Secure Tech - The Internet Security Blog

Hackers crack Vista Activation Server

2007-02-07T01:49:00.000-08:00

Pirates have released another ingenious workaround to Vista's copy protection: a hacked copy of Microsoft's yet-to-be-released volume licencing activation server, running in VMware.

Volume Activation 2.0 is one of the more controversial features of Vista: it means that every copy of Vista has to be activated, even the Business/Enterprise volume licenced editions.

However, to make life easier for administrators, Microsoft worked in a more convenient system of in-house for en masse activation of PCs called KMS – Key Management Service.

The idea behind KMS is that you have a single PC running KMS which can then handle activation for all your Vista clients, so that they don’t have to connect back to Microsoft every single time.

The downside of KMS is that the activation is only good for 180 days, to discourage people bringing in their home systems, activating them and wandering off again.

Bearing in mind that KMS wasn’t scheduled to be released until next year, pirates have managed to get hold of KMS and produce a standalone, fully-activated KMS server called “Windows Vista Local Activation Server – MelindaGates”. Tongue-in-cheek of course…the first “cracked” version of Vista was called Vista BillGates.

Contextual Link Exchange Programs

2007-01-22T01:34:00.000-08:00

Stop exchanging reciprocal links!
If you maintain a blog or general websites. your inbound links are primarily coming from back end links pages you are probably noticing that this is becoming less and less effective. Even if the pages are based on a theme they are still not passing very much reputation since they are on pages with hundreds of links.

Start swapping contextual links.
It is much more effective to get links embedded within the context of an article or blog that is based on the same theme as your site. If you use appropriate anchor text this can greatly supplement your SEO efforts. Not only will your pages rank higher in the search engines you will also be building residual traffic from the content pages linking to you.
This is really common sense. If you place yourself in the shoes of the people who are visiting your contextual partners site would you be more likely to be interested in a page linked from the article you are reading or to a page within their link exchange directory? I don’t know about you but I often visit pages linked to from articles. I also stay away from back end directories like they are a pit filled with poisonous snakes.

So how do you kick the reciprocal habit?
You could simply search for related articles and contact webmasters with contextual exchange proposals. This method is a little tedious. It works but it is not always time efficient. Many webmasters prefer simple directory submission.
Another, more efficient, option is to join the V7 Contextual Link Network. Contextual Links @ V7N provides the perfect link - the ideal link - by design. The link is no longer a matter of happenstance, random haphazard or something to be left to divine intervention. The perfect link is now a commodity.

Conclusions

Websites building perpetual traffic as opposed to disposable traffic are much more likely to sustain themselves. Writing web content is an excellent way to build passive income. An article can potentially pull visitors from search engines for years. In my opinion self sustaining websites or pages are the basis for building larger and larger income streams.

Webmasters have the option to display additional ads to increase the EPM. Although this may have short term benefits it can damaging in the long term. If the end user is dissatisfied with the number of ads on the site they may not return in spite of the quality of content. This is what I call “disposable traffic“.

Afterall, you could always hit up Google and search for your site topic and look out for sites providing targeted links. ;)

$12,000 for a serious Vista or IE 7 bug

2007-01-20T13:41:00.000-08:00

Bug hunters of the world, VeriSign's iDefense has an updated bug bounty challenge for you.

For the current quarter, the company will pay $8,000 for a security vulnerability that lets an attacker remotely gain control over a computer running Microsoft's Windows Vista or Internet Explorer 7, the company said on its Web site. iDefense will pay for a maximum of six vulnerabilities, if more are reported only the first six will qualify, it said.

In addition to the $8,000 award for the submitted vulnerability, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability, the company said.

Internet Explorer 7 is the latest version of Microsoft's widely used Web browser and Vista is the newest release of its operating system. Microsoft has promoted both as its best work yet in terms of browser and operating system security.

The "quarterly hacking challenge" is part of iDefense's existing bug bounty program. The company started the challenges last year. Previous ones focused on Microsoft software in general, databases, Web browsers and instant message applications. The typical bounty has always been $10,000.

A few companies offer monetary rewards for pinpointing software vulnerabilities. These are mostly security companies that pay for flaws found in other companies' software products. The payouts are used to gain a competitive edge over rivals by having their security products recognize more vulnerabilities. The security companies typically report the issues to the applicable vendors so a patch can be produced.

Flaw finders could also sell vulnerability information to cybercrooks on underground online markets.

Microsoft doesn't agree with paying for vulnerability details, the company has said. Instead, the company works with security research and security software companies.

Posted by Joris Evers

Criminals Loved Password Stealers In 2006

2007-01-01T07:33:00.000-08:00

A lot of the spam that crawled into inboxes all over the world arrived with one mission - trick the person into dropping a password stealing program onto the system.

