Protecting Yourself Online with Strong Passwords

Posted by cyber-geek | Posted in Cyber tips | Posted on 02-02-2010


The concept of a password for any system is similar to that of a key for a home. The key is essential to lock the home and protect personal belongings from others who are not authorized or wanted inside. Today, due to globalization and the Internet revolution, a person may have several online properties or accounts that are as important as the physical belongings at home: e-mail, portals, website subscriptions, network servers, databases, online banking accounts, credit cards, etc. Strong passwords for these provide a secure, strong lock, just like the lock on a home.

Most people who are new to the online world lack knowledge of how to set up a strong password for their online accounts. But cyber criminals can easily recover such passwords, and the results can be as serious as the attack on Microsoft’s Hotmail and other web-based e-mail services. A recent survey of the compromised passwords revealed that many of the accounts had easy-to-guess passwords, and the most frequently used password among them was “123456”.

Some general methods that attackers use for identifying a victim’s password include:

  • Guessing—The attacker repeatedly tries to log on to the user’s account by guessing probable words and phrases, such as the names of the user’s children, their birth city, or local sports teams.
  • Online Dictionary Attack—The attacker uses an automated program that works from a text file containing many words. The program repeatedly tries to log on to the target system, testing a different word from the file on each attempt.
  • Offline Dictionary Attack—Similar to the online dictionary attack, except that the attacker obtains a copy of the file in which the hashed or encrypted user accounts and passwords are stored, and runs an automated program against it to find the password for each account. This type of attack can finish very quickly once the attacker has a copy of the password file.
  • Offline Brute Force Attack—A variant of the dictionary attack designed to discover passwords that are not present in the word list used by those attacks. Although a brute force attack can be attempted online, network bandwidth and latency mean it is generally carried out offline against a copy of the target system’s password file. The attacker uses an automated program that produces the hash or encrypted value of every possible password and compares each with the values in the password file.

Microsoft suggests that the use of strong passwords can slow down or even defeat these attack methods. This shows the importance of having a strong password.

Creating a Strong password:

Passwords are case-sensitive and may be up to 127 characters long. A strong password:

  • Should never contain the user name.
  • Should be a minimum of eight characters long.
  • Should include both lowercase and uppercase letters (at least one from each group is suggested).
  • Should contain at least one number (0 to 9).
  • Should contain at least one symbol (e.g. *, ^, $, #).

A string with all the above characteristics is considered a strong password. A complex password should not be something that is difficult to remember: forgetting a strong but hard-to-remember password is as harmful as being attacked through a weak one.

The password must be easy to remember but difficult for anybody else to guess. It can be a favorite phrase or quotation, or a combination of two words. Character substitutions can also be used to satisfy the criteria above: for example, ‘a’ in a password can be replaced with ‘@’, ‘i’ with ‘!’, and ‘o’ with ‘0’ or ‘()’.
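As an added example (not code from the original post), the following Python checker applies exactly the rules listed above, including the 127-character limit and the user-name rule, and applies the post’s character substitutions to a memorable phrase. The rule names, the symbol set and the sample passwords are assumptions of this example.

```python
"""Password policy checker for the rules listed in the post (added example)."""

MAX_LENGTH = 127   # the post states passwords may be up to 127 characters
MIN_LENGTH = 8
# Assumed symbol set; the post only lists *, ^, $, # as examples.
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# Substitutions suggested in the post ('()' for 'o' is omitted to keep a 1:1 map).
SUBSTITUTIONS = {"a": "@", "i": "!", "o": "0"}


def check_password(password: str, username: str = "") -> list:
    """Return the list of violated rules; an empty list means the password is strong."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    # The user-name check is case-insensitive: "Alice" inside "Alice#2010x" still counts.
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def leetify(phrase: str) -> str:
    """Apply the post's character substitutions to a memorable phrase."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in phrase)


if __name__ == "__main__":
    # Constructed sample passwords, checked against the constructed user name "alice".
    for pw in ["123456", "Summer2010", leetify("GoldenGate99")]:
        print(pw, "->", check_password(pw, "alice") or "strong")
```

Note that these substitutions are well known and are included in common cracking word lists, so they satisfy the checklist but add little real unpredictability; length and an uncommon phrase matter more.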

It is good practice to change passwords periodically, for example monthly or quarterly.

Open Source Utility for Enhanced Password Security

Posted by cyber-geek | Posted in Cyber tips | Posted on 30-10-2009


With the growth of online banking, online e-mail, online purchases, etc., there is a need for stronger password security. If you are like many people who use the same password for most sites, you are in trouble if that password is compromised. You need to make your passwords complex and tough to crack, and create a separate password for each account. Once you have a different complex password for each site, the problem is how to remember them all. The last thing you want to do is write the passwords down on paper or in a notebook and carry them in your wallet or purse.

KeePass is an open source utility that works on almost any platform, including your smartphone (clients are available for Windows, Ubuntu, Linux, Mac OS X, J2ME (cell phones), BlackBerry, Windows Mobile and more). You can store your passwords in a password-protected, encrypted database and retrieve them when needed. It will even generate a complex password for you. KeePass supports the Advanced Encryption Standard (AES, Rijndael) and Twofish algorithms to encrypt its password databases. Many plugins are available that add features such as form filling and an on-screen keyboard.

See the source link below for more information on KeePass.

[Image: KeePass demo screenshot]

Source: http://vjalagam.blogspot.com/2009/09/keepass-opensource-password-safe.html

Technical Tips to Prevent Phishing

Posted by cyber-geek | Posted in Cyber tips | Posted on 29-10-2009


Many anti-phishing approaches have been implemented to date, including features built into browsers, browser extensions or toolbars, and steps within website login procedures. Most websites targeted by phishing are secure, meaning that SSL with strong cryptography is used for server authentication. In principle, it should be possible to confirm the site using the SSL authentication, but in practice it is easy to deceive the user.

The underlying flaw is that the browser’s security user interface (UI) is insufficient to deal with today’s threats. Secure authentication has three parts: first, an indication that the connection is in authenticated mode; second, which site the user is connected to; and third, which authority says it is the site it claims to be.

Secure Connection: The user easily misses the padlock that was the standard indicator for secure browsing from the mid-1990s to the mid-2000s. Mozilla introduced a yellow URL bar in 2005 as a better indication that the connection is secure. Unfortunately, this innovation was later reversed with the arrival of EV Certificates, which gave high-value certificates a green display and left the rest with a white display.

Which Site: The user is expected to verify that the domain name in the browser’s URL bar is in fact where they wanted to go. URLs can be too complex to parse, and users often do not know or recognize the URL they intend to visit, which makes the authentication meaningless. Many e-commerce sites change domain names within their overall set of websites, making it harder for the user to keep track. Simply displaying the domain name of the visited website, as some anti-phishing toolbars do, is also insufficient.

Firefox offers an alternative: a pet name extension that lets users assign their own labels to websites, which they can recognize when they later return. If a site is not recognized, the software warns the user or flags it outright. This represents user-centric identity management of the server. A graphical image selected by the user could be an even better identifier.

With the introduction of EV Certificates, browsers display the organization’s name in green, making it more visible and hopefully more consistent with the user’s expectations. But browser vendors have limited this display to EV Certificates only, leaving the user in the dark for all other certificates.

Who is the Authority: As far as the user is concerned, the browser is the authority at the simplest level, since no authority is stated at this stage. The current practice is for browser vendors to control a root list of acceptable CAs. The problem is that not all Certification Authorities (CAs) employ good or applicable checking, and not all CAs subscribe to the same model, in which certificates are only about authenticating websites or e-commerce organizations. Certificate Manufacturing is the term given to low-value certificates issued on the strength of a credit card and an e-mail confirmation, which fraudsters can easily subvert. Thus, a valid certificate issued by another CA may spoof a high-value site. This can happen because that CA is in another part of the world and is unfamiliar with high-value e-commerce sites. Since each CA is charged with protecting its own customers and not the customers of another CA, there is an inherent flaw in this model.

The solution to the above problem is for the browser to show the name of the authority that issued the certificate, and for the user to become familiar with it. This presents the CA as a brand and lets the user come to know the handful of CAs in their country. Branding gives the CA an incentive to improve its checking, and users would come to demand good checking for high-value sites.

This solution was put into action in early versions of IE7, which displayed the issuing CA when showing EV Certificates. Nevertheless, this turned out to be an isolated case. There is resistance to branding CAs in the browser chrome, resulting in a fallback to the simplest level above: the browser is the user’s authority.

How safe are you browsing with Firefox?

Posted by cyber-geek | Posted in Cyber tips, Secure Downloading | Posted on 16-10-2009


Mozilla Firefox is a popular browser used by millions of Internet users around the world. Its best feature is its support for adding more and more plugins that give you advanced browsing capabilities.

However, we need to update these plugins as soon as a new version is available. Plugin updates not only bring new features but also fix vulnerabilities that expose you to security threats while browsing. Many people skip updates even though it takes only a little time (no more than 2 minutes) for the plugin to update and the browser to restart. This increases their exposure to online threats such as malware, viruses, botnets, etc.

How do you check whether your plugins are up to date? Open this URL in your browser: https://www-trunk.stage.mozilla.com/en-US/plugincheck/.

The page that opens shows the status of each plugin.

  • Green indicates that your plugin is up-to-date.
  • Yellow indicates outdated but without known vulnerabilities.
  • Red indicates that the plugin is known to have security holes and is outdated.
  • Grey-colored plugins need no attention.

Update your plugins frequently for safer and better browsing.

Phishing – Types And Precautions

Posted by cyber-geek | Posted in Cyber tips, Secure Downloading, Spam Awareness | Posted on 10-09-2009


Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Types of Phishing

Phishing is usually carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website that closely resembles the legitimate one. Because the fake website looks so similar to the original, it takes considerable skill to determine whether a website is fake or not.

  1. Misspelled URLs: Phishers use deceptive techniques to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization, by using misspelled URLs or sub-domains. Sometimes the phishers make the anchor text of a link appear valid, while the link actually goes to the phisher’s site.
  2. Whaling: Phishing attacks directed specifically at senior executives and other high-profile targets within businesses are known as whaling.
  3. Image Phishing: Phishers have also used images instead of text to make detection harder for anti-phishing filters.
  4. Cross-site scripting: An attacker can even exploit flaws in the original website’s scripts against the victim, which makes the attack even harder to detect, since everything from the web address to the security certificate appears genuine. This technique is known as cross-site scripting.
  5. Phone Phishing: A customer receives a call asking them to call back to discuss problems with access to their bank account. The person is then tricked into giving away sensitive information such as credit card details.
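As an added detection example (not code from the original post), the following Python script scans an HTML e-mail for the two link tricks described in item 1: anchor text that shows a different host from the real destination, and a trusted domain name embedded as a prefix of an unrelated host. The trusted domain, the `.test` hosts and the sample message are constructed for this example.

```python
"""Flag links whose visible text or host disagrees with the real destination (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the recipient legitimately deals with.
TRUSTED_DOMAINS = {"mybank.example"}


def host_of(text: str) -> str:
    """Return the lowercase host of a URL or bare host name, or '' if none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True only if host IS a trusted domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return (href, reason) for each link that shows a phishing pattern."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Only treat the anchor text as a URL when it looks like one (no spaces, has a dot).
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != real:
            findings.append((href, "text shows %s but goes to %s" % (shown, real)))
        elif any(d in real for d in TRUSTED_DOMAINS) and not is_trusted(real):
            findings.append((href, "trusted name embedded in untrusted host"))
    return findings


# Constructed sample message: two deceptive links and one genuine one.
SAMPLE = """<p>Dear Customer, verify at
<a href="http://mybank.example.verify-login.test/">https://www.mybank.example/</a>
or <a href="http://www.mybank.example.secure-check.test/">click here</a>.
Help: <a href="https://help.mybank.example/">https://help.mybank.example/</a></p>"""
```

Running `suspicious_links(SAMPLE)` reports the first two links and leaves the genuine help link alone.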

Measures to counter phishing

People need to change their browsing habits when it comes to phishing. For example, when asked to reveal sensitive information, they should contact the company directly to make sure the mail is genuine, and they should not fall prey to mails that address them as “Dear Customer”. PayPal, for instance, makes a point of addressing users by their usernames.

One of the major weaknesses of users is the click-through syndrome, where the user treats any pop-up as a case of misconfiguration and proceeds with their work without heeding the computer’s warning.


Safety measures to buy a Product Online Securely

Posted by cyber-geek | Posted in Cyber tips, Online Shopping | Posted on 28-08-2009


The main advantage of online shopping is its convenience: anybody can search for and buy a product with a click of the mouse on their PC.

However, online shopping has some concerns and risks associated with it. Many of these risks depend on the behaviour of the shopper and can be avoided by being a little vigilant and following some basic precautions.

Precautions to keep online shopping secure:

Selecting a website: It is a little difficult to identify a reliable website for shopping online. As we know, creating a website is quite easy and has no restrictions. One must make sure that the website they are transacting with is reliable. Always prefer to buy from companies you already know. If you are planning to buy from an unknown website, start with smaller orders until you are satisfied with their service and reliability.

The URL of the website also helps you judge whether it is reliable. It should start with https://. The “s” displayed after “http” indicates that the website uses a secure connection. Often, you do not see the “s” until you actually reach the order page on the website.

Checking if the website is secure: Make sure the website has sound security practices. The company may be reliable, but if it has no proper mechanism to protect its customers’ information from hacking, that is a problem. Try to find out whether the merchant stores your data in encrypted form. Be sure to read the website’s privacy and security policies before providing your personal information.

Checking for its reputation: Though there is no strict logic proving a relation between reputation and reliability, reputed businesses cheat very rarely. Thus, it is wise to consider the reputation of the website before doing business with it. You can check this with the help of search engines; reputed businesses often appear on the first page of search listings.

Checking for its usability: The usability of a website tells you something about its credibility. Pop-up windows are always troublesome while doing a transaction on any website. Stay away from pop-up windows and, if possible, from sites that use them.

Run Antivirus Software: Before doing any online transaction, update your antivirus software, which helps protect you from unwanted cookies and applications.

Reveal Only the Bare Facts: It is common for an online merchant to ask you to sign up before ordering a product. However, make sure you disclose only the data that is mandatory and makes sense to provide. You never need to provide your social security number to an e-commerce merchant. If the site is pressuring you for too much information, it is best to simply leave the website.

Rechecking: Before finalizing payment to the merchant, make sure that the shopping cart contains all, and only, the products you selected. This is the last stage at which you can add or delete products.

Payment Options: There are many options for paying online, such as credit cards, debit cards, cash and cheques. Of all these, credit cards are the safest option for purchasing online. It is recommended to keep a separate credit card for e-commerce purchases so that fraudulent charges are easier to track.

Recheck again: After the transaction is complete, recheck the transaction details and keep a record of them if possible. Finally, don’t forget to sign out of the site.

Online shopping is a real boon for shoppers, but only if they are cautious during the transaction.
