WebMastersLoom

ActiveX uses an interesting method for enforcing security … it doesn’t. Well, that’s not exactly true. What happens is when a web page requests an ActiveX control the browser determines if that control is already loaded onto your system. If it is the ActiveX control is executed. If not, the user is asked if it is okay to install the control. Additional information about where the control came from and it’s security implications is also included.

The theory behind this security model is the user knows what’s best for his system. In my humble opinion, this is pure hogwash (a stronger expletive came to mind but this is a family site). Is your average web surfer really knowledgeable enough to make a decision like this? Look at it this way, by installing an ActiveX control you are assuming it is secure, won’t damage your system and is bug-free. You are basically trusting completely the company which created the control, the developers and the people distributing the image.

Yes there are security certificates involved, but those are relatively easy to get. Also remember how many security problems have been reported involving ActiveX controls.

I don’t know about you, but when I get that little box stating a site wants to install an ActiveX control, my first impulse is to hit the NO box, quickly followed by the BACK key. This may seem a bit paranoid, but I use my computer all day long and I depend upon it for business and pleasure. Why would I want to put it at any risk for some silly little ActiveX control? The web is a huge place and there are plenty of other sites to look at.

My advice to anyone is generally don’t allow ActiveX controls to be installed from anywhere except for really big sites like Microsoft. It’s just too difficult to judge how safe or unsafe the control happens to be.

How is this different from Java? Well, Java has an entirely different security model which does not make the assumption that the user has been educated about the specific Java applet. Java sets specific rules to what an applet can and cannot do, and generally these rules do an excellent job of preventing damage to a system (there have been bugs but no where near as many as with ActiveX).

On top of the security concerns, ActiveX only works in Internet Explorer. Yes, I know there is a plug in for Netscape but it’s slow and not very usable. Besides, most Netscape users don’t have it installed. If you are designing a web site, please consider this very carefully. If you include ActiveX controls you are losing as many as 50 percent of your visitors. Perhaps more, depending upon your market. Is any functionality that you might gain worth that cost?

Of course, if you are creating an Intranet (a web local to a company) then by all means use all of the ActiveX controls that you want. In this case, you have far more control over the user environment that you have on the web.

This article is written by daBoss. daBoss is the Webmaster of Designer Banners. daBoss can be contacted at sales (at) designerbanners (dot) com.

Developing a Login System with PHP and MySQL

Most interactive websites nowadays would require a user to log in into the website’s system in order to provide a customized experience for the user. Once the user has logged in, the website will be able to provide a presentation that is tailored to the user’s preferences.

A basic login system typically contains 3 components:

1. The component that allows a user to register his preferred login id and password
2. The component that allows the system to verify and authenticate the user when he subsequently logs in
3. The component that sends the user’s password to his registered email address if the user forgets his password

Such a system can be easily created using PHP and MySQL.

Component 1 – Registration

Component 1 is typically implemented using a simple HTML form that contains 3 fields and 2 buttons:

1. A preferred login id field
2. A preferred password field
3. A valid email address field
4. A Submit button
5. A Reset button

Assume that such a form is coded into a file named register.html. The following HTML code excerpt is a typical example. When the user has filled in all the fields, the register.php page is called when the user clicks on the Submit button.

[form name="register" method="post" action="register.php"]
   [input name="login id" type="text" value="loginid" size="20"/][br]
   [input name="password" type="text" value="password" size="20"/][br]
   [input name="email" type="text" value="email" size="50"/][br]
   [input type="submit" name="submit" value="submit"/]
   [input type="reset" name="reset" value="reset"/]
[/form]

The following code excerpt can be used as part of register.php to process the registration. It connects to the MySQL database and inserts a line of data into the table used to store the registration information.

@mysql_connect("localhost", "mysql_login", "mysql_pwd") or die("Cannot connect to DB!");
@mysql_select_db("tbl_login") or die("Cannot select DB!");
$sql="INSERT INTO login_tbl (loginid, password and email) VALUES (".$loginid.”,”.$password.”,”.$email.”)”;
$r = mysql_query($sql);
if(!$r) {
   $err=mysql_error();
   print $err;
   exit();
}

The code excerpt assumes that the MySQL table that is used to store the registration data is named tbl_login and contains 3 fields – the loginid, password and email fields. The values of the $loginid, $password and $email variables are passed in from the form in register.html using the post method.

Component 2 – Verification and Authentication

A registered user will want to log into the system to access the functionality provided by the website. The user will have to provide his login id and password for the system to verify and authenticate.

This is typically done through a simple HTML form. This HTML form typically contains 2 fields and 2 buttons:

1. A login id field
2. A password field
3. A Submit button
4. A Reset button

Assume that such a form is coded into a file named authenticate.html. The following HTML code excerpt is a typical example. When the user has filled in all the fields, the authenticate.php page is called when the user clicks on the Submit button.

