, confusing BCC: and CC: raises some serious privacy and security concerns. It takes just one spammer to get a hold of the email and immediately everyone on your email list gets spammed.

Even if the honesty of the group isn't in question, many email programs are set up to automatically add any incoming email addresses to the address book. That means that some people in the group will inadvertently have added the entire list to their address book, and as a result, if one of their computers is infected with "Zombie" malware and silently sends out spam emails, you will have just caused the entire list to get spammed.

8. Being trigger happy with the "Reply All" button
Sometimes the mistake isn't in deciding between CC: and BCC: but between hitting Reply All instead of Reply. When you hit Reply All, your email message is sent to everyone included on the original email, and if you didn't intend to include them, the information can be disastrous from both a security and personal humiliation perspective:

Example 1: A very successful salesman at our networking company had a large email address book filled with his best customers, including some very important and conservative government contacts. With a single click, he accidentally sent a file chock-full of his favorite pornographic cartoons and jokes to everyone on his special customer list. His subject line: 'Special deals for my best customers!' Needless to say, he's cutting deals for another company these days.

Example 2: A woman was in torment over a busted romance. She wrote a lengthy, detailed message to a girlfriend, adding that her ex-boyfriend preferred men to women. But instead of hitting Reply to a previous message from her girlfriend, she hit Reply All. Her secret was sent to dozens of people she didn't even know (including me), plus the aforementioned ex and his new boyfriend. As if that weren't bad enough, she did this two more times in quick succession!

9. Spamming as a result of forwarding email
Forwarding emails can be a great way to quickly bring someone up to speed on a subject without having to write up a summary email, but if you aren't careful, forwarding emails can create a significant security threat for yourself and the earlier recipients of the email. As an email is forwarded, the recipients of the mail (until that point in time) are automatically listed in the body of the email. As the chain keeps moving forward, more and more recipient ids are placed on the list.

Unfortunately, if a spammer or someone just looking to make a quick buck gets a hold of the email, they can then sell the entire list of email ids and then everyone will start to get spammed. It only takes a few seconds to delete all the previous recipient ids before forwarding a piece of mail, and it can avoid the terrible situation of you being the cause of all your friends or coworkers getting spammed.
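
Deleting the earlier recipients by hand is easy to forget, so the step can be scripted. This added example (not from the original article) strips quoted To:/Cc:/Bcc: lines and masks the remaining addresses in a message body before it is forwarded; the sample message and every address in it are constructed.

```python
import re

ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
QUOTE_PREFIX = re.compile(r"^(?:>\s?)*")          # "> > " style reply quoting
RECIPIENT_HEADER = re.compile(r"^(to|cc|bcc)\s*:", re.I)


def scrub_forward(body, keep=()):
    """Remove earlier recipients from the body of a message about to be forwarded.

    Quoted To:/Cc:/Bcc: lines are dropped together with their folded continuation
    lines, at any quoting depth. Every other address is masked unless it is listed
    in keep. Returns (clean_body, addresses_found_and_removed).
    """
    keep = {address.lower() for address in keep}
    removed, out, in_recipients = [], [], False

    def mask(match):
        address = match.group(0)
        if address.lower() in keep:
            return address
        removed.append(address)
        return "[address removed]"

    for line in body.splitlines():
        prefix = QUOTE_PREFIX.match(line).group(0)
        content = line[len(prefix):]
        if RECIPIENT_HEADER.match(content):
            in_recipients = True
        elif not (in_recipients and content[:1] in (" ", "\t") and content.strip()):
            in_recipients = False                 # not a folded continuation line
        if in_recipients:
            removed.extend(ADDRESS.findall(content))
            continue                              # drop the whole recipient line
        out.append(prefix + ADDRESS.sub(mask, content))
    # De-duplicate while keeping first-seen order.
    return "\n".join(out) + "\n", list(dict.fromkeys(removed))


# Constructed sample: a message that has already been forwarded twice.
FORWARDED = """\
Have a look at this one!

---------- Forwarded message ----------
From: Asha <asha@mail.test>
To: ravi@corp.test, meena@mail.test,
    john@school.test
Subject: Fwd: Fwd: funny pictures

> From: Kiran <kiran@mail.test>
> To: asha@mail.test
> Cc: list-of-friends@groups.test,
>   divya@corp.test
> Subject: Fwd: funny pictures
>
> Write to me at kiran@mail.test if the pictures do not load.
"""

if __name__ == "__main__":
    clean, removed = scrub_forward(FORWARDED)
    print(clean)
    print("removed:", removed)
```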

10. Failing to back up emails
Emails are not just for idle chatting, but can also be used to make legally binding contracts, major financial decisions, and conduct professional meetings. Just as you would keep a hard copy of other important business and personal documents, it is important that you regularly back up your email to preserve a record if your email client crashes and loses data (unfortunately, it happened to Gmail as recently as December 2006).

Thankfully, most email providers make it rather simple to back up your email by allowing you to export emails to a particular folder and then just creating a copy of the folder and storing it onto a writeable CD, DVD, removable disk, or any other type of media. If that simple exporting process sounds too complicated, you can just buy automated backup software that will take care of the whole thing for you. Whether you purchase the software or decide to back up manually, it is important that you make and follow a regular backup schedule, as this is the sort of thing that new email users tend to just put off. The frequency of backups necessary for you will of course depend on your email usage, but under no circumstances should it be done less frequently than every 3 months.

11. Mobile access: Presuming a backup exists
Mobile email access, such as through Blackberry, has revolutionized the way we think about email; no longer is it tied to a PC, but rather it can be checked on-the-go anywhere. Most new Blackberry users simply assume that a copy of the emails they check and delete off the Blackberry will still be available on their home or office computer.

It is important to keep in mind, however, that some email servers and client software download emails to the Blackberry device and then delete them from the server. Thus, for some mobile email access devices, if you delete it from the device, you have deleted it from your Inbox.

Just be aware of the default settings of your email client and make sure that if you want a copy of the email retained, you have adjusted the email client's settings to make it happen. And preferably make sure of this before you decide to delete that important email.

12. Thinking that an erased email is gone forever

We've all sent an embarrassing or unfortunate email and sighed with relief when it was finally deleted, thinking the whole episode was behind us. Think again. Just because you delete an email message from your inbox and the sender deletes it from their 'Sent' inbox, does not mean that the email is lost forever. In fact, messages that are deleted often still exist in backup folders on remote servers for years, and can be retrieved by skilled professionals.

So start to think of what you write in an email as a permanent document. Be careful about what you put into writing, because it can come back to haunt you many years after you assumed it was gone forever.

13. Believing you won the lottery … and other scam titles

Spammers use a wide variety of clever titles to get you to open emails which they fill with all sorts of bad things. New email users often make the mistake of opening these emails. So in an effort to bring you up to speed, let me tell you quickly:

* You have not won the Irish Lotto, the Yahoo Lottery, the Skype contest or any other big cash prize.
* There is no actual Nigerian King or Prince trying to send you $10 million.
* Your Bank Account Details do not need to be reconfirmed immediately.
* You do not have an unclaimed inheritance.
* You never actually sent that "Returned Mail".
* The News Headline email is not just someone informing you about the daily news.
* You have not won an iPod Nano.

14. Not recognizing phishing attacks in email content
While never opening a phishing email is the best way to secure your computer, even the most experienced email user will occasionally accidentally open up a phishing email. At this point, the key to limiting your damage is recognizing the phishing email for what it is.

Phishing is a type of online fraud wherein the sender of the email tries to trick you into giving out personal passwords or banking information. The sender will typically steal the logo from a well-known bank or PayPal and try to format the email to look like it comes from the bank. Usually the phishing email asks for you to click on a link in order to confirm your banking information or password, but it may just ask you to reply to the email with your personal information.

Whatever form the phishing attempt takes, the goal is to fool you into entering your information into something which appears to be safe and secure, but in fact is just a dummy site set up by the scammer. If you provide the phisher with personal information, he will use that information to try to steal your identity and your money.

Signs of phishing include:
* A logo that looks distorted or stretched.
* Email that refers to you as "Dear Customer" or "Dear User" rather than including your actual name.
* Email that warns you that an account of yours will be shut down unless you reconfirm your billing information immediately.
* An email threatening legal action.
* Email which comes from an account similar, but different from, the one the company usually uses.
* An email that claims 'Security Compromises' or 'Security Threats' and requires immediate action.

If you suspect that an email is a phishing attempt, the best defense is to never open the email in the first place. But assuming you have already opened it, do not reply or click on the link in the email. If you want to verify the message, manually type in the URL of the company into your browser instead of clicking on the embedded link.
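
Several of the signs above can be checked mechanically. This added example, which is not from the original article, scans a raw message for them; the two sample messages, the domain example-bank.test and the link check at the end are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

# Wording checks for the signs listed above. The distorted-logo sign needs a human eye.
TEXT_SIGNS = {
    "generic greeting": re.compile(r"\bdear\s+(valued\s+)?(customer|user)\b", re.I),
    "account shutdown unless you reconfirm": re.compile(
        r"account.{0,80}?(shut\s*down|suspend|clos|deactivat)"
        r"|(re-?confirm|verify|update).{0,40}?(billing|bank|payment|password)",
        re.I | re.S),
    "threat of legal action": re.compile(r"legal\s+action|lawsuit|prosecut", re.I),
    "security compromise claim": re.compile(
        r"security\s+(compromises?|threats?|breach|alert)", re.I),
}
URL_HOST = re.compile(r"https?://([^/\s\"'<>:]+)", re.I)


def belongs_to(host, genuine):
    """True for the genuine domain itself and for its subdomains."""
    host = host.lower().rstrip(".")
    return host == genuine or host.endswith("." + genuine)


def is_lookalike(domain, genuine, threshold=0.8):
    """Similar to, but different from, the domain the company really uses."""
    if belongs_to(domain, genuine):
        return False
    return SequenceMatcher(None, domain.lower(), genuine).ratio() >= threshold


def phishing_signs(raw_message, genuine_domain):
    """Return the warning signs found in one raw message (headers plus body)."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    signs = [name for name, pattern in TEXT_SIGNS.items() if pattern.search(text)]

    sender_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    if sender_domain and is_lookalike(sender_domain, genuine_domain):
        signs.append(f"sender domain {sender_domain} imitates {genuine_domain}")

    # Added check beyond the list above: links that leave the company's own domain.
    for host in sorted(set(URL_HOST.findall(body))):
        if not belongs_to(host, genuine_domain):
            signs.append(f"link points to {host}")
    return signs


# Constructed sample messages (all names and domains are made up).
PHISH = """\
From: Example Bank Security <alerts@examp1e-bank.test>
To: you@mail.test
Subject: Security Threat detected, immediate action required

Dear Customer,

We detected a security compromise. Your account will be shut down unless you
reconfirm your billing information immediately:
http://examp1e-bank.test.login-check.test/confirm

Failure to respond may result in legal action.
"""

GENUINE = """\
From: Example Bank <statements@example-bank.test>
To: you@mail.test
Subject: Your October statement is ready

Hello Priya Raman,

Your October statement is available at
https://online.example-bank.test/statements

You can also type example-bank.test into your browser and sign in there.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(label, phishing_signs(raw, "example-bank.test"))
```

A clean result only means none of these particular signs matched; it is not proof that a message is safe.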

15. Sending personal and financial information via email

Banks and online stores provide, almost without exception, a secured section on their website where you can input your personal and financial information. They do this precisely because email, no matter how well protected, is more easily hacked than well secured sites. Consequently, you should avoid writing to your bank via email and consider any online store that requests that you send them private information via email suspect.

This same rule of avoiding placing financial information in emails to online businesses also holds true for personal emails. If, for example, you need to give your credit card information to your college student child, it is far more secure to do so over the phone than via email.

16. Unsubscribing to newsletters you never subscribed to

A common technique used by spammers is to send out thousands of fake newsletters from organizations with an "unsubscribe" link on the bottom of the newsletter. Email users who then enter their email into the supposed "unsubscribe" list are then sent loads of spam. So if you don't specifically remember subscribing to the newsletter, you are better off just blacklisting the email address, rather than following the link and possibly picking up a trojan horse or unknowingly signing yourself up for yet more spam.

17. Trusting your friend's email
Most new internet users are very careful when it comes to emails from senders they don't recognize. But when a friend sends an email, all caution goes out the window as they just assume it is safe because they know that the sender wouldn't intend to hurt them. The truth is, an email from a friend's ID is just as likely to contain a virus or malware as a stranger's. The reason is that most malware is circulated by people who have no idea they are sending it, because hackers are using their computer as a zombie.

It is important to maintain and keep updated email scanning and Anti-virus software, and to use it to scan ALL incoming emails.

18. Deleting spam instead of blacklisting it

An email blacklist is a user created list of email accounts that are labeled as spammers. When you 'blacklist' an email sender, you tell your email client to stop trusting emails from this particular sender and to start assuming that they are spam.

Unfortunately, new internet users are often timid to use the blacklist feature on their email client, and instead just delete spam emails. While not every piece of spam is from repeat senders, a surprising amount of it is. So by training yourself to hit the blacklist button instead of the delete button when confronted with spam, you can, in the course of a few months, drastically limit the amount of spam that reaches your Inbox.

19. Disabling the email spam filter

New email users typically do not start out with a lot of spam in their email account and thus do not value the help that an email spam filter can provide at the beginning of their email usage. Because no spam filter is perfect, initially the hassle of having to look through one's spam box looking for wrongly blocked emails leads many new email users to instead just disable their email spam filter altogether.

However, as an email account gets older it tends to pick up more spam, and without the spam filter an email account can quickly become unwieldy. So instead of disabling their filter early on, new internet users should take the time to whitelist emails from friends that get caught up in the spam filter. Then, when the levels of spam start to pick up, the email account will remain useful and fewer and fewer friends will get caught up in the filter.

20. Failing to scan all email attachments

Nine out of every ten viruses that infect a computer reach it through an email attachment. Yet despite this ratio, many people still do not scan all incoming email attachments. Maybe it is our experience with snail mail, but often when we see an email with an attachment from someone we know, we just assume that the mail and its attachment are safe. Of course that assumption is wrong, as most email viruses are sent by 'Zombies' which have infected a computer and caused it to send out viruses without the owner even knowing.

What makes this oversight even more scandalous is the fact that a number of free email clients provide an email attachment scanner built-in. For example, if you use Gmail or Yahoo! for your email, every email and attachment you send or receive is automatically scanned. So if you do not want to invest in a third-party scanner and your email provider does not provide attachment scanning built-in, you should access your attachments through an email provider that offers free virus scanning by first forwarding your attachments to that account before opening them.

21. Sharing your account information with others

We've all done it – we need an urgent mail checked, and we call up our spouse or friend and request them to check our email on our behalf. Of course, we trust these people, but once the password is known to anybody other than you, your account is no longer as secure as it was.

The real problem is that your friend might not use the same security measures that you do. Your friend might be accessing his email through an unsecured wireless account, he may not keep his anti-virus software up to date, or he might be infected with a keylogger virus that automatically steals your password once he enters it. So ensure that you are the only person that knows your personal access information, and if you write it down, make sure to do so in a way that outsiders won't be able to understand easily what they are looking at if they happen to find your records.

22. Using simple and easy-to-guess passwords

Hackers use computer programs that scroll through common names to compile possible user names, and then send spam emails to those usernames. When you open that spam email, a little hidden piece of code in the email sends a message back to the hacker letting him know that the account is valid, at which point they turn to the task of trying to guess your password.

Hackers often create programs which cycle through common English words and number combinations in order to try to guess a password. As a consequence, passwords that consist of a single word, a name, or a date are frequently "guessed" by hackers. So when creating a password use uncommon number and letter combinations which do not form a word found in a dictionary. A strong password should have a minimum of eight characters, be as meaningless as possible, as well as use both upper and lowercase letters. Creating a tough password means that the hacker's computer program will have to scroll through tens of thousands of options before guessing your password, and in that time most hackers simply give up.

23. Failing to encrypt your important emails
No matter how many steps you take to minimize the chance that your email is being monitored by hackers, you should always assume that someone else is watching whatever comes in and out of your computer. Given this assumption, it is important to encrypt your emails to make sure that if someone is monitoring your account, at least they can't understand what you're saying.

While there are some top-of-the-line email encryption services for those with a big budget, if you are new to email and just want a simple and cheap but effective solution, you can follow these step-by-step instructions to install PGP, the most common email encryption standard. Encrypting all your email may be unrealistic, but some mail is too sensitive to send in the clear, and for those emails, PGP is an important email security step.
Here is the link:
http://www.imarc.net/support/topics/pgp_installation

24. Not encrypting your wireless connection
While encrypting your important emails makes it hard for hackers who have access to your email to understand what they say, it is even better to keep hackers from getting access to your emails in the first place.

One of the most vulnerable points in an email's trip from you to the email recipient is the point between your laptop and the wireless router that you use to connect to the internet. Consequently, it is important that you encrypt your wi-fi network with the WPA2 encryption standard. The upgrade process is relatively simple and straightforward, even for the newest internet user, and the fifteen minutes it takes are well worth the step up in email security.
Here is the link:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002706

25. Failing to use digital signatures

The law now recognizes email as an important form of communication for major undertakings such as signing a contract or entering into a financial agreement. While the ability to enter into these contracts online has made all of our lives easier, it has also created the added concern of someone forging your emails and entering into agreements on your behalf without your consent.

One way to combat email forgery is to use a digital signature whenever you sign an important email. A digital signature will help prove who an email comes from and from what computer, and that the email has not been altered in transit. By establishing the habit of using an email signature whenever you sign important emails, you will not only make it harder for the other party to those agreements to try to modify the email when they want to get out of it, but it will also give you extra credibility when someone tries to claim that you have agreed to a contract via email that you never did.

For a quick primer on digital signatures, you can read YoudZone and Wikipedia's articles on the subject.

This article is intended to provide you with the basic information you need to avoid many of the email security pitfalls that frequently trip up new email users. While no single article can cover even the basics of email security, avoiding the 25 common mistakes listed in this article will make a dramatic difference in improving the safety and security of your computer, your personal information, and your emails.

My source of this article is
Link

"Adware" what on earth is it??

Adware is one of many "malwares" or malicious software programs that are unknowingly installed on your computer when you visit online sites and download freebies. When you share files or visit sites with free downloads of wallpaper, videos, or music, some of these sites will send along adware software with your download.

These malwares are a rapidly growing threat to all computer systems. It is estimated that in the first three months of 2005 over 80% of computer users had some type of malware software program running on their computer, without their knowledge.

Although it is much less of a threat to your computer and information than spyware is, what adware will do is cause pop-up banners and advertisements to appear on your computer. These advertisements are displayed on your computer no matter what program you might be using. What the people who place this type of nuisance software on your computer say is that adware advertising helps them to recover costs and allows them to offer you those freebies you want.

What you want to do to stop adware from appearing on your computer is to first run an anti-adware program. Run this program on demand regularly. Along with an anti-adware software program run your regular computer virus scan on demand also.

Check the security level on your computer. Your security level setting should be at least medium to help protect you from unwanted downloads.

Do not download free files from the internet, period. When downloading any software read the end-user license agreement. Some of these agreements will state that when you download their software you are also agreeing to accept a downloaded spyware that may be placed on your computer at the same time.

Be aware of threats to your computer, and your personal information.

Network Security

As more people are logging onto the Internet every day, Network Security becomes a larger issue. In the United States, identity theft and computer fraud are among the fastest rising crimes. It is important to protect your network and ensure the safety of all computers and users in that network.

What is a Network?

In order to fully understand network security, one must first understand what exactly a network is. A network is a group of computers that are connected. Computers can be connected in a variety of ways. Some of these ways include a USB port, phone line connection, Ethernet connection, or a wireless connection. The Internet is basically a network of networks. An Internet Service Provider (ISP) is also a network. When a computer connects to the internet, it joins the ISP’s network, which is joined with a variety of other networks, which are joined with even more networks, and so on. Together, these networks make up the Internet. The vast number of computers on the Internet, and the number of ISPs and large networks, makes network security a must.

Common Network Security Breaches

Hackers often try to hack into vulnerable networks. Hackers use a variety of different attacks to cripple a network. Whether you have a home network or a LAN, it is important to know how hackers will attack a network.

One common way for a hacker to wreak havoc is to achieve access to things that ordinary users shouldn’t have access to. In any network, administrators have the ability to make certain parts of the network “unauthorized access.” If a hacker is able to gain access to a protected area of the network, he or she can possibly affect all of the computers on the network. Some hackers attempt to break into certain networks and release viruses that affect all of the computers in the network. Some hackers can also view information that they are not supposed to see.

Destructive Attacks

There are two major categories for destructive attacks to a network. Data Diddling is the first attack. It usually is not immediately apparent that something is wrong with your computer when it has been subjected to a data diddler. Data diddlers will generally change numbers or files slightly, and the damage becomes apparent much later. Once a problem is discovered, it can be very difficult to trust any of your previous data because the culprit could have potentially fooled with many different documents.

The second type of data destruction is outright deletion. Some hackers will simply hack into a computer and delete essential files. This inevitably causes major problems for any business and can even lead to a computer being deemed useless. Hackers can rip operating systems apart and cause terrible problems to a network or a computer.

The Importance of Network Security

Knowing how destructive hackers can be shows you the importance of Network Security. Most networks have firewalls enabled that block hackers and viruses. Having anti-virus software on all computers in a network is a must. In a network, all of the computers are connected, so that if one computer gets a virus, all of the other computers can be adversely affected by this same virus. Any network administrator should have all of the essential files on back up disks. If a file is deleted by a hacker, but you have it on back up, then there is no issue. When files are lost forever, major problems ensue. Network security is an important thing for a business, or a home. Hackers try to make people’s lives difficult, but if you are ready for them, your network will be safe.

I've found this link to be useful; the site contains tools for network security. Check it out.

Hiding your IP

Hiding your IP address is the best way for surfing the net anonymously. IP address is the Internet protocol address. This is the unique address of a computer on the Internet. The IP address consists of four numbers divided by periods. These numbers indicate the domain, the subnetwork, the network and the host computer. Each IP address mostly has an equivalent domain name address, spelled with four letters. It is very important to hide your IP address online. Hiding your IP address online ensures that your personal information is not leaked out to the outsiders.

By installing software in your PC, you can hide your IP address. Anonymous surfing of the web will enable you to safeguard your Internet privacy. There is nothing illegal in hiding your IP address, for the proper reasons. If you have any doubt regarding this you can always consult your legal advisor. The legal advisor can guide you about the matter.

An IP address changer can help you change your IP address when you are surfing online. An IP address changer tool lets you change your IP address at any time by routing your Internet traffic through an overseas server. The tool has a drop-down box that enables the user to choose an IP address from one of the countries listed in the box. Hiding your IP address is the best option to protect yourself from any kind of fraud.

Hiding your IP address also enables you to protect your computer from spyware. Spyware is the software that monitors the activities of the user of a computer. Some webmasters and software producers offer free downloads for your computer. Most of the free downloads are embedded with spyware. After you complete the download, the spyware gets installed in your computer and your activities can be monitored.

Hiding your IP address also gives you freedom from the pop-up ads that constantly bombard your computer. Whenever you enter a website, you will be flooded by pop-up ads. Constant flooding of pop-up ads can be very irritating and disturbing for the user. The efficiency of the computer also gets diminished due to this. Your computer can stop functioning when you have an urgent piece of work to do. Hiding your IP address will protect you from such a situation.

The main advantage of hiding your IP address is that you are protected from any website that wants to monitor your online habits and activities. Hiding the IP address also makes sure that you do not receive any junk or bulk emails in your inbox. Good software for hiding your IP address will keep your computer safe from hackers. If the software supports frequent IP address changes, the chances of protecting your privacy increase.

You can also use the web-based email to send anonymous email to people. This can sometimes be necessary for your work. Your IP address is meant for your personal use and nobody has the right to misuse this without your permission.

Thursday, October 16, 2008

Backing up your pc

Computer backup is so important to your computer that to ignore it is to risk its damnation.

Computers require care and feeding. They require that you attend to their needs. If you don't, then they will most surely be sent to Hell.

Halloween means Hell. What! What do you mean that Halloween means Hell?

Well, if your computer is given the option of trick or treat, which will it accept? Will it accept the trick or the treat? What do you think?

Halloween is the time that computers are subject to tricks or treats. Did you know that more computers fail on Halloween than any other day of the year? That’s right. It’s true (smile). Your computer is in danger! Protect it. Do your computer backups.

Back to the Hell thing. Hell you say? Yep. Well, what do you mean by Hell?

Computer hell is the place for computers without computer backup. The failure to perform hard drive backup means that you are playing Russian Roulette with your data. Data needs your protection. Failure to protect your data may cause your home or business records to be sent to Hell.

Hell in this instance is for the records and files that cannot be resurrected. Resurrected you say, what does that mean?

It means that without computer backup as a source of salvation then the files can safely enjoy eternal oblivion. Oblivion you say, what does that mean? That means they are eternally lost from computer resurrection.

Is there any mercy for my precious files, you ask?

Why yes there is. Would you like to know what the mercy for your files is? Yes! Yes! You say.

OK boys and girls listen carefully. The salvation, mercy, resurrection and redemption of your files lies in regular and consistent and persistent computer backup.

If you backup your computer consistently and persistently your files will be resurrected and saved from accidental deletion, hard drive failure and those nasty things like fire, flood, theft, earthquake, hurricanes, tornados and the like!

Computer backup is the key to your data's salvation!

Do your computer backups boys and girls.

Milk and cookies will be served in the pantry.

Trick or treat for your computer backup?

Protect your pc

Spyware is a broad term used for certain types of software that are downloaded onto your computer without your knowledge. Malware has become a phrase that is used when describing spyware and adware.

Spyware is placed on your computer in order to track your internet surfing habits. It knows every site you visit and every page on that site. Spyware also collects your personal information through software that tracks your actual keystrokes. If you fill in a form to make a purchase all your personal information, including name, address and credit card information can be tracked. The potential abuse of spyware tracking is also being discussed in some businesses that store secure information, such as credit card numbers or even medical records.

Adware is another type of spyware. It doesn't work by tracking your information as spyware does, but what it can do is actually change your browser settings without your consent. It can cause pop up ads to show on your computer. It can even place a new toolbar on your computer. Most people are unaware they even have any type of adware installed on their computer until their computer starts to slow down.

The spyware business is a billion dollar a year industry with people getting very rich selling the information they steal about you. There is a case currently in court in the State of New York against a spyware company. The outcome of this legal case will hopefully mean the end of secretly placed spyware.

To avoid falling prey to these types of malware, there are steps you can take. First, don't download freebies. A lot of services that are offered to you as "free", such as free music downloads, are free per se, but the price you pay is allowing them to place spyware software or adware-targeted advertisements on your computer. Read any agreements about the software very carefully before you download it.

Run an anti-spyware program often, along with your virus protection software. Generally, spyware and adware are designed to be difficult to remove from your computer, and they leave behind "ticklers" which reinstall the software.

Wednesday, October 15, 2008

Cookies-myth and facts

Read every concern ever expressed on cookies and you'll have heard that they can put a virus on your PC. Some people think that Web sites can use cookies to get your e-mail address, others believe that cookies might be used to track every single site you visit on the Internet. Worst of all, a major newspaper once wrote that ‘cookies are little programs planted by a remote Web site on your PC, which then feed back personal information without your knowledge’.

It's no wonder people are scared, but they shouldn't be: this is all nonsense. There are concerns about cookies, but they're not the ones that appear in the scare stories.

What is a cookie?

Whether it's remembering a password so it can automatically log you on to a site when you return, or storing the contents of your shopping basket the next time you visit an on-line store, Web sites need a means of storing data about their visitors.

Each time you choose an item at your favorite Net shopping site, the site sends a cookie request to your browser, asking it to store a line of text that identifies that particular item. This means you can stop shopping any time you like, go visit some other sites, and whenever you return, the site will read its own cookies and you can carry on shopping where you left off.

Sounds sinister? Er, no, and there are a couple of clues that undo some of the more extravagant scare stories.

First, cookies only contain information that you have already given to the Web site (a user name and password, a shopping selection, or whatever). Cookies cannot be used to get personal information about you that you haven't already provided, such as your e-mail address.

Second, cookies aren't programs, they have no intelligence of their own, they cannot infect your system with a virus or anything similar. They are a few lines of text, nothing more.

Are you being tracked?

One of the biggest concerns over cookies is that they can be used to track all the sites you visit on the Web. What if one site read all your other cookies, for example? No worries there - a site can only read its own cookies, not anyone else's. There is another concern, though, one that does have a degree of truth to it.

Many Web sites use banner adverts to fund them, and some of the companies that produce these came up with an ingenious scheme, using a cookie to give your PC a unique number. Visit another site using the same advertiser and they'll recognize you, know the adverts you've seen before, and can show you similar ones (if you've clicked on some), different ones (if you haven't), or otherwise customize what you see.

Recognize you? Sounds alarming, but really they're just recognizing the system. They know that the computer that visited site A on Tuesday is now at site B on Wednesday - but they don't know who is using it, or even where it is.

However, if you provide your personal details at one site, they could be attached to the unique ID provided by the cookie and, if they agreed, all the sites could share in the information. Surely this must be a concern?

Well, consider this. First, not all sites use advertising, and those that do don't all use the same companies - there's no system that would track anything but a small percentage of the places you visit. What's more, cookies are very unreliable. Many PCs are used by different people, and cookies won't record that.

They might get deleted if you upgrade your browser or reinstall it. Is this a useful way to track people's activities? We don't think so.
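The two claims in this section (a site reads only its own cookies, yet a banner company embedded in many sites recognizes the same machine) can be seen in a small simulation. This is an added example, not code from the original post; the host names, the `Browser` and `AdNetwork` classes and the cookie names are hypothetical, and the matching rule is a simplified form of what browsers do.

```python
from dataclasses import dataclass, field
from itertools import count


def domain_match(request_host, cookie_domain):
    """True if a cookie scoped to cookie_domain is sent to request_host."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    # Exact host, or a subdomain of it. The leading dot in the suffix test
    # stops "evilshop-a.example" from matching "shop-a.example".
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


@dataclass
class Browser:
    # cookie domain -> {name: value}; one jar shared by every page the user opens
    jar: dict = field(default_factory=dict)

    def cookies_for(self, host):
        """Cookies the browser attaches to a request for `host`."""
        sent = {}
        for domain, cookies in self.jar.items():
            if domain_match(host, domain):
                sent.update(cookies)
        return sent

    def store(self, setting_host, name, value):
        """Keep a cookie scoped to the host whose response set it."""
        self.jar.setdefault(setting_host.lower(), {})[name] = value


class AdNetwork:
    """Hypothetical banner server whose adverts are embedded in several sites."""
    host = "ads.example"

    def __init__(self):
        self._ids = count(1)
        self.seen = {}  # visitor id -> pages that embedded the banner

    def serve_banner(self, browser, embedding_page):
        # The banner request goes to ads.example, so only its cookies arrive.
        uid = browser.cookies_for(self.host).get("uid")
        if uid is None:
            uid = f"visitor-{next(self._ids)}"
            browser.store(self.host, "uid", uid)
        # The embedding page is what a Referer header would reveal.
        self.seen.setdefault(uid, []).append(embedding_page)
        return uid


def visit(browser, site_host, ad_network=None):
    """Load a page: first-party request, then the embedded banner request."""
    first_party = browser.cookies_for(site_host)
    if "session" not in first_party:
        browser.store(site_host, "session", f"sess-for-{site_host}")
    if ad_network is not None:
        ad_network.serve_banner(browser, site_host)
    return first_party


def demo():
    browser, ads = Browser(), AdNetwork()
    visit(browser, "shop-a.example", ads)   # Tuesday
    visit(browser, "news-b.example", ads)   # Wednesday
    return {
        "news_b_receives": browser.cookies_for("news-b.example"),
        "ad_network_log": ads.seen,
    }


if __name__ == "__main__":
    print(demo())
```

The news site never receives the shop's cookie, while the ad network's log holds one numbered visitor and the list of pages that showed its banner, with no name or address attached.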

To put this into perspective, in the real world, information is collected without our knowledge every time we buy something with a credit card or use a supermarket loyalty card, and mailing lists relating to each of us are being sold all the time. Where do you think junk mail comes from?

Data sharing is much less prevalent on the Internet, where any company that was shown to be collecting data on people and even only potentially creating a mild infringement of privacy would immediately create a firestorm of bad publicity.

Overall, cookies do more good than harm. It's time to let the scare stories rest, and move on to issues that really matter.

Anti Virus Tips

1. Do not open e-mails coming from unknown or distrusted sources.

2. Do not open any e-mail message unless you know what it is about, even if it comes from a friend or partner. Most viruses spread via e-mail messages, so please ask for a confirmation from the sender if you are in any doubt.

3. Do not open the attachments of messages with a suspicious or unexpected subject. If you want to open them, first save them to your hard disk and scan them with an updated antivirus program.

4. Delete any chain e-mails or unwanted messages. Do not forward them or reply to their senders. These kinds of messages are considered spam, because they are undesired and unsolicited and they overload Internet traffic.

5. Do not copy any file if you don't know or don't trust its source.

6. Be very careful when downloading files from the Internet. Check their source every time and make sure that an antivirus program already verified the files on the download site. If you are not sure about this, copy that file on your hard disk or on a floppy disk and recheck it using your own antivirus.

7. Use a reliable antivirus program and update it permanently. Select an antivirus that has a resident module, so that your computer will be permanently protected.

8. If you have an antivirus program installed on your system, update it regularly. An average of 500 new viruses are discovered every month. The antivirus updates should consist at least of virus signature lists, but it is desirable to keep the antivirus program updated too.

9. Make file backups on a regular basis. Store these copies on removable, write-once media such as CD-R.

10. Any time you have doubts about a file or message, do not download, execute or open it.

Wikipedia defn. of vishing.

What is Vishing

The Wikipedia definition of Vishing:

“Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward.

The term is a combination of “voice” and phishing. Vishing exploits the public’s trust in landline telephone services, which have traditionally terminated in physical locations which are known to the telephone company, and associated with a bill-payer.

The victim is often unaware that VoIP allows for caller ID spoofing, inexpensive, complex automated systems and anonymity for the bill-payer. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

Vishing is very hard for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers.

Rather than provide any information, the consumer is advised to contact their bank or credit card company directly to verify the validity of the message.”

Stay tuned for the second part in this series on what to do to protect yourself against vishing, phishing and similar threats.

Vishing......

Identity theft is not only done online. In fact, the majority is done offline; only 14% of cases are based online. So although many con artists operate in cyberspace, identity theft can also do damage in the real world. By stealing IDs, credit cards and checking accounts, thieves can gain access to your finances.

GT got her car broken into by thieves. They broke the window of her car and got her purse and some other valuable things. She expected that her credit cards would be used for some unauthorized purchase.

After a few days her bank called trying to verify a large purchase made on her credit card. Not just that, she also got charged for a maternity bill when she wasn’t even pregnant.

“They used my checking account and credit cards before I had a chance to cancel them,” says GT, a PR executive from San Francisco. A few months later she found out that they had also opened a new checking account in her name.

That one incident put her in debt, and she couldn’t even use the account. This can be frightening to consumers who have credit cards and checking accounts. Someone can just steal your identity.

“Now I am more careful and observant,” says GT, who has only recently recovered from the financial mess that she encountered.

The majority of people believe that identity theft can only do damage when credit cards are used for online purchases. They are definitely wrong. A stolen wallet or bag creates a worse scenario.

For the one out of three identity theft victims who knows how their information was taken, more than 75 percent said it involved a physical method such as a stolen wallet, a phone or mail-order sale, stolen mail, or a theft by someone they knew, compared with 14 percent who reported that it involved online access.

Tuesday, October 14, 2008

Degrees of Security

There are different ways that you can implement security. There is no law saying that you have to connect your entire network to the Internet. (Although I see a fair number of businesses doing it.) One simple way to reduce your cost is to create only a very limited segment that has connectivity. If your primary concern is receiving customer feedback (and providing some promotional information), there really is no need to connect at all. Certainly, an ISP can host a page (or even co-locate a box) for you.

However, if you are determined to provide dedicated access, with a server under your local control, there are some things you can do to greatly increase security. First, if the only box you are placing out on the freeway is a Web server (and you are concerned about that server being cracked), you can use read-only media. This procedure is admittedly more difficult to implement than a live file system (one that is read/write), but the gains you realize in security are immense. Under such a scenario, even if a cracker gains root access, there is very little that he can do. The downside to this, of course, is that dynamic pages cannot be built on-the-fly, but if you are providing an auto-quote generator or some similar facility (perhaps even interfacing with a database), it can still be done.

Really, the key is to enclose all CGI into a restricted area. The CGI programs read the data on the read-only media and generate a resulting page. This is a very secure method of providing technical support, product lists, and prices to clients in the void. Essentially, so long as you back up your CGI, you could have that identical machine up in one hour or less, even if crackers did manage to crash it. This type of arrangement is good for those who are only providing information. It is poor for (and inapplicable to) those seeking to accept information. If you are accepting information, this might involve a combination of secure HTML packages or protocols, where the information received is written to removable, write-once media.

The sacrificial host is really the safest choice. This is a host that is expressly out in the open and that you expect to be cracked. Certainly, this is far preferable to having any portion of your internal network connected to the Internet. However, if you also want your local employees or users to be able to access the Net, this is entirely impractical. It can, however, be implemented where you do not expect much access from the inside out, particularly in commerce situations.

A commerce situation is one where you are accepting credit card numbers over a browser interface. Be very careful about how you implement such schemes. Here is why: There are various paths you can take and some of them represent a greater risk than others. Typically, you want to avoid (at any reasonable cost) storing your customers' credit card numbers on any server connected to the network. (You have already seen the controversy that developed after it was learned that Kevin Mitnick had acquired credit card numbers--reportedly 20,000-- from the drives of Netcom.)

Generally, where you are accepting credit card numbers over the Internet, you will also be clearing them over the network. This typically requires the assistance of an outside service. There are various ways that this is implemented, although two techniques dominate that market.

Local Saves
In a local save scenario, the information is piped through some secure, encrypted HTTP session (SHTTP, for example). Usually, this is done through a form written specifically for that purpose. The form outputs the information to a local disk somewhere, from which it can later be retrieved for verification purposes. Along that journey from the input form to the disk, the numbers may be sent through several processes. One is where the numbers are examined against a common algorithm that determines (first and foremost) whether the submitted credit card number is even a real one. By real, I mean that it is a potentially real one. This is one somewhat flawed version of verification. It basically relies on the same algorithms that are used to generate card numbers to begin with. If the submitted number fails to result in a number that could have been generated by the algorithms, the card number is a dreamt-up number, something that someone randomly guessed. There are two flaws with this type of verification, one in the basic concept and the other in reference to security.

The first problem is this: The algorithms used are now widely disseminated. That is, there are credit card number generators available across the Internet that will resolve numbers to either a state of authenticity or no authenticity. Kids used them for years to circumvent the security of Internet service providers.



--------------------------------------------------------------------------------
TIP: One very good example is utilities that exist for unlawfully accessing AOL. These utilities have, embedded within their design, automatic generators that produce a laundry list of card numbers that will be interpreted as valid. When these programs first emerged, the credit card number generators were primitive and available as support utilities. As using generators of this variety became more common, however, these utilities were incorporated into the code of the same application performing the dial-up and sign-on. The utilities would pop up a window list from which the cracker could choose a number. This number would be sent (usually by the SendKeys function in VB) to the registration form of the provider.
--------------------------------------------------------------------------------

So, at the start, individuals could come forward with at least mathematically sound numbers for submission. Thus, simple algorithm credit card validation subjects the accepting party to a significant amount of risk. For example, if this verification is used in the short run but the cards are later subjected to real verification, the interim period comprises the longest time during which the accepting party will lose goods or services as a result of a fraudulent charge. If this period is extended (and the temporary approval of such a credit card number grants the issuer access to ongoing services), then technically, the accepting party is losing money for every day that the credit card is not actually validated.

Secondly, and perhaps more importantly, storing the numbers on a local drive could prove a fatal option. You are then relying upon the security of your server to protect the data of your clientele. This is not good. If the information is ultimately captured, intercepted, or otherwise obtained, potentially thousands (or even hundreds of thousands) of dollars might be at stake. If there is a subsequent investigation (which there usually is), it will ultimately come out that the seed source for the numbers was your hard disk drives. In other words, after the Secret Service (or other investigating party) has determined that all victims shared only one common denominator (using your service), you will have a problem.

This is especially true if your system administrator fails to detect the breach and the breach is then an ongoing, chronic problem. There is a certain level at which this could raise legal liability for your company. This has not really been tested in the courts, but I feel certain that within the next few years, special legislation will be introduced that will address the problem. The unfortunate part of this is as follows: Such a case would rely heavily on expert testimony. Because this is a gray area (the idea of what "negligent" system administration is, if such a thing can exist), lawyers will be able to harangue ISPs and other Internet services into settling these cases, even if only in an effort to avoid sizable legal bills. By this, I mean that they could "shake down" the target by saying "I will cost you $50,000.00 in legal bills. Is it worth the trouble to defend?" If the target is a large firm, its counsel will laugh this off and proceed to bury the plaintiff's counsel in paperwork and technical jargon. However, if the target is a small firm (perhaps hiring a local defense firm that does not specialize in Internet law), a legal challenge could be enormously expensive and a drain on resources. If you have to choose, try to saddle some third party with the majority of the liability. In other words, don't store those numbers on your drives if you can help it.

Remote Saves via CGI
The second scenario may or may not be preferable. This is where you drop a secure HTML form into the structure of your Web site. (This form is provided by the credit card clearing service.) With this, you will likely also receive customized scripts that redirect the data submitted in that form to a remote server. That remote server fulfills one purpose only: clearing the numbers.



--------------------------------------------------------------------------------
NOTE: There are various methods through which the mechanics of this process are achieved. One is where the credit card clearing company has proprietary software that attaches to a particular port. On both the client and the server end, this port traffics the information (which is encrypted before it leaves the client and decrypted after the arrival at the server). More than likely, the remote server refuses connections on almost all other ports, or the information is filtered through a pinhole in a firewall.
--------------------------------------------------------------------------------

The advantages and disadvantages are diverse in this scenario. First, there is the obvious problem that the accepting party is resigned to traveling blind; that is, they will never have the credit card information within their possession. Because of this, disputed claims are a serious headache.

Here's an example: A kid gets his parent's credit card number and charges up a storm. This information is validated by the remote server, with the accepting party storing no information. Later, the parent disputes the transaction, claiming that he never authorized such a charge. This is okay, and may happen periodically. However, obtaining records and then sorting out that dispute is both a logistical and legal problem. It is not quite as simple as disputing unauthorized charges on one's telephone bill. Because the party that cleared (and ultimately collected on) the charge is a third party (one that has no part in the exchange of goods or services), confusion can easily develop.

Imagine now if you were such a victim. You contact the party that is the apparent recipient of the charge, only to find that the company has "nothing to do with it." When consumers are confronted with this type of situation, they become less likely to do commerce over the Net. And while this is essentially no different than being confronted with unauthorized 900- number charges on your telephone bill, the average consumer will view the Internet with increasing suspicion. This is bad for Internet commerce generally. Despite that fact, however, this method is generally regarded as the most secure.
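The two points made under Local Saves and Remote Saves can be put side by side in code: a checksum pass only shows that a number is well formed, and the accepting party can complete an order without the full number ever reaching its own disk. This is an added example, not code from the original text; the `ClearingService` and `Merchant` classes are hypothetical stand-ins, the checksum shown is the widely used Luhn check (assumed here to be the "common algorithm" the text means), and the card numbers are constructed test values.

```python
import secrets


def luhn_ok(number):
    """Checksum test only: says the digits are well formed, not that an account exists."""
    if not number.isdigit() or not 12 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ClearingService:
    """Stand-in for the remote clearing server (hypothetical interface)."""

    def __init__(self, open_accounts):
        self._open = set(open_accounts)
        self._vault = {}        # token -> number, held only on the remote side

    def authorize(self, pan, amount_cents):
        if pan not in self._open:
            return None         # well formed, but no such account: decline
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token


class Merchant:
    """Accepting party: keeps a token and the last four digits, never the number."""

    def __init__(self, clearing):
        self.clearing = clearing
        self.orders = []        # everything that lands on the merchant's own disk

    def accept_order(self, entered, amount_cents):
        pan = "".join(c for c in entered if c.isdigit())
        if not luhn_ok(pan):
            return "rejected: mistyped number"
        # Nothing is provisioned on the checksum alone; real verification comes first.
        token = self.clearing.authorize(pan, amount_cents)
        if token is None:
            return "declined: not authorized"
        self.orders.append(
            {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}
        )
        return "accepted"


def demo():
    # Constructed data: the clearing side knows exactly one open account.
    merchant = Merchant(ClearingService({"4111111111111111"}))
    outcomes = [
        merchant.accept_order("4111 1111 1111 1112", 500),  # fails the checksum
        merchant.accept_order("4242 4242 4242 4242", 500),  # passes checksum, no account
        merchant.accept_order("4111 1111 1111 1111", 500),  # passes both
    ]
    return outcomes, merchant.orders


if __name__ == "__main__":
    print(demo())
```

The token and last four digits give the accepting party something to quote when a charge is disputed, while a breach of its server exposes no usable card numbers.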

Security concepts III

Your Network
There are several ways you can view security, but I prefer the simple approach and that approach is this: Your network is your home. Consider that for a moment. Try to visualize your network as an extension of yourself. I realize that this sounds a bit esoteric, but it really isn't. You can more easily grasp what I am driving at by considering this: What type of data is on your network? I will wager that I can tell you what's there. Yes; I will bet that only the most unimportant things are on your network--things like your financial information, your identity, your thoughts, your feelings, your personal reflections, your business...your life.

Would you let the world walk through the front door of your home? Would you let complete strangers rifle through your drawers, looking for personal documents or financial statements? Of course not. Then why would you let someone do it over a network? The answer is: You wouldn't. The problem is, computers seem relatively benign, so benign that we may forget how powerful their technology really is.

Software vendors want us to rush to the Internet. The more we use the network, the more software they can sell. In this marketing frenzy, they attempt to minimize some fairly serious problems out there. The truth is, the Internet is not secure and will continue to exist in this state of insecurity for some time to come. This is especially so because many of the networking products used in the future will be based on the Microsoft platform.

Admittedly, Microsoft makes some of the finest software in the world. Security, however, has not been its particular area of expertise. Its Internet operating system is going to be NT--that's a fact. That is also where the majority of Microsoft's security efforts are being concentrated, and it has made some significant advances. However, in the more than 20 years that UNIX has been in existence, it has never been completely secure. This is an important point: UNIX is a system that was designed--almost from its beginning--as an operating system for use on the Internet. It was what the Defense Department chose as the platform to develop ARPAnet. The people who designed it are among the most talented (and technically minded) software engineers on the planet. And even after all this, UNIX is not secure. We should expect, then, that Windows NT will take some time to get the bugs out.

So, in closing on this subject, I relate this: Your network is your home. It is worthy of protection, and that protection costs money. Which brings us to the next issue...

Cost
How much should security cost? It depends on what type of network you have. If your network is large and heterogeneous, those conditions are going to increase the cost. It is important that you understand why, because when you go to the table to negotiate a security package, you need to know what you are talking about.

The Homogenous Network
If you currently have a homogenous network, you should see a break in cost. Here is why: Each operating system implements TCP/IP just slightly differently than the rest, at least at the application level. Each operating system also has one or more additional or proprietary protocols that aren't available on other systems (or that can be available, but only with special software). For example, Windows 95 uses the SMB protocol, which is not widely available in default installations of every operating system. Certainly, there are clients available; one of them is SAMBA, which runs on Linux and perhaps on other operating systems. Because each operating system is different but all machines running the same operating system are basically the same, a security consult of a homogenous network is less intensive than one that harbors many different platforms. It should therefore cost less.

While this is true, it does not mean that you can get a homogenous network secured for next to nothing. In most instances, it is not possible for security attributes to simply be cloned or replicated on all workstations within the network. Various security issues may develop. Some of those involve topology, as I have explained in other chapters and will again discuss here.

We know that a network segment is a closed area; almost like a network within itself. We also know that spoofing beyond that network segment is almost impossible. (Almost.) The more network segments your network is divided up into, the more secure your network will be. (Ideally, each machine would be hardwired to a router. This would entirely eliminate the possibility of IP spoofing, but it is obviously cost prohibitive.) Where you make those divisions will depend upon a close assessment of risk, which will be determined between your technical staff and the consultant. For each segment, you will incur further cost, not only for the consultant's services but for the hardware (and possibly for software).

The Heterogeneous Network
If you have a network comprised of many different platforms, the problem of securing it becomes more complex. Here's an example, again using SAMBA as a focal point. In certain situations, passwords are revealed when using SAMBA in traffic between UNIX and Windows 95 boxes. The more protocols you have running and the more third-party software from different vendors (on different platforms) you have, the more complicated your security assessment will be.

Certainly, even from a practical standpoint, there are immediate problems. First, due largely to the division between the PC and workstation worlds, the security consultants you contract may be unfamiliar with one or more of the platforms within your network, and they may need to call outside help for them. Also, and this is no small consideration, your consultants may ultimately be forced to provide at least a small portion of proprietary code: their own. If this subject crops up, it should be discussed thoroughly. There is a good chance that you can save at least some cost by having these consultants tie together existing security packages, using their own code as the glue. This is not nearly as precarious as it sounds. It may involve nothing more than redirecting the output of log files or other, ongoing processes to plain text (or some other form suitable for scanning by a program on another platform).
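The kind of glue described above, as an added example that is not from the original text: it merges a UNIX syslog file and a log exported from a PC server into one tab-separated plain-text stream that a program on either platform can scan. The CSV layout of the PC export, the host names and every sample line are constructed assumptions; only the traditional BSD syslog line layout is a real format.

```python
"""Glue code sketch: merge logs from two platforms into one plain-text format."""
import csv
import io
import re
from datetime import datetime

MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}

# Traditional BSD syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample input, UNIX side.
UNIX_LOG = """\
Mar  3 09:14:02 sparc1 login[211]: FAILED LOGIN 2 FROM pc14 FOR root
Mar  3 09:15:40 sparc1 ftpd[230]: connection from pc07
this line is damaged and must not be silently dropped
"""

# Constructed sample input, PC side. Assumed export layout:
# date,time,host,source,type,description
PC_LOG = """\
03/03/1997,09:14:30,NTSRV1,Security,Failure Audit,"Logon failure: user, domain unknown"
03/03/1997,09:13:55,NTSRV1,Security,Success Audit,Logon by operator
"""


def clean(field):
    """Replace control characters so a field cannot forge columns or lines."""
    return re.sub(r"[\x00-\x1f\x7f]", " ", field).strip()


def parse_unix(text, year):
    """Parse syslog lines; syslog carries no year, so the caller supplies it."""
    records, rejects = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG_RE.match(line)
        try:
            mon, day, clock = m["ts"].split()
            hh, mm, ss = (int(x) for x in clock.split(":"))
            ts = datetime(year, MONTHS[mon], int(day), hh, mm, ss)
        except (TypeError, KeyError, ValueError):
            rejects.append(line)          # keep evidence of unparsed input
            continue
        records.append((ts, "unix", m["host"], m["tag"], m["msg"]))
    return records, rejects


def parse_pc(text):
    """Parse the assumed six-column CSV export from the PC server."""
    records, rejects = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            date, clock, host, source, kind, desc = row
            ts = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        except ValueError:
            rejects.append(",".join(row))
            continue
        records.append((ts, "pc", host, source, f"{kind}: {desc}"))
    return records, rejects


def normalize(unix_text, pc_text, year):
    """Return (lines, rejects): one time-ordered stream plus unparsed input."""
    unix_recs, unix_bad = parse_unix(unix_text, year)
    pc_recs, pc_bad = parse_pc(pc_text)
    merged = sorted(unix_recs + pc_recs, key=lambda r: r[0])
    lines = ["\t".join([r[0].isoformat(), *(clean(f) for f in r[1:])])
             for r in merged]
    return lines, unix_bad + pc_bad


if __name__ == "__main__":
    out, bad = normalize(UNIX_LOG, PC_LOG, 1997)
    print("\n".join(out))
    print(f"{len(bad)} line(s) could not be parsed")
```

Because the output is plain text with fixed columns, your own system administrator can read and maintain it without depending on the consultants who wrote the glue.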

The problem with hiring toolsmiths of this sort is that you may find your security dependent upon them. If your local system administrator is not familiar with the code they used, you may have to rely on the consultants to come for second and third visits. To guard against this, you should ensure good communications between your personnel and the security team. This is a bit harder than it seems.

First, you have to recognize at least this: Your system administrator is God on the network. That network is his domain, and he probably takes exceptional pride in maintaining it. (I have seen some extraordinary things done by system administrators--truly commercial-grade applications running, custom interfaces, and so forth.) When an outside team comes to examine your system administrator's backyard, no matter what they say, the experience feels a little intrusive. Diplomacy is really an important factor. Remember: The consultants will leave, but you have to live with your system administrator on a daily basis.

The General Process
Before you contact any firm and have them come to your offices (or home, I suppose), you need to gather some information on a few things, including the following:

Hardware. This should identify the make, manufacturer, model, and series of each workstation, hub, router, network adapter, and so forth. Ideally, you should also have a list of how much memory is in each machine, the capacity of the disk drives, and the specs of your Ethernet. (For example, 10Base-T or whatever.)


Software. All types of network software that you intend to run, and their version numbers.


Protocols. The protocols you are now running (or plan to run in the future). Try to prioritize these. For example, if there is a single machine that simply must run NFS, highlight that. Also, report the type of connectivity that you currently have.


Scope. The maximum number of workstations you plan to run, where they are located, where the network segments exist, where you plan to expand, and any curiosities that might be relevant. (For example, that you have older, legacy Novell NetWare servers running in one office. If these are sufficiently old, they may traffic unencrypted passwords. Your consultant will need to know that. Don't let something like that crop up later.)

Next, you will need to gather a little model of your company's trust system. That is, you will need to have your system administrator devise some easy listing method to peruse privileges. This will identify what each user or workstation requires in the way of privileges. It might be worth outputting this not only in text format, but also in some graphical representation. On certain platforms, this type of software is available, but it is quite expensive. It is probably better (for small firms trying to save money) if this is done using some technical drawing package (such as Visio).

This information should be bound together. (There are copying services that will bind such a folder, such as Kinko's Copies, or perhaps you have in-house facilities that can do this.) Each section should be separated by a tab that identifies that section. Contained within this folder should also be the following items:

A statement from the system administrator about the security of the system. This should include any special considerations, including whether special software has been written, what type of security utilities are now being used, which ones could not be used, and why.


A statement of what type of security policies have been enforced within your network, a history of any security breaches that you may have had, and so forth.

This compilation of information should be handed over to the security consultants only after you have verified their reputation, because once it is in their hands, they will know more about your network than your system administrator did just one week before. However, it is important to collect the information, and here is why: If you don't do it, the security consulting firm will. That will cost a lot of money. Moreover, it will entail them having to disrupt daily activities even further than they already have to while implementing solutions.

The next step may or may not be within your budget, but if it is, I would strongly recommend it. Locate two separate security firms known to have good reputations. (Even if they are in a different state; it doesn't matter.) Ask those firms what it would cost to examine the information and make a recommendation, a kind of mock bid. Included within their summaries should be a report of how such a job would be implemented if they were doing it. This will not only serve as an index for what the probable cost and effort would be, but also may alert you or your system administrator to special issues, issues particular to your precise configuration. That having been done, you can begin your search for a good, local source.

Security concepts II

Security Through Obscurity
If a security consultant explains to you (or your system administration staff) that one or two holes do exist but that it is extremely unlikely that they can be exploited, carefully consider his explanation. Interrogate him as to what "extremely unlikely" means and why he thinks the contingency is just so.

If his explanation is that the level of technical expertise required is highly advanced, this is still not a valid reason to let it slide, particularly if there are currently no known solutions to the problem. If there are options, take them. Never assume (or allow a consultant to assume) that because a hole is obscure or difficult to exploit that it is okay to allow that hole to exist.

Only several months ago, it was theorized that a Java applet could not access a client's hard disk drive. That has since been proven to be false. The argument initially supporting the "impossibility" of the task was this: The programming skill required was not typically a level attained by most crackers. That was patently incorrect. Crackers spend many hours trying to determine new holes (or new ways of implementing old ones). With the introduction of new technologies, such as Java and ActiveX, there is no telling how far a cracker could take a certain technique.

Security through obscurity was once a sound philosophy. Many years ago, when the average computer user had little knowledge of his own operating system (let alone knowledge of multiple operating systems), the security-through-obscurity approach tended to work out. Things were more or less managed on a need-to-know basis. The problem with security through obscurity, however, becomes more obvious on closer examination. It breaks down to matters of trust.

In the old days, when security through obscurity was practiced religiously, it required that certain users know information about the system; for example, where passwords were located and what special characters had to be typed at the prompt. It was common, actually, for a machine, upon connection, to issue a rather cryptic prompt. (Perhaps this can be likened to the prompt one might have received as a Delphi user just a few years ago.) This prompt was expecting a series of commands, including the carrier service, the terminal emulation, and so on. Until these variables were entered correctly (with some valid response, of which there were many), nothing would happen. For example, if the wrong string was entered, a simple ? would appear. A hacker coming across such a system would naturally be intrigued, but he could spend many hours (if not weeks) typing in commands that would fail. (Although the command HELP seems to be a pretty universal way to get information on almost any system.)

Things changed when more experienced users began distributing information about systems. As more and more information leaked out, more sophisticated methods of breaching security were developed. For example, it was shortly after the first release of internal procedures in CBI (the Equifax credit-reporting system) that commercial-grade software packages were developed to facilitate a breaking and entering into that famous computerized consumer credit bureau. These efforts finally culminated with the introduction of a tool called CBIHACK that automated most of the effort behind cracking Equifax.

Today, it is common for users to know several operating systems in at least a fleeting way. More importantly, however, information about systems security has been so widely disseminated that at this stage, even those starting their career in cracking know where password files are located, how authentication is accomplished, and so forth. As such, security through obscurity is now no longer available as a valid stance, nor should it be, especially for one insidious element of it--the fact that for it to work at all, humans must be trusted with information. For example, even when this philosophy had some value, one or more individuals with an instant need-to-know might later become liabilities. Disgruntled employees are historically well known to be in this category. As insiders, they would typically know things about a system (procedures, logins, passwords, and so forth). That knowledge made the security inherently flawed from the start.

It is for these reasons that many authentication procedures are now automated. In automated authentication procedures, the human being plays no part. Unfortunately, however, as you will learn in Chapter 28, "Spoofing Attacks," even these automated procedures are now suspect.

In any event, view with suspicion any proposal that a security hole (small though it may be) should be left alone.

Choosing a Consultant
There are many considerations in choosing a security consultant. First, it is not necessary that you contract one of the Big Ten firms (for example, Coopers and Lybrand) to secure your network. If you are a small business, this is likely cost prohibitive. Also, it is overkill. These firms typically take big contracts for networks that harbor hundreds (or in WANs, thousands) of machines.

If you are a small firm and cannot afford to invest a lot of money in security, you may have to choose more carefully. However, your consultant should meet at least all the following requirements:

He should be local.


He should have at least four years experience as a system administrator (or apprentice administrator) on your platform. (If some of that experience was in a university, that is just fine.)


He should have a solid reputation.


Generally, he should not have a criminal record.


He should have verifiable references.

Why Local?
Your consultant should be local because you will need to have him available on a regular basis. Also, as I've noted, remote administration of a network is just not a wise thing.

Experience
You notice that I say that university experience will suffice, so long as it does not comprise the totality of the consultant's security education. Why? Because the academic community is probably the closest to the cutting edge of security. If you thumb through this book and examine the references, you will notice that the majority of serious security papers were authored by those in the academic community. In fact, even many of the so-called commercial white papers cited within this book were also authored by students--students who graduated and started security firms.

Reputation
I suggest that your consultant should have a solid reputation, but I want to qualify that. There are two points to be made here, one of which I made at the beginning of this book. Just because former clients of a consultant have not experienced security breaches does not necessarily mean that the consultant's reputation is solid. As I have said, many so-called security specialists conduct their "evaluation" knowing that they have left the system vulnerable. In this scenario, the individual knows a little something about security, but just enough to leave his clients in a vulnerable situation with a false sense of security. Technically, a totally unprotected network could survive unharmed for months on the Internet so long as crackers don't stumble across it.

It would be good if you could verify that your potential consultant had been involved in monitoring and perhaps plugging an actual breach. Good examples are situations where he may have been involved in an investigation of a criminal trespass or other network violation.

Equally, past experience working for an ISP is always a plus.

Security concepts I

On a quiet fall evening not so long ago, the Internet was forever changed. That change took only minutes. If you have been reading this book from cover to cover, you will remember the date in question. However, for readers absorbing this book selectively, I will reiterate. That date was November 2, 1988. Shortly before dusk, a worm was unleashed on the network. Within hours, this worm incapacitated many machines (reportedly over 1,000 of them) and interrupted or otherwise degraded the performance of thousands more. (Many of these machines or networks were key research centers engaged in defense-related study.) At the exact moment that the worm was released, the history and future of the Internet changed forever. No one knew it at the time, because it would take a full year in the aftermath to assess what an enormous impact the incident had. But be assured of this: The change occurred in the same instant that Morris released his code to the Network.

Since that time, security has gained almost a cult status. Individuals I know who have never had a clue about the subject are suddenly diving for security information. You hear it in restaurants all the time. As you are eating your lunch, the buzz floats overhead: firewall, router, packet filtering, e-mail bombing, hackers, crackers...the list is long indeed. (This book would never have been written if the climate weren't just so.) By now, most people know that the Internet is insecure, but few know exactly why. Not surprisingly, those very same people are concerned, because most of them intend to implement some form of commerce on the Internet. It is within this climate that Internet Voodoo has arisen, conjured by marketeers from the dark chaos that looms over the Net and its commercial future.

Marketing folks capitalize on ignorance--that's a fact. I know resellers today who sell 8MB SIMMs for $180 and get away with it. However, while technical consultants do often overcharge their customers, there is probably no area where this activity is more prominent than in the security field. This should be no surprise; security is an obscure subject. Customers are not in a position to argue about prices, techniques, and so forth because they know nothing about the subject. This is the current climate, which offers unscrupulous individuals a chance to rake in the dough. (And they are, at an alarming rate.)

The purpose of this chapter, then, is to offer advice for individuals and small businesses. I cannot guarantee that this is the best advice, but I can guarantee that it is from experience. Naturally, everyone's experience is different, but I believe that I am reasonably qualified to offer some insight into the subject. That said, let's begin.

How Security Concepts Can Influence Your Choices
First, I want to quickly examine security concepts and how they will influence your choices of a security consultant. To begin with, know this: "There is nothing new under the sun." This quote is a brilliant statement made by William Shakespeare. It is brilliant because, in literature that preceded his own, for thousands of years, the statement had already been made. Therefore, he used a redundancy to articulate redundancy. How does this relate to Internet security? Read on.

The truth is, TCP/IP has been around for a long, long time. For example, as I reported in Chapter 18, "Novell," NetWare had fully functional TCP/IP built into its operating system back in 1991. UNIX has had it for far longer. So there is no real problem here. The knowledge is available out there in the void.

The greater majority of security breaches stem from human error. (That is because crackers with limited knowledge can easily cut deep into systems that are erroneously configured. On more carefully configured networks, 90 percent of these self-proclaimed "super crackers" couldn't get the time of day from their target.)

These human errors generally occur from lack of experience. The techniques to protect an Internet server have not significantly changed over the past few years. If a system administrator or security administrator fails to catch this or that hole, he needs to bone up on his advisories.



--------------------------------------------------------------------------------
NOTE: I will readily admit that some techniques have been improved, largely by the academic community and not so much by commercial vendors. Commercial vendors are usually slightly behind the academic communities, perhaps by a few months or so. Examples of this might include the development of automated tools to screen your system for known security holes. Many of these are written by students or by freelance software developers. These tools certainly streamline the process of checking for holes, but the holes are commonly known to any security administrator worth his salt.
--------------------------------------------------------------------------------

So, before you haul off and spend thousands (or even tens of thousands) of dollars on a security consult, there are some things that you should consider. Here are a couple test questions:

Suppose you establish a sacrificial machine, a Macintosh running WebStar and no other TCP/IP servers. The machine is isolated from your network, it has no valuable data on it, and basically, it has no inroad to your internal network. Your network does not run TCP/IP, and none of the publicly accessible nodes perform IP forwarding in any case. Would you pay a security consultant to scan that Web server box? (Instead of either having your system administrator scan it or not scan it at all.) If so, why?


You want to co-locate a box at an ISP. You normally work with Microsoft Windows NT (and so does your internal system administrator). Nevertheless, the ISP is trying to convince you to use a SPARC 20 and is willing to sell you one (or lease you one) for fair market value. Do you do it? If so, why?

The correct answer to both of these questions is "probably not." Here are the reasons why:

Scenario 1: What would the consultant be scanning for? Because the machine is running no other services but HTTP over WebStar, most modern scanners would render a laundry list of "connection refused" and "server not reachable" messages. In other words, the scan would be a complete waste of time and money because no services exist on the machine. Scanners like those discussed in Chapter 9, "Scanners," are used only to attack full-fledged TCP/IP implementations, where services (including NFS and other protocols) are either available and misconfigured or available and not configured at all. The question is, would you or your internal system administrator know this? If not, you might get taken.


Scenario 2: Why would you agree to place your Web server in the hands of a company on which you will remain totally dependent? If neither you nor your staff knows UNIX, insist on an NT box. If the provider balks, find another. Commonly, the ISP staff might forward the explanation that they feel UNIX is more secure and they therefore cannot tolerate an NT box on their Ethernet. If you agree to their terms, you will either be dependent upon them for all maintenance and programming or you will have to pay good money to train your system administrator in UNIX.

There are literally hundreds of such scenarios. In each, there is an opportunity for you to get hustled. A security consult is not to be taken lightly. Neither is the management of your co-located box. Remember that your Web server (wherever it might be located) is something that can be viewed (and attacked) by the entire world.

Before you can make an educated choice of a security consultant, you need to be familiar with basic security principles. That's what this chapter is really all about.

About Remote Security Consults
There is a new phenomenon emerging on the Internet. Security consults are now being done (although perhaps not in great number) from remote locations. This is where someone in the same city (or another city) tests, defines, and ultimately implements your security from the outside. In other words, it is done from a location other than your offices or home. I have a couple points to make regarding this type of procedure:

Scan or penetration testing is commonly done from a remote location. The purpose of penetration testing (at the end of the day) is to simulate a real-time attack from the void. There is no replacement for doing this from a remote location. In this limited area of concern, at least, analysis from a remote location is warranted and reasonable.


All other forms of security testing and implementation should be done onsite. Implementing security from a remote location is not a secure method and may result in security breaches. As much as the idea may seem attractive to you, I would strongly advise against having any firm or individual handle your security from a remote location. If your network is large and is meant to be as secure as possible, even the existence of a privileged user who can gain remote access to do maintenance work is a security risk. (For example, why would one cut a hole through a firewall just for the convenience of off-site work?)


--------------------------------------------------------------------------------
NOTE: As an example, an individual on the East Coast recently posted an article in Usenet requesting bids on a security consult. I contacted that party to discuss the matter, mainly out of curiosity. Within three hours, the party forwarded to me his topology, identifying which machines had firewalls running, what machines were running IP forwarding, and so forth.

Granted, this individual was simply looking for bids, but he forwarded this type of sensitive information to me, an individual he had neither seen nor heard of before. Moreover, if he had done more research, he would have determined that my real name was unobtainable from either my e-mail address, my Web page, or even my provider. Were it not for the fact that I was on great terms with my then-current provider, he [the provider] would not even know my name. So, the person on the East Coast forwarded extremely sensitive information to an unknown source--information that could have resulted in the compromise of his network.


--------------------------------------------------------------------------------

So, point one is this: Other than penetration testing, all active, hands-on security procedures should be undertaken at your place of business or wherever the network is located. Do not forward information to a potential consultant over the Internet, do not hire someone sight unseen, and finally, do not contract a consultant whose expertise cannot be in some way verified.

Vista marginally better than XP

Independent security tests performed by CRN.com suggest that Windows Vista is only marginally more secure than Windows XP. CRN spent a week testing both operating systems against various Trojans, viruses and exploits.

The tests were performed with Windows Vista Business on an HP Compaq 6515b notebook with Internet Explorer 7 (IE7) and an HP Compaq nc6400 with Windows XP with Internet Explorer 6 (IE6), both using the default security features and settings.

Finjan's RUSafe sniffer tool (a security tool that sniffs live traffic and generates logs that can be analyzed to help protect you against malicious web based attacks) was used to help analyze the data.

The computers were tested in 6 areas: Viruses, Spyware and Adware, Trojans, Remote Data Services (RDS) exploits, Vector Markup Language (VML) and other image file flaws, spoofing and testing and phishing.

Viruses

The Finjan RUSafe sniffer tool detected 20 instances of viruses in web sites, including suspicious file types, spoofed content, worms and executable files.

One virus and one worm were undetected by either operating system and none of the files were blocked by either operating system.

Spyware and Adware

Windows Defender, built into Windows Vista, did pick up one IE Plugin spyware, but not all the variants of the same spyware were prevented by IE7. A few of the sites with spyware were undetected by IE7. The Windows XP machine with IE6 missed all of the sites with spyware.

Trojans

Two Trojans were tested with each system. Vista blocked one, warning that the file might cause problems, but missed the other one. XP gave similar warnings but allowed the engineer performing the test to run both.

Remote Data Services Exploits

RDS exploits are used by computer hackers to run denial-of-service (DoS) attacks to paralyze systems. Vista detected one RDS ActiveX exploit, but missed four others. XP failed to detect any of the RDS exploits.

Image files, spoofing and scripting

Vector Markup Language (VML) and other vector-based images are used to allow hackers to execute remote code. Both systems failed to block spoofed content and vector-based images that used embedded scripts.

Phishing

Simply put, phishing is usually a type of email scam used to entice people into going to web sites that appear to come from trusted companies, asking for verification of certain information, such as passwords, account numbers, etc. in an attempt to steal your identity.

IE7 provides an extra security layer with a built-in phishing filter. When you surf to sites suspected of using phishing techniques, the filter turns red and you have to click on it to continue. IE7 failed to connect to Microsoft's security site several times. Also noted was the fact that several of the bots produced by various forms of malware kept trying to access remote hacking sites. Vista didn't stop that activity. XP with IE6 produced one pop-up warning.

After the testing was finished, both test machines were almost equally damaged by viruses, Trojans and other malware.

As noted by Ars Technica, there was no mention of Vista's User Account Control, an extra "security" enhancement designed to warn users when software attempts to access certain components.

By default, IE7 in Vista runs in protected mode which would force scripts to run at restricted privilege levels, unlike XP which allows scripts to run at administrator level. Theoretically, protected mode should alleviate the damage to a certain extent.

It would also have been nice to know exactly what happened after the malware attacked the systems. A little more information is needed to accurately compare both systems.

However, one thing remains perfectly clear. Regardless of which OS you're using, it's very important to have security measures such as regularly updated antivirus and antispyware programs in place.