BestInternetSecurity.net

Information Security Resources


Archive for July, 2008



How Does a Password Cracker Work? And how to avoid your password being cracked by a password cracker

Friday 25 July 2008 @ 6:38 pm

A Password Cracker is a piece of software that attempts to break into a system by trying many different user names and passwords.

A Password Cracker uses one of two methods of attack to break into your account.

The first method is the Brute Force Attack. In this type of attack, the software generates every possible combination of words, letters, or even symbols and tries each one against your account. The longer the password, the longer it takes to break into the system. However, since computers get faster every year (according to Moore’s law, computer speed doubles every 18 months), the time needed to break a password of any given length is cut in half every 1.5 years.

The second method is the Dictionary Attack. This is a cleverer method in which the attacker uses a pool of words, such as names and common vocabulary, and tries various combinations of them to crack the system. The pool of candidates to try is much smaller than in a Brute Force Attack, because letters and numbers are combined only in the confined ways that real words allow. Word lists are very easy to obtain: a Google search for the phrase “word list” turns up many databases available on the web.
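As an added illustration (not part of the original post), here is a small Python checker that looks at a candidate password the way the two attacks above would: it estimates the brute-force keyspace, applies the post’s halving-every-18-months assumption to the time needed to search it, and tests whether a dictionary attack over a constructed word list (digits or symbols tacked on the ends, leet-style spellings, two words joined) would recover it. The word list, the 60-bit threshold and the guesses-per-second figure are assumptions made for the example.

```python
import math

# Constructed mini word list standing in for the "word list" databases the post
# mentions; a real checker would load a large list from a file.
WORD_LIST = {"password", "letmein", "dragon", "summer", "monday", "london",
             "alice", "bob", "qwerty", "welcome"}
# Substitutions a dictionary attack tries when "mangling" words (0 for o, etc.).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})

def charset_size(pw):
    """Alphabet a brute-force attack must cover for this password."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # printable ASCII symbols
    return size

def brute_force_bits(pw):
    """log2 of the brute-force keyspace (charset ^ length)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def seconds_to_brute_force(bits, guesses_per_sec=1e9, years_from_now=0.0):
    """Time for a full search, with the post's Moore's-law assumption that
    attacker speed doubles every 18 months (1e9 guesses/s is an assumption)."""
    speed = guesses_per_sec * 2 ** (years_from_now / 1.5)
    return 2 ** bits / speed

def dictionary_hit(pw):
    """Word(s) a dictionary attack would recover, or None. Covers the patterns the
    post describes: a word with digits/symbols added at the ends, leet spellings,
    and two list words joined together."""
    core = pw.lower().strip("0123456789!#%^&*()._-").translate(LEET)
    if core in WORD_LIST:
        return (core,)
    for i in range(1, len(core)):
        if core[:i] in WORD_LIST and core[i:] in WORD_LIST:
            return (core[:i], core[i:])
    return None

def assess(pw, min_bits=60):
    """Defender's check: dictionary-derived passwords fail regardless of length;
    otherwise require enough brute-force keyspace. Returns (verdict, bits, hit)."""
    hit = dictionary_hit(pw)
    bits = brute_force_bits(pw)
    if hit:
        return "weak", bits, hit
    return ("ok" if bits >= min_bits else "weak"), bits, None
```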

Originally, I’d planned to write a summary of tactics you can use to choose passwords that are easy to memorize but at the same time difficult to crack. But then I accidentally stumbled upon a page that does this nicely. In the interest of not reinventing the wheel, here is the link to that page:

http://www.wikihow.com/Remember-Your-Password

Enjoy, and if you have other innovative ways to remember difficult passwords, let me know.

Tags: password management, password generation methods, how to craft a password





Authentication, Authorization, and Identification – The three pillars of Access Control

Monday 21 July 2008 @ 8:38 pm

I wrote this article because I need to talk about this topic to a group of local bank executives. What I have in mind is how to get them to understand the subtle differences between these three terms using illustrations from our daily lives.

For this reason, I picked up a number of books to read. Indeed, I have to give credit to the book Beyond Fear by Bruce Schneier, which offers a number of analogies for these terms in chapter 13.

I hope writing this article helps clarify my explanation of the key concepts behind these three terms.

To start, let’s use some simple ideas to describe these three terms:

Identification: Who are you?

Authentication: Prove it!

Authorization: Okay, you are allowed to do these things because we have successfully authenticated you (proved you are who you say you are).

Let’s look at an example to illustrate this. Suppose you take your passport (containing your photo and signature) and go through an immigration counter to get into a country. The immigration officer asks who you are, and you reply politely with your name. This is the step of Identification. The officer then verifies your identity by looking at your photo, and may check your signature on your immigration form against the one in your passport. After this process, hopefully you are authenticated by him as the genuine holder of the passport you have shown. This is the step of Authentication. Then the officer checks your country of origin and whether you need, and have, a visa, which shows that you are authorized to enter the country. This is the step of Authorization.

In an Access Control system, these three steps are crucial since they control whether a person is authorized to gain access to a particular area of the system. This is essentially a Prevention Control.

In his book, Schneier uses another interesting example: the London Underground ticket system. A passenger can purchase a monthly ticket with unlimited travel for a month. This ticket (the authorization) has no authentication capability on its own. The passenger must also carry a photo card (which is permanent) bearing a unique number, which is used for authentication. That unique number has to be written on the monthly ticket the passenger purchases for the ticket to be valid. Together, these two items form an authentication-and-authorization system. Note that there is no serious identification element in this system (though you can write your name on the ticket beside the photo card number), since no one checks your ID to verify that you really own the name shown on the photo card. The London Underground only cares about preventing two people from sharing the same monthly ticket, and your photo card is already an effective tool to prevent this (unless you have a look-alike or a twin, in which case you can ride at half price!). The ticket itself is sufficient to serve the purpose of authorization.

However, in an IT system we need a full identification step, because we need that information to complete the entire authorization process (just as in the earlier example of using a passport to enter a country).

We also need to track users’ activities in the system for the purpose of keeping an Audit Trail (a kind of security detection control). Without a good identification element we can still analyze the system log to uncover abnormal user activities, such as a user exceeding their limit on access to certain network resources, but we will have a hard time following up without knowing the identity of the user.

In this way, the three-step process of identification, authentication, and authorization serves as both the prevention and the detection access control for an IT system.
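Here is an added Python sketch (not from the original article) of the three steps in the order described, followed by the audit-trail point: every audit record is keyed to the identified user, so the log can be mined for abnormal activity and then followed up. The user directory, the password, the rights and the two-failure threshold are constructed for the example.

```python
import hashlib
import hmac
import time

def _hash(password, salt):
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user directory: identity -> credential hash and granted rights.
_SALT = b"constructed-salt-for-alice"
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT),
              "rights": {"view_balance", "transfer"}},
}
AUDIT_LOG = []   # (timestamp, identity, requested action, outcome)

def identify(claimed_name):
    """Who are you? Accept the claim only if it names a known identity."""
    return claimed_name if claimed_name in USERS else None

def authenticate(name, password):
    """Prove it! Compare the offered password against the stored salted hash."""
    rec = USERS[name]
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

def authorize(name, action):
    """Is this authenticated identity allowed to do that?"""
    return action in USERS[name]["rights"]

def access(claimed_name, password, action):
    """Run the three steps in order; every outcome is logged under the identity
    (or the claimed name) so the audit trail can be followed up."""
    name = identify(claimed_name)
    if name is None:
        AUDIT_LOG.append((time.time(), claimed_name, action, "unknown identity"))
        return False
    if not authenticate(name, password):
        AUDIT_LOG.append((time.time(), name, action, "authentication failed"))
        return False
    allowed = authorize(name, action)
    AUDIT_LOG.append((time.time(), name, action,
                      "allowed" if allowed else "not authorized"))
    return allowed

def suspicious_users(threshold):
    """Detection control: identities with at least `threshold` refused attempts."""
    counts = {}
    for _, name, _, outcome in AUDIT_LOG:
        if outcome != "allowed":
            counts[name] = counts.get(name, 0) + 1
    return {n for n, c in counts.items() if c >= threshold}
```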

Tags: Access Control System





Firewall: The Realization of a Company’s Internet and Network Access Policy

Wednesday 2 July 2008 @ 5:10 pm

The original definition of a firewall is: “a partition made of fireproof material to prevent the spread of a fire from one part of a building or ship to another or to isolate an engine compartment, as on a plane, automobile, etc.” [1] Today, in the computer world, the term refers to any piece of hardware or software used to protect a private network from network attacks coming from external networks. It acts as a gatekeeper that keeps hackers from reaching the internal network, protecting your crucial network resources from being compromised.

Many people know what a firewall does, but few understand that a firewall needs careful configuration before it can start protecting your network.

I still remember, more than 10 years ago, visiting clients to talk about the security configuration of their networks; many were proud to tell me that they had firewalls installed to protect their network. (At that time, a firewall was considered advanced networking equipment!) But when I logged into their administration menus to check their firewall policies, there were none! They didn’t know that they needed to “configure” their firewall before it would function properly.

A firewall is actually the deployment tool used to carry out your network access policy. The network access policy refers to organizational management’s intentions regarding the network access rules for both internal employees and external visitors. Without properly configured firewall rules, a firewall’s existence is meaningless.

Take a packet-filtering firewall as an example. It works at the Network and Transport Layers (IP and TCP/UDP). It applies its filtering rules by examining the source and destination ports (Transport Layer) and the source and destination IP addresses (IP Layer) of each packet to decide whether to let that packet into or out of your network.

For example, if your company does not allow internal employees to access FTP servers during working hours, then you need to set up a firewall rule that blocks any access to ports 20 and 21 of remote servers during office hours. The following table illustrates a typical set of firewall access rules to achieve this:

The meanings of the columns in the above table are explained here:

  • Direction: The direction of the packet going through the firewall, either IN, OUT, or EITHER
  • Source Addr: The source address, either internal (INT) or external (EXT)
  • Dest. Addr: The destination address, either internal (INT) or external (EXT)
  • Protocol: Transport Layer packet type, either TCP or UDP
  • Source Port: The source port at the TCP layer of the sender
  • Dest. Port: The destination port at the TCP layer of the receiver
  • ACK set: The acknowledge flag at the Transport Layer of the packet, either SET (Y) or DOES-NOT-MATTER (Any)
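To make the rule table concrete, here is an added Python example (not from the original post) that evaluates packets against rules with exactly the seven columns described above, plus an action column and an office-hours flag, which are my additions. The rule set is constructed to block FTP (ports 20 and 21) during office hours, and the ACK-set column is used to admit only inbound packets that belong to connections started from inside; rules are evaluated top to bottom and the first match wins.

```python
from collections import namedtuple

ANY = "ANY"

# One row of the rule table: the seven columns from the post (direction IN/OUT/
# EITHER, source and destination address INT/EXT, protocol TCP/UDP, source and
# destination port, ACK set Y/ANY) plus an action and an office-hours flag I added.
Rule = namedtuple("Rule", "direction src_addr dst_addr protocol src_port dst_port "
                          "ack_set action office_hours_only", defaults=[False])
# A packet as the filter sees it; hour is the local hour (0-23) of arrival.
Packet = namedtuple("Packet", "direction src_addr dst_addr protocol src_port "
                              "dst_port ack hour")

def _ok(rule_value, packet_value):
    return rule_value == ANY or rule_value == packet_value

def rule_matches(rule, pkt):
    if rule.office_hours_only and not 9 <= pkt.hour < 18:
        return False
    return (rule.direction in ("EITHER", pkt.direction)
            and _ok(rule.src_addr, pkt.src_addr) and _ok(rule.dst_addr, pkt.dst_addr)
            and _ok(rule.protocol, pkt.protocol) and _ok(rule.src_port, pkt.src_port)
            and _ok(rule.dst_port, pkt.dst_port) and (rule.ack_set == ANY or pkt.ack))

# Constructed rule set (first match wins), modelled on the table described above.
RULES = [
    # Office hours: no FTP control (21) or data (20) connections to outside servers.
    Rule("OUT", "INT", "EXT", "TCP", ANY, 21, ANY, "BLOCK", True),
    Rule("OUT", "INT", "EXT", "TCP", ANY, 20, ANY, "BLOCK", True),
    # Active-mode FTP opens the data connection from the server's port 20.
    Rule("IN", "EXT", "INT", "TCP", 20, ANY, ANY, "BLOCK", True),
    # Inbound TCP only with ACK set, i.e. replies to connections an internal host
    # started; a bare SYN from outside falls through to the BLOCK rule after it.
    Rule("IN", "EXT", "INT", "TCP", ANY, ANY, "Y", "ALLOW"),
    Rule("IN", "EXT", "INT", "TCP", ANY, ANY, ANY, "BLOCK"),
    Rule("EITHER", ANY, ANY, ANY, ANY, ANY, ANY, "ALLOW"),
]

def filter_packet(pkt, rules=RULES):
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "BLOCK"  # default deny if no rule matched

if __name__ == "__main__":
    ftp = Packet("OUT", "INT", "EXT", "TCP", 40000, 21, False, 11)
    print(filter_packet(ftp), filter_packet(ftp._replace(hour=20)))
```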

There are many cases where packet-filtering rules do not work. For example, if you want to block users’ access to particular remote web-based email services, chances are you will not be able to control this by blocking certain designated IP addresses (entered as the Destination Address in the packet-filtering table above), since some web-based services are spread over more than one server with varying IP addresses and thus cannot be shut out by a fixed set of IP addresses. In this case, you need the firewall to work at a higher layer.

A firewall working at a higher layer provides more refined control over network access. In the previous example, an application-level firewall can screen the URLs of web-based email access, such as www.hotmail.com for Microsoft’s email service, and refuse to let them pass through.

An application-level firewall can even zoom into the details of the application data passing through, such as the authentication information, application types, and other information, to decide whether to allow a particular network connection to continue. It can even carry out a detailed inspection of the users’ data going through.

A proxy server is one kind of application-level firewall. I’m sure you have heard of this type of server being used in your own or some other company’s network. It is a popular device because it provides more control over the network traffic passing through. However, it also requires more computing power on the firewall, so its performance is slower. It also requires the client software on the internal network to be configured to go through the proxy before it can access external network resources.

No matter which type of firewall you are deploying, you need to work out the network access policy with senior management. Otherwise, you will not know what rules you need to set up in your firewall rule table. Simply put, you’ll be installing a tool that has no idea how to protect your network.

[1] firewall. (n.d.). Dictionary.com Unabridged (v 1.1). Retrieved June 18, 2008, from Dictionary.com website: http://dictionary.reference.com/browse/firewall

Tags: Packet Filtering Firewall, Application-Level Firewall