[form name="authenticate" method="post" action="authenticate.php"]
   [input name="login id" type="text" value="loginid" size="20"/][br]
   [input name="password" type="text" value="password" size="20"/][br]
   [input type="submit" name="submit" value="submit"/]
   [input type="reset" name="reset" value="reset"/]
[/form]

The following code excerpt can be used as part of authenticate.php to process the login request. It connects to the MySQL database and queries the table used to store the registration information.

@mysql_connect("localhost", "mysql_login", "mysql_pwd") or die("Cannot connect to DB!");
@mysql_select_db("tbl_login") or die("Cannot select DB!");
$sql="SELECT loginid FROM login_tbl WHERE loginid=’".$loginid.”’ and password=’”.$password.”’”;
$r = mysql_query($sql);
if(!$r) {
   $err=mysql_error();
   print $err;
   exit();
}
if(mysql_affected_rows()==0){
   print "no such login in the system. please try again.";
   exit();
}
else{
   print "successfully logged into system.";
   //proceed to perform website’s functionality – e.g. present information to the user
}

As in component 1, the code excerpt assumes that the MySQL table that is used to store the registration data is named tbl_login and contains 3 fields – the loginid, password and email fields. The values of the $loginid and $password variables are passed in from the form in authenticate.html using the post method.

Component 3 – Forgot Password

A registered user may forget his password to log into the website’s system. In this case, the user will need to supply his loginid for the system to retrieve his password and send the password to the user’s registered email address.

This is typically done through a simple HTML form. This HTML form typically contains 1 field and 2 buttons:

[form name="forgot" method="post" action="forgot.php"]
   [input name="login id" type="text" value="loginid" size="20"/][br]
   [input type="submit" name="submit" value="submit"/]
   [input type="reset" name="reset" value="reset"/]
[/form]

@mysql_connect("localhost", "mysql_login", "mysql_pwd") or die("Cannot connect to DB!");
@mysql_select_db("tbl_login") or die("Cannot select DB!");
$sql="SELECT password, email FROM login_tbl WHERE loginid=’".$loginid.”’”;
$r = mysql_query($sql);
if(!$r) {
   $err=mysql_error();
   print $err;
   exit();
}
if(mysql_affected_rows()==0){
   print "no such login in the system. please try again.";
   exit();
}
else {
   $row=mysql_fetch_array($r);
   $password=$row["password"];
   $email=$row["email"];

   $subject="your password";
   $header="from:you@yourdomain.com";
   $content="your password is ".$password;
   mail($email, $subject, $row, $header);

   print "An email containing the password has been sent to you";
}

One of the great promises that actually came true when our Internet-enabled world reached the twenty-first century is efficient customer-to-business interaction. Each day, I find a new way to go through life’s errands without ever waiting on hold for a bank teller, a pharmacist, or an insurance agent. I do it all online.

Internet savvy consumers are coming to expect such web empowerment. And while these information transactions usually require some sort of private data traveling the ether, you, as the webmaster, bear the burden of keeping that data away from those who have no right to it.

Since retina scans and brain wave signatures are still properties of James Bond flicks, we’re stuck using plain old boring passwords.

Is this really secure?

Let’s get this out of the way first. The only truly secure computer is one that’s unplugged. Kind of like “the only safe car is the one that sits in your garage.” Life is a risk/reward proposition and, let’s face it, this (probably) isn’t Fort Knox, we’re securing.

The security measures listed here are suitable for garden-variety data. I’ve used these schemes to write back-end website administration pages for online shopping carts. I’ve used them to write “partner” pages where retailers can download ads and sales data from wholesalers. I wouldn’t use them to secure credit card numbers, social security numbers, or nuclear launch codes.

So what are PHP, MySQL, and session variables?

PHP is a programming language used (in this case) to write HTML. MySQL is a database. Session variable are used by web servers to track information from one page on a domain to another. This article isn’t a how-to for either technology. If you aren’t very comfortable with them, you could just copy and paste the code samples in this article and build yourself a basic password protected website. You could also just read the Cliff’s notes for Pride and Prejudice and get a C+ in literature class. Your choice.

Let’s get started with sessions

It’s often been said that the web is “stateless”, meaning that each web page is entirely independent, needing no other page to exist, and taking no information from the previous page. This is great for anonymous surfing from one site to the next, but it stinks for password protection. Consumers want password protected information, but they don’t want to enter their password on every page. So we turn to our web server to keep track of a user while he’s on our site.

Ex. 1.

