The word Cryptography is somehow a rarely used word in the common conversations and even in some cases; some people have not even heard this word. The origin of the word Cryptography is form the combination of two Greek words kryptos, meaning “hidden” and gráphō, meaning “I write”. The main question now is that: What is the use of Cryptography?

Generally speaking, whatever done on the internet, cell phone, computers and any digital gadgets that need to be safe against unauthorized access use cryptography. Just to give a simple example, let’s have a brief review to what most people do in their daily life with their computer: assume Alice turns on her PC and just when her operating system loaded, she is asked to enter the login password, which she already has set to prevent others from accessing her private data, this password in fact is used to encrypt some data and secure the drives and files inside the hard disk and provide Security for Alice. The act of encryption or coding data is one of the main aspects of cryptography and the person who designs a cryptographic system is called the cryptographist which I believe in an Artist.

Then she (Alice) opens the web browser and tries logging in, into her email; there are a huge amount of cryptographic operations done to bring her the secure communication with the intended mail server. Then she wants to send an email to her friend Bob, the email is digitally signed so that Bob makes sure that the mail is sent from Alice and not anyone else pretending to be Alice. This story can go much further if Alice just wants to buy something from internet or control her bank account.

In fact cryptography involves all the efforts for providing secure communication and keeping secrets from unauthorized parties. Cryptography can be divided into three major branches

1.       Private Key Cryptography

2.       Public Key Cryptography

3.       Un-keyed Systems

In here I just give a very short and brief introduction to these branches and the coming articles I will give more detailed descriptions.

Most of the history of the cryptography is concentrated on Private Key Cryptography, in these systems the main goal is to code data in such a way that just the people who have the key can de-code the data. The data which is intended to be coded is called the Plain-text, and mostly is shown with the word P the coded data is called the cipher-text or the cipher, and is shown as C. The decoded data is shown with D in the formulations. There exists a key in all the Private Key Cryptography systems and the person who has the encryption and decryption machinery and the key can decrypt the cipher-text using it. Imagine Alice wants to send a message to Bob they both have the encryption and decryption machinery (in cryptography it’s assumed that everyone has access the encryption and decryption machinery and just the key is call the secret parameter).

Alice encrypts P using function E() and sends it through an insecure communication channel like blackboard in a class! Bob can read the cipher-text and uses the decryption machinery or the decryption function D() and decrypts the cipher-text.

Windows while is working generates a lot of temporary files that are stored in a special folder called TEMP and the files stay there for eternity sometimes. A person with no authorized access can see exactly what you've been doing with the computer. Sometimes you will find here some critical copies of important files. Sometimes the thief can even see which sex movies you were watching. That's not nice at all. The only advantage is the recovery of a deleted file just by going to the TEMP folder. This is the biggest security threat Windows has, even Vista has this threat, and since you can't make a huge password for Windows Log On, any person with a special software found on the Internet could easily recover Windows password and enjoy your TEMP folder and all the files inside. The solution is using Deleting the entire folder content. No, it's not dangerous, I do it regularly. If the hard disk was encrypted no one could ever see the content of it even bypassing Windows with crack software because they need either the password or the key of the algorithm.

Another example of how unsafe you are is when the thief has full access to your Internet Explorer history and passwords. If you don't use a master password you are at the mercy of any hacker and thief. The passwords are stored in the hard disk non encrypted and in .TXT extension! This is a critical security threat for beginners who don't really know how a computer works.

Private photos of you and your entire family as well as where you live. Can you imagine this information in the wrong hands? They could blackmail you or sell the information to people who are real professionals doing this.

Documents, credit cards and very sensitive information. Some people store a copy of all their documents in a digital file. In the wrong hand this would mean your ID, your Social number and Driving License and other documents available to the lucky thief.

As you can see leaving the computer and specially the hard disk non encrypted is insanity! PGP whole disk encryption is a good solution for people who want to spend some bucks in security. It's easy to use and you have full support. However is you don't want to spend any cash you can always use True Crypt which supports disk encryption as well. Just don't you ever leave your computer neither the disk non encrypted. I guarantee you that it's very easy to bypass Windows password.

How to make your easy to remember passwords less hackable (probably not a word)

A little news update if you haven't noticed.

