<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>computers</title>
<link>http://www.webupon.com/tags/computers</link>
<description>New posts about computers</description>
<item>
<title>Comparison Between Mozilla Firefox and Internet Explorer</title>
<link>http://www.webupon.com/Browsers/Comparison-Between-Mozilla-Firefox-and-Internet-Explorer.371861</link>
<description>
<![CDATA[<p>Mozilla Firefox is a better browser than Internet Explorer because...</p>
<p>- Firefox is customizable with add-ons and themes at addons.mozilla.com, but Internet Explorer only supports toolbars.</p>
<p>- Firefox is more secure, since it is not part of the operating system and anything stored in its cache will not directly affect your computer.</p>
<p>- Many people have criticized Firefox for not supporting Windows Update and say that some websites run better on Internet Explorer. This problem has an easy solution: an add-on called IE Tab, which integrates Internet Explorer into Firefox and removes the need to use Internet Explorer on its own.</p>
<p>- Some say that Internet Explorer looks better than Firefox. There is an easy solution to this as well: there is a theme for Firefox which makes Firefox look exactly like Internet Explorer.</p>
<p>- Firefox's address bar drop-down menu is much nicer than Internet Explorer's because it shows the page title in large font above the URL of each history entry.</p>
<p>- Are you worried about websites putting cookies on your computer that you don't want? There are plenty of add-ons that handle this in Firefox, but Internet Explorer cannot do this.</p>
<p>- Firefox can restore the tabs you had open in your last browsing session. Internet Explorer cannot.</p>
<p>- Firefox has a tool called "Fashion Your Firefox" which automatically installs the right add-ons for your personality (Social Butterfly, Rockstar, Shopaholic, etc.). Internet Explorer doesn't have add-ons.</p>
<p>Still not convinced? Try Firefox and figure it out for yourself.</p>]]></description>
<pubDate>Sun, 30 Nov 2008 06:07:58 PST</pubDate></item>
<item>
<title>Geeky Fun and Frolics: Easter Eggs in Firefox, Mozilla, and Other Browsers</title>
<link>http://www.webupon.com/Web-Talk/Geeky-Fun--Frolics-Easter-Eggs-in-Firefox-Mozilla-and-Other-Browsers.346521</link>
<description>
<![CDATA[<p>An "<a href="http://en.wikipedia.org/wiki/Easter_eggs_in_Microsoft_products" target="_blank">Easter egg</a>" in a browser could be defined as "hidden content," usually in the form of a message.</p>
<p>The <a href="http://www.mozilla.org/" target="_blank">Mozilla</a> browser "Firefox" has many hidden text and graphics messages stored internally within a "dynamic library list" (the file will have a name ending with "*.dll"); if the savvy user types the correct command into the address bar and hits ENTER on the keyboard, this calls up the image, program or user message.</p>
<p>One of the ones I enjoyed in an earlier version of Firefox was typing in:</p>
<p><strong>About:kitchensink</strong></p>
<p>And you would be shown an <a href="http://www.asciitable.com/" target="_blank">ASCII</a> image of what appeared to be a large stainless kitchen sink basin. This "Easter egg" seems to be absent from my current version of Firefox (3.x). I think that "about:kitchensink" still worked in Firefox v. 2.x.</p>
<h3>Mr. Roboto</h3>
<p>Here is an Easter egg that works in v3.x of Firefox that is really nice.</p>
<p><strong>About:robots</strong></p>
<p><img src="http://images.stanzapub.com/readers/2008/11/14/robots_1.gif" alt="" /></p>
<p>This is an "active window" and if you click the gray "Try Again" button on the bottom-left, you get another message...</p>
<p>I like the "<strong>And they have a plan</strong>." This is taken straight from the new (albeit, imho, over-hyped) "<a href="http://en.wikipedia.org/wiki/Battlestar_Galactica" target="_blank">Battlestar Galactica</a>" TV series. By the way, I should add that despite my being an avid fan of the original series back in the late 1970s, even with its laughable plots and uber-bad acting, I can't seem to get my head around the new series despite it being leaps and bounds better than the original. That shaky shoulder-mounted handi-cam thing has GOT to GO! It's just too scary and unnerving. I mean, it makes me want to puke! It's a commercial TV series you idiots, not "The Blair Witch Project"!</p>
<p>And if you are epileptic, you should probably avoid "<a href="http://www.imdb.com/title/tt0313043/" target="_blank">CSI: Miami</a>," for they are the WORST show that I can name at the moment for bad use (read: overuse) of split-second splicing and faux digital toaster effects. It's a superfluous SPFX that is supposed to draw viewers in to 'the busy-ness' of their work, the way the great theme music successfully did for "<a href="http://www.imdb.com/title/tt0430357/" target="_blank">Miami Vice</a>." It's just a hook. Except in the case of Miami Vice, that show was at least viewable. Even entertaining, for what it was.</p>
<h3>The Granddaddy of Easter Eggs</h3>
<p>Of Course(!) I have to mention the biggest most important Firefox Easter egg if for nothing else, to benefit the truly uninitiated:</p>
<p><strong>About:mozilla</strong></p>
<p><img src="http://images.stanzapub.com/readers/2008/11/14/bookofmozilla_1.gif" alt="" /></p>
<p>A warning about 'the beast' is presented when you enter "about:mozilla", which is a parody play against Internet <strike>Exploder</strike> oops, I mean <u>Explorer</u>, the quintessential Microsoft browser product. Various versions of Firefox (and Mozilla) use varying themes of text, but the messages are clear.</p>
<h3>Turnabout is Fair Play</h3>
<p>This, by Firefox/Mozilla, is supposed to be a retaliatory poke at Internet Explorer for its previous inclusion of a similar Easter egg in its browser, whereby typing "about:whatever" and then trying "about:mozilla" shows you different results. They were apparently trying to poke fun at chief rival Netscape Navigator (a "Mozilla" product) with a suggestive <a href="http://images.google.ca/images?q=BSOD&amp;ie=UTF-8&amp;oe=utf-8&amp;rls=org.mozilla:en-US:official&amp;client=firefox-a&amp;um=1&amp;sa=X&amp;oi=image_result_group&amp;resnum=4&amp;ct=title" target="_blank">BSOD</a>, the so-called "Blue Screen of Death." This was clearly meant to imply that Netscape 'crashes browsers.' Most of this was going on unbeknownst to me at the time as I was still <a href="http://www.computersight.com/Programming/HTML/Web-Journal-My-Indoctrination-Into-Computers--the-World-Wide-Web.203853" target="_blank">learning how to use a computer</a>.</p>
<p>But for IE to suggest that 'another brand' of browser causes BSODs... that is a classic case of the pot calling the kettle black, if you know what I mean! "BSOD" is like entirely an IE thing, imho. Windows ME was the messiest, most unstable browser of its time. That is, until VISTA came along last year. Whew... what were they thinking there?! I tried typing "about:whatever" and then "about:mozilla" in my current version, IE 7, but nothing happens. This must have been removed from the later upgrade. I have just read that Microsoft formally stopped adding 'Easter eggs' to its programs as part of its "<a href="http://www.microsoft.com/mscorp/twc/default.mspx" target="_blank">Trustworthy Computing Initiative</a>" in 2002.</p>
<p>Yet they are about to repeat themselves again with yet another 'broken by design' release... Windows 7. They just keep going 'round and 'round like a moron trapped in a revolving door, repeating their errs, hoping against hope for a different outcome! Sheez!</p>
<p><strong>If You Forget the Past, You Are Doomed To Repeat It</strong>...</p>
<p>I just <a href="http://www.pcworld.com/article/153624/under_the_hood_windows_7_is_vistas_twin.html" target="_blank">read a report</a> at PCWorld.com about Microsoft's 'new' OS called "Windows 7" (formerly codenamed Blackcomb and Vienna), and early reports on it are looking even worse than VISTA! Things that worked in VISTA now don't work in "Windows 7", it seems. Yeah, what are they thinking, indeed!</p>
<p>I tried an anagram server to generate new words from the input "Blackcomb and Vienna" and while I did get over 1000 possible outputs, none of them were outstandingly helpful or useful. I suspect that the same will be prevalent in Windows 7. Their operating system's browser was, is and probably shall continue to be a full 10+ years behind standards: a Generation-4 browser in a Generation-7.x/8 world. But enough Windows bashing (hey, <u>THAT</u> was kind of clever, eh?)</p>
<h3>Shiny New Google Chrome!</h3>
<p>Have you tried <a href="http://www.google.com/chrome/index.html?hl=en&amp;brand=CHMA&amp;utm_campaign=en&amp;utm_source=en-ha-na-us-bk&amp;utm_medium=ha&amp;utm_term=google%20chrome" target="_blank">Google's "Chrome"</a> browser? It is amazing; for me it loads up from double-click to usable in just about 5 seconds! Okay, I am amazed here. And like Mozilla's Firefox, Chrome also has 'Easter eggs' too!</p>
<p><strong>About:internets</strong></p>
<p>Note the "<strong>s</strong>" at the end. You will need this.</p>
<p><img src="http://images.stanzapub.com/readers/2008/11/14/googletubes_1.gif" alt="" /></p>
<p>You get, well, "internets" I guess you could call them. Intertwined tubes that are also called "pipes" in other operating systems/browsers. Somehow though this is still fun to watch. Note the "Don't Clog the Tubes!". And sometimes, if you get no animation, you get instead a message that says "The Tubes Are Clogged." These are both probably Google's way of slamming a snicker at something Sen. Ted Stevens said regarding the Net Neutrality Bill... he said something to the effect of "The internet is a series of tubes!" Yeah, uh-huh. Not the brightest bead on the Rosary, is he? :(</p>
<h3>Have You Ever?</h3>
<p>Have you ever read the FAQ/TOS and User Agreements of the sites that we submit content to? Sometimes they are just plain funny! From <a href="http://www.mixx.com/terms" target="_blank">MIXX</a>, a social networking site, comes this:</p>
<blockquote><strong>Mixx General Terms of Use</strong><br /><br />By using the Mixx site, you are agreeing to play by our rules, which will govern your use of Mixx on what some Senators describe as "<strong>a series of tubes</strong>," or what we just call "the web." If you don't agree with these rules, we're sorry to say that you have to leave now....</blockquote>
<h3>Additional Chrome Stuff</h3>
<p>Here are some additional Chrome 'Easter eggs' to crack open and enjoy:</p>
<ul>
<li>about:memory</li>
<li>about:stats</li>
<li>about:internets</li>
<li>about:histograms</li>
<li>about:dns</li>
<li>about:cache (this one takes a moment to load)</li>
<li>about:plugins</li>
<li>about:version</li>
</ul>
<p>There are more, of course. And oh, while this is not an "Easter egg", in keeping with the underlying theme of bad/better/best browsers and platforms, here is a video of awesomeness that you need to see and enjoy!</p>
<h3>Hi, I'm a Mac! Hi, I'm a PC! Hi, I'm LINUX!</h3>
<p>
<object width="425" height="344">
<param name="movie" value="http://www.youtube.com/v/MEYot8voTDM"></param>
<param name="allowFullScreen" value="true"></param><embed src="http://www.youtube.com/v/MEYot8voTDM" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"></embed>
</object>
</p>
<p>(Static images are screenshots taken directly from my computer, by thestickman. That's me.)</p>]]></description>
<pubDate>Sun, 16 Nov 2008 04:11:54 PST</pubDate></item>
<item>
<title>Four Awesome Web Browsers</title>
<link>http://www.webupon.com/Browsers/Four-Awesome-Web-Browsers.324565</link>
<description>
<![CDATA[<p>A web browser is software that enables you to view data located on a web site. For further information, visit "wiki".</p>
<h3>#4</h3>
<h3>Opera Browser</h3>
<p><img src="http://images.stanzapub.com/readers/2008/10/31/opera96_1.jpg" alt="" /></p>
<p>A freely distributed browser that is light and flexible.</p>
<p>Opera has the basics: tabbed browsing, mouse-over previews, a customizable search bar, advanced bookmarking tools, and very simple integration with e-mail and chat clients. When you first install Opera you will notice that it looks extremely similar to Internet Explorer.</p>
<p>Opera is pretty fast at surfing, but unfortunately not on all sites. Some sites cannot be loaded by this browser. There are many shortcuts built in, and v9 has some nice themes. There are also custom-built widgets, and the latest version (v9) includes anti-malware protection software.</p>
<p>Overall not a very bad choice.</p>
<h3>#3</h3>
<h3>Google Chrome</h3>
<p><img src="http://images.stanzapub.com/readers/2008/10/31/dlpagelg_1.jpg" alt="" /></p>
<p>It is true. Google chrome has many features. In fact too many...</p>
<p>Chrome is amazingly fast and is obviously the quickest browser available. Unlike other browsers, when one tab crashes Chrome itself does not crash. The other tabs can go on working without any interference from the crashed tab.</p>
<p>There are also application shortcuts, a feature that allows you to create desktop icons for web-only applications, such as Gmail.</p>
<p>One of the main disadvantages of Chrome is that it has high memory usage meaning your PC may get slow if it is not up to the standard. Chrome also lacks plug-ins.</p>
<p>If you have a good computer and want speedy browsing, Chrome may be your best choice.</p>
<h3>#2</h3>
<h3>Internet Explorer</h3>
<p><img src="http://images.stanzapub.com/readers/2008/10/31/internetexplorer7_1.jpg" alt="" /></p>
<p>IE 7 is much improved over the last version, but the truth is that it may not be your best choice. If you are concerned about speed then this is not your choice. Most pages do not load at the speeds you can expect from other browsers.</p>
<p>This also has the option to install plug-ins. People were actually looking forward to the next browser by Microsoft. They took years to do this, but when it was released it did not turn out to be so great.</p>
<p>So if you are happy with the browser you have then you may not need this. If you really want to try Microsoft's latest browser then you may want to download IE8 (beta) - give it a try.</p>
<h3>#1</h3>
<h3>Mozilla Firefox</h3>
<p><img src="http://images.stanzapub.com/readers/2008/10/31/41734c7c8880f_1.jpg" alt="" /></p>
<p>Firefox 3.0 is a full-featured, lightning-fast web browser.</p>
<p>Even though Firefox 3 lacks an important feature, it offers significant improvements not to be missed. Impressive new features include password confirmation before adding it to the saved passwords list and the ability to pause and resume downloads.</p>
<p>Firefox 3 runs much faster and, most importantly, does not eat up your RAM. It is many times lighter than IE. Also, according to Mozilla, it is less vulnerable to hacks and other threats.</p>
<p>According to recent reports, Firefox is the most downloaded web browser in history. Firefox 3.0 is also open-source, meaning the source code of this magnificent web browser is available to the public so that errors may be identified and fixed.</p>
<p>So the next time you feel like changing your browser, or if you simply want to rediscover the web, Firefox is your ideal choice.</p>
<p>***</p>
<p>Well, that's all the information about some of the most famous browsers. I personally recommend Mozilla Firefox and I still use it as my default browser. If you have any questions please leave a comment and I would be glad to answer.</p>]]></description>
<pubDate>Sat, 01 Nov 2008 10:01:12 PST</pubDate></item>
<item>
<title>Seven Simple Ways of Improving Password Security</title>
<link>http://www.webupon.com/Security/Seven-Simple-Ways-of-Improving-Password-Security.323837</link>
<description>
<![CDATA[<p>With attackers developing new strategies and attacks at a truly frightening pace, defenders need to develop new countermeasures even quicker if they are to prevent an attack or at the very least diminish the damage done during an attack.</p>
<h3>Winners and Losers</h3>
<p>Let's face it: there can be little doubt that both sides (the bad guys and the good guys) want to be on the winning side of the cyber security tug-of-war. To complicate matters even more, the speed at which the whole cybercrime and cyber attack situation evolves can at times become a bit overwhelming, even for the seasoned professional.</p>
<p>Fortunately there are a number of simple, easy to implement steps that you as an individual can take to reduce both your individual personal risk/threat impact levels as well as those of a large organization and everyone in between.</p>
<p>I will now present a number of simple but effective, long-standing "tried and true" strategies that have shown time and time again their capacity to reduce or mitigate your risk and your exposure to the most common attacks of today. Reducing the impact and consequences of an attack, should one occur, and the measures and countermeasures available to you will be dealt with as well.</p>
<h3>Realization and Understanding - Security Awareness</h3>
<p>The first thing that we need to acknowledge is that there is always somebody (individuals and/or groups) out there looking to make a fast buck. Deny this and you are destined to be perpetually on the losing side.</p>
<p>We also need to address such factors as "insider" attacks or "insider collaboration" attacks, scams, social engineering, hacking, cracking, phishing etc. In addition, attacker motivations need to be determined, understood and recognized, as this will allow us to construct more specific targeted responses and proactive countermeasures along with custom preventative initiatives.</p>
<p>Some of these motivations include: fraud, identity theft, malicious intent, revenge, financial greed, scams (e.g. Nigerian 419 attacks), extortion, thrill seeking and espionage etc.</p>
<p>Importantly however; most attacks are not perpetrated mindlessly and without any predefined purpose. The attacker always has some goal in mind when perpetrating the attack. This comes as no surprise when one considers the amount of effort that goes into the planning, design and implementation of many attacks.</p>
<p>When we understand what it is that the attacker hopes to achieve through the attack we can implement both reactive and proactive initiatives that will negate a particular type of attack. Using attack specific countermeasures means that the defenders will need to implement and maintain a considerable number of strategies in order to meet most threats head-on. Most current antivirus software is effective against considerable numbers of potential threats.</p>
<h3>Password/Pass Phrase Policy</h3>
<p>The development of a suitable password policy is always one of the first tasks that you should undertake whenever assessing, planning, implementing, administering, maintaining, documenting and updating your authentication methods and credentials. Passwords and pass phrases are no exception to this most basic of authentication rules.</p>
<ul>
<li><strong>Policy Contents</strong> - Your password policy should outline and detail all requirements concerning and about passwords and their usage by yourself or within your organization. Consistency across the board is always one goal that a password policy should address.</li>
<li><strong>Policy Documentation and Enforcement</strong> - Thorough documentation and enforcement of your password/pass phrase policies are factors critical to the attainment of the goals and directives set forth in your password/ pass phrase policies.</li>
<li><strong>Assessment</strong> - Be a realist and assess your current password security procedures and status honestly. Do not let anyone else know the details of your self-assessment. The primary purpose of a password security assessment regime is to identify areas of weakness so that you can put them right.</li>
<li><strong>Logon Password Dialogue</strong> - Always reactivate the logon password dialogue if it has been disabled.</li>
<li><strong>Logging, Accounting and Auditing</strong> - With logging turned on you will be able to identify such events as attempted, successful and unsuccessful system and network logon attempts. Here you can glean considerable information that may very well point to the presence of an intruder or even attempts by an insider attempting to access system and network resources for which they do not have the necessary account privileges.</li>
<li><strong>User Education</strong> - Through continual user education and updating it is possible to create an environment with a high level of user security awareness. This goes a long way toward the establishment of a security aware culture. The benefits of a security aware culture include a considerable reduction in exposure to potential attacker(s).</li>
</ul>
<p>Users are less likely to become victims of phishing and social engineering attacks, which enhances an organization's overall resistance to these types of attacks. Remember that breaches of user security are the most common means by which attackers gain authentication credentials, including logon account name and password pairs.</p>
<h3>Password Complexity</h3>
<p>The more complex a password, the harder it is for an attacker to crack. Most attackers will simply move on to easier targets. It is strongly recommended that you ensure that any passwords that you use comply with the following guidelines:</p>
<ul>
<li><strong>Minimum Length</strong> - Make sure that your passwords are 8 characters or greater in length. The more characters in a password/pass phrase the better, so using 14 characters provides immensely better password security than using 8, 9, 10 or 11 characters.</li>
<li><strong>Case Sensitive, Mixed Case, Numbers and Symbols</strong> - Ensure that all password authentication mechanisms are case sensitive and that they use a mixture of upper and lower case characters along with at least one numeral and one non-alphanumeric character (symbol) in every password.</li>
<li><strong>Dictionary</strong> - Try not to use any real words that can be found in a dictionary.</li>
<li><strong>Social Engineering</strong> - Try not to use names or dates that are associated with you as a person. This means that you should not use your address or birth dates or the names of family, friends or pets either.</li>
<li><strong>Defaults</strong> - Change all default authentication credentials at the earliest possible time. This will include the default administrator account and password. Also disable the Anonymous and Guest account access privileges. Do this for every device including your modems, switches, routers, workstations, firewalls, mobile devices etc.</li>
<li><strong>Retry Attempts and Retry Rate (Time-to-Wait) Limits</strong> - You can use Local Users and Groups &gt; Passwords policy to limit the number of retries available to a user when logging on to the system/network.</li>
</ul>
<p>Setting the maximum number of retries permitted before the account is locked out to two or three will go a long way to preventing most password cracking attempts. It also makes brute-force dictionary attacks much harder and, for most attackers, impossible or undesirable to implement. They won't bother wasting their time on you when there are a lot of easy fish to be had.</p>
<p>You can also severely restrict the retry rate. Setting the time that the system waits after an unsuccessful password logon attempt (mismatch) is registered before another password retry will be permitted to 5 seconds will thwart most "brute force" password cracking tools.</p>
<ul>
<li><strong>Pass Phrases</strong> - Use pass phrases rather than passwords.</li>
<li><strong>Password Renewal</strong> - Regularly change authentication credentials including passwords and passphrases.</li>
</ul>
<h3>Security in Depth</h3>
<p>Surprisingly many systems today still rely on password only authentication. Thus, defending yourself and your organization against the ravages of breaches of password security becomes of heightened importance.</p>
<ul>
<li><strong>Single Point of Failure</strong> - By using password only authentication you are introducing a single point of failure/attack (the logon name/password combo) into your network. There is little doubt that this situation does make you considerably more exposed to the efforts of cybercrime.</li>
<li><strong>Multilevel Authentication</strong> - In short, a security-in-depth strategy entails the implementation of more than one authentication mechanism at all points of your system/network. If an attacker can penetrate one authentication mechanism they will still not be granted access to your system and network resources, as they have yet to successfully complete all required authentication mechanisms. More often than not the casual attacker (attacker of opportunity) will simply move on to the next potentially easier to "crack" system or network. In this way much of the potential damage that an attacker might cause is averted.</li>
</ul>
<p>For example, your defenses may be based around user-entered passwords which, once authenticated, permit the user to proceed to the next level in your authentication process. Here they will need to correctly complete this element of the authentication process. Once logged into the system or network the user may be required to supply additional authentication verification in order to gain higher levels of privileges. This can of course be as simple as the user being required to enter another, different password in order to proceed any further.</p>
<p><strong>Multilevel Password Only Authentication</strong> - Here is an example to illustrate the security-in-depth approach using password only authentication systems:</p>
<p>The user logs onto the network using one password, which in association with that account's logon user name will, once authenticated, grant the user access to basic network assets, services and resources.</p>
<p>When, at a later time, the user needs to access a higher-privilege asset or resource, such as a database or administrative capabilities, the user will be prompted to supply another user account name along with a different password for authentication before the user is permitted to go any further.</p>
<p>In this way, we have now implemented a two-tiered hierarchy of access privileges to specific resources. Although still solely password-based, it is immeasurably more secure than would be the case for any system(s)/network(s)/resource(s) that require just the one logon user account and password to access all system/network assets and resources.</p>
<p>If the user needs to have access to assets and resources including the personally identifiable information contained within the customer database, they will need to provide an additional, different user account logon name and password. In this way we have built a three-tiered password-only authentication system.</p>
<p>Most operating systems, including Windows, Linux and Apple Mac, along with specialty application software (MS Word, Open Office, security suites etc.), will support this strategy natively out of the box.</p>
<p><strong>Multifactor Authentication</strong> - When implementing a multifactor authentication system many different types of authentication mechanisms are used jointly. This means that in order for a user to gain access to system/network resources and assets they will need to provide many different types of information for authentication validation. For instance a user may be required to supply a password as well as a smart card or thumb print, retinal scan or even a voice sample to the authenticating system.</p>
<h3>Password Hard Copies</h3>
<p>The best advice concerning the practice of making hard copies (paper) of authentication credentials is DON'T DO IT. Physical hard copies of your passwords are liable to the additional risk of physical theft. Here are some more things you should not do if you feel that you must make a hard copy of your passwords and keep it near to hand:</p>
<ul>
<li>Do not leave a hard copy of your passwords in close association and physical proximity to your computer, e.g. on your desk or beside the PC or monitor.</li>
<li>Do not maintain a hard copy (paper) of your passwords and keep it locked in your desk drawer. You cannot guarantee that nobody will attempt to break into your desk. The locks on most desks are merely a trivial inconvenience to those with a little know-how and a flat-edged envelope opener. It usually takes no more than five to ten seconds to open the majority of desk drawers. Forgetting to lock up your desk compounds the crime.</li>
<li>Do not make a hard copy of your logon and password details and leave it in open public view.</li>
<li>Do not write your logon name and password on a post-it note and attach the post-it note to the PC or monitor. This is probably the worst password hard copy security practice of all.</li>
</ul>
<h3>Electronic, Magnetic and Optical Password Copies</h3>
<p>While not as risky as maintaining hard copies of your authentication details, considerable care needs to be taken when storing electronic, magnetic or optical copies of authentication credentials.</p>
<ul>
<li><strong>Encryption</strong> - You should always encrypt authentication credentials data; or any other data for that matter, when storing it in an electronic, magnetic or optical format.</li>
<li><strong>Physical Security</strong> - As with paper hard copies, any physical copy of any data is liable to additional risk of theft. Many thieves find it easier to steal physical objects compared to electronic objects. They may consider your PC too big to put in their pocket, but CDs, USB flash drives, floppy disks and external hard drives are another matter altogether. Do not leave any of these devices lying around or in a position where they may be stolen.</li>
<li><strong>Physical Security Measures</strong> - Protecting electronic, magnetic and optical physical copies of your data always begins with physical security measures such as using data vaults, lock and key and off-site storage etc.</li>
<li><strong>Password Protection</strong> - Always use a password to add an additional layer of protection to the encrypted data which you need to store. This includes all electronic, magnetic and optical storage media. You should also encryption and password protection for all folders and files including those on your computer.</li>
</ul>
<h3>Maximum Protection</h3>
<p>Always afford passwords and other authentication credentials the maximum protection and spare no effort in doing so, as this will deliver heightened levels of security across the board to your entire system or network.</p>
<ul>
<li><strong>Nondisclosure</strong> - Never disclose account authentication credentials such as logon names and passwords to anybody. This applies to your own account's authentication credentials as well as those of other users whom you may be managing or administering.</li>
<li><strong>Confidentiality</strong> - At all times and under all circumstances you must ensure that authentication and authorization credentials remain known only to you.</li>
<li><strong>Need to Know</strong> - The only exceptions to this are the user in question, your security personnel, and administration and support personnel, and then only on a need-to-know basis.</li>
<li><strong>Secure Communications</strong> - Always assume that you are being tapped or that your networking and communications traffic is being &ldquo;sniffed&rdquo;. Thus, wherever and whenever possible, opt for the highest level of secure communications. Never transmit passwords in &ldquo;plain&rdquo; (unencrypted) form over publicly accessible networks and transmission media such as wireless networks.</li>
<li><strong>Hashing Algorithms</strong> - Hashing algorithms, such as MD5, should be used to ensure the integrity of files, as they will help you to identify that a file has been tampered with. This should be applied to all data that you store, as well as your password data.</li>
</ul>
<p>If you include the file attributes in the hash, then you will be able to tell if someone has attempted to open the file. This works best on NTFS systems such as Windows XP, Vista, Server 2003 and Server 2008.</p>
<p>Once you know that you are under attack, the attacker loses the element of surprise. Furthermore, they will most likely be unaware that you know somebody has been there.</p>
<p>Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, are among the most pervasive issues facing security on an ongoing basis. It is through the development, documentation and implementation of a rigidly enforced password/pass phrase policy that you have the greatest chance of overcoming these issues.</p>]]></description>
<pubDate>Sat, 01 Nov 2008 04:38:55 PST</pubDate></item>
<item>
<title>The Sacred Boundaries of the E-mail Box</title>
<link>http://www.webupon.com/E-mail/The-Sacred-Boundaries-of-the-E-mail-Box.313965</link>
<description>
<![CDATA[<p>I got the email. <br /><br />You know the one, a well-intentioned forward from a friend that kinda makes you grimace and wonder what they were thinking sending it to you in the first place.<br /><br />I will admit, I am an opinionated, hyper-analytical gal, a source of irritation for my husband, and truth be told, for myself as well, but on the whole, I believe in the philosophy of agree to disagree, (I&rsquo;d better, seeing as my hubby is a southern conservative and I am a political moderate with left leanings. Yes. The debates are passionate and few&hellip;)<br /><br />But this forward in particular really annoyed me.<br /><br />I sat and stared at the screen, trying to put a finger on the &ldquo;why&rdquo;.<br /><br />Then it came to me &ndash; dear girl had broken a bit of email etiquette by sending something I would not agree with in an effort to hoist her ideas upon me. While I do sincerely believe in people sharing their opinions, I think of the email box as a personal space that should be respected. It is something of a sanctuary, a communication hub, a place for friendly chats, exchanges of information, or heck, a joke or two.<br /><br />This email forward was angry and political &ndash; two things that should never enter someone&rsquo;s e-mail box unsolicited, and particularly should not come from someone who knows better&hellip;<br /><br />The subject line read: &ldquo;Those Born 1930-1979&rdquo; and was about the supposed &ldquo;good ole days&rdquo;, where everything was so much better because people survived being born to mothers who smoked and/or drank while they were pregnant, took aspirin, ate blue cheese dressing, tuna from a can, didn&rsquo;t get tested for diabetes, were put to sleep on their tummies in baby cribs covered with bright colored lead-based paints, played outside in the street with rocks until the street lights came on, didn&rsquo;t need car seats, X-Boxes -- oh!
On and on it went, the only thing missing was the crotchety curmudgeon detailing the hell of walking uphill ten miles in the snow to get to school&hellip;<br /><br />I mused, with some chagrin, on how my friend, knowing my political views, would forward me something I would so obviously disagree with.<br /><br />The email made it appear as if the invention of car seats, vaccines, health consciousness, and various forms of entertainment were all fundamentally bad, nay evil, and because modern man had such things, this new generation was ignorant and doomed, no match for the intellectual and spiritual superiority of the wizened grays.<br /><br />What the writers of the email and those who over-romanticized this bygone era fail to realize is that all the above advancements that are being mocked happened for a reason.<br /><br />Car seats and seat belts have saved lives in an age where there are far more vehicles on the road. In 1930, a car was a luxury and the speed limits were far lower. Now a drunk sixteen-year-old can get behind the wheel. Yes &ndash; people ate whatever they wanted in the &ldquo;good ole days&rdquo; &ndash; but there was a reason people didn&rsquo;t live as long as they do now.<br /><br />Statistics on children born to mothers indicate that Fetal Alcohol Syndrome (FAS) is a collection of defects that may include any combination of reduced growth (before or after birth), facial deformities, a small head (likely related to reduction of brain size), and abnormal behavioral development. <br />Okay, sure, yeah &ndash; they didn&rsquo;t test for diabetes and such back in the day, but what does that have to do with the skyrocketing obesity/diabetes epidemic that is a current reality and a leading cause of health problems in the US?
Complaining that such issues didn&rsquo;t exist fifty, eighty, or a hundred years ago does not negate their relevance in today&rsquo;s world.<br /><br />In regards to lead paint, in recent history, a child died after eating lead paint chips. In regards to putting babies on their tummies, since people have been placing babies on their backs, death rates from SIDS have gone down significantly.<br />What do such people think? That the statistics are made up &ndash; that the powers that be created false, skewed facts to keep them down in some grand medical and social conspiracy?<br /><br />Seriously, do they really want to promote the idea that we don&rsquo;t have to worry about obesity, diabetes, and protecting kids with car seats? Should we go around giving pregnant women bottles of gin and packs of smokes to thumb our noses at the modern establishment?<br /><br />Knowledge and advancement are not inherently evil things.<br /><br />Also, as a black female, I have always taken great exception to the term &ldquo;good ole days&rdquo;. There were no good ole days for African Americans. My father, who fought in Vietnam, came back to a nation that told him to sit in the back of the bus. I also recall being told to enter the rear of a movie theatre well after Jim Crow had been abolished.<br /><br />I was five years old at the time.<br /><br />I&rsquo;d say it is an improvement, not a setback, that I can enter the front of any place I want to, with my white husband and mixed daughter beside me. Blacks, women and minorities have made advancements in this new world, and in this respect, things have gotten better, not worse.<br /><br />So, I sat there a moment after getting my dander up, thoughts swirling, wondering if I should point my friend&rsquo;s email faux pas out to her.
I contemplated it a minute and decided to do so.<br /><br />I wrote her back and politely told her that while I understood the point of view of the writer of the forward, I had a lot of issues with the subject matter, and that I wished people could stop holding on to the past and embrace the future, accepting the fact that things change, and there is an amazing amount of good in the world today, despite the bad.<br /><br />I think I also, ever so politely, asked her not to send me anything of that nature again.<br /><br />She hasn&rsquo;t written back and I don&rsquo;t suspect she will. I have no fear that our friendship is in jeopardy over the incident, but if it is, I can only ascertain that our relationship could not withstand scrutiny or honesty and was a fragile thing to start with.<br /><br />Maybe, hopefully, she is contemplating what I said, and will perhaps look at the positive things we have today as opposed to what we no longer have, for Billy Joel said it best when he wrote, &ldquo;the good ole days weren&rsquo;t always good and tomorrow ain&rsquo;t as bad as it seems&rdquo;.<br /><br />I also hope that she, along with others, will become a tad more considerate of the tentative nuances of email communication and think a little before sending their thoughts off into the void of cyberspace&hellip;</p>]]></description>
<pubDate>Sun, 26 Oct 2008 03:26:19 PST</pubDate></item>
<item>
<title>Information Systems Attacker Motivations</title>
<link>http://www.webupon.com/Security/Information-Systems-Attacker-Motivations.296959</link>
<description>
<![CDATA[<p>There are probably as many different specific motives behind attacks upon information systems as there are attackers, but we can break the most common underlying attacker motivations into a few broad categories as follows:</p>
<h3>Recreation and/or Personal Gratification</h3>
<p>For the Thrill of It - Believe it or not, there are those who get their jollies by hacking into networks purely for the &ldquo;fun and adrenaline-pumping thrill&rdquo; of it. The thrill of the chase has often been shown to be the most alluring of motivations. Many social and behavioral analysts attribute this to our deeply rooted subconscious drive to &ldquo;hunt&rdquo;.</p>
<p>Primitive Instincts - The advent of agriculture on a massive scale has, in the majority of Western societies, removed the direct &ldquo;life or death&rdquo; importance embodied by a successful hunt. As a society we no longer actively participate in or depend heavily on traditional hunter/gatherer or subsistence farming lifestyles. By attacking information systems, many are able to fill this perceived gap in their everyday life experiences.</p>
<p>Self-Importance - Then there are those who instigate attacks against information systems to prove their &ldquo;technical prowess&rdquo; to themselves and/or to their friends and associates. This class of attacker genuinely believes that their actions will somehow raise their standing in the community. While this may be true at the micro-level (the attacker and/or a small group of the attacker's peers), we tend to find that society in general will for the greater part collectively think otherwise.</p>
<p>The Group Effect - Never underestimate the power of peer group pressure or the compulsive behaviors that can result both directly and indirectly (collateral damage) from it. On top of this, the &ldquo;group effect&rdquo; is just as relevant and applicable to individual-style attacks as it is to group attacks.</p>
<p>Group Dynamics - The fact that many of these groups of attackers are such loosely bound collectives makes defending against them all the more difficult.</p>
<p>Group Effect Gratification - The specific gratification that many perpetrators of information systems attacks desire can often be as simple as believing that, in some manner or way, successful attack exploits will elevate their (the attacker's) perceived level of esteem within the group collective. It could also be a means of proving their &ldquo;worth&rdquo; in the eyes of those they perceive to be their peers.</p>
<p>Sociopathic Tendencies - The motivation behind this group of information systems attackers can be deeply rooted, long-seated anti-establishment or genuinely deep antisocial tendencies. Many times, the initiatives and outcomes instigated and driven by sociopathic intentions and behaviors have come very close to resulting in chaos or anarchy. Collateral damage is most common when an attacker's sociopathic tendencies take center stage.</p>
<p>Counterculture - Underground and counterculture-type motivations are also prime factors contributing to information system attacks. It is all about being &ldquo;the in thing&rdquo; among a group that generally prides itself on its &ldquo;alternative&rdquo; lifestyles and views.</p>
<p>Notoriety - Never forget those driven to personal gratification through notoriety. Getting one's 15 minutes of fame has often proven too hard to resist, and driven purely by this desire an attacker will perpetrate many attacks.</p>
<p>Sometimes hearing of the consequences of their actions is nowhere near enough. The maximum publicity to be gained from anonymously becoming a &ldquo;hacking legend&rdquo; simply won't do for some people. They need to be caught in order to truly become the center of the universe.</p>
<p>Those motivated to commit persistent multiple attacks in order to gain notoriety are one of the more dangerous types of attackers, since crashing or denying access to a large number of prominent web sites brings the highest publicity and hence the greatest notoriety. This group also exhibits a very strong underlying compulsion to do as much malicious damage as possible, for the same reasons as stated above.</p>
<p>Spam - Spammers are a group where notoriety and fiscal gain meet in the cyber war. Being the world's most prolific spammer has an egocentric side to it that most people quite simply don't understand.</p>
<p>Forbidden Fruit - We should not forget the &ldquo;forbidden fruit&rdquo; factor either. It is more or less similar to &ldquo;dangling the carrot in front of the donkey&rdquo; to get it moving. The need to reach that which is just out of reach is so deeply ingrained in some people that they cave in to temptation.</p>
<p>Curiosity - Curiosity can be such a compelling core human motivation that it also merits mention here. I think all of us have at some time or other wondered, &ldquo;I wonder what it's like on the other side of the fence&rdquo;.</p>
<p>In the case of members-only websites this can manifest as users who lack the appropriate credentials, access permissions and privileges attempting to gain entry into the restricted, registered-members-only zone. &ldquo;The grass is always greener on the other side&rdquo;.</p>
<p>The Age Factor - While the mass media tends to portray many of these &ldquo;hacker&rdquo; groups as being comprised solely of persons under the age of 25 (and usually in their teens), the statistics gathered in a number of recent studies tell a very different tale.</p>
<p>This is more or less a case of mistaken identity, or of being hung out to dry by default. In reality they were wrongly maligned and innocent of malicious intent. Their &ldquo;crime&rdquo; was that, due to a total absence of forethought or a lack of appropriate due care and consideration, they may have unwittingly created havoc for others. Quite often this class of attacker does what they do simply because it was there.</p>
<p>Increased Access Rights and Privileges - One group commonly found to be engaging in &ldquo;hacking-type&rdquo; activities are those modifying system functions in order to maintain greater levels of user access rights, privileges, privacy and freedom for themselves (personal gratification).</p>
<p>The recent rise in the number of publicly accessible anonymous proxy servers on the Internet bears witness to just how strong an influence the pursuit of privacy by users can be. At some time or other, we all feel the urge to surf the net anonymously. Our desire to avoid spam greatly motivates one and all.</p>
<h3>Fiscal Gain</h3>
<p>There are a considerable number of individuals and/or groups whose sole purpose for invading other networks, to which they have no legitimate access, is personal fiscal gain. Common attack motivations and strategies in this category include:</p>
<p>Financial Records - Manipulation of financial records is often the ultimate objective driving an attacker to gain access to a network. They may desire to attempt to transfer funds to their own bank accounts or to erase all records of their debts.</p>
<p>Hacker for Hire - Some hackers are paid by others to break into various networks designated by those engaging the services of the hacker. Corporate espionage is included in this category.</p>
<p>Bot-Master for Hire - Bot-masters are also known to perform similar services, for a fee of course, although in their case this usually means a DoS or DDoS attack or PPC fraud.</p>
<p>Extortion and DDoS Attacks - The attacker instigates a DDoS attack and then contacts the victim to inform them of the fact. The attacker then halts the attack. At this point the attacker usually contacts the victim again to make demands upon the victim.</p>
<p>Basically, the message is &ldquo;Pay up or I will continue crashing your network and thereby halt your ecommerce endeavors&rdquo;. This is very much a new spin on the traditional &ldquo;stand over&rdquo; extortion practices of the past. The main difference is that in this version the extortionist does not need to threaten their victim with physical injury (break an arm if you don't pay up).</p>
<p>So long as the victim keeps paying, the attacker will hold off their attacks. No prize for guessing that if the victim stops paying, the attacker will strike immediately by launching a denial of service attack (DoS or DDoS) specifically designed to debilitate the victim's network. In this way the victim's ecommerce can be halted in the blink of an eye.</p>
<p>Pay-Per-Click (PPC) Fraud - Certain notorious bot-masters have been known to use their botnets (hundreds or even thousands of compromised machines) to commit PPC fraud for some time now.</p>
<p>These scams work by exploiting the fact that website owners are paid advertising revenues on a per click basis by the likes of Google and Yahoo as part of their advertising strategies on behalf of legitimate advertisers.</p>
<p>Even though many sites may only receive 1 or 2 cents per click, having a botnet consisting of thousands of zombie machines cruising the Internet performing these actions can be very rewarding. It really doesn't matter which ad gets clicked, just as long as it is on a specific web page or website. Click-through analysis and advanced traffic analytics can detect these activities.</p>
<p>PPC Greed - Because human nature is what it is, greed can often overrun better judgment, with the result that some of the perpetrators of this type of scam get so overzealous that they have a website suddenly earning hundreds and even thousands of dollars a day.</p>
<p>Google and Yahoo are not that stupid and will promptly revoke the offending site's revenue-generating advertising privileges and services. Advertisers can afford themselves some protection by capping their maximum daily or per-site click-through limits.</p>
<h3>Revenge</h3>
<p>Revenge can also be a motive behind an information system attack. For example, dissatisfied customers, disgruntled former employees, jealous or angry competitors, and even people who have a personal grudge or bear some other umbrage against someone in the organization rank among the most frequent reasons that an attack against an information system is perpetrated.</p>
<p>This group comprises the most persistent of all information systems attack motivations, as well as being the attack motivation category that tends to cause the maximum malicious damage. Someone scorned is a very dangerous adversary indeed, because more often than not they don't care about whether or not they are apprehended. On the contrary, apprehension is in itself welcome to them, as it will present the aggrieved attacker with further opportunities to publicly air their grievances.</p>
<h3>Identity Theft</h3>
<p>Motivations for identity theft related attacks include the likes of: avoidance of penalties (punishment for other crimes committed), fraudulent impersonation, character assassination, espionage, revenge, extortion and elevation of authentication credentials and the associated access rights and privileges.</p>
<p>Quite often criminal activity is required to commit identity theft which in turn is used to commit further crimes. Identity theft can vary considerably in form, nature, method and intent but can be loosely grouped as follows: financial identity theft, criminal identity theft, identity cloning, masquerading and impersonation and business/commercial identity theft.</p>
<p>It is through a basic understanding of the motivations behind information systems attacks that we can better arm ourselves and be truly ready for the cyber wars. We will also be better placed to know where and when to look, as well as what to look for. Our next steps will be the construction of robust proactive defenses, teamed with the essential knee-jerk responses we are more familiar with.</p>]]></description>
<pubDate>Tue, 14 Oct 2008 09:31:46 PST</pubDate></item>
<item>
<title>Information Systems Under Attack</title>
<link>http://www.webupon.com/Security/Information-Systems-Under-Attack.295617</link>
<description>
<![CDATA[<p>Numerous information security studies and surveys have found that the majority of attacks upon information systems originate wholly, or are contributed to in a significant way, from sources located within the organization itself. This falls into the general category of &ldquo;subversion from within&rdquo;.</p>
<p>These internal threat sources can be as simple as duly authenticated, authorized users attempting to exceed their access rights and permissions, or unauthorized users trying to go where they should not be at all. Some of these types of attack can be relatively unthreatening and in no way exhibit or imply malicious or malevolent intentions on the part of the source of the attack.</p>
<p>For example, it may well be that a duly authenticated, authorized user is attempting to perform an action that exceeds their current logon account's specific user access rights and privileges, such as trying to install a piece of software. As an information systems administrator, I too must confess that I have been guilty of absent-mindedly using inappropriate logon credentials. It just goes to show that those things we don't do or are not reminded of &ldquo;day in, day out&rdquo; quickly gather cobwebs in the cogs of our minds.</p>
<p>One can very easily forget that the general purpose logon account credentials one uses in the production network environment, outside of the higher-security administrator-only access room, have considerably fewer access rights and privileges than one's full administrator account credentials. For a Microsoft Windows-based network this is the Administrator account with full access rights and privileges, or the &ldquo;root&rdquo; account in the Linux/UNIX world.</p>
<h3>Danger Potential is Relative</h3>
<p>The insider attack is potentially more dangerous than an outsider attack because the insider (he, she or it) already has a level of access to both facilities and systems that the outsider does not. If nothing else, the insider has physical accessibility options the remote or outside attacker does not usually enjoy. Not all insider-originated or insider-assisted attacks are perpetrated by members of the organization the attack is directed against.</p>
<p><strong>False Sense of Security</strong> - One area in which &ldquo;insider&rdquo; attacks have recently been proliferating is in the exploitation of unsecured internal wireless networks. In many cases these attacks have been perpetrated against wireless networks that were not as secured, fully patched, locked up and locked down as their owners believed, networks considered to be &ldquo;safe&rdquo; on the assumption that this sector of the corporate network is entirely &ldquo;internal&rdquo; and therefore cannot be connected to by randomly passing external wireless traffic. <strong>Wrong again</strong>.</p>
<p><strong>Subterfuge</strong> - Attackers have been using various ploys to gain physical accessibility to such vulnerable, supposedly secure internal wireless networks for quite some time now. Generally this involves some form of deception, or teams of perpetrators implementing quite elaborate ruses such as the impersonation of maintenance or utility workers to gain access to restricted areas, and then taking advantage of their now more privileged location to install a device to which they can later connect in relative safety (from a distance) to initiate their attack against the victim network.</p>
<p><strong>Non-Exclusive Access</strong> - Organizations with shared areas or multiple-tenant scenarios are prime candidates for these types of ploys. I have even seen situations where the plant could be done from the other side of a hollow-core wall without the target even knowing they had been penetrated.</p>
<p><strong>The Plant</strong> - Placing a wireless-enabled device in the suspended ceiling of a company's toilet facilities has long been a favorite here. Persons accompanied by infants will simply ask to use the toilet on behalf of the infant. Smelly nappies do not promote business in areas where the general public is served. Law enforcement has even reported that some of these tricksters are using hydrogen sulfide (rotten egg gas) to enhance their deception.</p>
<p><strong>Traditional &ldquo;Insider&rdquo; Attacks</strong> - Even the more traditional &ldquo;insider&rdquo; attack, where an employee, business partner, associate or other individual with authentic access credentials decides, for one reason or another, to partake in subversive activities, is difficult for most organizations to foil. Quite simply, many organizations lack the internal preventive controls and other countermeasures needed to adequately defend against insider-instigated threats.</p>
<p><strong>Beyond Public Access</strong> - Once beyond publicly accessible areas, networks are often wide open. Servers might even be sitting in physically unsecured areas, system patches might be out of date, and system administrators might not review security logs or have the time to review them properly.</p>
<p><strong>Inside/Outside Collusion</strong> - The greatest threat, however, arises when an insider colludes with a knowledgeable, structured outside attacker. The outsider's skills, combined with the insider's access, nearly always result in substantial damage or loss to the victim or victim organization.</p>
<h3>Attack Categories</h3>
<p>In essence all attacks can be divided into three main categories:</p>
<p><strong>Reconnaissance Attacks </strong>- Many attackers/hackers attempt to discover systems and gather information, perusing the landscape to see what is out there and, hopefully, to determine the vulnerability status of the systems discovered.</p>
<p>Attackers can save themselves considerable time if they take the effort to determine whether or not those systems they discover, or those which they have decided beforehand to make victims, are vulnerable to a whole host of known and documented exploits and vulnerabilities. The types of security holes the attacker is looking for will often depend upon the true purpose of their intended attack.</p>
<p>In most instances, reconnaissance attacks are used to gather information to set up an access or a denial of service (DoS) attack. In a typical reconnaissance attack a would-be hacker might ping a range of IP addresses to discover what is alive on a network. The hacker might then perform a port scan on the systems to see which applications are running as well as identifying the operating system and its version on potential target machines.</p>
<p>In short, reconnaissance attacks are pretty much as you would guess from the standard military usage of the term reconnaissance: to learn as much as possible about an intended target without the target being aware or alerted in any way to your presence or actions.</p>
<p><strong>Access Attacks </strong>- Simply put, an access attack is an attack in which an intruder attempts to gain unauthorized access to a system to retrieve information or to leave a nasty covert surprise, such as malware that records and transmits user activity. Sometimes the attacker needs to gain access to a system by cracking passwords using so-called dictionary attacks, brute force attacks or an exploit. At other times, the attacker already has access to the system (as an insider or by using an insider's credentials) but needs to escalate his or her privileges.</p>
<p><strong>Denial of Service (DoS) Attacks </strong>- Attackers use DoS attacks to disable or corrupt access to networks, systems, or services. The intent is to deny authorized or valid users access to these resources. DoS attacks typically involve running a script or a tool, and the attacker does not necessarily require access to the target system, only a means to reach it. Buffer overrun exploits are an example of a DoS attack.</p>
<p>In a distributed DoS (DDoS) attack, the source consists of large numbers of compromised computers (called zombies) that are usually spread across a large geographic boundary. When the zombies are collectively under the control of a central controller they are referred to as a &ldquo;botnet&rdquo; and the central controller is known as the &ldquo;bot-master&rdquo;.</p>
<p>Not all botnets are used for DoS and DDoS attacks. It would be amiss of me not to mention the use of botnets for perpetrating Pay-Per-Click fraud. The bot-master directs zombie machines in sections of his botnet to visit specific web pages and then execute a script imitating a user clicking an advertising link.</p>
<p>The mechanism by which the DDoS attack immobilizes the target is often buffer overrun-related in nature. Due to the severity and speed with which a DDoS attack can be initiated and its victim nullified there have been a number of instances of extortion related to the actual attacks.</p>
<h3>The Essence of Information Security Objectives</h3>
<p>In essence, information security involves making sure that only authenticated, authorized entities (people and systems) are granted access to secured information. It is therefore the people, the information systems (hardware and software) and the data they contain that information security aims to protect from unauthorized or inappropriate modification or corruption.</p>
<p>The objectives are that information and information systems remain confidential, that their integrity remains trustworthy and reliable, and that they remain available whenever required to duly authenticated, authorized personnel holding the appropriate access rights and privileges. These three objectives are of paramount importance.</p>
<h3>Tools of Information Security</h3>
<p>There are many tools that can be employed to ensure adequate protection for our information systems. Some of the more prominent are: cryptography, authentication servers, appropriate backup and restoration strategies, complex passwords and passphrases, digital certificates, biometrics, access controls, firewalls, intrusion detection and prevention systems, auditing, accounting and logging together with regular analysis of the resulting logs, and diversionary tactics such as honeypots.</p>
<p>Multi-factor authentication, like every other control, should be deployed as one layer of a defense-in-depth design rather than as a single line of defense. The more layers an attacker must penetrate, the greater the odds they will become frustrated and move on to easier targets.</p>
<p>Yet even with all of this technology we still find that user education, together with the development, implementation and maintenance of appropriate security policies and practices (including a regular patching regime) and close attention to physical security, remains perhaps the most valuable of all our front-line defenses.</p>
<h3>The Defining Goals of Information Security</h3>
<p>Without doubt the defining goal of information and information systems security must be to give users confidence that those systems will remain free from undetected outside interference, corruption or attack whilst also resisting subversion from within.</p>]]></description>
<pubDate>Mon, 13 Oct 2008 06:04:56 PST</pubDate></item>
<item>
<title>The CIA of Information Security</title>
<link>http://www.webupon.com/Security/The-CIA-of-Information-Security.295509</link>
<description>
<![CDATA[<p>In essence, information security involves making sure that only authenticated authorized entities (people and systems) are granted access to secured information. Remember that an entity is that which is or that which is perceived to exist.</p>
<p>Thus the people, the information systems (hardware and software) and the data (information) they contain are all entities that information security is concerned with “securing”. Information security must also secure these very same entities from themselves and from each other. The key factor is that you need to adequately cover all bases, not just a selection; if there are any holes in your defenses the worms are sure to get in.</p>
<p>In order to provide adequate, multi-level protection free from single points of failure, the security afforded to information systems must function at both the macroscopic and the microscopic level. Information and information systems security initiatives must give users confidence that those systems will remain free from undetected outside interference, corruption or attack whilst also resisting subversion from within.</p>
<h3>Confidentiality, Integrity and Availability (CIA)</h3>
<p>Often referred to by the acronym CIA; Confidentiality, Integrity and Availability are the three primary tenets of information security and have traditionally been defined as follows:</p>
<p><strong>Confidentiality - </strong>The goal of information confidentiality is to ensure that only duly authenticated authorized entities have appropriate access to that information. Encryption is the most commonly used tool to achieve confidentiality.</p>
<p>Authentication, authorization and entity (user and system) access rights and privileges, such as those implemented and enforced through RADIUS, TACACS+, Kerberos and directory services including Novell Directory Services and Microsoft's Active Directory with Group Policy, also play key roles in ensuring information confidentiality.</p>
<p><strong>Integrity </strong>- It is imperative that keeping information confidential is closely partnered with ensuring its trust-worthiness. Thus; we also need to ensure that our information systems and the information contained within them remain free from modification by unauthorized parties as well as not being improperly modified by authorized ones. Only then can they be relied upon.</p>
<p>Because we cannot be 100% confident that attack-proof measures will keep the integrity of our information systems from being compromised, we are best advised to implement additional measures that reliably detect and characterize alterations and interference of all kinds. To this end checksums and hashes are used to validate data integrity, as are transaction-logging systems. Bear in mind that an unkeyed checksum or hash only detects accidental corruption: an attacker who can alter the data can recompute the hash too, so tamper detection needs a keyed message authentication code (HMAC) or a digital signature, with the key kept out of the attacker's reach.</p>
<p><strong>Availability </strong>- Information systems serve no purpose if they and the information they house are not readily accessible to duly authenticated, authorized users and systems with the appropriate access rights and privileges as and when needed. Access should be more or less instantaneous and on demand; the latter point matters because it requires the system to cope with unscheduled, random access as well as scheduled load.</p>
<p>In addition to simple backups of data and disaster planning and recovery mechanisms, availability includes ensuring that systems remain accessible in the event of attack such as denial of service (DoS) and distributed denial of service (DDoS) attacks.</p>
<p>Critical data must be adequately protected from erasure, be it accidental or otherwise. For example, preventing the erasure of data on your organization's external Web site is of high priority for ecommerce and information and support sites alike.</p>
<h3>Information and Information Systems Additional Concerns</h3>
<p>Now that we have a basic handle on the roles played by confidentiality, integrity and availability, we need to augment them with additional controls if our information systems are to deliver a truly secure environment. Additional areas of concern include:</p>
<p><strong>Authentication</strong> - The purpose of implementing authentication systems and processes is to ensure that information users and information systems are, in fact, who they say they are. Various password authentication mechanisms are; without doubt, the longest standing traditional way to authenticate users.</p>
<p>Highly complex passwords or passphrases of more than 12 mixed upper and lower case alphanumeric characters plus symbols do provide a reasonable level of rapidly verifiable authentication security, but they are not the only method available to us. Cryptographic tokens, “smart” cards and biometrics also have a role to play.</p>
<p><strong>Passwords and Cryptography</strong> - Concerning password-based authentication it must also be noted that cryptography plays a key role in keeping passwords confidential. It is no longer appropriate to transmit unencrypted passwords over publicly accessible media such as wireless networks. Not only should the password never travel in the clear; verification of the credentials should also take place transparently to users and eavesdroppers alike.</p>
<p>Two mechanisms are used here. First, the authenticating system never stores the password itself; it stores a salted, deliberately slow hash (a verifier) and compares a freshly computed hash of whatever the user types against it, so a stolen credentials database yields no passwords directly. Second, on the wire the password is either carried inside an encrypted channel such as TLS, or it is never sent at all: in a challenge-response exchange the server sends a random nonce and the client returns a keyed digest (an HMAC) over that nonce computed from the password, so an eavesdropper sees only a one-time value that cannot be replayed against a fresh challenge. The user still keys in their password as usual, but that is all.</p>
<p><strong>Machine Authentication</strong> - Passwords are nowhere near secure or practical enough for the authentication of information end-systems, that is to say machine-to-machine authentication. This is where digital certificates and other machine-friendly mechanisms are employed. Without proper and reliable authentication of end-systems, attacks such as the “evil twin” access point and phishing sites become possible. Both ends of a conversation or transaction need to be able to reliably authenticate each other; failure to ensure this is tantamount to no security at all.</p>
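<p>The challenge-response exchange described under Passwords and Cryptography above, as an added example that is not part of the original article. Assumptions made here: PBKDF2-HMAC-SHA256 with 100,000 iterations as the slow salted hash, 16-byte salts and nonces, HMAC-SHA256 as the response function, and an in-memory user table; the Server class, the function names and the test user are the example's own.</p>

```python
"""Challenge-response password authentication: the password itself is
never sent, and a captured response cannot be replayed.

Added example, not code from the original article. The wire format and
the parameter values (PBKDF2-SHA256, 100000 iterations, 16-byte nonce)
are assumptions chosen for illustration; the user table is in memory."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it on modern hardware


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation. The server stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    def __init__(self):
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> outstanding nonce

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str):
        """Step 1: hand the client its salt and a fresh random nonce."""
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 3: recompute the expected response and compare in constant time."""
        nonce = self.pending.pop(username, None)  # every nonce is single-use
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2: the client keys an HMAC with the password-derived value and
    signs the nonce. Only this 32-byte tag crosses the network."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


def login(server: Server, username: str, password: str) -> bool:
    salt, nonce = server.challenge(username)
    return server.verify(username, client_response(password, salt, nonce))


def replay_attack(server: Server, username: str, password: str) -> bool:
    """An eavesdropper captures one valid response and resends it later.
    Returns the result of the replayed attempt (False: the nonce changed)."""
    salt, nonce = server.challenge(username)
    captured = client_response(password, salt, nonce)
    server.verify(username, captured)  # the legitimate login succeeds
    server.challenge(username)         # a new session issues a new nonce
    return server.verify(username, captured)
```

<p>Two caveats. In this simple scheme the stored verifier is password-equivalent: whoever steals the server's table can answer challenges without knowing the password, which is why SCRAM-style protocols store a hash of the client key instead and why the table still needs protecting. And the exchange is normally run inside TLS anyway, because challenge-response on its own does not prove the server's identity to the client, which is the “evil twin” problem discussed under Machine Authentication.</p>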
<p><strong>Authorization and Access Control</strong> - Ensuring that a user, once authenticated, is only able to appropriately access information to which he or she has been granted permission by the owner of the information.</p>
<p>This can be accomplished at the operating system level using file system access controls or at the network level using access controls on routers or firewalls. Similar measures can be implemented for machine accesses such as those required during automated backup and recovery procedures over the network. Too often we fall into the trap of forgetting that computers need appropriate authorization and access controls.</p>
<p>For instance, MAC address filter tables can be used to restrict which devices may join a wireless network, giving a second, device-level check on top of the user's own credentials. Note that this is a weak control on its own: MAC addresses are trivially observed on air and trivially spoofed, so the device check should be backed by certificate-based machine authentication (for example 802.1X with EAP-TLS) rather than relied upon alone.</p>
<p>Many administrators employ similar measures to ensure that all automated backups occur thoroughly and as desired regardless of who is or who has been using the device being backed up.</p>
<p><strong>Appropriateness</strong> - We need to ensure that access requests by duly authenticated users or systems are granted only in a manner appropriate to the purpose for which access is requested.</p>
<p>For example a backup operator verifying the success or lack of success of a backup operation is concerned that the data backed up is valid and not corrupted. This does not mean that the backup operator needs to be able to manually visually peruse the data. A hashing algorithm and checksum will do this even if the data is fully encrypted.</p>
<p><strong>Auditing and Accountability</strong> - To ensure that all activity and all transactions taking place on a system or network are consistent with the system or network's appropriate usage policies we can automatically monitor and record them. Creating logs is only part of the story; you need to review and analyze them if you actually want to learn what they can tell you about system availability and to detect instances of unauthorized use.</p>
<p>These processes can take many forms, including logging by the operating system, logging by a network device such as a router or firewall, logging by an intrusion detection system (IDS) or intrusion prevention system (IPS), and packet capture (network sniffing) with software such as EtherPeek, Wireshark (formerly Ethereal), Snort or Kismet installed on a PC.</p>
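<p>The review step just described, as an added example that is not part of the original article: a small analyser that reads authentication log lines, counts failed logons per source address inside a sliding window, and flags both the brute-force attempt and any success that follows it from the same address. The log lines are constructed in OpenSSH's own “Failed password” / “Accepted password” format with documentation-range IP addresses; the threshold, window and year are assumptions.</p>

```python
"""Brute-force detection over authentication log lines.

Added example, not code from the article. SAMPLE_LOG is constructed in
the OpenSSH sshd message format; thresholds and the year are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers root, then guesses bob's password
# on the sixth try; a second source makes one typo and then logs in normally.
SAMPLE_LOG = """\
Oct 13 06:04:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 13 06:04:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct 13 06:04:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Oct 13 06:04:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Oct 13 06:04:05 host sshd[1205]: Failed password for bob from 203.0.113.7 port 51238 ssh2
Oct 13 06:04:06 host sshd[1206]: Accepted password for bob from 203.0.113.7 port 51239 ssh2
Oct 13 06:05:10 host sshd[1210]: Failed password for carol from 198.51.100.2 port 40000 ssh2
Oct 13 06:05:40 host sshd[1211]: Accepted password for carol from 198.51.100.2 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text: str, year: int = 2008) -> list:
    """Return (timestamp, result, user, ip) tuples for lines we recognise.
    Syslog lines carry no year, so the caller supplies one (assumption)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are skipped, not treated as errors
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_brute_force(events: list, threshold: int = 4,
                     window: timedelta = timedelta(minutes=5)) -> list:
    """Flag a source IP once it reaches `threshold` failures inside `window`,
    and flag separately any later success from an IP already flagged: that
    is the case that needs a human, because the guess probably worked."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            cutoff = ts - window
            failures[ip] = [t for t in failures[ip] if t >= cutoff] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("brute_force", ip, None))
        elif ip in flagged:
            findings.append(("success_after_brute_force", ip, user))
    return findings
```

<p>The second finding is the one that matters: a lockout policy stops the guessing, but only log review tells you that the fifth or sixth guess was right and that bob's account is now in someone else's hands.</p>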
<p><strong>Non-Repudiation</strong> - Implementing processes and procedures to ensure that a person initiating a transaction is irrefutably authenticated and validated to an extent sufficient enough that he or she cannot reasonably deny that they were the initiating party. Public key cryptography is often used to support this effort.</p>
<p>It is also important that users actively follow good security and authentication practice, so that it would be unreasonable to suppose that their credentials could have been used by someone else. Multi-factor authentication systems are very prominent in this regard.</p>
<p><strong>Additional Access Controls</strong> - Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are also used to control user access and access capabilities at both the network and system levels. Areas of reduced trust and privilege can be created by implementing demilitarized zones (DMZs), in which case a dedicated, robust, full-featured firewall device is the better option. The Windows native firewall is useful on end-user machines but is not up to the job of serving as an information network firewall.</p>
<p><strong>Honey Pots</strong> - Using honeypots as sacrificial lambs, so to speak, can divert would-be attackers unknowingly away from their true objectives and so avert more serious breaches of information security, while recording their tools and techniques in the process.</p>
<p>In fact, terminating a honeypot in a “black hole” route can deliver considerable enjoyment for information security administrators. Not only have you led the attacker up the proverbial garden path, you have delivered them unto the abyss.</p>
<p>The moral of the story is that it is not just the attacker who can have a malicious streak; so too can the defenders. All is fair in information love and war.</p>]]></description>
<pubDate>Mon, 13 Oct 2008 04:52:52 PST</pubDate></item>
<item>
<title>Traffic Exchange or Stumble Upon?</title>
<link>http://www.webupon.com/Blogging/Traffic-Exchange-or-Stumble-Upon.274957</link>
<description>
<![CDATA[<p>All bloggers and web masters know about traffic exchange services. They are the easiest way to drive traffic towards your blog or site. But are they useful in getting you regular visitors? Are they capable of generating any revenue?</p>
<p>Most bloggers like the idea of using ads on their blogs. Many earn healthy revenue from them. Many others try to follow and fail. It is heartbreaking to see that your blog has no readers, and this is where traffic exchange services come into the picture. They offer you free traffic: you raise the statistics of other people's pages and your statistics get raised in return. Isn't that the reality?</p>
<p>Take a common scenario. A web site owner is surfing one such site that offers free traffic. Why is he visiting other people's sites? Because he wants traffic to his own! When the page loads, a countdown starts, and he has to stay on the page for that time to get credits. But is that realistic in a world with tabbed browsing? He can surf with multiple tabs open, do the required action, switch to another tab for something else, then switch back to the traffic site tab after a while and repeat. What about the site to which the traffic is sent? Its statistics are rising but its sales are not! Nobody clicks on its ads. The traffic is completely useless.</p>
<p>Now consider a visitor coming from a search engine. He is interested in the site from the start. In many cases he won't just stop by to get the information he wants; there is a good chance of him subscribing, clicking the ads or coming back. A subscriber or regular visitor is always better than a 30 second visit.</p>
<p>Many traffic exchange services list websites that are completely useless: sites that offer to make you a millionaire in days, put you at rank 1 in search engines, double your AdSense click-through rate and so on. Some traffic exchange services are targeted at a niche, but there is nothing special about them beyond that.</p>
<p>So, what do you think? Should you use traffic exchange services? If you are still interested, go to this short review to learn a bit about them and their features.</p>]]></description>
<pubDate>Sun, 28 Sep 2008 02:27:03 PST</pubDate></item>
<item>
<title>Password Security</title>
<link>http://www.webupon.com/Security/Password-Security.250379</link>
<description>
<![CDATA[<p>Computer security, hacking, and cybercrime related issues and scams now seem to make news headlines every day with some new slant that has netted fraudsters six figure sums from their illegal activities. Will it ever end? With this sort of money to be had the answer is probably not. There will always be somebody out to make a fast buck at somebody else's expense.</p>
<h3>Cybercrime Tug "o" War</h3>
<p>As attackers develop new strategies defenders develop new countermeasures. So the attackers develop counter-countermeasures to which the defenders respond with counter-counter-countermeasures and so on it goes and at such a rate that it sets your mind spinning. It really does seem to get quite overwhelming at times.</p>
<p>Everybody's objective in the cybercrime tug "o" war is to be on the winning side. Nobody likes losing, especially when it is your own personal property or, even worse, your identity that is at stake. However, there are steps you can take to reduce both your organization's and your own personal risk.</p>
<h3>Single Point of Failure</h3>
<p>Many systems today still rely on password-only authentication, so defending yourself and your organization against breaches of password security is of heightened importance. Having a single point of failure (the logon name and password combination) leaves you more exposed to cybercrime.</p>
<p>Ostrich tactics won't work here so be a cold-blooded pragmatic realist and assess your current password security procedures and status honestly. Do not let anyone else know the details of your self-assessment. Identify areas of weakness and put them right.</p>
<h3>Passwords - Hard Copies (Paper)</h3>
<p>Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, are among the most pervasive long-running issues facing the information security specialist.</p>
<p>The best advice concerning the practice of making hard copies of authentication credentials is DON'T. But we live in the real world and people do. So here is what can be done to tighten security for password hard copies.</p>
<h3>Keeping a Copy in the Desk</h3>
<p>Maintaining a hard copy (paper) of your passwords and locking it in your desk is not as secure a practice as you might think. You cannot guarantee that nobody will attempt to break into your desk.</p>
<p>The locks on most desks are merely a trivial inconvenience to those with a little know-how and a flat-edged envelope opener. Five to ten seconds is usually all that it takes to open the majority of desk drawers.</p>
<p>Failing to lock your desk compounds the problem. It may save your desk's lock from damage but will do nothing to protect the hard copy of your passwords. You cannot watch your desk 24/7, so there is no way to guarantee that it is a secure place to store authentication credentials.</p>
<h3>Password Hard Copy Security Basics (If You Really Must)</h3>
<ul>
<li> Do not leave a hard copy of your passwords in close physical proximity to your computer, e.g. on your desk or beside the PC or monitor</li>
<li> Do not make a hard copy of your logon and password details and leave it in open public view</li>
<li> Do not write your logon name and password on a post-it note and attach it to the PC or monitor. This is probably the worst password hard copy practice of all.</li>
<li> Lock desk</li>
<li> Use a safe</li>
<li> Store the credentials in another room or even off-site </li>
</ul>
<h3>Passwords - Electronic, Magnetic and Optical Copies</h3>
<p>While not as risky as maintaining hard copies of your authentication details considerable care still needs to be taken when storing electronic, magnetic or optical copies of authentication credentials. Here are a few pointers to improve your security preparedness with regards to storing password authentication credentials on electronic, magnetic or optical media:</p>
<p>Encryption - You should always encrypt the authentication credentials data when storing it in an electronic, magnetic or optical format.</p>
<p>Password Protection - Use a password to lock and protect the file for additional security.</p>
<p>Hashing - While you are at it, I recommend computing a cryptographic hash of the file (use SHA-256; MD5 is no longer considered collision resistant) to check its integrity. Apply the hash after the file has been saved to disk and record the file's attributes (size, modification time, permissions) alongside it. A plain hash will only ever catch accidental corruption, however: anyone able to modify the file can just as easily recompute the hash. For tamper detection use a keyed hash (an HMAC) with the key stored somewhere the attacker cannot reach, or a digital signature.</p>
<p>A verified keyed hash tells you whether the file has been altered in the period between when you computed it and now. It will not tell you whether anybody merely read the file; detecting reads needs file access auditing (on Windows, an audit policy with a SACL on the file). Nor will it tell you who made a change, but if it was another network user they may well have left identifying evidence in the audit logs.</p>
<p>Forewarned is forearmed. Knowing that you are under attack removes the attacker's advantage of surprise, since they will most likely be unaware that you know somebody has been there.</p>
<p>Theft - As with paper hard copies, any physical copy of data carries an additional risk of physical theft. Many thieves find physical objects easier to steal than electronic ones. They may consider your PC too big to put in their pocket, but CDs, USB flash drives, floppy disks and external hard drives are another matter altogether.</p>
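<p>The hashing advice above, and the Integrity section of “The CIA of Information Security” (checksums and hashes as tamper detection), worked through as an added example that is not part of either article. It puts an unkeyed SHA-256 beside an HMAC-SHA256 over the file content plus its attributes, and shows that an intruder who can edit the file can also rewrite the unkeyed hash, but cannot forge the keyed tag. The file body, its metadata, the key and the intruder's edit are all constructed for the demonstration; the function names are the example's own.</p>

```python
"""Integrity check for a stored credentials file: unkeyed hash versus
keyed HMAC. Added example, not the article's own code. The file content,
its metadata, the key and the attacker's edit are all constructed."""
import hashlib
import hmac
import json

# Constructed secret. In practice: os.urandom(32), kept off the host that
# holds the file (or in a hardware token), never stored alongside the file.
KEY = bytes.fromhex("6f2a1c5d8e9b4f3a7c1e0d2b5a6f8c9d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b")

# Constructed file body and the attributes we want pinned down with it.
ORIGINAL = b"vpn: 2Shorts&3Longs\nrouter: InTheDoor4*4\n"
META = {"size": len(ORIGINAL), "mtime": 1223873096, "mode": "0600"}


def unkeyed_digest(content: bytes) -> str:
    """SHA-256 of the content only. Catches corruption, not a determined editor."""
    return hashlib.sha256(content).hexdigest()


def keyed_tag(key: bytes, content: bytes, metadata: dict) -> str:
    """HMAC-SHA256 over the content hash plus the canonicalised metadata.
    Without the key nobody can produce a tag that verifies, whatever they
    write into the file or its attributes."""
    canon = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    msg = hashlib.sha256(content).digest() + b"\x00" + canon
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, content: bytes, metadata: dict, tag: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(keyed_tag(key, content, metadata), tag)


def attacker_edit(content: bytes):
    """An intruder with write access swaps a stored password and, because the
    sidecar hash is unkeyed, simply recomputes it so a naive check still passes."""
    tampered = content.replace(b"InTheDoor4*4", b"attacker1")
    return tampered, unkeyed_digest(tampered)


def run_checks() -> dict:
    """Return the outcome of each check as the defender would see it."""
    stored_hash = unkeyed_digest(ORIGINAL)       # recorded when the file was saved
    stored_tag = keyed_tag(KEY, ORIGINAL, META)  # recorded at the same time, key kept apart
    tampered, replaced_hash = attacker_edit(ORIGINAL)
    tampered_meta = dict(META, size=len(tampered))
    return {
        # the untouched file passes both checks
        "clean_hash_ok": unkeyed_digest(ORIGINAL) == stored_hash,
        "clean_tag_ok": verify_tag(KEY, ORIGINAL, META, stored_tag),
        # the intruder overwrote the sidecar hash, so the unkeyed check is fooled
        "tampered_hash_ok": unkeyed_digest(tampered) == replaced_hash,
        # the keyed tag cannot be recomputed without KEY, so the edit shows
        "tampered_tag_ok": verify_tag(KEY, tampered, tampered_meta, stored_tag),
        # a permissions change alone (0600 to 0644) is caught as well
        "chmod_tag_ok": verify_tag(KEY, ORIGINAL, dict(META, mode="0644"), stored_tag),
    }
```

<p>The pattern generalises to any baseline you keep for tamper detection: what makes it trustworthy is not the hash algorithm but where the key (or the signing key, or the read-only copy of the baseline) lives relative to the attacker.</p>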
<p>Physical Security - Protecting electronic, magnetic and optically stored physical copies of your data always begins with physical security measures such as using data vaults, lock and key and off-site storage etc. You should also only store this information in an encrypted format to increase your data protection strategies.</p>
<p>Password Protect Electronic Copies - Password locking the files containing the copies of your password authentication credentials is also important.</p>
<h3>Password Complexity</h3>
<p>The more complex a password, the harder it is for an attacker to crack. Most attackers will simply move on to easier targets. It is strongly recommended that you ensure that any passwords that you use comply with the following guidelines:</p>
<p>Minimum Length - Make sure that your passwords are at least 8 characters long, and preferably 12 or more. Length is the single biggest factor in resisting guessing, so a 14 character password or pass phrase provides immensely better security than one of 8, 9, 10 or 11 characters.</p>
<p>Case Sensitive - Ensure that all password authentication mechanisms are case sensitive</p>
<p>Mixed Case - Use a mixture of upper and lower case characters</p>
<p>Numbers - Include at least one numeral in every password</p>
<p>Symbols - Include at least one non-alphanumeric character (symbol) in every password</p>
<p>Dictionary - Try not to use any real words that can be found in a dictionary</p>
<p>Social Engineering - Try not to use names or dates that are associated with you as a person. This means that you should not use your address or birth dates or the names of family, friends or pets either.</p>
<p>Defaults - Change all default authentication credentials at the earliest possible time. This will include the default administrator account and password. Also disable the Anonymous and Guest account access privileges.</p>
<p>Retry Limits - On Windows you can use Local Security Policy &gt; Account Policies &gt; Account Lockout Policy (secpol.msc, or "net accounts /lockoutthreshold:N" at the command line) to limit the number of failed logon attempts before the account is locked out. A low threshold goes a long way toward stopping online password guessing, and it makes brute-force and dictionary attacks against the live system impractical for most attackers; they won't waste time on you when there are easier fish to be had. Do not set it so low (two or three) that ordinary typing mistakes lock people out, and remember that an attacker who knows your user names can deliberately lock every account; a threshold of five to ten with an automatic unlock after a set period is a workable compromise. Note also that lockout does nothing against offline cracking of a stolen password hash; only length and complexity help there.</p>
<p>Retry Rate (Time-to-Wait) - Where the platform supports it (pam_faildelay on Linux, or the lockout duration and reset window in the Windows policy above), adding a delay of a few seconds after each mismatch slows online “brute force” password tools to a crawl. Like lockout, it only affects guessing against the running system, not cracking of a captured hash.</p>
<p>Password Renewal - Change authentication credentials, including passwords and passphrases, whenever there is any suspicion that they have been exposed, and periodically for shared or privileged accounts. Be aware that forcing frequent routine changes on every user tends to produce predictable variations (Password1, Password2) that weaken rather than strengthen security.</p>
<p>Password Policy - Develop, document and implement a password/pass phrase policy and enforce it.</p>
<h3>Pass Phrases</h3>
<p>Using pass phrases rather than passwords is a far more secure practice. It also means that a higher degree of complexity can be built in while still remaining user friendly. As an example you could use a pass phrase like this - 2Shorts&amp;3Longs. Note that this example has a total of 14 characters and includes a mixture of upper and lower case, numeric characters and the ampersand symbol.</p>
<p>A simple modification of this could be - 2*Shorts&amp;3*Longs. Simply including the two asterisks has made this a 16 character mixed-case alphanumeric pass phrase with symbols included. It is easy to remember if you think of it as - 2 times Shorts &amp; 3 times Longs.</p>
<h3>Automatically Generated Passwords</h3>
<p>Most modern systems can generate random passwords that adhere rigidly to a predefined set of rules such as those contained in a password policy: password managers do this, as do command line tools such as pwgen and "openssl rand" on Linux.</p>
<p>The passwords so generated are not easy for us mere mortal humans to remember. Thus pass phrases as outlined above may be more appropriate for you.</p>
<p>Here is another pass phrase - InTheDoor4*4. At 12 characters of mixed upper and lower case with numerals and a symbol this is quite a strong pass phrase and will be accepted by most if not all systems. Say it as “In The Door 4 by 4”. It's the rhyming factor that makes it easy to remember.</p>
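<p>The rules from the Password Complexity section and the three pass phrases above, run through a checker as an added example that is not part of the original article. It also shows what the rules alone miss: a common password dressed up with the usual substitutions, and personal details embedded in the phrase. The 12-character floor is the figure the article itself gives; the tiny blocklist, the substitution table, the function names and the personal details used in the test are constructed.</p>

```python
"""Password and pass phrase checker for the rules given in the article.
Added example, not the article's own; COMMON and LEET are constructed."""
import re

COMMON = {"password", "letmein", "welcome", "qwerty", "iloveyou", "admin"}  # tiny, constructed
LEET = str.maketrans("@4301$5!7", "aaeoissit")  # the usual a/@, e/3, o/0, i/1, s/$ swaps


def normalise(pw: str) -> str:
    """Strip trailing digits/symbols, then undo leet substitutions, so that
    'P@ssw0rd1!' is compared against the blocklist as 'password'."""
    return re.sub(r"[^A-Za-z]+$", "", pw.lower()).translate(LEET)


def check_password(pw: str, personal: tuple = (), min_len: int = 12) -> list:
    """Return the list of rules the candidate fails; empty means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("no mixed case")
    if not re.search(r"\d", pw):
        problems.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    core = normalise(pw)
    if core in COMMON:
        problems.append(f"based on common password '{core}'")
    low = pw.lower()
    for item in personal:  # names, dates, pets: the social engineering rule
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal detail '{item}'")
    return problems
```

<p>"P@ssw0rd1!" satisfies mixed case, numeral and symbol, which is exactly why a complexity rule on its own is not enough; the blocklist catches it only because the checker undoes the substitutions first.</p>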
<h3>Security-In-Depth</h3>
<p>Using a security-in-depth strategy entails implementing more than one mechanism in your defenses. You can build multiple layers of defense around password authentication.</p>
<p>One set of credentials (user logon name and password) opens a channel, after which additional passwords are required to obtain further access privileges and user rights as needed. This is the strategy Cisco uses in IOS: a login password gets you onto the device, and the “enable” password is needed to reach privileged mode. Cisco also provides the “enable secret” command, which stores that password as a salted hash in the configuration rather than in clear text or in the trivially reversible Type 7 encoding used by the older “enable password” command.</p>
<p>Here is an example to illustrate the security-in-depth approach using password authentication systems:</p>
<ol>
<li> You log onto the network using one password, which in association with your logon user name will, once authenticated, allow you access to basic network assets, services and resources</li>
<li> If some time later you need access to a resource requiring a higher privilege level, such as a database, you may need to supply another user name with a different password. We now have a two-tier hierarchy of access privileges for specific resources: still password-based, but considerably more secure than a single password that opens everything.</li>
<li> Now suppose you wish to gain access to and modify sensitive information held within that database. In this case you will need to supply yet another user name and password. A third layer of password protection is now in place; your level of security has increased again, and the best part is that it costs nothing. </li>
</ol>
<p>Most operating systems, including Windows, Linux and Apple's Mac OS, along with application software (MS Word, OpenOffice, security suites etc.), support this strategy natively out of the box.</p>
<p>A classic example is your email account. Your operating system requires the first password-protected authentication at logon; your email service provider requires another when you check your mail.</p>
<p>WARNING: A word of caution, however. Unless the mail session is protected with SSL/TLS (or STARTTLS), POP3, IMAP and SMTP authentication send the password in plain text, which is a very bad idea: anybody with a “packet sniffer” utility on the path can capture the traffic and read the credentials at leisure. To overcome this, configure the encrypted connection options your mail client and provider offer, and use multi-factor authentication where available, which I do recommend and will discuss in another article which I hope to have finished in a day or two.</p>
<h3>Conclusions</h3>
<p>NEVER disclose account authentication credentials such as logon names and passwords. At all times and under all circumstances you must ensure that this type of information remains known only to you, the user in question, and to your security, administration and support personnel, and then only on a need to know basis.</p>
<p>NEVER keep hard copies of passwords and other authentication details</p>
<p>ALWAYS store data in an encrypted format</p>
<p>ALWAYS afford authentication credentials maximal protection and spare no effort in these endeavors, as they will deliver heightened levels of security across the board to your entire system/network</p>
<p>ALWAYS implement multiple layers of password-protected authentication. A security-in-depth approach is applicable to practically every system with a little careful planning.</p>
<p>REACTIVATE the logon password dialogue if it has been disabled</p>
<p>One final thought is to remember the 3 A's:</p>
<h3>AAA - Appropriate Authenticated Accessibility</h3>]]></description>
<pubDate>Thu, 11 Sep 2008 10:40:38 PST</pubDate></item>
</channel>
</rss>