<?php

session_start();

?>

<!DOCTYPE html PUBLIC ‘-//W3C//DTD XHTML 1.0 Strict//EN’ ‘http:// www.w3.org/ TR/ xhtml1/ DTD/ xhtml1-strict.dtd’>

<html xmlns=”http://www.w3.org/1999/xhtml”" xml:lang=”en” lang=”en”>

<head><title>Dan McConkey’s Free Web Marketing Guide</title></head>

<body>

<p>Dan McConkey’s Free Web Marketing Guide</p>

</body>

</html>

end Ex. 1

session_start() is a PHP function that looks to see if a session has already been started then does one of two things:

1. If a session has been started, it does nothing.

2. If a session has not been started, it begins one.

It is important to note that session_start() must occur before any other PHP on the page, if you want it to work. Begin every password-protected page with it. Validation

Now let’s think basic validation. What sorts of things do we need to accomplish?

* First, we need to check to see if the user has already logged in, so we don’t ask for a password on every page. If our user has already logged in, we pass him or her through to the secure content.

* If the user hasn’t already logged in, we need him or her to do so. So we need to write a log-in form.

* We need next to compare log-in form results with a known list of usernames and passwords. If the user checks out, we pass him or her along to the secure content.

* If the user doesn’t check out, we direct him or her back to the log-in screen.

* Lastly, we need to provide the user the ability to log out.

So let’s start with a basic frame-work that we’ll fill in later.

Ex. 2

<?php

// start session if not already started

session_start();

// check to see if user just logged out

if ( $log_out )

{

}

function write_log_in( $text )

{

} // end write_log_in function

function verify()

{

// check to see if they’re already logged in

// if yes, return true

// if no, check to see if visitor has just tried to log on

// if yes, verify password

// if it worked, return true

// if it didn’t, send them back to log-in

// if the user didn’t just log-in, (s)he needs to

} // end verify function

?>

<!DOCTYPE html PUBLIC ‘-//W3C//DTD XHTML 1.0 Strict//EN’ ‘http:// www.w3.org/ TR/ xhtml1/ DTD/ xhtml1-strict.dtd’>

<html xmlns=”http://www.w3.org/1999/xhtml”" xml:lang=”en” lang=”en”>

<head><title>Dan McConkey’s Free Web Marketing Guide</title></head>

<body>

<p>Dan McConkey’s Free Web Marketing Guide</p>

<?php

// check for valid user

if ( verify() )

{

// begin secure content

echo “<p>Clatu, verata, nicto</p>”;

// end secure content

} // end if ( verify() )

?>

</body>

</html>

End Ex. 2

As I said, this is just a frame-work. I like to start all my projects this way. It allows me to get a grand view of what I’m doing before getting mired down in the details.

Basically, so far, all we’ve done is place some secret content inside an if statement. If the user is valid, we show the content, if not, we don’t. Writing a log-in form

The first thing we should flesh out is our log-in function. This is a basic form, with no bells and whistles, so it should be pretty straight forward.

Ex 3

function write_log_in( $text )

{

echo ”

<p>$text</p>

<form method=’post’ action=”>

<p>User ID: <input type=’text’ name=’user_name /></p>

<p>Password: <input type=’password’ name=’password’ /></p>

<p><input type=’submit’ value=’Log In’></p>

</form>

“;

} // end write_log_in function

End Ex. 3

No problems, right? All this is is PHP writing a basic HTML log-in form. Two things are worth noting:

1. The method attribute to the <form> tag is ‘post’. We could have used ‘get’, but that would add our user name and password to the URL as varibles. ie our_url?user_name=bob&password=truck64 . This shows the password–in plain text– right there in the URL. Why spend all this time on security if you’re just going to put peoples’ passwords out for display?

‘post’ is much more secure, forcing the server to keep track of form data, rather that the URL. Any time you can keep information out of the URL, you’re one step closer to a secure web page.

2. Next you want to look at the action attribute to the <form> tag. Leaving it blank tells the server that you plan to process these form results with this same page.

Checking the log-in values

Now let’s flesh out our frame-work a little more.

Ex. 4

<?php

// start session if not already started

session_start();

// check to see if user just logged out

if ( $log_out )

{

}

function write_log_in( $text )

{

} // end write_log_in function

function verify()

{

// check to see if they’re already logged in

// if yes, return true

// check to see if visitor has just tried to log on

$user_name = $_POST[”user_name”];

$password = $_POST[”password”];

if ( $user_name && $password )

{

// verify password and log in to database

$db = mysql_pconnect( “localhost”, “$user_name”, “$password” );

if ( $db )

{

// register session variable and exit the verify function

$valid_user = $user_name;

$_SESSION[’valid_user’] = $valid_user;

return true;

}

else

{

// bad user and password

$text = “User Name and Password did not match”;

write_log_in( $text );