1. Technology is growing faster and faster every year, so that means people are getting smarter and smarter. (Hackers are people too.).
2. As technology gets better, so do the programmers who create this technology and so the hackers.
3. Did you know that there are programs created just for the type passwords I mentioned above? Here are a few known hacks
   • Birthday Attack- named from a theory that out of a group of 23 people, there is a 50% chance 2 or more will share a birthday
   • Dictionary Attack - you guessed it, it uses words from the dictionary. It even has the option to append numbers. * I had a password of silver1979 after a coin I found.
4. Beware of those sites that ask TMI (Too Much Information). One site I created a account on asked those same questions that the bank asked (this draws a big red flag in my opinion). You know the questions I'm talking about. Whats your mothers maiden name? What was your first car? What high school did you attend? Keep in mind these are unrelated questions, but if this site and your bank site ask you the same questions; someone else knows those answers they can get your bank password as well!

Most sites require you to create a password with 6-8 letters. If they require stronger options, they will add a required capital letter, number, andor symbol.

Here are a few tips to keep your passwords safe and easy to remember.

I will keep these very simple, but feel free to combine any or all of them.

• Use your favorite whatever (team, name, holiday etc.) but add a number.

Ex. My favorite holiday is Independence Day (I won't share the reason) so a password for me could be 4thofJuly1994 or 7-Forth. Notice it's easy to remember and complex enough to beat an attack.

• Still use your childs name John and his year of birth. Don't do it the typical way, but like this; 19john89 or joHNjuly89. That way even in small talk you can say my password is my sons birthday. Even if someone was listening, they would still have a very hard time guessing your password.
• Capitalize any letter but the first in case sensitive passwords. I was guilty of this as well. If I had to create a password with a capital, I would just make the first letter capital of the same simple word.
• Don't use words “correctly”. As you may can tell from this article, my spelling sucks. If you spell a word wrong in your password who knows? and WHO CARES? The password is yours, not to be turned in for a grade!!! ex. PeeNuts.
• Use phrases or quotes you like; ex. Takes12know1, HapE2CU, NGodweTrust, cUl@er=see you later (I just thought of that!).
• Don't use the minimum amount of characters. Some sites have minimum password minimum lengths of 6-8 characters. In that case make your password 9 lettersdigits or more.
• Make your bank passwords different from your email passwords

Here's a short list of examples. Ask your children about funny ways to spell certain words. (I know most of you have seen the V-wireless commercial) “my BFFF Jill” Remember you want it complex, but you want to remember it also.

• cyNthia21- Combines a name with a significant day of the month
• Knock4Times- part of a phrase that was on a friends door
• 4thHourof24- time of day I was born
• SnoopPee- one of my favorite dogs. Note if you spell it incorrectly, only you will know!!
• Ih0p3Ulearned2day
• pa$$w0rds?
• A few common letternumber switches
  • One instead of L
  • Zero instead of O
  • 2 instead of "to" or "too"
  • 3 instead of E
  • 8 instead of ate
  • 4 instead of for
  • @ instead of "at" combination ex. B@ = Bat, C@ = cat, F@ = fat

The first step in every security assessment and hardening process is always to conduct an environmental survey specifically tailored towards promoting a comprehensive scenario specific awareness and understanding of the prevailing functional operating climate/environment.

One all too often overlooked aspect here is physical security. One should never forget that all security starts with the physical and only then progresses to the logical if appropriate. Without further ado here are the issues and potential solutions that merit consideration with regards to all wireless networking environments and implementation scenarios.

Fixing and Camouflage

So make sure that all of your Wireless Access Points (WAPs) are physically secured. Tie downs and camouflage are great ways to do this. Both camouflaged and secreted devices (located in suspended ceilings etc) have the added security benefit of being hidden from general view.

The old adage “out of sight out of mind” immediately springs to mind. What cannot be seen is often out of mind and therefore less likely to go walk-about. WAPs can be secreted in suspended ceilings, wiring closets or fixtures such as ornaments and planter pots. This makes for an all round far more aesthetically pleasing approach.

