BestInternetSecurity.net

Information Security Resources


Archive for the 'Network Security' Category



How to Generate a Digital Certificate for S/MIME (Secure MIME) email Communication

Wednesday 24 September 2008 @ 6:36 am

For most S/MIME compatible email clients, you must obtain a PKCS12 format certificate before you can upload your private key and/or others’ public key for secure email communication.

The first way you can do this is, of course, to apply such a certificate from a trusted Certificate Authority (CA), such as VeriSign. But can you do this without a CA?

Yes, it is possible for you to generate such a certificate manually using open source software. However, note that the certificate is self-signed, meaning it is signed by you as the trusted root source.

To do this, you first have to download a piece of software that can generate PKCS12 format certificates. The most common one is OpenSSL. You can visit this website to learn more:

http://www.openssl.org.

The original OpenSSL software is made primarily to be run on the Linux platform. As a general Windows user, you might need to use the program on a Windows platform, and may not know how to compile the source code of OpenSSL to make it run on a Windows platform. If you have this headache, you can try the Windows compatible OpenSSL work available for free here:

http://www.slproweb.com/products/Win32OpenSSL.html

Upon successful installation of the software, go to the bin directory of your installation to locate the software openssl.exe that you need to use to generate PKCS12 certificate.

I followed the instructions here to create my own certificate:

http://tinyurl.com/4s5zqo

I have added my own explanations and remarks and simplified a bit the process. Here are the steps:

Assume you have installed your software on the path c:\Openssl

1.    Generate an RSA Private Key in PEM format

Type:
>C:\Openssl\bin\openssl.exe genrsa -out my_key.key 2048
Where:

  • my_key.key  is the desired filename for the private key file
  • 2048  is the desired key length of either 1024, 2048, or 4096

2.    Generate a Certificate Signing Request:
Type:
>C:\Openssl\bin\openssl.exe req -new -key my_key.key -out my_request.csr

  • my_key.key is the input filename of the previously generated private key
  • my_request.csr  is the output filename of the certificate signing request

3.    Follow the on-screen prompts for the required certificate request information.
4.    Generate a self-signed public certificate based on the request.
Type:
>C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in my_request.csr -signkey my_key.key -out my_cert.crt

  • my_request.csr  is the input filename of the certificate signing request
  • my_key.key  is the input filename of the previously generated private key
  • my_cert.crt  is the output filename of the public certificate
  • 3650  is the validity period of the certificate in days; here it is 10 years (10 x 365 days)
  • x509  is the X.509 certificate standard normally used in S/MIME communication

This essentially signs your own public certificate with your own private key. In this process, you are now acting as the CA yourself!
5.    Generate a PKCS#12 file:
Type:
>C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_cert.crt -inkey my_key.key -out my_pkcs12.pfx -name "my-name"

  • my_cert.crt  is the input filename of the public certificate, in PEM format
  • my_key.key  is the input filename of the private key
  • my_pkcs12.pfx  is the output filename of the pkcs#12 format file
  • my-name  is the desired name that will sometimes be displayed in user interfaces.

6.    (Optional) You can delete the certificate signing request (.csr) file and the private key (.key) file.
7.    Now you can import your PKCS#12 file to your favorite email client, such as Microsoft Outlook or Thunderbird. You can now sign an email you send out using your own generated private key. For the public certificate (.crt) file, you can send this to others when requesting them to send an encrypted message to you.
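The seven steps above as one non-interactive POSIX shell script, followed by the checks worth running before the bundle is imported. This is an added example, not the commands from the original post or from the OpenSSL project: it assumes an openssl binary on the PATH (Linux/macOS, or the Win32 OpenSSL build run from a Unix-style shell), and the subject name, e-mail address, password and output directory are constructed values. Two departures from the post are deliberate: the extensions an S/MIME client looks for (the e-mail address as a Subject Alternative Name and extendedKeyUsage emailProtection) are supplied through -extfile, because x509 -req does not copy extensions from the CSR, and the bundle is protected with AES-256-CBC and a SHA-256 MAC rather than the older PBE-SHA1-3DES.

```shell
#!/bin/sh
# Added example (not from the original post): the S/MIME certificate steps as one
# non-interactive script, plus sanity checks. Assumes "openssl" is on the PATH.
# Subject, e-mail, password and output directory are constructed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
NAME="Alice Example"            # also used as the -name friendly name shown by mail clients
EMAIL="alice@example.com"       # constructed address
P12PASS="changeit"              # constructed PKCS#12 password; never hard-code a real one

make_smime_p12() {
    # Step 1: 2048-bit RSA private key in PEM format
    openssl genrsa -out "$WORKDIR/my_key.key" 2048 2>/dev/null

    # Steps 2 and 3: CSR, with the subject given on the command line instead of prompts
    openssl req -new -key "$WORKDIR/my_key.key" -out "$WORKDIR/my_request.csr" \
        -subj "/CN=$NAME/emailAddress=$EMAIL"

    # Extensions an S/MIME client looks for. "x509 -req" does not copy extensions
    # from the CSR, so they are handed over with -extfile.
    cat > "$WORKDIR/smime_ext.cnf" <<EOF
[smime]
subjectAltName = email:$EMAIL
extendedKeyUsage = emailProtection
EOF

    # Step 4: self-signed certificate valid for 3650 days (10 years)
    openssl x509 -req -days 3650 -in "$WORKDIR/my_request.csr" \
        -signkey "$WORKDIR/my_key.key" -extfile "$WORKDIR/smime_ext.cnf" \
        -extensions smime -out "$WORKDIR/my_cert.crt" 2>/dev/null

    # Step 5: PKCS#12 bundle. AES-256-CBC and a SHA-256 MAC replace the post's
    # PBE-SHA1-3DES; -passout keeps the step non-interactive.
    openssl pkcs12 -export -in "$WORKDIR/my_cert.crt" -inkey "$WORKDIR/my_key.key" \
        -out "$WORKDIR/my_pkcs12.pfx" -name "$NAME" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$P12PASS"
}

# Subject of the certificate stored inside the .pfx (what the mail client will show)
p12_subject() {
    openssl pkcs12 -in "$WORKDIR/my_pkcs12.pfx" -passin "pass:$P12PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# True when the e-mail address is present as a SAN entry
cert_has_email_san() {
    openssl x509 -in "$WORKDIR/my_cert.crt" -noout -text | grep -q "email:$EMAIL"
}

# True when the private key really belongs to the certificate (same RSA modulus)
key_matches_cert() {
    c=$(openssl x509 -in "$WORKDIR/my_cert.crt" -noout -modulus)
    k=$(openssl rsa -in "$WORKDIR/my_key.key" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 6 from the post: once the .pfx exists, the loose key and CSR can go
remove_loose_files() {
    rm -f "$WORKDIR/my_request.csr" "$WORKDIR/my_key.key" "$WORKDIR/smime_ext.cnf"
}

if [ "${1:-}" = "run" ]; then
    make_smime_p12
    p12_subject
    cert_has_email_san && echo "SAN e-mail present"
    key_matches_cert && echo "key matches certificate"
    echo "import $WORKDIR/my_pkcs12.pfx into the mail client; hand out $WORKDIR/my_cert.crt"
fi
```

Run it as `sh smime_p12.sh run`; the .pfx goes into the mail client (step 7) and the .crt is what correspondents need in order to encrypt to you. The modulus comparison is the quickest way to catch a bundle built from a key and certificate that do not belong together, which is the usual cause of a client refusing an import.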

Tags: self-signed Public Key, OpenSSL command





How to Communicate Securely Using Self Generated Public and Private Key Pairs

Monday 22 September 2008 @ 2:46 am

You can use PGP (Pretty Good Privacy) freeware to communicate freely. PGP freeware can be downloaded here:

http://www.pgpi.org/products/pgp/versions/freeware/

However, since they have recently taken down the freeware for the Windows platform, I’ll show you how to use another piece of software called “gpg4win” to do the same thing.

This software was created by an open source effort, and it supports the OpenPGP standard. With a suitable plugin, you can use it with other email clients such as Thunderbird and Claws Mail for S/MIME email encryption.

You can download the latest version here:

http://www.gpg4win.org

Upon successful installation, you’ll find the following welcome screen:

Select “Generate key now” if you do not have a PGP private and public key pair.

Input your full name and email address, then carefully input a passphrase. This is an important step, so select something you can recall because you need to correctly enter your passphrase when you want to use your private key later.

Follow the onscreen instructions and create your key pairs. If you require a backup key to be generated, make sure you save the key pair in a safe place.

Now you can see your newly generated key in the application windows like the one I have generated for myself:

However, before you ask someone to send an encrypted message to you, you need to export your public key to them. You can select the “Export” function of the application window to do this.

After selecting the Export function, the program will ask you where to save the exported public key. Select a location where you can retrieve the saved public key later.

Now you can send your key to anyone who needs to send you confidential messages. Those who have your public key can then encrypt the message using your public key. Those encrypted messages can only be opened by you, who owns the private key.

As an example, suppose there is someone who already has encrypted a message (or simply a file) using your public key. Let’s call the original file “plaintext.doc,” and the encrypted file you received should be “plaintext.doc.gpg”. (The software adds the file extension “.gpg” to the output file it has encrypted)

Pressing the “Files” button under the application window displays the program’s file manager. You can locate and select the file “plaintext.doc.gpg” that has been saved in your computer previously.

By pressing the Decrypt button, you are prompted to enter the passphrase for your private key to decode the file. Upon entering the correct passphrase, you should now have the decrypted file in the same directory as your encrypted file.

To encrypt any file to other people, you need to import their public key by using the Import function of the main application screen. Select the public key file you obtain from other people (this should be a file with file extension “asc”), and click okay to proceed with the import.

By using the same file manager, you can select the file you want to encrypt and then choose the “Encrypt” function to produce the encrypted output file. Remember to use the public key of the person you have just imported to encrypt the file. You can then send this file to the party who owns the private key of the corresponding public key you have just imported to encrypt the file. That party should be able to decrypt the file using his/her private key.

Try this software and let me know if you have any problems or issues by leaving a message here.

Tags: GNU Privacy Assistant





Security Issue with Google Browser Chrome: How to Handle

Monday 15 September 2008 @ 12:56 pm

I read a piece of news about the security issue of the new Google Browser Chrome from ComputerWorld.

The Google Browser is an open source project, and many of the components it was built on use open source software. One of them is the open-source rendering software called WebKit. This component was found to have a security flaw in its older version. It allows the attacker to maliciously trick web surfers into downloading a java (or other types of) executable file from a webpage. As the downloaded file appears, a button under the Chrome browser could be pressed by the user and hence run the program.

Since a java executable file will not warn the user before it runs, the user could accidentally trigger a malicious java program.

For details of this news, refer to this article:
http://www.cw.com.hk/article.php?id_article=2236

This security flaw has been identified previously with Safari, the browser from Apple. Apple patched the flaw last June.

To avoid the possible download of a malicious file, you can turn on the option to prompt the user for the file download path under Options ==> Minor Tweaks ==> Ask where to save each file before downloading.

In fact, other than this security issue, I always recommend using browsers under open source efforts such as Firefox, or now Chrome, because those browsers are built using program sources that are open to everyone. Then, security experts can always look at the program code details inside the program to uncover potential security flaws. This makes the software safer to use in the long run.

Tags: Google Chrome, Apple Safari, Google Chrome Security Issue, Google New Browser





Using Fport to Check for Trojan Horses

Wednesday 10 September 2008 @ 5:47 am

This article will tell you about a simple way to check whether your computer system has a trojan horse (spyware) installed.

A trojan horse or spyware operates by running on your computer and opening a communication port (TCP port) to communicate with the remote hacker, so he or she can “spy” on your computer. The easiest way to detect this activity is to look at the ports opened on your computer by using the built-in command-line tool netstat. At the command prompt, type the command with the switch “-a” (i.e. “netstat -a”) to list the ports opened on your computer.

If you have no idea what ports are usually related to a trojan horse, you can do a search on any search engine for the term “common trojan horse ports”. Here are two of the reference sites I’ve found:

http://www.doshelp.com/Ports/Trojan_Ports.htm

http://personal.telefonica.terra.es/web/oscarmartinez/_articlesan/article49-Trojan-horse-ports.htm

If you still have a hard time decoding the lists from these reference sites, you can use a handy program called “fport“. Download this here:

http://www.foundstone.com/us/resources/proddesc/fport.htm

This program matches your open ports with the programs on your computer. This is an easier way to locate a particular suspicious program and uncover any potential spyware residing on your computer.

Please note that since this is a command mode program, you need to bring up a command prompt window by choosing Start ==> Run and then type in the command “cmd” in the “Run” window. Next, type in the exact path of the program. For example, if you have installed the program under c:\, type in c:\fport to run it. The program will create a list of programs associated with your computer under inspection. If you have difficulty comprehending a long list of ports on the command prompt window, you can tell the program to redirect the outputs to a text file for printing and later analysis. You can do this by typing, for instance, “c:\fport > c:\output.txt” to create a file named “output.txt” on your c:\ drive.

This is a handy tool for running an inspection on your computer to detect any possible hacker’s attack. I recommend that you use it regularly – it’s to your benefit.

Tags: Trojan Horse Removal, Popular Trojan Horse Port List





Certificate Authority and Its Role in Public Key Infrastructure: An Example

Tuesday 19 August 2008 @ 6:33 am

When applying asymmetric cryptography technique, there is an important element in the success of this technology – the issue of “trust”.

To illustrate this, let’s suppose Bob wants to send a message to Mary securely over the Internet. He needs Mary’s public key to encrypt the message. Theoretically, it is Mary, who owns the one and only one private key of her own, who can decrypt the message. So Mary is the only recipient who can open this message. Bob achieves his objective of keeping the secrecy of this message and revealing it to Mary only.

But the problem is: how can Bob get Mary’s correct public key? Suppose hacker Tom wants to intercept their communication. He can create a fake public key for Mary and send it to Bob. Bob, without knowing that this key is fake, uses it to encrypt the message he intended to send to Mary. The message could then be compromised by Tom for he is the person who owns the corresponding private key to the fake public key he created for Mary.

Tom can then even further re-encrypt the secret message using Mary’s real public key, sending it to Mary, and she doesn’t realize that someone other than her has read the message. And worst of all, Tom can modify the message before he encrypts and sends it, compromising both the confidentiality and the integrity of the message.

How can Bob solve this problem? He can ask a trusted third party to help verify Mary’s public key. Let’s say this third party is Peter. Peter can help Bob by signing Mary’s public key using his own private key. However, there are two conditions that need to be satisfied for this verification to work:

  • First, Bob must have full faith in Peter’s role as a verifier.
  • Second, Bob must have an authentic public key for Peter in his key database. He needs Peter’s public key to verify Mary’s signed public key and hence reconfirm the validity of Mary’s public key sent by Peter. (Without Peter’s authentic public key, Bob has no way to ensure he has Mary’s correct public key.)

If the above two conditions are satisfied, there is no way that hacker Tom can send a fake public key for Mary to Bob, because Bob can identify it as fake, with the help of Peter.

But then this leads to another problem: Bob must have a trusted and verified public key for Peter! This seems to create the very same problem involved with verifying Mary’s public key. Bob needs to repeat the same verification procedure used for Mary’s public key, looking for someone who can verify Peter’s public key. This problem can go on and on in a circle until Bob can find an ultimate trusted “root” of public keys.

In the modern public key infrastructure (PKI), the role of Peter is played by a so-called Certificate Authority (CA). In a communication system, CAs are trustworthy organizations that have the corresponding, verified public keys of the users you want to communicate to. The CA holds a database containing the signed public keys it issued for the users who have applied and obtained the public key/private key pair through it. The private key is kept by the user, and the public key is posted to the public and maintained by the CA.

You must have trusted CAs in your database or otherwise the above story can never reach its end.  Take our popular Internet Browser IE as an example. If you take a look at Tools ==> Internet Option ==> Content ==> Certificate ==> Trusted Root Certificate Authorities, you can see it contains a long list of trusted Root CAs.

The popular ones in the USA are VeriSign, Thawte, etc., which are commercial organizations. In most other regions, CAs come from Government initiatives. Take my home country of Hong Kong as an example. The official CA here is the Hong Kong Post Office, which is a governmental department, with its original function serving the postal service in Hong Kong. Government-backed organizations possess the “trust” factor, and that is an important criterion for a root Certificate Authority who needs to sign and verify its publicly issued keys.

Each CA must possess a very robust infrastructure of its Internet public key directory in serving the intended communication parties of its certificate clients.

Without CAs, you would have to verify the public key yourself. In the above case, Bob would need to verify Mary’s public key before he sends her any message encrypted by the public key he has on hand. This can be done with offline communication such as phoning Mary to verify the key, or simply getting the key from Mary by meeting her face-to-face. Of course, this is very inconvenient and impractical in most electronic communication cases.
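The Bob, Mary, Peter and Tom story above carried out with OpenSSL, as an added example that is not part of the original post: Peter is a small private CA, Mary's key is certified by Peter, and Tom makes a key pair of his own inside a self-signed certificate that merely carries Mary's name. Bob's check is `openssl verify` against Peter's certificate, which is exactly the "authentic public key for Peter" the second condition demands. The names, e-mail address, file names and output directory are constructed for this example, and an openssl binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): the Bob / Mary / Peter / Tom story
# carried out with OpenSSL. Names, files and the output directory are constructed.
set -eu

W="${W:-$(mktemp -d)}"

# Peter: a self-signed root certificate ("req -x509" marks it as a CA). Bob must
# obtain this one file by a trustworthy route; every check below rests on it.
make_peter_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$W/peter.key" -out "$W/peter.crt" \
        -subj "/CN=Peter Root CA" 2>/dev/null
}

# Mary: her own key pair and a CSR; Peter signs the CSR with his private key
issue_mary_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$W/mary.key" -out "$W/mary.csr" \
        -subj "/CN=Mary/emailAddress=mary@example.com" 2>/dev/null
    openssl x509 -req -days 365 -in "$W/mary.csr" \
        -CA "$W/peter.crt" -CAkey "$W/peter.key" -CAcreateserial \
        -out "$W/mary.crt" 2>/dev/null
}

# Tom: a key pair he controls, in a self-signed certificate that only claims to be Mary
make_tom_fake_mary() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$W/tom.key" -out "$W/fake_mary.crt" \
        -subj "/CN=Mary/emailAddress=mary@example.com" 2>/dev/null
}

# Bob's check: does Peter's signature on this certificate validate? (exit status 0 = yes)
bob_verifies() {
    openssl verify -CAfile "$W/peter.crt" "$1" >/dev/null 2>&1
}

# The subject name alone proves nothing: both certificates say "Mary"
subject_of() {
    openssl x509 -in "$1" -noout -subject
}

setup_all() {
    make_peter_root
    issue_mary_cert
    make_tom_fake_mary
}

if [ "${1:-}" = "run" ]; then
    setup_all
    echo "mary.crt:      $(subject_of "$W/mary.crt")"
    echo "fake_mary.crt: $(subject_of "$W/fake_mary.crt")"
    bob_verifies "$W/mary.crt"      && echo "mary.crt:      accepted (signed by Peter)"
    bob_verifies "$W/fake_mary.crt" || echo "fake_mary.crt: rejected (not signed by Peter)"
fi
```

Run it as `sh ca_story.sh run`. Both certificates print the same subject, which is the point of the story: what lets Bob tell them apart is not the name inside the certificate but whether the signature chains to a root he already holds. Remove peter.crt from the -CAfile argument and Mary's genuine certificate is rejected too, which is the "circle" the post describes.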

Tags: Asymmetric Encryption, Root CA, Root Certificate Authorities, Trusted Root Certificate Authorities, confidentiality of message, integrity of message





Filtering Spam Using Gmail

Friday 9 May 2008 @ 2:30 pm

I have been using Gmail, Yahoo! Mail, and Hotmail for a very long time. My general feeling is that the super-powerful spam filtering capability of Gmail is unprecedented. It can eliminate almost 98% of spam emails while at the same time maintaining an almost zero error rate of filtering legitimate emails. It definitely outperforms the other two free email systems.

I am always curious how it achieves this phenomenal success rate, but I find no clue at all. Having had no success in finding its algorithm, I turn to a very practical question: How can we make use of its powerful spam filtering capability to handle our daily corporate email reception task?

The first solution is to use Gmail for receiving emails from your contacts. That sounds easy and straightforward, but the downside is that you have to give up the corporate email address that signifies your corporate identity. How can we preserve that?

Here is a quick solution you can try. Since Gmail allows email received to be forwarded to another email address, you can follow these steps to set this up.

First, you’ll need to create the following three email addresses for each staff member of your company:

  1. The primary corporate e-mail, which is shared with contacts. Say, for John Doe of your company XYZ Inc., you can use john.doe@xyz.com.
  2. A second corporate e-mail, called john.doe_filtered@xyz.com. (You’ll see the use of this second e-mail in a few minutes.)
  3. A Gmail account, with an address similar to: john.doe-xyz@gmail.com

Next, configure the first, primary email address to forward email to the Gmail address.

In the Gmail account settings for the Gmail email address, select the option “Forwarding and POP/IMAP” as shown below:

You will see the following screen:

Set this to forward to the second corporate email address of your staff (i.e., the john.doe_filtered@xyz.com address, as shown in the above screen capture).

Now John Doe can configure his email client to read spam filtered email from the second email account. Those emails are originally addressed to his primary email address, filtered by Gmail, then automatically forwarded to his second corporate email account.

What John needs to remember is to make sure the email address john.doe_filtered@xyz.com is hidden from his contacts. He only uses it as a tool to receive the filtered emails.

If you really want to own the Gmail account as a private labeling service for your company (which entitles you to the big storage space of Gmail for each of your private corporate email accounts and also the spam filtering service), you can register for a private label email program through Google Apps here:
http://www.google.com/a/help/intl/en/index.html

However, this involves pointing all your corporate emails to Google’s Server for storage and processing. I am not so sure if this is a good idea for your company, although this service is basically free with an option to pay a small fee to receive technical support service.





Google Hacking and Buffer Overflow Attacks: In the News

Friday 2 May 2008 @ 8:45 pm

Recently I spotted a piece of news about a type of network attack combining techniques we have discussed in recent articles involving Google Hacking and Buffer Overflow Attack. The incident, according to Forbes News [1], involves “using Google searches to track down sites vulnerable to so-called ‘SQL injections’.”

Essentially, the hackers use Google to hunt for sites with a problem in the web server program code and exploit them using the knowledge gained from the error messages displayed on the problem websites. In this particular case, the hackers used SQL commands to take control of the sites under attack.

(If you are interested to know about how to work safely using SQL commands, read our post about Buffer Overflow Attack here: http://www.bestinternetsecurity.net/52.)

Some security experts attribute this situation to the usage of Microsoft-related technologies in web sites, such as Microsoft’s own Internet Information Servers (IIS) and its SQL server.

“Whitehat Security’s Grossman speculates that machines running that software were targeted because they allow several commands to be injected in a single user input field on the sites they host, making those sites easier to hijack,” according to Forbes News.

However, I have a different view, and this is the same comment that I expressed in my previous post: It does not matter what technologies you are using to run your websites. What does matter is taking extra care in writing programs that use SQL commands to manage program data. If in the original program design you fail to carefully validate users’ inputs, you will open doors to possible attacks. This is especially disastrous if you fail to do so with web application programming, like in the case we are discussing now.

But as I have also said, it is extremely difficult (if not totally impossible) to write completely bullet-proof code. But to be aware of what can happen if you do not take extra steps to write code that carefully lessens the risk of attack is more than half of the battle. Read the news in the reference section to know more about this case.

Reference:

[1] Greenberg, A. (2008) Google-Hacking Goes To China, Forbes.com LLC, Available from: http://www.forbes.com/2008/04/28/hackers-google-china-tech-security-cx_ag_0428hack.html?partner=yahootix [Accessed 28 April 2008]

Tags: SQL Programming, Application Security, Google Hacking, Buffer Overflow Attack





DNS Root Servers’ Attack: Is it possible?

Tuesday 8 April 2008 @ 9:08 pm

The Domain Name System (DNS) relies on a hierarchical database system. At the top of this system sit thirteen root servers with names following the format letter.root-servers.net, where the letter ranges from A to M.

Many people mistakenly assume that there are only 13 root servers in the world. In fact, each root server notation represents a cluster of servers dispersed all over the world. Each of these is administrated by different organizations.

The cluster of servers working for a particular letter of root servers uses the routing technique of “anycasting,” according to RFC 1546 [1]:

“There are a number of situations in networking where a host, application, or user wishes to locate a host which supports a particular service but, if several servers support the service, does not particularly care which server is used. Anycasting is an internetwork service which meets this need. A host transmits a datagram to an anycast address and the internetwork is responsible for providing best effort delivery of the datagram to at least one, and preferably only one, of the servers that accept datagrams for the anycast address.”

Check out these links for a geographical mapping of the root servers’ locations:
http://www.icann.org/maps/root-servers.htm
http://www.circleid.com/posts/dns_root_servers_google_maps/ (on Google Maps)

Root servers serve as the final point of resort to resolve the Top Level Domain (TLD). For example, if your DNS servers do not know where to locate the DNS record of the “.jp” of the domain name www.jetro.go.jp, it will query the root servers to locate the DNS server taking part in the resolution of TLD “jp” and then continue the resolution of the domain “go.jp” by the DNS server referred by the root server. This domain name resolution process works recursively until it gets an authoritative answer for the requested host of the domain name www.jetro.go.jp.

In fact, DNS servers rarely query the root servers as they cache any previously resolved domain names, including those of the TLDs. Depending on a DNS server’s configuration, it usually keeps those responses in the cache for two days. Therefore, considering the example given above, the DNS server will store the DNS server information to process TLD “jp” in the cache memory, so that each query related to TLD “jp” will go directly to the DNS server handling “jp” TLD without repeatedly querying the root servers.

Perhaps the most common reason for your DNS servers to query root servers is a typing error producing a non-existent TLD. For instance, if you mistakenly type “jq” instead of “jp” in the above domain name, your DNS servers have not yet resolved any TLD “jq”. Therefore, they have to go to the root servers to check for its related information. Of course, in this case, the root server will return a non-existent domain error to your DNS servers, and you are notified of the failure to locate the domain name.

As the root servers are dispersed all over the world, it is technically quite difficult to launch an attack on all of them at the same time. Therefore, it is unlikely that this robust system will stop servicing the Internet community because of a common attack such as DoS (Denial of Service), even by the most well planned hacking activity. This is fortunate, since the DNS root server system is a vital part of the Internet, serving thousands or millions of people online every day.

If you are interested to understand more about root DNS servers’ operation, go to this link for more details:
http://www.isoc.org/briefings/020/

[1] Partridge, C., Mendez, T., Milliken, W. (1993) Request for Comments: 1546, Network Working Group, Available from: http://rfc.net/rfc1546.html [Accessed 4 April 2008]

Tags: DNS Root Servers Attack, anycasting, TTL





Trojan Horse - What is it?

Saturday 5 April 2008 @ 2:19 pm

What does the name Trojan Horse imply in way of network security, and what threats do Trojan Horses bring to a network computing system?

First let’s look at history to understand the name “Trojan Horse.” The Trojan War, as you may already know, is the ancient war between the Greeks and the city of Troy that took place during the thirteenth century. The Greeks won the war with Troy because of a very clever and deceptive trick. Greek soldiers pretended to withdraw from the battle, leaving behind a huge wooden horse. Troy, believing that they had won the war, dragged the wooden horse into their city and began to celebrate victory. However, by doing so, they walked right into the trap set by the Greeks. Greek soldiers were actually hiding inside the wooden horse. As they waited patiently inside the horse, the people of Troy celebrated heavily. When the soldiers emerged from the horse during the night, the inebriated citizens of Troy were easily defeated.

In today’s world of computer security, we now use the term “Trojan Horse” to refer to certain malicious software (or “spyware”) programs that are designed to let a hacker remotely control a computer. Much like the ancient Greeks, a hacker will attempt, in every conceivable way, to lure users into unknowingly installing the Trojan Horse on their computers.

For example, hackers can start an attack by sending malicious emails inviting the recipient to download and install Trojan Horse programs that actually appear to be useful. Another way hackers lure unsuspecting users is by offering interesting or seemingly practical programs on a site as a free download. Users install these software programs containing malicious code, unknowingly giving the hacker access to their computers.

How Trojan Horses work
A Trojan Horse program works by opening a connection point in your computer (usually a designated TCP port) and waiting for the hacker to remotely connect to this port. Upon a successful connection, the hacker immediately takes control of the victim’s computer, reading and changing data inside the machine, remotely monitoring the user’s activities. Some versions of powerful Trojan Horse software can even monitor the user’s screen in real time, log his or her keyboard strokes, and remotely shut down the machine.

Since some popular Trojan Horse programs open a well-known port on the victim’s computer, an attacker can regularly scan the Internet for computers already “planted” with a Trojan Horse by looking for those open ports. For example, popular Trojan Horse programs like NetBus use TCP ports 12345 and 12346, and Back Orifice uses 31337. You can always find popular Trojan Horse ports by doing a search on Google using the search phrase “popular ports of Trojan Horse.”

Once found, the hacker can immediately take control of the machine by connecting to these easily recognized ports. This means hackers don’t need to spend time implanting the program to the victim’s machine if someone else has previously introduced the Trojan Horse software to the user’s system.

Trojan Horse programs pose a very great threat to computer security. The user’s naiveté as to its existence gives the attacker further power to intrude on other computers within the same network associated with the victim’s machine. As you can imagine, this can cause problems in catastrophic proportions.

How to Know If Your Computer Has a Trojan Horse
You can find out if your computer is infected by performing a simple audit. Access your command prompt screen and type in the command “netstat -n”. This will show all the open local ports and remote ports.

If you are interested in determining what programs are tied to specific ports, you can use the program fport which is available here:
http://www.foundstone.com/us/resources/proddesc/fport.htm
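The netstat check in this section and in the Fport post above, as an added example that is not part of either post: a POSIX shell script that parses a netstat -an style listing with awk and flags rows whose local or remote port is on a watch list. The sample listing is constructed, in the column layout Windows prints, and the watch list holds only the ports this page names (NetBus 12345/12346, Back Orifice 31337), so it is illustrative rather than complete. A hit is a lead to follow up with fport, not proof of infection, and a Trojan configured to listen on some other port will not show up here.

```shell
#!/bin/sh
# Added example (not from the original posts): a netstat-style listing parsed with
# awk and checked against a watch list of ports. The listing below is constructed
# in the "netstat -an" layout Windows prints; the watch list is the set of ports
# named on this page and is illustrative, not exhaustive.
set -eu

SAMPLE_NETSTAT='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     203.0.113.5:31337      ESTABLISHED
  UDP    0.0.0.0:137            *:*'

WATCH_PORTS="12345 12346 31337"

# One line per TCP/UDP row: "proto localport remoteport state"
# (the port is the last colon-separated field, so IPv4 and IPv6 rows both work)
netstat_rows() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '
        $1 == "TCP" || $1 == "UDP" {
            n = split($2, l, ":"); lp = l[n]
            m = split($3, r, ":"); rp = r[m]
            st = ($4 == "") ? "-" : $4
            print $1, lp, rp, st
        }'
}

# One line per row whose local or remote port is on the watch list
flag_watch_ports() {
    netstat_rows | awk -v watch="$WATCH_PORTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        ($2 in bad) { print "local port " $2 " (" $1 ", " $4 ")" }
        ($3 in bad) { print "remote port " $3 " (" $1 ", " $4 ")" }'
}

# Number of flagged rows, usable as the exit status of a scheduled check
flagged_count() {
    flag_watch_ports | wc -l | tr -d ' '
}

if [ "${1:-}" = "run" ]; then
    flag_watch_ports
    echo "flagged rows: $(flagged_count)"
fi
```

Run it as `sh port_watch.sh run`; on the sample it reports the local listener on 12345 and the established connection to remote port 31337. To check a real machine, save the output of `netstat -an` to a file and substitute its contents for SAMPLE_NETSTAT; a flagged local port is then the one to look up with fport to see which program owns it.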

How to Avoid Trojan Horses
A number of spyware monitoring and removal software programs are available. If you are using Windows XP, perhaps the easiest one you can attain is Windows Defender from Microsoft found here:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Also, the related spyware removal tool from Microsoft can be found here: http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

In addition to relying on Trojan Horse detection and removal tools, a better way to control problems with spyware is user education. A careful computer user should not casually download programs from unknown sources off the Internet or open email attachments that appear suspicious or unfamiliar.

Failure to follow simple preventative measures such as these can lead to serious security breaches. Remember in 2005, when the Atlanta-based credit card processing company CardSystems Solutions Inc. was hacked? A Trojan Horse program was implanted in the company’s network and it was estimated that the information of more than 40 million credit card customers was leaked as a result of this security incident [1]. A class-action suit was then filed in the California Superior Court in San Francisco against CardSystems Solutions Inc, Visa, and MasterCard [2].

You certainly don’t want you and your company to be the next victim, do you?

[1] Evers, J. (2005) Details emerge on credit card breach, CNET News.com, Available from: http://www.news.com/Details-emerge-on-credit-card-breach/2100-7349_3-5754661.html [Accessed 31 March 2008]

[2] Evers, J. (2005) Lawsuit seeks disclosure in credit card heist, CNET News.com, Available from: http://www.news.com/Lawsuit-seeks-disclosure-in-credit-card-heist/2100-7350_3-5765383.html [Accessed 31 March 2008]

Tags: CardSystems Solutions Inc. Spyware





RADIUS: The AAA Server

Thursday 3 April 2008 @ 2:42 pm

According to Convery, S. (2007) [1]: “RADIUS was developed by Livingston Enterprises (now part of Alcatel-Lucent) in the early 1990s, became an Internet standard through the IETF in 1997, and today is the most widely accepted AAA protocol.

Another widely adopted AAA protocol, which predates RADIUS as an RFC by four years, is the Terminal Access Controller Access Control System (TACACS). Though never an Internet standard, TACACS evolved into XTACACS and then TACACS+, the latter of which is the only version of TACACS in use today.”

A RADIUS server is one of the most popular remote access technology components. Its main functions are to:

  • consolidate the login requests received from the remote network authenticator(s) within an organization,
  • verify the eligibility of the remote user’s right to access inside the corporate network, and
  • authenticate the user per the agreed-upon authentication methods.

The acronym AAA stands for Authentication, Authorization, and Accounting. The authentication process performs verification of a remote user’s identity, the authorization process determines what a remote user is allowed to do on the network, and the accounting process logs the user’s activities in relation to network access.  These actions are activities the RADIUS server performs with other network remote access components within a corporate network environment.

RFC 2865 [2] describes in detail the authentication methods and the packet format of the RADIUS protocol, and RFC 2866 [3] describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. It should be noted that RFC 2866 does not specify an Internet standard of any kind.

TACACS+ (Terminal Access Controller Access-Control System Plus) is another popular protocol that provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. The main difference between the two is that TACACS+ separates authentication from authorization, whereas RADIUS combines the two operations in a single exchange with the server. Also, TACACS+ uses TCP to communicate, while RADIUS uses UDP. (Source: Wikipedia.org) [4]

[1] Convery, S. (2007), Network Authentication, Authorization, and Accounting: Part One, The Internet Protocol Journal, Volume 10, No. 1, Available from: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-1/101_aaa-part1.html [Accessed 31 March 2008]

[2] Rigney, C. Ed. (2000) Request for Comments: 2865, Network Working Group, Available from: http://rfc.net/rfc2865.html [Accessed 31 March 2008]

[3] Rigney, C. (2000) Request for Comments: 2866, Network Working Group, Available from: http://rfc.net/rfc2866.html [Accessed 31 March 2008]

[4] Wikipedia, the free encyclopedia (2008) TACACS+, Available from: http://en.wikipedia.org/wiki/TACACS%2B [Accessed 31 March 2008]