}

}

else

{

// if the user didn’t just log-in, (s)he needs to

}

} // end verify function

?>

<!DOCTYPE html PUBLIC ‘-//W3C//DTD XHTML 1.0 Strict//EN’ ‘http:// www.w3.org/ TR/ xhtml1/ DTD/ xhtml1-strict.dtd’>

<html xmlns=”http://www.w3.org/1999/xhtml”" xml:lang=”en” lang=”en”>

<head><title>Dan McConkey’s Free Web Marketing Guide</title></head>

<body>

<p>Dan McConkey’s Free Web Marketing Guide</p>

<?php

// check for valid user

if ( verify() )

{

// begin secure content

echo “<p>Clatu, verata, nicto</p>”;

// end secure content

} // end if ( verify() )

?>

</body>

</html>

End Ex. 4

First, we’ll check whether the user has just tried to log in.

$_POST is a PHP superglobal array that keeps track of data sent to a page via a <form method=’post’> tag. In the log-in function, we named our inputs user_name and password, so we can access the user input by calling $_POST[”user_name”] and $_POST[”password”].

We next run an if ( $user_name && $password ) statement to see if both $_POST[”user_name”] and $_POST[”password”] hold values. If they do, the user just tried to log in.

Our next section of code is the part that actually checks whether the user name and password are correct. Here, we use MySQL’s User table (part of the mysql database) to keep track of our users. This is, perhaps, the best route, as MySQL is already set up to control access permissions. However, this can present problems when you want to keep the database connection open across pages. Also, some hosting companies won’t give you grant access (let you make new users) to the mysql database.

In those cases, you can accomplish much the same thing by setting up your own users table in your database. You would then need to write an SQL query that compares user names and passwords. That would look something like this:

Ex. 5

$select = “select user_name from users

where user_name=’$user_name’

and password=PASSWORD( ‘$password’ )”;

$query = mysql_query( $select );

if ( mysql_num_rows( $query ) == 1 )

{

// validated user and password

…

End Ex 5

Getting back to our validation using MySQL’s built in features, we know that the user name and password checked out because the connection attempt returned true.

Registering a session variable

Now that we know our user name and password check out, we need to store that information and allow our user to continue surfing our protected area without logging in each and every page. Looking back at example four, we notice another of PHP’s superglobal variables: $_SESSION.

$_SESSION is an array that holds all of our session variables. By setting the valid_user session variable, we can later make a call to ession_is_registered( “valid_user” ) to see if our user has already logged in successfully.

Logging out

The last thing we have to attend to is allowing our users to log out of our system. In this case, we’ve used a simple link inside our protected area.

Ex 6

<?php

// start session if not already started

session_start();

// check to see if user just logged out

if ( $log_out )

{

session_unregister( “valid_user” );

session_destroy();

session_start();

}

function write_log_in( $text )

{

} // end write_log_in function

function verify()

{

} // end verify function

?>

<!DOCTYPE html PUBLIC ‘-//W3C//DTD XHTML 1.0 Strict//EN’ ‘http:// www.w3.org/ TR/ xhtml1/ DTD/ xhtml1-strict.dtd’>

<html xmlns=”http://www.w3.org/1999/xhtml”" xml:lang=”en” lang=”en”>

<head><title>Dan McConkey’s Free Web Marketing Guide</title></head>

<body>

<p>Dan McConkey’s Free Web Marketing Guide</p>

<?php

// check for valid user

if ( verify() )

{

echo “<p><a href=’?log_out=1′>Log out</a></p>”;

// begin secure content

echo “<p>Clatu, verata, nicto</p>”;

…

End Ex 6

First, looking in the HTML body, we see a simple HTML link that adds a variable to the URL. In this case, the variable name is log_out and its value is 1. We use 1 as a value because it’s easy to store in a URL, but really any value greater than zero will work.

Once we pass a log-out request to the page, we need to process it. That’s what the if( $log_out) part is for.

The if statement checks if a log-out request was passed. Once it sees that one was, it unregisters the valid_user session variable, then it destroys the session entirely.