Signal Degradation

With respect to wireless networking physical security also entails taking such factors as environmental interference from other wireless devices and cell phones etc., electromagnetic interference (EMI) from other electronic and electrical devices such as TVs, radios and public address systems, signal attenuation, degradation and for the network's wired components such as those connecting your WAPs and wireless bridges/routers to your wired network (LAN) noise and cross-talk need to be taken into consideration.

Functional Reliability

Do not overlook the need for equipment reliability and robustness along with adequate emergency situation operating functionality. It is imperative that in the event of an emergency or catastrophe that your wireless network remains fully functional unless circumstances dictate otherwise. Communication is usually the most valuable resource in times of doubt and uncertainty. Just ask the military.

Naming, Labeling and Documentation

An appropriate secure customized naming convention complete with a fully complementary secure labeling system is a must. This is generally of higher importance for a business wireless networking environment where there may be considerable numbers of roaming network member devices than is usually the case for the home wireless network.

On top of this, wireless network physical security requires the appropriate planning to ensure ready location and identification of network devices in the event of malfunctions, failures or hacking (successful or not) especially when physical access of the equipment in question becomes necessary. Of course this will include the proper documentation detailing all physical aspects of the wireless network including device location and identification markers.

Wireless Traffic Control

Another crucial principal element of physical security for all wireless networks that rates special mention here is that of traffic control. Just as one regulates the physical ebb and flow of people on any given site through orchestrated control of transport facilities and mechanisms, the same holds true for the regulation of traffic flow and control for wireless networks.

Consider this to be very much akin to a perimeter-based site/facility security strategy that deploys multiple layers of defenses for physical site access. In networking applications firewalls can do an admirable job of regulating authenticated access; very much as a fence and guard-house does for facility perimeter security. So install one and ensure that it is correctly configured.

Physical Traffic Control Mechanisms

With regards to physical traffic control for wireless networks the majority of options will be partially implemented in hardware and partially logically. The exact mix will be situation specific. Planning and due care with device placement, the selection of transmission frequency bands and power ratings will all have a role to play.

Consider that some frequencies have better physical penetration attributes than others, while more powerful signals (higher wattage) will be propagated further and will also penetrate fixtures better. There have been documented instances of wireless network signals being detectable and of service level quality at up to 125 miles from the transmission source (the official world record distance as recorded by http://www.wifi-shootout.com).

For these reasons in a high security zone one might need to deploy more specialized WAPs set to a lower transmission power rating than usual in combination with unidirectional antennae rather than omnidirectional antennae. The additional costs of these types of units are readily justifiable in terms of the additional security levels attained.

From a fiscal standpoint it is worthy of note that this small additional cost is a onetime up front encumbrance and the financial department will love the fact that these devises are far more sturdy, reliable and in general have a longer expected mean operating life thereby reducing running costs and failure induced troubleshooting and replacement rates.

Logical Traffic Control Mechanisms

Having implemented perimeter-based access verification and validation security initiatives we may well need to implement additional logical controls and network subdivisions such as Demilitarized Zones (DMZs). DMZs for instance allow for additional network traffic control, regulation, isolation and compartmentalization.

Limiting wireless devices to specific areas/zones of a network also delivers additional benefits such as greater economy and efficiency of bandwidth usage patterns and superior levels of granular administrative capabilities and ease of use.

Wireless-Free Zones

There are also many instances where wireless networking devices along with mobile communications or entertainment devices functionality are undesirable or unwelcome. The most sensitive of these areas will be related to sensitive electronic equipment such as that found in hospital trauma, intensive care, surgical units, coronary care units and life support systems. Areas where flammable materials are handled, stored or used also qualify as wireless-free zones.

In these cases and others like them we need to monitor to ensure that within a specific perimeter wireless devices are not functional and that signal leakage from wireless enabled sectors does not leak in. Perimeter threshold detection is generally considered to be the most effective solution here.

By this I mean that metaphorically speaking a line is drawn beyond which none of the above devices will pass while still turned on. Hospitals generally paint a red line on the floor, walls and ceiling to clearly mark this threshold.

Collateral Damage

When designing and planning a wireless network remember to incorporate provisions that address physical security from the health perspective by ensuring that no possible harm, collateral damage or interference can be caused by the network, its devices and its signals. Cables for example, should be secured and out of harm's way as should WAPs.

