Security

Computer Security Authentication by Kent Pinkerton

Computer security authentication means verifying the identity of a user logging onto a network or system. Passwords, digital certificates, smart cards and biometrics can be used to prove the identity of the user. The term also covers verifying that data has not been altered in transit: e-mail authentication, and message authentication codes (MACs), which let a recipient check the integrity and origin of a transmitted message. The topics below are human authentication, challenge-response authentication, passwords, two-factor authentication, digital signatures, IP spoofing (an attack on address-based trust rather than an authentication method) and biometrics.

Human authentication is verification that a person, not an automated program, initiated the transaction. Challenge-response authentication is a method of proving the identity of a user logging onto a network without ever sending the password itself. When a user logs on, the network access server (NAS), wireless access point or authentication server creates a challenge, typically a random number (a nonce), and sends it to the client machine. The client software combines the challenge with a key derived from the user's password, using a one-way hash function, a keyed MAC or an encryption algorithm, and sends the result back to the network: this is the response. The server, which holds the same secret, performs the same computation and compares the two. Because each challenge is fresh, a captured response is useless for a later login, although the scheme is only as strong as the password from which the key is derived, since an attacker who records an exchange can guess passwords against it offline.
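The exchange described above, as an added example that is not code from the original article. The server stores a PBKDF2-derived verifier per user instead of the password, sends the salt and a fresh random nonce as the challenge, and accepts a response only if it equals HMAC-SHA256 keyed with that verifier over the nonce and username, for a nonce that is unexpired and has not been used before. The user names and passwords are constructed for the example; the choice of PBKDF2 and HMAC-SHA256 is this example's, not something the article specifies.

```python
"""Challenge-response login in which the password never crosses the wire.

Added example, not code from the original article. Names, passwords and
the PBKDF2/HMAC-SHA256 construction are this example's own choices.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000   # slows offline guessing of the password from a captured exchange
NONCE_BYTES = 16


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Key derived from the password; the server stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def compute_response(verifier: bytes, nonce: bytes, username: str) -> bytes:
    """The client's answer: a MAC over the challenge keyed by the password-derived key.
    Including the username stops a response being replayed against another account."""
    return hmac.new(verifier, nonce + username.encode(), hashlib.sha256).digest()


class AuthServer:
    def __init__(self, ttl_seconds: float = 30.0):
        self._users = {}     # username -> (salt, verifier)
        self._pending = {}   # username -> (nonce, time issued)
        self._ttl = ttl_seconds

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_verifier(password, salt))

    def issue_challenge(self, username: str):
        """Returns (salt, nonce). Unknown users get a random salt so the
        reply does not reveal whether the account exists."""
        salt = self._users[username][0] if username in self._users else secrets.token_bytes(16)
        nonce = secrets.token_bytes(NONCE_BYTES)
        self._pending[username] = (nonce, time.monotonic())
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        pending = self._pending.pop(username, None)   # a nonce is consumed on first use
        if pending is None or username not in self._users:
            return False
        nonce, issued = pending
        if time.monotonic() - issued > self._ttl:
            return False
        expected = compute_response(self._users[username][1], nonce, username)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_login(server: AuthServer, username: str, password: str) -> bool:
    """The client side of one login attempt."""
    salt, nonce = server.issue_challenge(username)
    verifier = derive_verifier(password, salt)
    return server.verify(username, compute_response(verifier, nonce, username))


if __name__ == "__main__":
    srv = AuthServer()
    srv.enroll("alice", "correct horse battery staple")
    print("correct password:", client_login(srv, "alice", "correct horse battery staple"))
    print("wrong password:  ", client_login(srv, "alice", "Tr0ub4dor&3"))
    salt, nonce = srv.issue_challenge("alice")
    captured = compute_response(derive_verifier("correct horse battery staple", salt), nonce, "alice")
    print("first use of response:", srv.verify("alice", captured))
    print("replayed response:    ", srv.verify("alice", captured))
```

The replay in the last two lines is the point of the nonce: the same response is accepted once and then refused, because the server discards a challenge the moment it is checked. The nonce must come from a cryptographic source (`secrets`, not `random`), and the exchange still needs a transport that prevents an attacker from substituting their own challenge.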

Two-factor authentication requires two independent ways to establish identity and privileges, typically drawn from something the user knows (a password), something the user has (a token, smart card or phone) and something the user is (a biometric). Using more than one factor is also called strong or multi-factor authentication. This contrasts with traditional password authentication, which requires only one factor to gain access to a system. A password is a secret word or code that serves as a security measure against unauthorized access to data. It is normally managed by the operating system or DBMS. However, a computer can only verify that the password is correct, not that the person typing it is its rightful owner, which is exactly the gap a second factor is meant to close.
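The most common "something you have" factor is a time-based one-time password. The following is an added example, not code from the original article: it implements the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with only the standard library, and a verifier that tolerates one step of clock drift but refuses to accept a step it has already accepted, so a code that was phished or shoulder-surfed cannot be reused. The password check that forms the first factor is assumed to happen separately; the shared secret is the one from the RFC test vectors.

```python
"""Time-based one-time passwords (RFC 6238 / RFC 4226) as a second factor.

Added example, not code from the original article. The secret used in the
demo is the RFC 4226/6238 test-vector secret, ASCII "12345678901234567890".
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the big-endian 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1,
                last_counter=None, digits: int = 6):
    """Return the counter the code matched, or None.

    Steps within `window` of the current one are accepted, to allow for clock drift.
    Any counter at or below `last_counter` (the last step that logged in
    successfully) is rejected, so a code cannot be replayed within its own step.
    The caller must persist the returned counter as the new `last_counter`.
    """
    current = now // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC test-vector secret, not a real key
    print(totp(secret, 59), totp(secret, 59, digits=8))        # 287082 94287082
    print(verify_totp(secret, "287082", now=59))                # 1
    print(verify_totp(secret, "287082", now=59, last_counter=1))  # None: replay
```

The drift window is a trade-off: each extra step accepted multiplies an online guesser's chance per attempt, so pair it with rate limiting on failed codes. The secret must be stored with the same care as a password verifier, since anyone holding it can generate codes at will.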

The two major applications of digital signatures are establishing a secure connection to a website (the server's certificate is signed by a certificate authority, and the TLS handshake is in turn signed with the server's private key) and verifying the integrity and origin of transmitted files, as with signed software packages. IP spoofing refers to forging the source address field of IP packets so that an unauthorized machine's traffic appears to come from an authorized host, either to bypass address-based access controls or, as in the reflection attacks discussed below, to direct replies at a victim.

Biometrics can be a more secure form of authentication than typing passwords or even using smart cards, which can be stolen. However, some methods have relatively high failure rates, both rejecting legitimate users and accepting impostors. For example, fingerprints can be lifted from a water glass and used to fool scanners, and unlike a password a compromised fingerprint cannot be changed, so a biometric is best used as one factor alongside another rather than on its own.

Need Help Defeating Denial of Service Attacks?

On March 27, 2013 Business Insider reported that the biggest cyber attack in history, a distributed denial of service (DDoS) attack, was under way, and that Internet speeds in parts of the world had slowed noticeably as a result. The first wave of the attack began on March 18th. Identified as Open Systems Interconnection (OSI) Layer 3 attacks, they were aimed at the Domain Name Service (DNS) servers operated by the non-profit anti-spam organization Spamhaus. Spamhaus publishes its blocklists over DNS, and mail servers around the world query them, so taking its DNS down would disrupt mail filtering far beyond Spamhaus itself. The attack was recorded at a sustained 300 gigabits per second. Were it not for the distributed structure of Spamhaus operations it would likely have been taken completely off line. The attack was alleged to have been concocted after Spamhaus listed a Dutch web hosting company named Cyberbunker in an effort to weed out spammers. Spamhaus subsequently accused Cyberbunker of working with Russian and Eastern European criminal organizations to carry out the attack.


The largest source of the attack traffic against Spamhaus was DNS reflection. The basic idea of a DNS reflection attack is to send queries with a forged source address, the victim's, to a large number of open DNS resolvers, choosing a query whose answer is far larger than the question (the attack used ANY queries for a DNSSEC-signed zone). The resolvers dutifully send their large answers to the forged source, in this case Spamhaus. Because the requests are only a small fraction of the size of the responses, the attacker amplifies the attack far beyond the bandwidth it actually owns. Requests were approximately 36 bytes long while the responses were approximately 3,000 bytes, an amplification factor of over 80x. In addition to the DNS reflection, the attackers also threw in a TCP SYN-ACK reflection attack, in which SYN packets with spoofed source addresses pointing at the victim are sent to large numbers of servers, which answer the victim with SYN-ACKs. A SYN-ACK is about the same size as the SYN that provoked it, so this reflects the attacker's bandwidth but does not amplify it.
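What the victim's side of a reflection attack looks like in flow data, as an added example that is not part of the original article: DNS answers arriving from many resolvers the host never sent a query to. The input is a constructed NetFlow-style text log using RFC 5737 documentation addresses, and the 36-byte request size used for the amplification estimate is the article's figure, not something measured by the code.

```python
"""Spotting DNS reflection in flow records: answers with no matching question.

Added example, not from the original article. The flow log and addresses
are constructed; the request size is the article's 36-byte figure.
"""
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"bytes=(?P<bytes>\d+)\s+pkts=(?P<pkts>\d+)$"
)

ASSUMED_REQUEST_BYTES = 36   # per the article; a real sensor would measure this

# Constructed sample: a normal lookup by 192.0.2.20, one stray late answer to
# 192.0.2.30, and four open resolvers flooding 192.0.2.10 with 3,000-byte answers.
SAMPLE_FLOWS = """\
2013-03-18T10:00:01Z UDP 192.0.2.20:51000 -> 198.51.100.53:53 bytes=72 pkts=1
2013-03-18T10:00:01Z UDP 198.51.100.53:53 -> 192.0.2.20:51000 bytes=210 pkts=1
2013-03-18T10:00:02Z UDP 198.51.100.54:53 -> 192.0.2.30:40123 bytes=180 pkts=1
2013-03-18T10:00:02Z UDP 203.0.113.5:53 -> 192.0.2.10:80 bytes=300000 pkts=100
2013-03-18T10:00:02Z UDP 203.0.113.6:53 -> 192.0.2.10:80 bytes=300000 pkts=100
2013-03-18T10:00:03Z UDP 203.0.113.7:53 -> 192.0.2.10:443 bytes=300000 pkts=100
2013-03-18T10:00:03Z UDP 203.0.113.8:53 -> 192.0.2.10:53 bytes=300000 pkts=100
2013-03-18T10:00:03Z TCP 192.0.2.40:55010 -> 192.0.2.10:80 bytes=4000 pkts=12
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue   # a production parser would count and report malformed lines
        f = m.groupdict()
        for k in ("sport", "dport", "bytes", "pkts"):
            f[k] = int(f[k])
        flows.append(f)
    return flows


def find_reflection_victims(flows, min_reflectors=3):
    """Return {victim_ip: stats} for hosts receiving unsolicited DNS answers
    from at least `min_reflectors` distinct resolvers."""
    # Every (client, server) pair for which an outbound DNS query was seen.
    queried = {(f["src"], f["dst"]) for f in flows if f["proto"] == "UDP" and f["dport"] == 53}
    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0})
    for f in flows:
        if f["proto"] != "UDP" or f["sport"] != 53:
            continue
        if (f["dst"], f["src"]) in queried:
            continue   # an answer to a question the host actually asked
        s = stats[f["dst"]]
        s["reflectors"].add(f["src"])
        s["bytes"] += f["bytes"]
        s["pkts"] += f["pkts"]
    victims = {}
    for victim, s in stats.items():
        if len(s["reflectors"]) < min_reflectors:
            continue
        avg = s["bytes"] / s["pkts"]
        victims[victim] = {
            "reflectors": len(s["reflectors"]),
            "bytes": s["bytes"],
            "avg_response_bytes": avg,
            "amplification": round(avg / ASSUMED_REQUEST_BYTES, 1),
        }
    return victims


if __name__ == "__main__":
    for victim, s in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(victim, s)
```

The single unsolicited answer to 192.0.2.30 is deliberately below the reflector threshold: late replies and scanners produce those all the time, and it is the fan-in from many resolvers, combined with the response size, that distinguishes reflection. Note that the detector can only tell you who is being hit; the spoofed queries carry the victim's address, so the flow data never reveals the real attacker.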

There is very little any administrator can do once routers are being asked to process more data than will fit into the pipe; the fix has to come from upstream. Back in May 2000 Internet Request For Comments (RFC) 2827, Best Current Practice 38, was published with the title: "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing." The RFC describes an ingress filtering method that stops spoofed-source attacks from being launched from within the network of an Internet connectivity provider. Where a provider aggregates routing announcements for multiple downstream networks, it applies strict filters (not traffic shaping) on its customer-facing interfaces that drop any packet whose source address does not belong to the prefixes announced through that interface. An attacker would thus have to launch attacks using a true source address, which rapidly serves to identify the assailant, and reflection attacks, which depend entirely on forging the victim's address, could not be launched from that network at all.

This is not to say that ingress filtering is a panacea against spoofed-source DDoS attacks. It does not stop an attacker from forging the source address of another legitimate host within the permitted prefix range. However, this requires additional homework on the part of the attacker, the traffic is still traceable to the customer interface it entered on, and the time before the attacker is discovered is significantly reduced. It also means the administrator under attack can take concrete steps, such as filtering the offending prefix, to stop the attack in progress without affecting other visitors.
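The filtering rule and its limitation, simulated as an added example that is not code from the original article or the RFC: each customer-facing interface is bound to the prefixes the provider routes for that customer, a packet arriving with a source address outside them is dropped, and a packet spoofing a neighbour inside the same prefix still gets through. The interface names, prefixes and packets are constructed from RFC 5737 documentation addresses; 192.0.2.10 plays the reflection victim and sits outside both customers' prefixes.

```python
"""RFC 2827 (BCP 38) ingress filtering at a provider's customer edge, simulated.

Added example, not from the original article or the RFC. Interfaces,
prefixes and packets are constructed using RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    note: str = ""


class IngressFilter:
    def __init__(self, iface_prefixes):
        # iface -> networks that may legitimately source packets on that interface
        self._allowed = {i: [ip_network(p) for p in ps] for i, ps in iface_prefixes.items()}

    def permits(self, pkt: Packet) -> bool:
        prefixes = self._allowed.get(pkt.iface)
        if prefixes is None:
            return False          # unconfigured interface: deny by default
        src = ip_address(pkt.src)
        return any(src in net for net in prefixes)

    def apply(self, packets):
        forwarded, dropped = [], []
        for pkt in packets:
            (forwarded if self.permits(pkt) else dropped).append(pkt)
        return forwarded, dropped


def drop_log(dropped):
    """Audit lines: a spoofed packet still tells you which customer port it came in on."""
    return [f"DROP iface={p.iface} src={p.src} dst={p.dst} ({p.note})" for p in dropped]


EDGE = IngressFilter({
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "198.51.100.128/25"],
})

SAMPLE_PACKETS = [
    Packet("cust-a", "203.0.113.20", "198.51.100.53", "legitimate DNS query from customer A"),
    Packet("cust-a", "192.0.2.10", "198.51.100.53", "query spoofed as the victim: reflection attempt"),
    Packet("cust-b", "203.0.113.20", "192.0.2.10", "customer B spoofing customer A's address"),
    Packet("cust-a", "203.0.113.77", "198.51.100.53", "spoofing a neighbour inside A's own prefix"),
    Packet("cust-c", "192.0.2.77", "192.0.2.10", "interface with no configured prefixes"),
]


if __name__ == "__main__":
    fwd, drp = EDGE.apply(SAMPLE_PACKETS)
    print("forwarded:", [(p.iface, p.src) for p in fwd])
    print("\n".join(drop_log(drp)))
```

The fourth packet is the caveat from the paragraph above: it passes, but the drop log and the interface binding mean the provider knows it came from customer A's port, which is the "rapidly identified" property the RFC relies on. On real routers the same check is usually deployed as strict unicast reverse-path forwarding (for example `ip verify unicast source reachable-via rx` on Cisco IOS) or as an interface ACL generated from the customer's prefix list; the logic is the one above, with the prefix set taken from the routing table.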

Security Glossary, Version 2

RFC 4949 was published as a major revision and expansion of the Internet Security Glossary in RFC 2828. The Glossary provides definitions, abbreviations and explanations of terminology for information system security. Across its 334 pages of entries it also offers recommendations to improve the comprehensibility of written material generated in the Internet Standards Process. The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well established in open publications; and (d) avoid terms that favor a particular vendor, or a particular technology or mechanism over other competing techniques that already exist or could be developed.
 

Quantum Cryptography Email Encryption

Encrypted email using public/private key pairs, as in PGP, is not unconditionally secure: its security rests on the assumed hardness of the underlying mathematical problems, which some claim well-resourced government organisations can defeat, and there is always the danger of private keys falling into the hands of hackers. If a fresh key could be generated every time a message was sent, and that key could be exchanged between sender and recipient with any interception being detected, the message could be encrypted with a one-time pad and remain secure no matter how much computing power an attacker has. That is the principle behind quantum cryptography.

The principles of quantum encryption have been with us for some time, and new approaches appear frequently in scientific publications. One of the latest was published by a research team at the University of Toronto, who claim that their approach is entirely secure and indecipherable. This is how it works.

The essence of quantum cryptography is the ability to distribute a secret key between two parties (quantum key distribution, QKD) in such a way that any eavesdropping is detected. The bits of the key are encoded in the quantum states of individual photons, for example their polarisation.

When quantum cryptography was invented it was considered an entirely foolproof way of exchanging keys for encrypting email. The reason is that any attempt to measure a photon in flight disturbs its quantum state (in entanglement-based variants, it breaks the correlation between the paired photons), and the resulting error rate becomes apparent to the legitimate sender and recipient when they compare a sample of their key over a public channel. That means the encryption key can be transmitted securely between two users: if the error rate is too high, they discard the key and start again.
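A classical simulation of the BB84 protocol, as an added example that is not from the original post, to show where the detectable error rate comes from. A photon is modelled as a (basis, bit) pair: measuring it in the matching basis returns the bit, measuring in the other basis returns a random bit and leaves the photon in the measured state. An intercept-and-resend eavesdropper must guess a basis for every photon, so about a quarter of the sifted key comes out wrong, and the two legitimate parties see that when they publicly compare a sample. The 11% abort threshold is the usual figure above which no secure key can be distilled from BB84; the random seed is fixed so runs are reproducible.

```python
"""BB84 key exchange, simulated classically, showing why an eavesdropper is noticed.

Added example, not from the original post. The photon model and the
fixed seed are this simulation's own choices.
"""
import random

ABORT_THRESHOLD = 0.11   # roughly the QBER above which BB84 cannot yield a secure key


def measure(photon, basis, rng):
    """Measuring in the wrong basis gives a random outcome; returns (new photon state, bit)."""
    photon_basis, bit = photon
    if basis != photon_basis:
        bit = rng.randint(0, 1)
    return (basis, bit), bit


def bb84(n_photons, eavesdrop, seed=0, sample_fraction=0.25):
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_photons)]   # 0 rectilinear, 1 diagonal
    photons = list(zip(alice_bases, alice_bits))

    if eavesdrop:   # Eve measures each photon in a guessed basis and resends what she saw
        photons = [measure(p, rng.randint(0, 1), rng)[0] for p in photons]

    bob_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bits = [measure(p, b, rng)[1] for p, b in zip(photons, bob_bases)]

    # Sifting: bases are announced publicly; keep only positions where they agree.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Error estimate: publicly compare a random sample of the sifted key, then discard it.
    k = max(1, int(len(sifted) * sample_fraction))
    sample = set(rng.sample(range(len(sifted)), k))
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / k

    alice_key = [a for i, (a, _) in enumerate(sifted) if i not in sample]
    bob_key = [b for i, (_, b) in enumerate(sifted) if i not in sample]
    return {
        "sifted": len(sifted),
        "qber": qber,
        "accepted": qber <= ABORT_THRESHOLD,
        "alice_key": alice_key,
        "bob_key": bob_key,
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(4000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: sifted={r['sifted']} QBER={r['qber']:.3f} accepted={r['accepted']}")
```

Without an eavesdropper the sifted keys agree exactly; with one, the sample shows a quarter of the bits flipped and the run is aborted. Real links also have noise, which is why the threshold is not zero, and this model assumes the detectors honestly report what hit them, which is precisely the assumption the following paragraphs question.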

However, there is a gap between that reasoning and real hardware. The key is carried by photons that land on physical photon detectors, and it is the detectors, not the physics, that an attacker can intercept and manipulate.

This kind of attack targets the implementation rather than the protocol and is called a side-channel attack (specifically, detector blinding); its existence has been acknowledged by Dr. Charles Bennett of IBM, co-inventor of the first quantum key distribution protocol. In a detector-blinding attack the photon detectors are flooded with bright light that drives them out of their single-photon regime, so they register only the outcomes the attacker chooses and the telltale error rate never appears.

The latest approach offers a solution to this problem, known as "Measurement Device Independent QKD" (MDI-QKD). Rather than trusting their detectors, the sender and recipient treat them as if the attacker operated them: every measurement is made by an untrusted party in the middle, and what that party announces is used only to sift the key, which the two legitimate parties then check against their own records. Any manipulation of the measurement results shows up as errors when they compare their data.

Sender and recipient each send photons to a relay that may be controlled by the attacker; the relay performs a joint (Bell-state) measurement on each pair and publicly announces the outcome. Because the relay learns only whether the two photons were correlated, never the bit values themselves, its detectors can be fully controlled by the attacker without compromising the key. So far experiments have supported the theory, and a prototype system is being produced which should be ready in the next five years.

This is a guest post by Adam, a new Londoner, who has interests in recruitment, all things techy, a passion for travel and a love of fashion. He blogs about recruitment, travel and IT/technology as well as the latest trends in men's and women's fashion. If you want Adam to write you specific content, feel free to message me on Twitter (@NewburyNewbie).

 

Spam Firewall

What is a Spam Firewall?

A spam firewall is a hardware appliance that sits between your Internet firewall and the mail server on your LAN, so inbound mail reaches it first. It is called a "firewall" because it inspects incoming SMTP traffic and blocks the messages that meet its criteria for spam. Spam firewalls can also provide anti-virus, anti-spyware, anti-spoofing and anti-phishing services, depending on the model you choose. A spam firewall is not designed to protect your network against intruders such as hackers; you still need a regular Internet firewall for that.

How Does a Spam Firewall Appliance Work?

Spam firewalls use a variety of methods to decide what is spam and filter it out. Normally a form of blocklisting is used, which automatically rejects mail from sending IP addresses or domains known for spam, often by querying DNS-based blocklists such as those Spamhaus publishes. An allowlist (whitelist) lets the administrator name addresses or domains that should never be blocked; because a "From" address is trivially forged, an allowlist is only as trustworthy as the sender authentication behind it. Keyword scanning lets the administrator or individual user block messages containing certain words or combinations of words. A form of message authenticity checking is also normally used: validating the "From" domain, checking how the sending host behaves during the SMTP conversation, and checking the sending IP against the records the sender's domain publishes (SPF). Many appliances also use Bayesian filtering, which blocks more spam over time as it "learns" from message history and user feedback what spam looks like. Rate-based filters look at the number of incoming messages and where they come from, so a sudden barrage of mail from one source can be spotted and stopped quickly. Spam firewalls are very good at eliminating the majority of spam that comes into a network. They are not 100% effective, but many come close.

Are Spam Firewalls Expensive?

Spam firewall appliances range in price from around $2000 up to $20,000 or more, depending on the number of users to be protected and the features included. Many offer optional features such as antivirus or anti-spyware scanning. Spam firewalls need to be kept up to date with the latest data on known spam sources, new algorithms, updated filters and so on; this is normally handled by the manufacturer as an automatic update feature. As with most network appliances, an annual maintenance plan is usually purchased to keep the firewall up to date and performing at its best.

What About False Positives?

Spam firewall appliances use many sophisticated techniques to identify and block spam, generally with very good success. Because spammers are constantly changing their techniques to get junk mail past the latest filtering technology, spam firewalls must continually monitor patterns and adjust their filtering, and manufacturers are constantly shipping corrective configuration changes to keep up. For this reason, even the best spam firewall will occasionally filter out "good" mail. This is called a "false positive", and administrators (and users) must always be on the lookout for it: quarantining suspected spam rather than silently discarding it, and reviewing the quarantine, is what makes a false positive recoverable. Most spam firewalls have sensitivity thresholds that an administrator can adjust to reduce false positives, at the cost of letting a little more spam through.
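The layering described in the two sections above (blocklist, allowlist, keyword rules, Bayesian scoring) and the threshold trade-off behind false positives, as one added example that is not from the original article or any vendor's product. The training corpus, addresses and messages are constructed, and the verdict order is this example's: an allowlisted sender domain is always delivered, a blocklisted sending IP or domain is always blocked, then keyword rules run, then the naive Bayes probability is compared with a threshold the administrator can move.

```python
"""A layered spam filter: allowlist, blocklist, keyword rules, then naive Bayes
against an adjustable threshold.

Added example, not from the original article or any appliance. Corpus,
addresses and messages are constructed.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z$]+")


def tokens(text):
    return set(TOKEN_RE.findall(text.lower()))


class NaiveBayes:
    """Bernoulli naive Bayes over word presence, with add-one smoothing."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text, is_spam):
        if is_spam:
            self.spam.update(tokens(text)); self.n_spam += 1
        else:
            self.ham.update(tokens(text)); self.n_ham += 1

    def spam_probability(self, text):
        log_odds = math.log(self.n_spam / self.n_ham)          # class prior
        for t in tokens(text):
            p_spam = (self.spam[t] + 1) / (self.n_spam + 2)
            p_ham = (self.ham[t] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))


class SpamFilter:
    def __init__(self, classifier, threshold=0.9):
        self.classifier = classifier
        self.threshold = threshold    # lower catches more spam and more legitimate mail
        self.blocklist = set()        # sending IPs or sender domains
        self.allowlist = set()        # sender domains; a From header is spoofable, so pair with SPF/DKIM
        self.keyword_rules = []       # compiled regular expressions

    def verdict(self, msg):
        """msg: dict with ip, sender, subject, body. Returns (action, reason)."""
        domain = msg["sender"].rsplit("@", 1)[-1].lower()
        if domain in self.allowlist:
            return "deliver", "allowlist"
        if msg["ip"] in self.blocklist or domain in self.blocklist:
            return "block", "blocklist"
        text = msg["subject"] + " " + msg["body"]
        for rule in self.keyword_rules:
            if rule.search(text):
                return "block", "keyword:" + rule.pattern
        p = self.classifier.spam_probability(text)
        return ("quarantine" if p >= self.threshold else "deliver"), f"bayes:{p:.3f}"


TRAINING = [   # constructed corpus: (text, is_spam)
    ("buy cheap meds now lowest price", True),
    ("free money win now click here", True),
    ("cheap viagra lowest price click", True),
    ("win free prize click now", True),
    ("meeting agenda for monday attached", False),
    ("invoice attached for your order", False),
    ("please review the attached report", False),
    ("lunch on monday with the team", False),
]


def build_filter(threshold=0.9):
    clf = NaiveBayes()
    for text, is_spam in TRAINING:
        clf.train(text, is_spam)
    f = SpamFilter(clf, threshold)
    f.blocklist.add("203.0.113.66")                      # a known spam source
    f.keyword_rules.append(re.compile(r"\bviagra\b", re.I))
    return f


SPAM = {"ip": "198.51.100.9", "sender": "promo@meds.example",
        "subject": "cheap meds", "body": "lowest price buy now"}
HAM = {"ip": "198.51.100.10", "sender": "bob@corp.example",
       "subject": "agenda for monday", "body": "please review the attached agenda for monday"}
NEWSLETTER = {"ip": "198.51.100.11", "sender": "news@vendor.example",
              "subject": "free webinar on monday", "body": "register now"}
BLOCKED = dict(HAM, ip="203.0.113.66")

if __name__ == "__main__":
    f = build_filter()
    for name, m in [("spam", SPAM), ("ham", HAM), ("newsletter", NEWSLETTER), ("blocked-ip", BLOCKED)]:
        print(name, f.verdict(m))
    aggressive = build_filter(threshold=0.6)
    print("newsletter at 0.6:", aggressive.verdict(NEWSLETTER))   # a false positive
    aggressive.allowlist.add("vendor.example")
    print("after allowlisting:", aggressive.verdict(NEWSLETTER))
```

The newsletter is the interesting case: it scores about 0.67, so it is delivered at the default threshold but quarantined once an administrator tightens the threshold to 0.6 to catch more spam, and the allowlist is then the tool that rescues it. The blocklisted message shows why ordering matters: its text is perfectly legitimate, but the sending IP decides the verdict before any content is read.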

A spam firewall appliance is not a typical "set it and forget it" device, but the advantage of having one on your network far outweighs the administrative work it needs. If your organization receives a lot of spam, get a spam firewall and experience the difference!

DJ is a corporate IT Manager and author of the following sites covering information technology topics: Computer Security for Everyone; Save on Phone Service with VoIP; Internet Phone Service - The Future is Here!