Ironically, it starts a new session right back up. That’s in case the user decides to log in later (without closing the browser window), or log in as a different user. The final code

Putting it all together we get this:

Ex. 7

<?php

// start session if not already started

session_start();

// check to see if user just logged out

if ( $log_out )

{

session_unregister( “valid_user” );

session_destroy();

session_start();

}

function write_log_in( $text )

{

echo ”

<p>$text</p>

<form method=’post’ action=”>

<p>User ID: <input type=’text’ name=’user_name /></p>

<p>Password: <input type=’password’ name=’password’ /></p>

<p><input type=’submit’ value=’Log In’></p>

</form>

“;

} // end write_log_in function

function verify()

{

// check to see if they’re already logged in

if ( session_is_registered( “valid_user” ) ) return true;

// check to see if visitor has just tried to log on

$user_name = $_POST[”user_name”];

$password = $_POST[”password”];

if ( $user_name && $password )

{

// verify password and log in to database

$db = mysql_pconnect( “localhost”, “$user_name”, “$password” );

if ( $db )

{

// register session variable and exit the verify function

$valid_user = $user_name;

$_SESSION[’valid_user’] = $valid_user;

return true;

}

else

{

// bad user and password

$text = “User Name and Password did not match”;

write_log_in( $text );

}

}

else

{

// user must log in

$text = “This is a secure server. Please log in.”;

write_log_in( $text );

}

} // end verify function

?>

<!DOCTYPE html PUBLIC ‘-//W3C//DTD XHTML 1.0 Strict//EN’ ‘http:// www.w3.org/ TR/ xhtml1/ DTD/ xhtml1-strict.dtd’>

<html xmlns=”http://www.w3.org/1999/xhtml”" xml:lang=”en” lang=”en”>

<head><title>Dan McConkey’s Free Web Marketing Guide</title></head>

<body>

<p>Dan McConkey’s Free Web Marketing Guide</p>

<?php

// check for valid user

if ( verify() )

{

echo “<p><a href=’?log_out=1′>Log out</a></p>”;

// begin secure content

echo “<p>Clatu, verata, nicto</p>”;

// end secure content

} // end if ( verify() )

?>

</body>

</html>

End Ex. 7

That’s a pretty hefty code block to put at the head of every web page. Typically, I would put my verify() and write_log_in()functions into a seperate file and reference them with an include() function. That provides the added benifit of updating your entire website by editing one file only.

Hope that helps.

Copyright (C) 2005 Dan McConkey

What is computer security?
Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as “intruders”) from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.

Why should I care about computer security?
We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications “top secret,” you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).

Who would want to break into my computer at home?
Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.

Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.

Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

How easy is it to break into my computer?
Unfortunately, intruders are always discovering new vulnerabilities (informally called “holes”) to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.

When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computers up-to-date with patches and security fixes.

Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.

Technology
This section provides a basic introduction to the technologies that underlie the Internet. It was written with the novice end-user in mind and is not intended to be a comprehensive survey of all Internet-based technologies. Subsections provide a short overview of each topic. This section is a basic primer on the relevant technologies. For those who desire a deeper understanding of the concepts covered here, we include links to additional information.

What does broadband mean?
“Broadband” is the general term used to refer to high-speed network connections. In this context, Internet connections via cable modem and Digital Subscriber Line (DSL) are frequently referred to as broadband Internet connections. “Bandwidth” is the term used to describe the relative speed of a network connection — for example, most current dial-up modems can support a bandwidth of 56 kbps (thousand bits per second). There is no set bandwidth threshold required for a connection to be referred to as “broadband”, but it is typical for connections in excess of 1 Megabit per second (Mbps) to be so named.

What is cable modem access?
A cable modem allows a single computer (or network of computers) to connect to the Internet via the cable TV network. The cable modem usually has an Ethernet LAN (Local Area Network) connection to the computer, and is capable of speeds in excess of 5 Mbps.

Typical speeds tend to be lower than the maximum, however, since cable providers turn entire neighborhoods into LANs which share the same bandwidth. Because of this “shared-medium” topology, cable modem users may experience somewhat slower network access during periods of peak demand, and may be more susceptible to risks such as packet sniffing and unprotected windows shares than users with other types of connectivity. (See the “Computer security risks to home users” section of this document.)

What is DSL access?
Digital Subscriber Line (DSL) Internet connectivity, unlike cable modem-based service, provides the user with dedicated bandwidth. However, the maximum bandwidth available to DSL users is usually lower than the maximum cable modem rate because of differences in their respective network technologies. Also, the “dedicated bandwidth” is only dedicated between your home and the DSL provider’s central office — the providers offer little or no guarantee of bandwidth all the way across the Internet.

DSL access is not as susceptible to packet sniffing as cable modem access, but many of the other security risks we’ll cover apply to both DSL and cable modem access. (See the “Computer security risks to home users” section of this document.)

How are broadband services different from traditional dial-up services? Traditional dial-up Internet services are sometimes referred to as “dial-on-demand” services. That is, your computer only connects to the Internet when it has something to send, such as email or a request to load a web page. Once there is no more data to be sent, or after a certain amount of idle time, the computer disconnects the call. Also, in most cases each call connects to a pool of modems at the ISP, and since the modem IP addresses are dynamically assigned, your computer is usually assigned a different IP address on each call. As a result, it is more difficult (not impossible, just difficult) for an attacker to take advantage of vulnerable network services to take control of your computer.