We don't, for instance want a WAP falling onto somebody from a humane perspective as well as from a litigation avoidance perspective. Nor do we want our wireless network to cause the cardiac pacemaker of a passer-by to malfunction. Here is a case where clear, readily noticeable and unambiguous notifications (signage) are our main preventative and compliance option. I guess this is more or less a disclaimer approach really.

Not only do we need to protect and guard humans from harm caused directly or indirectly by our wireless network and its components but we need to protect our wireless network from physical harm caused by humans and/or the environment as well. It is up to us to provide for our networks physical well-being as it cannot do this for itself.

Regulatory Compliance

Regulatory compliance issues also need to be addressed at all levels and all stages of a wireless network's life cycle. Local and regional standards and regulations need to be researched and fully compliant measures implemented. Policies also need to be developed, made appropriately available to those concerned and of course implemented.

Pass-Through Point Security

Just as a physical site's physical access controls may see the implementation and installation of fences and stationing of security guards at primary access points the same can often be done with wireless networks. For example there may be the opportunity to implement search mechanisms such as the pass-through points seen at airports etc. This is one way of ensuring that unknown devices do not enter within the coverage area of your wireless network.

Unfortunately, for most businesses it is often impractical to implement this type of measure as the cost and negative customer reactions may preclude it as being overly draconian. Larger chain retailers do however, employ pass-through scanning devices but they are more attuned to the detection of theft of merchandise rather than the prevention of unauthorized wireless access.

Note however, that for areas not publicly accessible and/or where sensitive materials are stored pass-through inspection security is a viable option. Espionage is a reality that must be addressed. If not the stealing of properties then the sabotage aspect may be of appropriate weight to implement pass-through surveillance mechanisms.

Much damage has been done in the past by persons posing as service or utility personal that many facilities, especially an organization's research and development and marketing divisions as well as their datacenter have seen fit to implement the pass-through security approach.

Wireless Network Presence Detection

Although a wireless network uses an invisible to the human eye medium with the right tools it becomes very observable. Tools such as Kismet for example, have very little difficulty in detecting the presence of a wireless network. Furthermore, there is very little you can do to prevent this type of detection. After all, wireless signals are transmitted over the public domain. Fortunately however, there is a lot you can do to prevent exploitation of a wireless network after detection.

The implementation of full conversation encryption including that of authentication mechanisms and connection establishment is, as far as most would-be intruders/hackers are concerned, just too much hard work considering that there are untold numbers of easier targets to be had.

Quality of Service (QoS) Geographical Access Parameters

One should always consider geographical access and connectivity requirements and parameters in conjunction with the desired timely delivery of Quality of Service (QoS) metrics. The wireless network's ideal is to provide adequate connectivity and accessibility throughout the entire area of intended coverage (no drop-out zones) and with a specified level of Quality of Service (QoS) for said area but no more.

The Quality of Service (QoS) factor may be defined by either meeting or failing to meet specific performance metrics such as transfer rates or strength of encryption.

The geographical network confinement parameters are generally characterized and measured by the degree of signal leakage beyond a specified intended perimeter of coverage. The distance, signal strength, signal quality and degree of availability both within and beyond the designated network perimeter are the parameters that define and delineate that point at which signal leakage becomes unacceptable.

Network Monitoring and Site Surveys

In monitoring the attributes of a wireless network, tools such as Airsnort, WireShark (formerly Ethereal), NetStumbler and Kismet are your friends. Use them to conduct regular site surveys to assess signal leakage. If need be take the appropriate remedial measures to ensure compliance at all times and locations.

Some organizations even go to the extent of using signal jamming technologies to ensure that any leakage is rendered useless and piggy-backing cannot take place.

Line of Sight

Line of sight requirements need to be assessed carefully from the perspectives of both the current scenario and extrapolated into making predictions of the most likely conditions that will be prevalent at various predefined times in the future. Trees for example have a habit of growing.

So where a clear line of sight exists today the possibility that this will not be so in the future must be evaluated. In the case of trees one solution might entail lopping every other year in order to preserve said clear line of sight. No matter the terms or conditions, the establishment and implementation of a documented schedule or regime that addresses these types of issues needs to be set forth.