Criminals Loved Password Stealers In 2006

Once in place, the majority of those password stealers looked for a specific category of logins. Bank and financial institution passwords offered the criminal spammers the greatest potential for a payoff, so the programs they created looked for those.

Password stealers became much more numerous in 2006. Researcher Francois Paget at McAfee blogged how such programs increased by 240 percent for 2006.

The majority of those password stealers, about 62 percent of the group, sought out financial information. Gamers should be wary of them as well, as Paget noted 18 percent of these programs targeted logins for MMORPGs like World of Warcraft.

A smaller number, 10 percent, sought out social networking and instant messaging login information. That could indicate a belief that many people tend to use the same login information to access other, more lucrative sites, making a theft of such details key to accessing other websites.

Spam has been the vector for criminal activities like these, but as new technologies gain mainstream usage, the attacks shift as well. One password stealer dubbed PWS-JO was discovered recently traveling across Skype's VoIP network.

That password stealer also had the capability to connect to a remote site and bring in additional components. However, McAfee said in its description of the program that the particular site no longer appears to be accessible.

During 2006, McAfee observed the number of password stealers jump from 5,000 to 12,000. That can only increase over time.

PHP security under scrutiny

2007-01-01T07:31:00.000-08:00

PHP = pretty hard to protect?

A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based web applications.

A search of the database, maintained by the National Institute of Standards and Technology (NIST), found that web applications written in PHP likely account for 43 per cent of the security issues found so far in 2006, up from 29 per cent in 2005. While flaws in the language itself account for a very small percentage the total, the problems with PHP underscore the difficulty that developers - many of them amateurs - have in locking down applications written in the language, said Peter Mell, senior computer scientist for the NIST and the program manager for the National Vulnerability Database.

"In the dynamic programming language (and) scripting realm, we certainly have a problem," Mell said. "Any time a third or more of the vulnerabilities in a given year are attributed to a single language, you know you have a problem."

The concerns come as attackers and security researchers have increasingly focused on finding flaws in web applications. Earlier this year, one researcher highlighted the upward trend in web flaws in general, and PHP in particular, when data for the first nine months of 2006 showed that vulnerabilities in web applications had taken the top three spots in a list of most common flaws. The researcher, Steven Christey, found that about 45 per cent of the vulnerabilities found as of September were either cross-site scripting flaws, database injection bugs, or PHP file inclusion vulnerabilities.

At the heart of the debate is the popular language, PHP - an acronym that originally stood for Personal Home Page tools when it was a small project created by Rasmus Lerdorf in 1994. Two Israeli developers, Zeev Suraski and Andi Gutmans, rewrote the language parser in 1997 and changed the name to PHP: Hypertext Preprocessor, adopting the recursive naming convention historically used by some Unix programs. The language is now used by websites hosted on nearly 20 million domains and 1.3 million IP addresses, according to data collected by Internet monitoring service Netcraft for its October 2006 survey.

The popular dynamic web programming language came under scrutiny last week after a longtime developer, Stefan Esser, left the PHP Group's internal security team, criticising its members for not responding quickly to security issues. Members of the PHP Group fired back at Esser, stating his reasons for leaving were less about security and more about not working together with the team.

Esser quit the PHP security team on 9 December, after a rocky relationship with the group, but claimed that security issues constituted his main reason for leaving.

"The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile," Esser wrote in his blog. "The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user, but the moment you criticise the security of PHP itself you become persona non grata."

Esser promised to publicly release more advisories on the security holes he finds in PHP and will not hold back, even if there is not a patch available for the problem, he said. Esser did not respond to requests for comment from SecurityFocus.

The PHP Group and Zend, the company founded by the two original Israeli developers that rewrote PHP in the mid-1990s, have disputed Esser's version of events.

"I do not believe the main reason for his disengagement has to do with the way we deal with security issues, but the way he interacted with other people on the team," said Zeev Suraski, co-chief technology officer for Zend. Suraski also stressed that the PHP Group has looked for ways of making web applications written in the language more secure, in spite of less security-savvy developers. The move away from making a set of global variables accessible by PHP scripts, for example, attempted to make the language more foolproof, he said. It also took more effort to develop than to create version 5.0 of the language, Suraski said.

"We have shown in the past that we are willing to change defaults and sometimes to remove features, just to make it more difficult for developers to make security mistakes," Suraski said.

Yet, mistakes are still being made and in record numbers.