Broadband services are referred to as “always-on” services because there is no call setup when your computer has something to send. The computer is always on the network, ready to send or receive data through its network interface card (NIC). Since the connection is always up, your computer’s IP address will change less frequently (if at all), thus making it more of a fixed target for attack.

What’s more, many broadband service providers use well-known IP addresses for home users. So while an attacker may not be able to single out your specific computer as belonging to you, they may at least be able to know that your service providers’ broadband customers are within a certain address range, thereby making your computer a more likely target than it might have been otherwise.

The table below shows a brief comparison of traditional dial-up and broadband services.

Dial-up Broadband
Connection type Dial on demand Always on
IP address Changes on each call Static or infrequently changing
Relative connection speed Low High
Remote control potential Computer must be dialed in to control remotely
Computer is always connected, so remote control can occur anytime
ISP-provided security Little or none Little or none
Table 1: Comparison of Dial-up and Broadband Services

How is broadband access different from the network I use at work?
Corporate and government networks are typically protected by many layers of security, ranging from network firewalls to encryption. In addition, they usually have support staff who maintain the security and availability of these network connections.

Although your ISP is responsible for maintaining the services they provide to you, you probably won’t have dedicated staff on hand to manage and operate your home network. You are ultimately responsible for your own computers. As a result, it is up to you to take reasonable precautions to secure your computers from accidental or intentional misuse.

What is a protocol?
A protocol is a well-defined specification that allows computers to communicate across a network. In a way, protocols define the “grammar” that computers can use to “talk” to each other.

What is IP?
IP stands for “Internet Protocol”. It can be thought of as the common language of computers on the Internet. There are a number of detailed descriptions of IP given elsewhere, so we won’t cover it in detail in this document. However, it is important to know a few things about IP in order to understand how to secure your computer. Here we’ll cover IP addresses, static vs. dynamic addressing, NAT, and TCP and UDP Ports.

An overview of TCP/IP can be found in the TCP/IP Frequently Asked Questions (FAQ) at

http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part1/ and

http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part2/

What is an IP address?
IP addresses are analogous to telephone numbers – when you want to call someone on the telephone, you must first know their telephone number. Similarly, when a computer on the Internet needs to send data to another computer, it must first know its IP address. IP addresses are typically shown as four numbers separated by decimal points, or “dots”. For example, 10.24.254.3 and 192.168.62.231 are IP addresses.

If you need to make a telephone call but you only know the person’s name, you can look them up in the telephone directory (or call directory services) to get their telephone number. On the Internet, that directory is called the Domain Name System, or DNS for short. If you know the name of a server, say www.cert.org, and you type this into your web browser, your computer will then go ask its DNS server what the numeric IP address is that is associated with that name.

Every computer on the Internet has an IP address associated with it that uniquely identifies it. However, that address may change over time, especially if the computer is

dialing into an Internet Service Provider (ISP)
connected behind a network firewall
connected to a broadband service using dynamic IP addressing.

What are static and dynamic addressing?
Static IP addressing occurs when an ISP permanently assigns one or more IP addresses for each user. These addresses do not change over time. However, if a static address is assigned but not in use, it is effectively wasted. Since ISPs have a limited number of addresses allocated to them, they sometimes need to make more efficient use of their addresses.

Dynamic IP addressing allows the ISP to efficiently utilize their address space. Using dynamic IP addressing, the IP addresses of individual user computers may change over time. If a dynamic address is not in use, it can be automatically reassigned to another computer as needed.

What is NAT?
Network Address Translation (NAT) provides a way to hide the IP addresses of a private network from the Internet while still allowing computers on that network to access the Internet. NAT can be used in many different ways, but one method frequently used by home users is called “masquerading”.

Using NAT masquerading, one or more devices on a LAN can be made to appear as a single IP address to the outside Internet. This allows for multiple computers in a home network to use a single cable modem or DSL connection without requiring the ISP to provide more than one IP address to the user. Using this method, the ISP-assigned IP address can be either static or dynamic. Most network firewalls support NAT masquerading.

What are TCP and UDP Ports?
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are both protocols that use IP. Whereas IP allows two computers to talk to each other across the Internet, TCP and UDP allow individual applications (also known as “services”) on those computers to talk to each other.

In the same way that a telephone number or physical mail box might be associated with more than one person, a computer might have multiple applications (e.g. email, file services, web services) running on the same IP address. Ports allow a computer to differentiate services such as email data from web data. A port is simply a number associated with each application that uniquely identifies that service on that computer. Both TCP and UDP use ports to identify services. Some common port numbers are 80 for web (HTTP), 25 for email (SMTP), and 53 for Domain Name System (DNS).

