Tuesday 30 September 2008

ScreenAudit 1.3 Released

This version introduces a Tools Menu. From this menu you can choose to create a QuickTime Movie / Slideshow of all your archived images in chronological order.

Once the movie is created, it, along with the images that make up the movie, is moved into a new folder called Archive_Date_Time within your ScreenAudit destination folder. The movie can be used to easily view the captured activity.

Download Here: http://www.artenscience.co.uk/artenscience/ScreenAudit.html



www.artenscience.co.uk
Honest Expert Independent Technology Advice for Business

Monday 29 September 2008

macVCR 1.1.3 Released

Another update for macVCR featuring some functionality requested by customers and potential customers.

Today's update adds the following features:

Feature: The ability to record a selected area only, of any of your monitors.
Feature: Speech feedback for certain actions
Feature: The user manual has been refined and updated.

The trial version allows 60 seconds continuous recording.




Friday 26 September 2008

macVCR 1.1.2 Released



Another update for macVCR featuring some functionality requested by customers and potential customers.

Today's update adds the following features:

Feature: Export Quicktime Movie, from the Tools Menu (Many Movie Format Options).
Feature: Compression is now shown as nn% as well as showing the Slider
Feature: Check for Updates menu now available.
Tweak: Refined the AutoUpdate Procedure.

The trial version allows 60 seconds continuous recording and can be downloaded here: http://www.artenscience.co.uk/artenscience/macVCR.html

This Sample Movie was recorded with macVCR using the settings shown below, it was 16Mb in Size. It was then exported as MPEG4 using macVCR and is now 2.1Mb in size.




Wednesday 24 September 2008

macVCR 1.1.0 Released

Following the release of macVCR yesterday evening I have received a deluge of emails. Most complimentary, some critical and many with suggestions on how to make the product better, or more useable for a particular purpose. I also had quite a few sales as well which suggests I did something right :-)

Today's update adds the following features:

Adjustable Resolution for the saved movie. The default is for the original resolution of your screen but this can now be changed.
Multiple Monitor Support, record from either of your first two monitors.
New Tools Menu with the option to calculate the Theoretical Maximum Frames Per Second.
FPS and Frame Interval (ms) shown prior to recording.
The settings screen has been re-designed to support the new options.

I have also resolved a small timing issue.



The latest version can be downloaded from here: http://www.artenscience.co.uk/artenscience/macVCR.html

The trial version allows 60 seconds continuous recording.


Tuesday 23 September 2008

Arten Science Releases macVCR Screen Recording Software



We've just released macVCR 1.0.0.

macVCR allows you to record what happens on your computer screen to a Quicktime movie which you can then replay later at your leisure. macVCR doesn't require any form of installation, just double click the Icon and the program will launch.

* Specify Recording Length or Operate Manually
* Adjustable Compression Quality
* Choice of Codecs
* Specify Frames Per Second
* Low Disk and CPU Usage
* Trial Version Available for Download






Monday 22 September 2008

ScreenAudit Minor Update 1.2.2

A minor update to ScreenAudit. A customer requested that I make it possible to screenshot the contents of the primary monitor only. This can now be done by selecting an option in the Preferences screen.




Sunday 21 September 2008

ScreenAudit 1.2.1 Released

ScreenAudit 1.2.1 is a minor release with an option to specify the size of the image captured by the webcam. In addition ArtenView, which is included with the download, has been updated to correct a minor display problem.









Friday 19 September 2008

Automatic Serial Number Generation and Order Fulfillment

So, I'm having emails arrive from Kagi notifying me that somebody has bought one of my products. At that point I fire up my Serial Number generator software that I wrote, input the user's name and click the button for the product they have purchased. This generates a serial number and an email to the customer.

Their serial number is an encryption of their user name using a 16 digit key that is unique to each product. Encryption duties are handled by AES128.

So far so good. However if I take a few hours to respond this can be seen as less than ideal. The user has paid their money and they want their serial number - NOW. At least I would in their shoes. During the hours of sleep with the best will in the world I cannot get a serial to the user until morning, my morning, bearing in mind that my users are mainly from the states and in a different time zone.

I need to look at some kind of automated service. A web service to take a user name and respond with a serial number is the easy part, the difficulty is how do I restrict this to users who have actually purchased something? Do I set up something with Kagi that gives the user a password that allows them a (one time only) access to the serial number web service, with a different password depending on the product they have purchased? Do I capture the Kagi emails, scrape them for details and pass that through the serial number generator and send a response back that way?

It's tricky but has obviously been solved many times before. What do you guys do ?
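One way to build the "one time only" access idea from this post, shown as an added example that is not the author's own software: each purchase notification creates a random single-use token tied to a product, and redeeming the token returns the serial for the supplied user name. The key values, function names and serial layout are assumptions, and HMAC-SHA256 stands in for the AES128 step because the Python standard library has no AES.

```python
import hashlib
import hmac
import secrets

# Constructed sample keys: one 16-byte secret per product, kept on the server only.
PRODUCT_KEYS = {
    "macVCR": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "ScreenAudit": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def make_serial(product, user_name):
    """Derive the serial from the user name with the product's key.

    HMAC-SHA256 replaces the AES128 encryption described in the post.
    """
    mac = hmac.new(PRODUCT_KEYS[product], user_name.strip().encode("utf-8"), hashlib.sha256)
    digits = mac.hexdigest()[:20].upper()
    return "-".join(digits[i:i + 5] for i in range(0, 20, 5))


def check_serial(product, user_name, serial):
    """Recompute the serial and compare it in constant time."""
    if product not in PRODUCT_KEYS:
        return False
    expected = make_serial(product, user_name).encode("ascii")
    return hmac.compare_digest(expected, serial.strip().upper().encode("utf-8"))


class FulfilmentService:
    """Issues serials only to holders of an unused purchase token."""

    def __init__(self):
        # Maps sha256(token) -> product. Only the hash is stored, so a leaked
        # table does not reveal tokens that can still be redeemed.
        self._pending = {}

    def record_purchase(self, product):
        """Call when a payment notification arrives; returns the token to send to the buyer."""
        if product not in PRODUCT_KEYS:
            raise ValueError("unknown product: %r" % product)
        token = secrets.token_urlsafe(24)
        self._pending[hashlib.sha256(token.encode("ascii")).hexdigest()] = product
        return token

    def redeem(self, token, user_name):
        """Return (product, serial) for a valid unused token, otherwise None."""
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        product = self._pending.pop(key, None)  # pop makes the token single-use
        if product is None:
            return None
        return product, make_serial(product, user_name)


if __name__ == "__main__":
    service = FulfilmentService()
    token = service.record_purchase("macVCR")
    print(service.redeem(token, "Bilbo Baggins"))  # product and serial
    print(service.redeem(token, "Bilbo Baggins"))  # None: token already used
```

Because the token is bound to the product at purchase time, the buyer never chooses which product key is used, and a replayed or guessed token yields nothing.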


Wednesday 17 September 2008

ScreenAudit 1.2 with ArtenView

I’ve been working hard on adding all the features to ScreenAudit that my customers are requesting.

Version 1.2 of ScreenAudit comes with ArtenView, a utility to list, find and view images from your ScreenAudit archive.
1.2 is of course a free update to existing customers.





ScreenAudit 1.1.6 Released

Another small update to ScreenAudit:

Updates for 1.1.6

Allows you to store the captured webcam and screen images anywhere on your hard disk or any attached network storage. Use the Choose button to navigate to the required folder.

Option to Speak a warning 3 seconds before image capture.




Types of Encryption

IPSEC

IPSec (IP Security) is based on the concept of a shared secret. The encoding and decoding of the information can only be done if the two devices share a piece of key information. This means that the data can be captured but not understood unless the third party shares the secret.

IPSec was designed to support the secure exchange of packets at the IP Layer. IPSec supports two modes of operation, Transport and Tunnel. Tunnel is the most secure and is the one we are most likely to be familiar with as it is widely used in the VPN domain.

The primary protocol used by IPSec for exchanging the secret is called Internet Key Exchange (IKE). Most of the IKE exchange process is based on a mechanism called OAKLEY, which works with assorted key exchange modes. Another similar mechanism also used by IKE is SKEME, which supplies IKE with the method of Public Key Encryption and its fast re-keying facility.


RSA / RC4

RSA was developed by three mathematicians, Ron Rivest, Adi Shamir and Len Adleman. This system uses a Public and Private Key. It is probably the most popular method for Public Key Encryption, and digital signatures, in use today.

RC4 was also invented by Ron Rivest and is used in certain commercial systems such as Netscape and Lotus Notes. It has a bit size of 2048 which makes it a fast and strong cypher.


DES / 3DES

DES (Data Encryption Standard) was developed by the US Government in 1977 as an official standard. It is used in many areas within computer security including UNIX password security. DES is a block cipher that uses 56 bit keys. When the standard was developed 56 bit encryption was virtually unbreakable, however the technology now available can break 56 bit encryption within an unacceptably short timeframe.

3DES encrypts the data three times and uses a different key for at least one of the passes, which gives it a cumulative key size of 112-168 bits. A much stronger encryption standard.


Blowfish

BLOWFISH is a symmetric block cipher similar to IDEA or DES. The key length can be between 32 to 448 bits. Bruce Schneier designed BLOWFISH in 1993 as a free and fast alternative to the existing encryption algorithms. BLOWFISH is gaining acceptance as a strong and flexible encryption algorithm.


IDEA

IDEA (International Data Encryption Algorithm) was developed by Dr Lai and Professor Massey in Switzerland in the early 1990s. The idea (pun intended!) was to replace the DES standard. The same key is used for encryption and decryption and like DES it works with 8 bytes at a time.

However IDEA uses a 128 bit key. A 128 bit key is currently defined as unbreakable using any technology currently available. IDEA is a fast algorithm, and as it has even been implemented in some hardware chipsets it can be extremely fast given the right equipment.


AES

AES (Advanced Encryption Standard) is a block cipher that has been adopted by the US Government. Two Belgian cryptographers, Joan Daemen and Vincent Rijmen, developed AES as Rijndael. AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

In June 2003, the US Government announced that AES may be used for classified information:

"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."


CAST

CAST is available with a key size from 40 to 128 bits. It is a DES like cipher. It features an absence of weak and semi-weak keys. It is a good candidate for general purpose use throughout the internet community. CAST is available in two variations: CAST-128 and CAST-256.


Key Systems

There are two main types of encryption system, Symmetric and Asymmetric.

Symmetric Key Cryptography
With this system the sender and receiver of a message use a single common key to encrypt and decrypt the message. The symmetric system is the simplest and fastest type of encryption, but the main drawback is that the two involved parties must somehow exchange the key in a secure manner. Symmetric key cryptography is sometimes known as Secret Key Cryptography. Probably the most popular symmetric key system at the time of writing is DES. A big advantage of Symmetric Key Encryption over Asymmetric Key Encryption is speed.


Asymmetric Key Cryptography
With the asymmetric system two keys are used. A public key to encrypt messages and a private key to decrypt them. The advantage of public key encryption is that the public key can be made available easily to anybody (in fact it has to be for the system to work) and this avoids the problem that faces symmetric key encryption which involves the secure exchange of a single key. The private key is never transmitted.


Hashing

A Hash is a signature for a piece of data. It is always the same size regardless of the size of the source data. Hashing is a one way process: the Hash cannot be converted back to the data that was the source of the Hash. Some common types of Hashing Algorithms are MD4, MD5 and SHA-0.

The smallest change to a piece of source data can produce an entirely different Hash. Hashes are used in a number of ways; the most popular uses are Passwords and File Verification.

Passwords
If we store passwords as clear text it would be possible for a hacker to view and read the passwords. If however a Hash is stored instead, an attacker can view but not read the passwords. This means he cannot know what password generated the Hash. When a legitimate user attempts to login their password is run through the same Hashing Algorithm and the output from this operation is compared to the Hash value stored in the password file. If the Hash values match then access is granted, if not then an incorrect password was input and access will be denied.

File Verification
If you download some software from a website you cannot be sure that what you received was what the author intended you to receive. One way to ensure that you have an original unchanged copy of the software is to compare the Hash value of the software with the published Hash value for that particular download. If these differ, then your software is different to the version you were intended to receive.
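Both uses described above, as an added example that is not part of the original post. It goes beyond the plain hash in the text in two labelled ways: passwords are stored with a per-user random salt and the PBKDF2-HMAC-SHA256 key derivation function, so identical passwords do not share a stored value and guessing is slow, and files are checked with SHA-256 rather than the algorithms listed. The iteration count and sample data are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(attempt, salt, stored_digest):
    """Run the login attempt through the same algorithm and compare the outputs."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, stored_digest)  # constant-time comparison


def file_sha256(path, chunk_size=65536):
    """Hash a file in chunks so a large download does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex):
    """True only if the file's hash equals the hash published for that download."""
    return hmac.compare_digest(file_sha256(path), published_hex.strip().lower())


def demo():
    """Exercise both uses on constructed sample data and return the outcomes."""
    salt, stored = hash_password("correct horse 9!")
    results = {
        "good_login": verify_password("correct horse 9!", salt, stored),
        "bad_login": verify_password("correct horse 9?", salt, stored),
        # Same password hashed again gets a new salt, so the stored value differs.
        "salts_differ": hash_password("correct horse 9!")[1] != stored,
    }

    original = b"installer bytes v1.0\n" * 1000     # constructed "download"
    published = hashlib.sha256(original).hexdigest()  # what the author would publish
    tampered = original[:-1] + b"!"                  # a single byte changed

    with tempfile.TemporaryDirectory() as tmp:
        good_path = os.path.join(tmp, "good.bin")
        bad_path = os.path.join(tmp, "tampered.bin")
        with open(good_path, "wb") as fh:
            fh.write(original)
        with open(bad_path, "wb") as fh:
            fh.write(tampered)
        results["intact"] = verify_download(good_path, published)
        results["tampered"] = verify_download(bad_path, published)

    results["digest_len"] = len(published)  # fixed size regardless of input size
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The published hash only proves anything if it is obtained over a channel the attacker cannot also modify, for example an HTTPS page separate from the download mirror.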


Tuesday 16 September 2008

Security: Securing The Network: Non Technical Guide to Corporate Security

Securing the Network
A Non Technical Guide to Corporate Security



Introduction

Security can be likened to Insurance. Most people and organisations never really consider it worthwhile until the worst happens. Today we live in an age where computer and network security has to be at the top of the CIO’s agenda. There is too much at stake for security to be an afterthought.

Unfortunately security and convenience/practicality are at opposite ends of the user experience. As such security will always be a compromise. To give a contemporary example: It is extremely easy to stop terrorists getting on airplanes. Use airplanes for cargo only. Problem Solved. This however is not a practical solution and so a compromise between security and practicality is necessary.

This document looks at the computer and network security that is needed within the modern enterprise and explains in layman’s terms the policies, procedures and settings that are essential to ensure that if security is going to be compromised then somebody is going to have to work hard to do it.

Implementing the ideas from this document does not guarantee that your network will be secure. A spokesman for the FBI recently said that the only secure computer was one buried under 20 feet of concrete, and even then he wasn’t sure!

Assuming you don’t design military hardware or do research into Biological Warfare, following this document will ensure that you have done the majority of things that can be done to secure your network considering the overriding factor of practicality.

This is not a comprehensive security document and it does not cover every eventuality. The suggestions it makes however, if followed, are likely to lead to more comprehensive security than what your competitors and most other companies have.

After all, you don’t always have to be able to run fast, as long as you run faster than the other person when you are both being chased by a bear …


What is a Hacker ?

You will see references to the word ‘Hacker’ throughout this document. I have used the word ‘Hacker’ as it should be used, not as it is often used in modern literature or in Hollywood films.

A Hacker is someone who likes to know, in depth, about a subject. Someone who is willing to study and tinker until they gain mastery of their craft. Generally accepted to be gifted Programmers or System Administrators, they can I believe be categorised by their belief that if the knowledge is worth pursuing they won’t necessarily let laws or restrictions stop them. The average Hacker’s attitude is probably a bit ‘Grey’ as opposed to either ‘Black’ or ‘White’.

A Hacker, like anybody else, can have either good or bad intentions, and be capable of either good, bad or indifferent acts. In this document you should understand the type of Hacker I am describing by the context of the paragraph in which they are mentioned.


The Security Triad

The three cornerstones of information security are:

Confidentiality
Integrity
Availability


Confidentiality is concerned with information being accessible to only the intended recipient. This may be documents, database information, emails or even instant messages.

Integrity is concerned with the fact that for information to be trusted we must know that it has only been modified by those who are authorised to do so. In addition the data must be 100% accurate.

Availability is making sure the information is available to the right person(s) when it is needed. Factors that affect this delivery of information such as incorrect permission settings or denial of service attacks are examples of how availability may be compromised.

TECH NOTE: Denial of Service Attack: This is when several hundreds or thousands of computers are commandeered by a Hacker and all set to send requests to a targeted website simultaneously. This can often cause the targeted website to crash or become otherwise unusable.

The concept of security in the enterprise involves considering and balancing these three concepts, every step of the way.


The Laws of Security

Client side security does not work.
You cannot securely exchange encryption keys without a shared piece of information.
Malicious code cannot be 100% protected against.
Any malicious code can be completely altered to bypass signature detection.
Firewalls cannot protect you 100% from attack.
Any Intrusion Detection System (IDS) can be evaded.
Secret cryptographic algorithms are not secure.
If you don’t have a key, you don’t have encryption, you have encoding.
Passwords cannot be securely stored on the client, without password protection.
For a system to be considered secure, it must undergo an independent security audit.
Security through obscurity does not work.

Source: INFOSEC Career Hacking, Syngress 2005.


Threats

The main threats that we face as a business if our network or computer or security systems are compromised, are listed below:

Data Loss
Data Theft
Identity Theft


The main ways in which these threats can be realised are listed below:

Malware / Trojans
Viruses
Pod Slurping
Social Engineering
Physical Destruction
Employee Dishonesty



Physical Security

Physical Security in the context of this document can be split into two areas, security of your building/office and security of your computers/servers.

The security of your building or office is covered in this document because if it is possible for somebody unauthorised to gain access to your building or office then the best computer security in the world will not help. They could steal your computer, plug a laptop into your network, put a tap on your phone, steal confidential information etc. etc.

Gaining access, even to a secure establishment can be as simple as ‘piggy backing’. This involves walking into a building close to a group of others, if this is done casually enough then you are extremely unlikely to be questioned. One way around this, typically used in high security installations, is the idea of a ‘man trap’, basically an enclosed ‘chicane’ type area which allows one person through at a time.

At the very least anybody visiting your establishment should be made to wear a ‘Visitors Badge’ displayed prominently, which should be handed in when leaving the premises.

Secondary entrances and Fire Exits should be kept closed and secured as far as possible.

Physical security of your computers and servers means paying particular attention to the CD/DVD Drives, USB Ports, Firewire Ports Etc. These items can all be used to apply Malware/Trojans/Viruses to a computer and in most cases can also be used to take data off the computer, and out of your control.

Any electrical device of value should be attached to a secure point via an armoured cable, available from many suppliers. Many desktop and laptop computers now have points that are designed to be used with the armoured cable and padlocks currently available.


Firewall

A Firewall is a device connected between your internal computer network and the external internet. A Firewall can either be software running on a computer or a dedicated hardware device.

The purpose of a Firewall is to stop undesirable access to the machines on your network and at the same time allow access and capabilities that you deem desirable.

A Firewall is not a guaranteed safeguard. Nevertheless it is an important item in your security portfolio. Without some sort of Firewall between you and the internet it is likely that your computer would be compromised within minutes.


User ID

Traditionally access to many computer systems has been via a ‘username’. Some examples are shown below:

Bilbo
Bilbobaggins
Bilbo.baggins

The problem with this of course is that an attacker can utilise employee information gained from many sources to guess the logon names to the computer system. If they know the logon name they are 50% of the way there to getting access.

Even worse, many people use the same ‘username’ as their email address, see below:

Bilbo@hobbit.com
Bilbobaggins@hobbit.com
Bilbo.baggins@hobbit.com

This means that an attacker has only to learn the name of an employee to have a good idea as to both their computer logon and their email address, or alternatively they only need the email address to learn an individual’s computer logon and name.

TECH NOTE: Email SPAM: An additional problem with using a name as an email address is the fact that some spammers now use code to churn out millions of emails to a domain name, i.e. hobbit.com, using variations of people’s names. This in itself is a potentially massive problem.

My suggestion is that systems designed or re-engineered nowadays should use logons and email addresses that bear no relation to the name of the individual. For example:

M7071@hobbit.com

This may not be as simple or as intuitive as previous methods but it is a lot more secure, and anything we can do to secure ourselves that little bit more, is worth doing.


Passwords

User passwords should conform to the following criteria:

Minimum Length, 9 Characters
Combination of Letters, Numbers and Special Characters
Mixed Case
Does not form Proper Word

To ensure that the user remembers her password and does not stick it underneath the keyboard on a Post-It note, you may implement the following suggestions:

Let the user choose her own password
Build the password from a phrase, such as a line from a song.


The system should be set up so that after a given number of password attempts the account is locked. This helps protect against Brute Force password attacks.

In addition the policy should be enforced so that passwords are changed at least twice a year, quarterly or more often would be better.


Authentication

Authentication is the act of confirming that someone is who they say they are. From the perspective of computer or network security the device needs to be able to cross reference the data that is input as the data that is expected in order to be able to allow access to controlled resources.

Authentication comes before, and is different to Authorisation. Once you are authenticated with a system, you can then be Authorised to access agreed system resources. Access criteria is the crux of Authorisation.

There are generally thought to be three ways to authenticate:

Something a person knows
Something a person has
Something a person is

Something a person knows:
Password, Pass Phrase or Pin Number Etc.

Something a person has:
ID Card, Security Token, Mobile Phone Etc.

Something a person is:
Fingerprint, DNA, Retina Scan, Voice Scan Etc.


Routers

Your internet router should be set up so that it does not respond to an ICMP query from the Internet, i.e. disallow external pings.

In addition UPNP (Universal Plug and Play) should also be switched off.

Unless you desperately need access to remotely configure your router then you should also disable the remote access facility.

TECH NOTE: ICMP (Internet Control Message Protocol) Query: This is generally known as a ‘Ping’. One computer can Ping another as a way of saying ‘hello, are you there ?’. A reply is expected from the computer that receives the message.

TECH NOTE: UPNP (Universal Plug and Play): This is a set of protocols designed to simplify device configuration by attempting to automatically configure them for you.



The Administrator Account

The Administrator account on each server should be set up with a large and complex password and then disabled. Changing the name of the Administrator account will not fool a decent hacker: under Windows the Administrator account always has the ID of 500, even if you do choose to rename it to BilboBaggins or BartSimpson.

Each Administrator should then be given their own Admin account and password, and no Admin should know the password for another Admin’s account. This ensures that you are able to Audit the Administrator level access to the servers and tie it down to a specific individual.


Resources

When considering the resources that you provide for your users you should look at them in the context of:

Confidentiality
Integrity
Availability


The general rules to use when setting up access to resources are:

Need to know
Least Privilege


Need to Know
This applies to users and the information they need. There is nothing to be gained by passing on information to users regarding server and router IP addresses, DNS and DHCP if they do not need to be told these things to do their job.

Least Privilege
Basically what we are saying here is that users and employees should be given the lowest and most restrictive access possible, whilst still enabling them to do their job. It is easier to control the escalation of access rights than it is to try reducing them at a later date!

When setting up Access Control within a Network Operating System it is common to use Groups as a logical object to apply permissions to, instead of applying permissions against an individual user object. This makes system administration so much quicker and simpler. However from a security standpoint this practice is not recommended.


Servers

If somebody has physical access to your servers then all further security is completely compromised. Your servers should be located in a secure location, i.e. safe from theft, tampering, fire and flood and ideally accessed only remotely using tools such as Remote Desktop and VNC.

TECH NOTE: VNC (Virtual Network Computing): This is a desktop sharing system ideal for use when attempting to administer a computer that is located inconveniently.


Service Packs / Updates

As with anything else concerning security, the installation of Service Packs and Updates is a compromise.

Install them quickly when released and you may secure your servers from a current threat, however if you have not had time to test the updates then they may cause serious problems on your systems.

Personally I lean towards installing them quickly on machines that may be exposed to the external threat and taking my time on machines that are unlikely to be threatened.


Wireless Networks

Wireless networks are a major potential security breach. The following are some ideas on what you can do to minimize your exposure.

Change Your SSID
A SSID is the public name of your wireless network. SSID stands for Service Set IDentifier. Many people leave this set to the factory default, which may be LINKSYS or 3COM or similar. Change the SSID to something that describes your own network, this will at least ensure that people do not accidentally connect to your network instead of their own.

TECH NOTE: AP (Access Point): This is a transmitter / receiver which connects your wireless network to your LAN (Local Area Network).

Turn off the Access Point Beacon
When you have set up your wireless network there is no further need for your AP to transmit its beacon that basically says ‘I AM LINKSYS. I AM HERE’. So within the administration software or webpage that you use to administer your AP, turn off the beacon. This will make your wireless network invisible to somebody who is just scouting around. If they know you have a network already or if they know the SSID they can still see and/or connect to you.

Restrict Access to specific MAC Addresses.
Each network card within a computer contains a MAC Address that is (to all intents and purposes) unique. With some APs you can restrict access to your wireless network to computers of a known MAC Address. The procedures differ for each AP and some do not even support this, but if your AP does support this it is worth pursuing. This assumes that you do not regularly have new computers needing to connect to your network. Also be aware that valid MAC Addresses can be sniffed from your network and the attacker can spoof his MAC Address so that it looks like yours ...

TECH NOTE: MAC (Media Access Control) Address: This is a unique identifier attached to most sorts of networking equipment and consists of two parts, the first part related to the manufacturer of the device and the second part is a serial number.

Change the Admin Password on your Access Point
This one goes without saying.

Implement Encryption
At a minimum, enable WEP. However if possible WPA should be setup and used. Use the maximum encryption length.

TECH NOTE: WEP (Wired Equivalent Privacy)
TECH NOTE: WPA (WI-FI Protected Access)



Workstations

Employee workstations can be the most difficult device to secure properly. For a start the employee has unrestricted physical access to the computer and (hopefully) restricted access to the network.

As much data and information as possible should actually be stored on the server with limited facilities for the employee to download and copy the data via his computer.

Ideally technologies such as server based profiles, Active Directory, Terminal Services and SMS (Systems Management Server) should be used to lock down employee access as much as possible without restricting them to the point of severe inconvenience.

Features of the operating system that the user does not need on a day to day basis, such as access to the Command Prompt on Windows, should be locked down and access restricted.

Users should never logon to their computers with the Administrator or Root account. See the sub-section on Least Privilege.


Laptops / Portable Devices

Data that is installed on a device that is going to be used in the field, must be encrypted. Under Windows a superb solution is Truecrypt.

Truecrypt allows you to set up a ‘container’ in which the contents are heavily encrypted; an encryption key must be entered every time the computer is turned on. This ensures that if the device is lost, your data will remain secure.


Auditing

It is important that part of your security initiative involves auditing your systems. A lot of important information is contained in logs that are scattered around your servers and devices.

It is necessary to look at what devices produce logs that are important and need regular monitoring, and then ensure that you do monitor them. It will be beneficial to introduce some mechanism so that the logs are sent to you on a regular basis, rather than you having to go and get them each time.

You should set up a document that details all your important logs along with the schedule for checking and auditing them.


Separation of Duties

An important part of corporate security is Separation of Duties. This basically means that no one individual should be able to control a process from beginning to end.

Separation of Duties allows for checks to be made by a different individual which helps eliminate mistakes and minimises the risks of fraud.


Viruses

A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user. Though the term is commonly used to refer to a range of Malware, a true virus must replicate itself, and must execute itself. The latter criteria is often met by a virus which replaces existing executable files with a virus-infected copy. While viruses can be intentionally destructive—destroying data, for example—some viruses are benign or merely annoying.

(Source: WikiPedia)

The main source of a Virus infection today is via an email attachment. The ultimate solution of course is to stop the email attachments. Unfortunately due to the lack of an easy, user friendly alternative to sending files, email is now used in a way it was never originally intended, i.e. as a way of transporting files between individuals.

(A fast, easy to use, fully secure method of sending files between users instead of via email is something I am currently looking at creating personally next year)

Destructive Viruses are now far less common than previously. Capitalism has reared its ugly head and you are far more likely nowadays to have your computer compromised and used for criminal activities for which the instigators and controllers of this criminal activity receive payment in return for them supplying your computer as part of a ‘slave army’ of cycles and computer horsepower.

Viruses can be the transport, or distribution method, for Malware. See the next section.

A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an ‘infection’, and the infected file, or executable code that is not part of a file, is called a ‘host’.

A computer virus will pass from one computer to another like a real life biological virus passes from person to person. For example, it is estimated by experts that the Mydoom worm infected a quarter of a million computers in a single day in January 2004. In March 1999, the Melissa virus spread so rapidly that it forced Microsoft and a number of other very large companies to completely turn off their email systems until the virus could be dealt with. Another example is the ILOVEYOU virus, which occurred in 2000 and had a similar effect. It stole most of its operating style from Melissa.


Malware

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words ‘malicious’ and ‘software’. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many normal computer users are however still unfamiliar with the term, and most never use it. Instead, ‘Virus’ is used in common parlance and often in the general media to describe all kinds of Malware.

Software is considered Malware based on the perceived intent of the creator rather than any particular features. It includes computer Viruses, Worms, Trojan horses, Spyware, Adware, and other malicious and unwanted software.

(Source: WikiPedia)


Pod Slurping

The most popular MP3 player, the Apple iPod, has sold 100 Million units since 2001. In addition to the iPod there are many different and competing products in the portable music player space.

From a security standpoint the one thing they have in common is the ability to be plugged into a computer and copy huge amounts of data (possibly confidential data) onto the device in a matter of a few minutes. This can be done very discreetly and easily.

A common misconception is that if the outside perimeter of your network is secured, with Firewalls and Routers, then your network is safe. Very little thought is given to the security of computers and data inside the perimeter and yet around 50% of all security breaches occur from inside the corporate firewall.

This is a very real problem, with no easy solution. If you are in charge of security for your organisation then it’s a problem you will want to address as it will not go away. These portable devices are getting smaller and their capacity is increasing.


Instant Messaging

Instant Messaging tools such as MSN Messenger, Windows Live Messenger, Skype, AOL IM and ICQ have become standard applications for many of us. They do however have their risks.

It is important that a policy is in place that covers the use of Instant Messaging within your organisation, a policy that should be rigorously enforced by the IT Department.

Content sent through to your employees via IM tools completely bypasses your perimeter network defences and, due to the ignorance of most people where these matters are concerned, poses a very real threat.


IDS (Intrusion Detection Systems)

ID stands for Intrusion Detection, which is the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems.

Sometimes, a distinction is made between misuse and intrusion detection. The term intrusion is used to describe attacks from the outside, whereas misuse is used to describe an attack that originates from the internal network. However, most people don't draw such distinctions.

The most common approaches to ID are statistical anomaly detection and pattern-matching detection.

Intrusion Prevention Systems
Quite often discussed in the same context are IPS (Intrusion Prevention Systems). Intrusion prevention systems were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. A considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. As IPS systems were originally a literal extension of Intrusion Detection Systems, they continue to be related.

An IPS is very similar to an Application Layer Firewall.


Encryption

IPSec
IPSec (IP Security) is based on the concept of a shared secret. The encoding and decoding of the information can only be done if the two devices share a piece of key information. This means that the data can be captured but not understood unless the third party shares the secret.

IPSec was designed to support the secure exchange of packets at the IP Layer. IPSec supports two modes of operation, Transport and Tunnel. Tunnel is the most secure and is the one we are most likely to be familiar with as it is widely used in the VPN (Virtual Private Network) domain.
The primary protocol used by IPSec for exchanging the secret is called Internet Key Exchange (IKE). Most of the IKE exchange process is based on a mechanism called OAKLEY, which works with assorted key exchange modes. Another similar mechanism also used by IKE is SKEME, which supplies IKE with the method of Public Key Encryption and its fast re-keying facility.

RSA
RSA was developed by three mathematicians, Ron Rivest, Adi Shamir and Len Adleman. This system uses a Public and Private Key. It is probably the most popular method for Public Key Encryption, and digital signatures, in use today.

RC4
RC4 was also invented by Ron Rivest and is used in certain commercial systems such as Netscape and Lotus Notes. It has a bit size of 2048 which makes it a fast and strong cypher.

AES
AES (Advanced Encryption Standard) is a block cipher that has been adopted by the US Government. Two Belgian cryptographers, Joan Daemen and Vincent Rijmen, developed AES as Rijndael. AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

In June 2003, the US Government announced that AES may be used for classified information:
"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."


Social Engineering

‘The art and science of getting people to comply to your wishes’ (Source: Bernz 2), ‘an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system’ (Source: Palumbo), or ‘getting needed information (for example, a password) from a person rather than breaking into a system’ (Source: Berg).

In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. (Source: Sarah Granger)

Social Engineering is probably one of the biggest threats we face in security and the one we can protect against the least. We have to rely on our employees to question and be vigilant. To do that we need to make them aware of security and the issues surrounding it. See the section on Employee Education.


Reverse Social Engineering

This is where the attacker assumes a position of authority and gets the victim to freely offer information and ask advice. This requires a high level of skill, preparation and research.


Disaster Recovery and Business Continuity

A Disaster Recovery and Business Continuity plan is essential. If the worst happens you want to be able to refer to a document that covers the steps to take to enable you to be back up and running without delay.

The scope of DR and BC could encompass everything from a server crashing and data being lost, to the building going up in flames.

Many companies have a ‘cold’, ‘warm’ or ‘hot’ site standing by to be used in the eventuality of the main place of work being destroyed through fire, flood, terrorist activity or something similar.

A Cold Site generally refers to an empty building, a Warm Site refers to a building with maybe desks and networking and a Hot Site refers to a building that is fully fitted with everything including computer systems, ready to have the backups loaded and be up and running in a very short space of time.

Definitions

Disaster Recovery Plan: Provides procedures for recovering from a disaster after it occurs and also documents how to return the normal IT functions back to the business.

Business Recovery Plan: Addresses how business functions will resume after a disaster, preferably at an alternate site.

Business Resumption Plan: This addresses how critical systems and the functions of the business will be maintained.

Contingency Plan: This addresses what actions can be performed with regard to the normal business activities after a disaster.


Disposal and Destruction

It is a little known fact that even following a format, data can be recovered from your computer's hard disk by a determined hacker. This makes it essential that when disposing of old computers, unless you physically destroy them, you go to some lengths to make sure that the data that was contained on the computer cannot be recovered.

There are various methods that can be used to securely wipe the data from a hard disk. It is important that you select a method that offers the level of protection you require and then use it. Always.


Employee Exit Procedures

When an employee leaves the company, or announces their intention to leave, this should trigger a sequence of documented events that are related to the job they do or did. For example the series of steps to be taken when the IT Manager leaves are different to the series of steps to be taken when the Receptionist leaves.

This series of steps should incorporate the removal of their access card, token, key or any other device they have that can be used to gain physical access to your premises.

Their access to the computer network via remote means should also be removed and any access to confidential data prior to their departure should be logged.

Each and every employee should have an exit interview where their responsibilities to the company are discussed as are any restrictions that are placed upon them contractually.


Employee Education

Good security is impossible to implement without the cooperation of the users and employees.

To this end investment in security training and briefings is likely to pay dividends. Posters should be placed around the working area highlighting key information relating to security threats and reminding users of their responsibilities.

Security cannot be delegated to one department and each and every user should understand that they have a part to play. Training and education for the users in basic security threats should be mandatory.

A lot of excellent material, including leaflets and posters, is available from the Department of Trade and Industry (DTI) website.


Security Testing

To ensure that your security policies are enforced it will be necessary to implement Security Testing. Security Testing can be carried out in any and all of the following ways:

Drills
Penetration Testing
Query Employees
Review the Procedures

In many cases the only way to adequately test your security is through the use of a third party company.


Security: Agreeing a Secure Session Key in Public

Agreeing a Secure Session Key in Public
(Without Disclosing this Key to any Listening 3rd Party)




When setting up a secure connection across the internet, for example between your browser and your online banking site, the key used to create the encryption has to be negotiated ‘in the clear’. What would be the point of setting up an encrypted secure channel when the key had previously been sent across the network for anyone to see? Of course the key isn’t sent across the network, and the following document describes *very simply* how this key negotiation is done without the actual key being sent over the network, where of course it could be seen by anybody running Ethereal or similar network sniffing software.

The method shown below is based on the Diffie-Hellman Key Exchange which was first published in 1976. See NOTE at the end of this document.


The exchange that is transmitted openly across the network is shown in bold.

Client tells Server the starting number. This is a prime number generated at random.

Client Tells Server: STARTNUM = 5

Client then picks another random number that is not disclosed.

Client Secret Number: CLI_SECNUM = 6

Client does the following maths: STARTNUM^CLI_SECNUM = 15625

Client tells the Server: CLI_PUBNUM = 15625

Server picks a random number that is not disclosed.

Server Secret Number: SVR_SECNUM = 3

Server does the following maths: STARTNUM^SVR_SECNUM = 125

Server tells the Client: SVR_PUBNUM = 125

Client does the following maths:
SVR_PUBNUM^CLI_SECNUM = 3814697265625

Server does the following maths:
CLI_PUBNUM^SVR_SECNUM = 3814697265625


The Client and Server now have a number (3814697265625), a key, that can be used to encrypt any further transmissions between them.

So the key that was calculated in public is secret and known only to the Client and Server. This works because exponential maths is not affected by the order in which the multiplications are done (power associative), and it is virtually impossible for the 3rd Party using the data available to it (5, 15625 and 125) to calculate the secret key as it is missing the equally important data of 6 and 3 (the secret numbers).

In reality though the real strength of this method lies in the size of the numbers that are used. Our example uses very small numbers so that the maths are easily checked, a real world example would use numbers that were into the billions, depending on the bit length of the encryption used. The typical length of encryption used for this type of key exchange would be at least 512 bits.

NOTE: In actual fact the Diffie-Hellman Key Exchange works as shown above with the addition of a second prime number being used in conjunction with the STARTNUM, this second number is a primitive root modulo. I have avoided this in the calculations shown above for the sake of clarity.
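As an added example (not part of the original post), the Python below replays the exchange with the post's own numbers and then repeats it with the modulus that the NOTE mentions. The modulus 23 and all function names are assumptions chosen for illustration; without a modulus the secret exponent can be read off a public value by repeated division, and with a modulus this small it can be found by trying every exponent, which is why the size of the numbers matters.

```python
import secrets

# Numbers from the post; P is an assumed toy modulus (the post gives none).
STARTNUM = 5      # public base, usually called the generator g
CLI_SECNUM = 6    # client's secret exponent
SVR_SECNUM = 3    # server's secret exponent
P = 23            # assumption: a small prime for which 5 is a primitive root


def public_value(base, secret, modulus=None):
    """Value sent in the clear: base**secret, reduced mod modulus if one is given."""
    return pow(base, secret, modulus)


def shared_key(peer_public, secret, modulus=None):
    """Key derived from the other side's public value and one's own secret."""
    return pow(peer_public, secret, modulus)


def exchange(base, cli_secret, svr_secret, modulus=None):
    """Run both sides of the exchange and return the public values and the key."""
    cli_pub = public_value(base, cli_secret, modulus)
    svr_pub = public_value(base, svr_secret, modulus)
    cli_key = shared_key(svr_pub, cli_secret, modulus)
    svr_key = shared_key(cli_pub, svr_secret, modulus)
    if cli_key != svr_key:
        raise RuntimeError("the two sides derived different keys")
    return {"cli_pub": cli_pub, "svr_pub": svr_pub, "key": cli_key}


def exponent_without_modulus(base, public):
    """Integer logarithm: with no modulus, a listener recovers the secret by
    dividing the public value by the base until 1 is left."""
    count = 0
    while public > 1:
        public, remainder = divmod(public, base)
        if remainder:
            raise ValueError("public value is not a power of the base")
        count += 1
    return count


def exponent_by_search(base, public, modulus):
    """With a modulus the division shortcut is gone; what remains is trying
    exponents one by one, feasible here only because the modulus is tiny."""
    value = 1
    for candidate in range(modulus - 1):
        if value == public:
            return candidate
        value = (value * base) % modulus
    raise ValueError("no exponent found")


def random_secret(modulus):
    """Secret exponent drawn from a CSPRNG in the range 2 .. modulus-2."""
    return secrets.randbelow(modulus - 3) + 2


if __name__ == "__main__":
    plain = exchange(STARTNUM, CLI_SECNUM, SVR_SECNUM)
    print("post's exchange, no modulus:", plain)
    print("listener recovers client secret:",
          exponent_without_modulus(STARTNUM, plain["cli_pub"]))

    modular = exchange(STARTNUM, CLI_SECNUM, SVR_SECNUM, P)
    print("same secrets, modulo 23:", modular)
    print("search over 22 exponents finds:",
          exponent_by_search(STARTNUM, modular["cli_pub"], P))

    a, b = random_secret(P), random_secret(P)
    print("random secrets agree on key:", exchange(STARTNUM, a, b, P)["key"])
```

Real deployments use a standardized prime of 2048 bits or more (for example the groups in RFC 3526 or RFC 7919) or elliptic-curve Diffie-Hellman, so that the search shown in `exponent_by_search` is out of reach.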


An Overview of Penetration Testing

Introduction
Penetration Testing is an attempt to break the security of a computer system or network, under instruction from the owners or maintainers of that facility. It is an attempt to simulate an attempted break-in by a computer-savvy criminal. A Penetration Test gives a snapshot of the security at a moment in time, and is not a full security audit.

If a criminal attempts to breach your computer network they will generally follow a sequence of five steps:
Reconnaissance
Scanning
Gain Access
Maintain Access
Cover Tracks

It therefore makes sense that a Penetration Test follows a similar, although obviously not identical, sequence of events.

Planning and Preparation
This stage involves a meeting between the Penetration Tester and the Client. Key areas to be covered are: Scope, Objective, Timing and Duration. In addition documents must be signed to cover the Penetration Tester and the Client, generally in the form of a Non Disclosure Agreement (NDA).

Information Gathering and Analysis
This next stage involves the Penetration Tester finding as much information as possible about the company he will be asked to target. His first stop will probably be the company's own website; from there he may consult services such as www.netcraft.com. The information he is looking for is Domain Names, Server Names, ISP Information, Host Addresses and anything else that will help him build a picture of the target. The second part of this process involves Port Scanning and OS Fingerprinting.

Vulnerability Detection
If Stage 2 has been successful then the Penetration Tester now has all the information he needs to make the decision as to what hosts to target, and with what vulnerabilities. Some techniques he may use at this stage include Password Cracking, SQL Injection, Rootkit, Social Engineering and Physical Security.

Analysis and Reporting
This is where the Penetration Tester reports back to his Client. The information he is going to present to the client, includes the following:
An Overview of the work done
Detailed Analysis of all Vulnerabilities
Summary of Successful Penetration Attempts
Suggestions for the next step

Finish Up
This is where the Penetration Tester makes sure that anything he has done in the course of his work will have no effect when he has finished. For example he will remove any backdoors and additional user accounts that he has created, leaving the system how he found it.

The above is a quick overview only of the procedures that may be followed by a Penetration Tester while undertaking their assignment.


ScreenAudit 1.1.5 Released

This is a small update:

The format of the preferences file has changed and you may need to re-enter your preferences information.

Licensing is now handled using the same binary along with a User Name and Password. This simplifies updating to a later version for licensed users.

The Countdown and Window Transitions are now halted when the About or Preferences windows are displayed.


ArtenSPEAK for Special Needs ?

I just came across an article on the Alltogether blog http://alltogether.wordpress.com/ which mentioned my freeware program ArtenSPEAK.

I'm thrilled that it is mentioned on a site for people with special needs, it gave me a buzz to think that a little program I created in a couple of hours may be of use to someone disadvantaged. I never designed it with that in mind - and I feel rather ashamed it never occurred to me. It was designed so I could put my feet up on the desk, close my eyes and still catch up with my email or web page reading ...

As Samual Sennott mentions in one of his posts on the site (on a completely unrelated topic) 'imagine what could be done if thousands of people gave just one hour of their time'. The world would be a better place no doubt.




Monday 15 September 2008

Using ScreenAudit for some Time Lapse Photography with my iSight

I went away for the weekend and thought it would be interesting to point my iSight webcam out over the garden and tell ScreenAudit to take a photograph every 30 minutes. I also hoped to capture on camera the big cat beast (ok, it's a fox) that sneaks into my garden every night and uses it as a toilet ...

Forgetting that night means the absence of light I didn't get any pictures of the fox, but I did get nearly 4 days worth of time lapse photographs which was fun :-)

I found these interesting. The photos below show the arrival of dawn at around 06:50 and the way the sun illuminated the garden through to around 11:20.

If you've purchased ScreenAudit, let me know what you are using it for.






















Join BAARF. You Know It Makes Sense



I have recently been initiated into BAARF.

Battle
Against
Any
Raid
Five

Enough is Enough

If you too wish to show your support and enlightenment please join BAARF at www.baarf.com

Once upon a time when I was less enlightened than I am now, I worshipped at the foot of the false idol that is Raid 5. Having been awoken to the danger I have since rejected it wholeheartedly and am now well on my way to recovery.

Help us to rid the world of this evil !

Steve Cholerton
Born Again Raid10ian
First Battalion BAARF

Disclaimer: It's actually OK for some things. Just don't run a database on it :-)


Arten Science Forum !

I've set up a Feedback Forum for Arten Science. It's very quiet in there at the moment, we're looking forward to your feedback :-)

http://artenscience.uservoice.com/


Thursday 11 September 2008

ScreenAudit 1.1.4 Released



I've released an update to ScreenAudit. 1.1.4 gives the user the option of configuring ScreenAudit to capture the Camera, the Screen(s), Both or Neither (!!). Previous to 1.1.4 the assumption was made that screen capture would be the predominant use for ScreenAudit.

Feedback from customers has indicated that they would like the ability to perform *only* webcam capture for some kind of 'time lapse' / security recording purpose. This is a small update and was released a few minutes ago. It can be downloaded from the following location:

http://www.artenscience.co.uk/artenscience/ScreenAudit.html

Since sending the Press Release for ScreenAudit the traffic to my site has been many, many times more than usual, so I apologise if it seems slow. I will be increasing bandwidth from next Tuesday.




Wednesday 10 September 2008

New Product: ArtenQUERY 1.0

I’ve just uploaded ArtenQUERY 1.0. ArtenQUERY is a useful, very inexpensive, easy to use query tool for use with SQLServer and Oracle databases. Fast and with some very nice features including multiple results grids, query history, large grid support, user prompting for parameters and export to XML and HTML.

It's written in Visual Studio and so requires the .NET Framework 2 to be installed.

This is a project I've had on the back-boiler for a year or more and I decided it was time to fix a few bugs and release a 1.0. The support for large grids has been a real benefit during some data migration projects I've done over the last few months.

More Information can be found here: http://www.artenscience.co.uk/artenscience/ArtenQUERY.html




Friday 5 September 2008

ScreenAudit Update: Timed Webcam Photos



The latest version of ScreenAudit gives you the option of getting photos taken from your computer's webcam at a timed interval as well as screenshots from your monitor(s).



WHO did WHAT and WHEN on my Mac ? - ScreenAudit will show you.



Snapshots of your screen and webcam at definable timed intervals
Reminds you what you were doing, and when
Never forget to bill for your time, your actions recorded
Monitor if someone else uses your computer, and for what
Keep an eye on your children’s online activities
Monitor your home / pet / garden remotely
Supports multiple monitors
Speaks your own message when taking the snapshot
Adjustable snapshot quality
Can take snapshots of the Dashboard or all ‘Spaces’




More Information here: ScreenAudit


Thursday 4 September 2008

ArtenCHAT Beta Program



I’m currently developing a Local Area Network based Instant Messaging Chat and File Transfer Client. It will be Cross Platform, the intention is to support Windows 98 > Windows Vista, Mac OSX 10.5 Universal Binary and also Linux. It will have the ability to send and receive encrypted messages which will have to be decoded before being viewed. That should stop the embarrassment of a personal instant message arriving when you are not at your desk ... :-)

Many IT Departments are clamping down on the use of Instant Messaging clients because of the security risk with running open ports to the internet. ArtenCHAT will be a safe alternative for Departmental, Peer to Peer and Group Chat within the LAN. Easy and fast file transfer will be another advantage of ArtenCHAT.

I intend to make the software available free of charge for under 5 concurrent users, with an unlimited corporate license for £49. Feedback is welcome on the pricing as well as the concept.

If anyone would like to be a part of the Beta program they will receive a free full license when the product is complete, assuming of course that they actually provide me with some feedback :-)

For an invite to the Beta program please email artenchatbeta@artenscience.co.uk


Freeware Upload: ViewCSVTAB

I wrote this for a specific purpose. It takes a Comma Separated (CSV) or TAB Delimited (TAB) file and loads it. You can then check the file for formatting issues and also search any of the columns for a specific value.

I wrote it for use during a data migration project but it has since been used by customers for searching archived data.

You can download it here: http://www.artenscience.co.uk/artenscience/FreeSoftware.html




Freeware Upload: Lottery

Lottery is a Lottery Number Generator I wrote years ago. Someone may find it fun! If you use it and win please send 10% of your winnings to my offshore account :-) You can download it here: http://www.artenscience.co.uk/artenscience/FreeSoftware.html




Webclip - Superb !

One of the features of Mac OSX Leopard and Safari is the Webclip. I’ve ignored it until recently and now having used it I can say it really is great.

Basically Webclip allows you to select a portion of a webpage that you are interested in, and that gets updated. To avoid going and manually checking for these updates you can select the page area and assign it to your Dashboard, where it is a mouse click away and constantly refreshed.

Some examples of use:

Google Analytics Graphs
Twitter Followers
Software Download Statistics

I have used it for all these purposes and more.

To use Webclip click the webclip button on the toolbar of your Safari browser and then select the portion of the page that interests you. When you have defined the area you need, click the Add button shown at the top right of the page.

That’s it. That portion of the page is now visible from your Dashboard.

Very Simple, Very Cool :-)

Below is an image as shown in my Dashboard from the MacUpdate Developers Account which I setup yesterday.




Wednesday 3 September 2008

ScreenAudit Update

ScreenAudit has just been listed on the Apple Downloads Site. We’ll see how much interest that generates ... ?

http://www.apple.com/downloads/macosx/imaging_3d/screenaudit.html