A search of the National Vulnerability Database revealed that, as of 15 December, out of the 6,198 vulnerabilities recorded in 2006, as many as 2,690 - or 43 per cent - had the word "PHP" in the description. A random sampling of the flagged flaws showed that the search appeared to only reveal issues in PHP applications. A search of the database using "PHP" as a vendor flagged some 84 vulnerabilities for 2006 (including in optional components of the language, such as PEAR), while a search using "PHP" as the product returned 33 bug, ostensibly in the core functions.

The vast numbers of bugs attributed to PHP applications is not surprising given that many amateur developers create their websites using the language, said NIST's Mell.

"I think it is tough for the general public to write secure dynamic web applications," he said. "As much as possible scripting languages for Web sites should be dummy proof. In many incidences, I, a security professional, wondered how to code some bit securely. I wanted to, but how to do it was not immediately obvious."

Flaws in PHP applications have caused headaches for many webmasters. A year ago, the Lupper worm spread among vulnerable applications that used the PHP extensions for extensible markup language (XML), or RPC-XML. Other worms have utilised flaws in popular PHP bulletin board programs as well.

Continuing to educate PHP developers on the latest techniques to secure their applications is extremely important, said Chris Shiflett, a manager in the web application security practice at OmniTI and author of O'Reilly's Essential PHP Security.

"To say PHP has a security problem suggests that it's impossible to develop a secure PHP application, but to say PHP doesn't have a security problem suggests that everything is perfect - neither is true," Shiflett said. "Web application security is a rapidly evolving discipline, and it's difficult for the average developer to keep up with the pace."

Developers need to start thinking about security as soon as start designing their applications, he said. Moreover, the focus on securing code needs to continue throughout the life of the website, he added.

"Over time, web application security should start to mature just as other security disciplines have, but that only means the pace of evolution will slow down, not stop," Shiflett said. This article originally appeared in Security Focus.

Bots, breaches and bugs plague 2006

2007-01-01T07:27:00.000-08:00

Online fraudsters, big-time spammers and computer intruders had little problem finding security holes to exploit in 2006.

“ Cybercrime and the criminals behind malware are getting more and more organized. They can afford to hire professionals, and it is becoming a business for many people. ”
Karel Obluk, chief technology officer, Grisoft

Whether the openings came from user ignorance or poor judgment, a software maker's error or misconfiguration, the profiteers of the Internet had a banner year turning the security mistakes of others into money.

Signs of the trend are obvious. The number of phishing sites used by online fraudsters jumped more than eight-fold year over year, according to the Antiphishing Working Group. The number of denial-of-service attacks doubled between January and June, according to Symantec, the owner of SecurityFocus. And, mail service provider MessageLabs intercepted, on average, one targeted Trojan horse attack every day in 2006, up from one a week in 2005.

If there is a lesson in 2006, it's that cybercrime is a booming business.

"Cybercrime and the criminals behind malware are getting more and more organized," Karel Obluk, chief technology officer for antivirus firm Grisoft, told SecurityFocus. "They can afford to hire professionals, and it is becoming a business for many people."

The trend is quickly making the defacto term for such code--malicious software or malware--a misnomer. The virus writers and spyware coders are not creating the code for malicious reasons but to make money illegally, making the term coined by antivirus firms--crimeware--more appropriate.

For example, spammers are using bot nets--large numbers of compromised computers controlled by a single person--to help them send a greater volume of messages. The development has increased the global volume of spam by at least a third in the last six months, according to Symantec, though other firms put the increase as high as 450 percent.

When one firm, Blue Security, claimed to have impacted the operations of major spammers, one bulk e-mailer decided to take on the Israeli company. A sustained denial-of-service attack took down the company's Web site, domain registrar and blog site. The company eventually capitulated and closed its doors.

"This is their primary form of employment now--it's a 9-to-5 job," Oliver Friedrichs, senior director for Symantec Security Response, said in a recent interview. "They are not doing it on weekends, and they are not doing it during the summer months."

Other cybercriminals are taking a more personal approach: Hijacking people's stock accounts and using the access to drive up the price of certain thinly-traded penny stocks has also become popular. Details of one scheme appeared in the court papers filed by the U.S. Securities and Exchange Commission (SEC) in support of a civil action against one apparent stock scammers. A Russian national allegedly used a company registered in Belize and based in Estonia to execute trades in stock whose prices had been manipulated by compromised accounts.

Such attacks are not isolated incidents. Account intrusion has resulted in $22 million in losses in the third quarter alone for two U.S. financial firms. TD Ameritrade posted $4 million in losses in their third quarter to account for replacing the funds customers lost due to account hijacking. E*Trade Financial reported that online identity theft by hackers cost them $18 million in the same period.

Identity theft, of course, continued to be a major worry in 2006. Because of data breach disclosure laws that have passed in the majority of states, companies, government agencies and schools regularly released details of significant data leaks.