Conclusions

Wind, vibration, the environment in general and other factors including human interference of one form or another will all conspire to throw the most carefully designed and implemented wireless network out of alignment. Persistent cognizant vigilance must be your motto and creed.

Over the course of the next few days I will be presenting a series of articles dealing with the many and varied aspects, concerns, issues, strategies, policies, threats and countermeasures that constitute password security.

Many systems today, still rely on password only authentication. Thus, defending yourself and your organization against the ravages of breaches of password security becomes of heightened importance. Having a single point of failure/attack (the logon name/password combo) does leave one more exposed to the efforts of cybercrime.

Honesty - Being True to Yourself

If you are not going to assess your current password security status honestly then do not even bother. You will probably just waste a whole pile of blood sweat and tears on useless ineffective time consuming misdirected and most definitely misguided pies in the sky.

The type of honesty that I refer to is the kind of honesty that is so necessary to a realistic and accurate assessment of your current password security status. Assess yourself honestly. You do not have to let anyone else know the details of your dirty laundry.

So please, do yourself a favor and do this right. For, only after appraising your current password security status will you be able to identify areas of weakness that need prompt attention.

Hard Password Copies (Paper)

Maintaining a hard copy (paper) of your passwords and locking it in your desk is not as secure a practice as you might think. You cannot guarantee that nobody will attempt to break into your desk. The locks on most desks are merely a trivial inconvenience to those with a little know how.

An envelope opener and a matter of five to ten seconds tops is usually all that it takes to open the majority of desk drawers. Failing to lockup your desk compounds the crime. It may save damage to your desks lock but will do nothing to save your password hard copy.

Do not leave a hard copy of your passwords in close association and physical proximity to your computer e.g. on your desk or beside PC or monitor. It is a very bad idea. Leaving a hard copy of your logon and password details in open public view is worse. Then again, the practice of writing your logon name and password on a post-it-note and attaching the post-it-note to the PC or monitor is probably the worst of all.

Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned is one of the most pervasive issues facing security on an ongoing basis. It is no secret that over the years, post-it-notes along with other password hard copies have provided a profitable source of information to would be password attackers.

Recommended countermeasures concerning practices relating to hard copies of passwords and other authentication credentials should not be necessary since the best advice of all is that you should never maintain a hard copy of authentication details period.

Electronic, Magnetic and Optical Password Copies

While not as risky as maintaining hard copies of your authentication details considerable care needs to be taken when storing electronic, magnetic or optical copies of this information. You should always encrypt authentication data when storing it in an electronic, magnetic or optical format.

As with paper hard copies, any physical copy of any data is liable to additional risk of theft. Many thieves find it easier to steal physical objects compared to electronic objects. They may consider your PC to big to put in their pocket but CDs, USB flash drives, floppies disks and external hard drives are another matter all together.

Recommendations to help protect the electronic, magnetic and optical physical copies of your data will always begin with physical security measures such as using data vaults, lock and key and off-site storage etc. You should also only store this information in an encrypted format to increase your data protection strategies. Password locking files is also important.

Security-In-Depth

Using a security-in-depth strategy entails the implementation of more than one mechanism in your defenses. You can build defenses based around password authentication to open a channel after which you use additional passwords to gain additional access privileges.

Here is an example to illustrate the security-in-depth approach using password authentication systems. You log onto the network using one password, which in association with your logon user name will, once authenticated, allow you access to basic network assets, services and resources.

If some time later you need access to a resource requiring a higher privilege level, such as a database, you may need to supply another user name with a different password. In this way, we now have a two-tiered hierarchy of access privileges to specific resources. Still password-based but immeasurably more secure than just a one password accesses all system provides.

Now suppose you wish to gain access to sensitive information held within that database. In which case, you will need to supply another different user name and password. A third layer of password protection access has now taken place.

Your level of security has increased yet again and the best bit is that it is not going to cost you anything. Most operating systems, including Windows, Linux and Apple MAC along with specialty application software (MS Word, Open Office, security suites etc), will support this strategy natively out of the box.

A classic example of this would be your email account. Your operating system will supply the first password protected authentication level at logon. Your email service provider will require another password protected authentication when you wish to check your email.