What is a firewall?
The Firewalls FAQ (http://www.faqs.org/faqs/firewalls-faq/) defines a firewall as “a system or group of systems that enforces an access control policy between two networks.” In the context of home networks, a firewall typically takes one of two forms:

Software firewall - specialized software running on an individual computer, or

Network firewall - a dedicated device designed to protect one or more computers.

Both types of firewall allow the user to define access policies for inbound connections to the computers they are protecting. Many also provide the ability to control what services (ports) the protected computers are able to access on the Internet (outbound access). Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and some allow the user to customize these policies for their specific needs.

More information on firewalls can be found in the Additional resources section of this document.

What does antivirus software do?
There are a variety of antivirus software packages that operate in many different ways, depending on how the vendor chose to implement their software. What they have in common, though, is that they all look for patterns in the files or memory of your computer that indicate the possible presence of a known virus. Antivirus packages know what to look for through the use of virus profiles (sometimes called “signatures”) provided by the vendor.

New viruses are discovered daily. The effectiveness of antivirus software is dependent on having the latest virus profiles installed on your computer so that it can look for recently discovered viruses. It is important to keep these profiles up to date.

More information about viruses and antivirus software can be found on the CERT Computer Virus Resource page

http://www.cert.org/other_sources/viruses.html Computer security risks to home users

What is at risk?
Information security is concerned with three main areas:

• Confidentiality - information should be available only to those who rightfully have access to it
• Integrity — information should be modified only by those who are authorized to do so
• Availability — information should be accessible to those who need it when they need it

These concepts apply to home Internet users just as much as they would to any corporate or government network. You probably wouldn’t let a stranger look through your important documents. In the same way, you may want to keep the tasks you perform on your computer confidential, whether it’s tracking your investments or sending email messages to family and friends. Also, you should have some assurance that the information you enter into your computer remains intact and is available when you need it.

Some security risks arise from the possibility of intentional misuse of your computer by intruders via the Internet. Others are risks that you would face even if you weren’t connected to the Internet (e.g. hard disk failures, theft, power outages). The bad news is that you probably cannot plan for every possible risk. The good news is that you can take some simple steps to reduce the chance that you’ll be affected by the most common threats — and some of those steps help with both the intentional and accidental risks you’re likely to face.

Before we get to what you can do to protect your computer or home network, let’s take a closer look at some of these risks.

Intentional misuse of your computer
The most common methods used by intruders to gain control of home computers are briefly described below. More detailed information is available by reviewing the URLs listed in the References section below.

Trojan horse programs
Back door and remote administration programs
Denial of service
Being an intermediary for another attack
Unprotected Windows shares
Mobile code (Java, JavaScript, and ActiveX)
Cross-site scripting
Email spoofing
Email-borne viruses
Hidden file extensions
Chat clients
Packet sniffing
Trojan horse programs
Trojan horse programs are a common way for intruders to trick you (sometimes referred to as “social engineering”) into installing “back door” programs. These can allow intruders easy access to your computer without your knowledge, change your system configurations, or infect your computer with a computer virus. More information about Trojan horses can be found in the following document.

http://www.cert.org/advisories/CA-1999-02.html

Back door and remote administration programs
On Windows computers, three tools commonly used by intruders to gain remote access to your computer are BackOrifice, Netbus, and SubSeven. These back door or remote administration programs, once installed, allow other people to access and control your computer. We recommend that you review the CERT vulnerability note about Back Orifice. This document describes how it works, how to detect it, and how to protect your computers from it:

http://www.cert.org/vul_notes/VN-98.07.backorifice.html

Denial of service
Another form of attack is called a denial-of-service (DoS) attack. This type of attack causes your computer to crash or to become so busy processing data that you are unable to use it. In most cases, the latest patches will prevent the attack. The following documents describe denial-of-service attacks in greater detail.

http://www.cert.org/advisories/CA-2000-01.html
http://www.cert.org/archive/pdf/DoS_trends.pdf

It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another system.

Being an intermediary for another attack
Intruders will frequently use compromised computers as launching pads for attacking other systems. An example of this is how distributed denial-of-service (DDoS) tools are used. The intruders install an “agent” (frequently through a Trojan horse program) that runs on the compromised computer awaiting further instructions. Then, when a number of agents are running on different computers, a single “handler” can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not your own computer, but someone else’s — your computer is just a convenient tool in a larger attack.

Unprotected Windows shares
Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer’s owner, but it is also a threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of computers attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in http://www.cert.org/incident_notes/IN-2000-01.html

Another threat includes malicious and destructive code, such as viruses or worms, which leverage unprotected Windows networking shares to propagate. One such example is the 911 worm described in http://www.cert.org/incident_notes/IN-2000-03.html

There is great potential for the emergence of other intruder tools that leverage unprotected Windows networking shares on a widespread basis.

more…
please visit site…

For complete article please visit: http://ramis.aspfreeserver.com/Home_Network_Security.asp

Are you aware of the need for security?

Your awareness of the need for security, is the best place to begin a discussion on physical property security. What is security awareness? Our definition is multi-faceted, and includes the ability to identify known and unknown threats, being aware of the technologies, products and services that can defuse those threats, knowing how to operate the products and systems you have, and most importantly the awareness that these systems must be used, and must be used all of the time. This security awareness may be more important to the security of your home and business than any of the security hardware or systems you install. Why is this? Any lock or security system, will not do you any good unless, You use it!

An old adage states that “locks only keep honest people honest”, and is possibly very true. If the “bad guys” really want to get in, all we can really hope for is to slow them down. If you, with our help, choose and have installed the correct hardware and/or systems, we CAN slow them down - or at least discourage them from threatening your loved ones and your property.

We’ve all heard the stories, usually from older relatives, about never having to lock our doors or cars, because the town was so safe, and they knew everyone. Well it is sad to say, but those days are gone. When people choose not to secure their property, they are not doing only themselves a disservice, they are also hurting their community. If any one of us makes it easier for the “bad guys” to prosper, they will multiply, our communities become less safe, our property values decline, and our quality of life suffers.

Yes that’s right, if a lock is not locked, it’s only a decoration. You need to be aware of using your locks every time you leave as the “bad guys” don’t advertise what day they are coming!

In medieval times security was easy; the property owner built a castle, dug a moat, and erected a drawbridge. Today these measures are not practical, or even desired. In today’s society, if you lived in a castle, and made all of your decisions based on safety and security, you would at the very least be labeled as paranoid. It is important that you balance the level of security you install, and how it operates, with your unique situation. You and any other persons need to fully understand how your systems operate - does it require you to lock it manually or will it fortify your property automatically. If you have too much security, you will not use it; too little security, and it will not do the job.

Back to our medieval castle. The property owner recognizing that he might have to increase the level of security at a moments notice, made provisions to place his archers along the walls. We don’t have any archers, but we can be sure that systems and plans are in place. Thus, we can increase the level of security and protection if the threat level increases.

You can combine this security awareness with properly chosen and installed hardware and/or security systems. And with the general security tips provided at this site. Then you can take this information and apply it to your particular situation. With a little initiative and the use of this new security awareness you will be on the way to creating “Peace of Mind” for your family, business and community.

Please visit http://www.SecureYourStuff.com for links to manufacturers sites and crime prevention sites, many of which have additional security tips.

Jim Newell a Security Professional and Consultant for over 35 years, operates a wed site who’s mission is to bring you information about security systems , security devices and security hardware. To help you to make informed and educated decisions about securing your personal property, your home and your business property. Visit http://www.secureYourStuff.com for more info.

After seeing many people complain about their weak Internet security I decided to write down some things that will help you for your Internet security.

First, here are some tips to make windows safer :

For basic security and update patches install Service Pack 2 for Windows XP or Service Pack 4 for Windows 2000.

Once a month use Windows Update so you can get the latest pacthes.

When you download software from the Internet make sure you download it from the original website.

Always run anti Trojan and anti virus software.

Even if you don’t use it you have to make your Internet Explorer as safe as possible.

When you access the Internet you are browsing the web using a browser such as Internet Explorer.The Internet Explorer contains several security vulnerabilities. You should make it as safe as possible or switch your default browser to an alternative. You will have to set some options from the Manage Add-Ons in the Internet Options. You will see a list of add-ons that can be activated or deactivated. If you see any unusual entries just deactivate them so you can be sure you don’t have a trojan/worm.

Under Internet Options -> Security -> Internet -> you will see the Edit Level.You should set it to high in order to disable most of the security threats.

Your Web Browser should be ok now. Let’s see what we have to do from our email point of view.

Because it’s built-in in their Windows system lots of users like to use Outlook Express for emailing. But it’s a fact that it contains many security vulnerabilities so I advise you to use alternatives. If you use a web based Email (you can browse your email with your web browser) you can delete viruses even if you don’t download them to your PC.

Make sure you have installed an Anti Virus for 100% virus protection. One that I’ve found to be very good and never disappointed me is the AVG Anti virus. If you take the time to regularly update it you will be safe enough with it.

Lots of people install Firewalls because they belive their Internet security will be higher. I personaly disagree. If you do not know how to best configure it, and you have to know much about the tech behind it to do so, it will just make your PC slow and software not working.You can just use the Windows XP SP2 firewall for basic security.

All this tips should make your PC safer. I browse the Internet every single day for some time now and they worked great for me. I haven’t met a virus/worm for some time now.