WARNING: A word of caution however, most email password authentication processes occur unencrypted which is a very bad idea. Anybody with a “packet sniffer” utility can capture the traffic and view it in plain text at their leisure.

To overcome this you can configure more secure communications channels of use multifactor authentication systems, which I do recommend. They will be the topic of my next article.

Conclusions

NEVER disclose account information such as logon names and passwords. At all times and under all circumstances you must ensure that this type of information (authorization credentials) remains known only to your security, administration and support personal and then only on a need to know basis.

NEVER keep hard copies of passwords and other authentication details. It is a practice wrought with danger.

ALWAYS store data in an encrypted format

ALWAYS afford authentication credentials maximal protection and spare no effort in these endeavors, as they will deliver heightened levels of security across the board to your entire system/network

ALWAYS implement multiple layers of password-protected authentication. A security-in-depth approach is applicable to practically every system with a little careful planning.

Until next time when I will discuss multifactor authentication systems, enjoy!

In addition, one can become involved in the Ubuntu community. There are multiple levels to become an Ubuntero. Each of these levels confers certain rights and responsibilities. The first level is the Ubuntero (Ubuntu Activists); it does not require testimonials, recommendation, nomination, etc. One simply needs to sign the Ubuntu Code of Conduct. The Ubuntu Code of Conduct can be signed using GPG.

Here are the instructions to use GPG for emails in Gmail and becoming an Ubuntero:

1. Start Firefox
2. Go to Launchpad.
3. Register for a Launchpad Account (Use your good Gmail account (it'll make your life easier later in a few steps)- and don't use an account you would normally use for spam or online registrations- Ubuntu won't send you spam).
4. Login
5. In the top right corner it should say Logged in as [someone]. Click the [someone].
6. On the Left Column under actions click Update OpenPGP keys.
7. Now minimize Firefox and go to console.
8. In console, type gpg --gen-key (Note: You may use any good password that you wish, that should be secure)
9. Type 1 for DSA and Elgamal (default)
10. Keysize, whatever you want (1024 is fine, though the higher your number, the longer it will take to generate and it will be more secure)
11. Type 0 for key does not expire (default)
12. Type y for yes
13. Type the same name you used for your Launchpad account under Real Name
14. Type the email address you registered Launchpad with No comment (press enter key)
15. Type O for okay
16. Key will now be generated. You may want to continue using your computer and do stuff, as this will be used by GPG for random information to create your key.
17. In console, type gpg --list-keys
18. Look for the line that says something like the below: pub 1024D/ 2007-04-11
19. The key ID will be some alphanumeric characters which you will use for the next steps.
20. In console, type gpg --send-key --keyserver keyserver.ubuntu.com
21. In console, type gpg --fingerprint
22. Look for the line that says something like the blow:
23. Key fingerprint =
24. Your fingerprint will be some alphanumeric characters which you will use for the next step.
25. Select your fingerprint, right-click, copy.
26. Go back to Firefox.
27. Paste your fingerprint in the filed that says Fingerprint:
28. Press the button Import Key
29. Now you will be emailed, but the text will be encrypted to so will need to use the Firefox extension for GPG in Gmail (now you see why I said Gmail before).
30. Go to http://firegpg.tuxfamily.org/stable/firegpg.xpi in Firefox. You may need to let firegpg.tuxfamily.org install software.
31. Click the button Install Now.
32. Restart Firefox.
33. Login into Gmail and open the email.
34. In the bottom right part of the email (to the right of Reply), click the Decrypt this Email link. You will need to enter the password you chose for GPG.
35. Click the button OK.
36. Voila.
37. Now go to the link in the email and activate the key.
38. Now go back to your Launchpad account.
39. Under the left column under actions click Code of Conduct.
40. Save the file on your desktop.
41. Read the file and if you agree with what it says then proceed.
42. In terminal, type cd Desktop.
43. In terminal, type gpg --clearsign UbuntuCodeofConduct-1.0.1.txt.
44. Open the created file in a text editor and copy and paste the entire contents into the box provided on the Launchpad Code of Conducts page in Firefox.
45. Click the submit button.

If all is successful, then you are now an Ubuntero (Ubuntu Activist).