In May, the Department of Veterans Affairs revealed that the names, social security numbers and birth dates of nearly 26.5 million veterans had been stored on a laptop and external hard drive that were stolen from an employee's home. The laptop and hard drive were later recovered, but the incident resulted in the federal government tightening data handling and laptop security rules.

Both the University of California, Los Angeles and the University of Texas at Austin reported major breaches this year affecting hundreds of thousands of students.

In total, more than 48 million personal records were exposed in 2006, according to the Data Loss Archive and Database maintained by Attrition.org

Firefox update guards against critical flaws

2007-01-01T07:26:00.000-08:00

Patch issued, calamity averted

By John Leyden

Firefox users need to upgrade their browsers following the discovery of multiple security vulnerabilities.

The flaws affect both Firefox 1.x and the latest Firefox 2.0.x releases. Surfers need to upgrade to version 1.5.0.9 or 2.0.0.1 of the browser, respectively. Users also need to upgrade to a new version of the Mozilla email client, Thunderbird 1.5.0.9, for similar reasons.

The nine security bugs (reported by various security researchers) create a means for hackers to swipe sensitive information, run cross-site scripting attacks, or gain control of vulnerable systems, security notification firm Secunia reports.

The bugs involve flaws in Firefox's JavaScript engine, the feed preview feature of Firefox 2.0, Scalable Vector Graphics (SVG) processing code, and various buffer overflow flaws in other components of the browser software, as explained in greater detail here. ®

Locking Down Ubuntu - Firewalls

2007-01-01T07:19:00.000-08:00

The best way to protect yourself from attackers on the Internet is to disconnect yourself from the Internet. The next best way is to install a firewall, which is like a lock on a door to a room inside of a building. It allows only authorized programs and protocols to open the door between your computer and the Internet. It also locks the door from the outside, keeping people and programs from opening the "door", walking in, and harming your computer. A firewall uses filters that either allow or prevent programs from sending or receiving data. If there is protocol with a security hole in your computer, you can configure the firewall to block all incoming connections to that protocol until the hole is fixed.

Although both Ubuntu and Kubuntu are fairly secure--they do not leave any ports open by default--it is always a good idea to install a firewall. Since firewalls are important to making a computer more secure, two firewalls are evaluated in this article: Firestarter and Guarddog. Each has strengths and weaknesses, both in the GUIs(Graphical User Interface) and the way they run, so it is a matter of personal preference. Both of them work on any official Ubuntu distribution or other popular Linux distributions (such as SUSE or Fedora Core). The following instructions will show you how to set up Firestarter for Ubuntu and Guard dog for Kubuntu, but they work just fine vice versa. Even though the firewalls are different, there are some firewall security principles that apply to any firewall and operating system. All firewalls either white-list or blacklist IP addresses (Internet Protocol address) and protocols. A white-list isan explicit list of protocols and IP addresses that the firewall lets pass through. A blacklist is the exact opposite of a white-list: it is an explicit list of protocols and IP addresses that the firewall will block.

There are some common protocols that you will either want to white-list not want to blacklist. They are:

Http/Https(Common web site protocol)

Ftp, (A file transfer protocol. Many web sites use this to upload and download files)

Smpt(An email sending protocol)

Pop3(An email receiving protocol)

(A list of more ports can be found at:http://www.chebucto.ns.ca/~rakerman/port-table.html)

Allow the firewall to permit only the few protocols and/or IP addresses that you will be using. If you don't recognize a protocol, block it. You can unblock any protocol later when you have a need for it.

Firestarter(For Ubuntu)

Firestarter(based on the GTK GUI toolkit) focuses on simplicity. Firestarter allows the white-listing of good connections; it blocks all connections from the start, both incoming and outgoing. After you have installed Firestarter, go to Applications -- System Tools-- Firestarter to start it. You should see a blue icon appearing your system tray. The first time you run Firestarter, a wizard is automatically launched. If you need to return to the wizard later,you can access it from the Firewall menu. All of the choices that you make in the wizard can be changed by going to Edit --Preferences.

Click on the Policy tab to get started. You will see a drop down menu next to the word Editing. Click on it and select the Outbound traffic policy. Now make sure the radio button that saysRestrictive by default, causing the firewall to block all traffic that is not white-listed. This will make your computer very secure by only allowing a few programs to open the "door".

The next step is to tell Firestarter what protocols you don't want to lock down. Right click on the Allow Service Portand For tables. Click on Add Rule, select a name from the drop down menu, or enter your own protocol name and port. You have the option to allow any computer on the Internet or network, the firewall host (your computer), or IP address (a specific computer Internet Protocol address on the Internet or your network).Select the appropriate source and click Add. Do this for any protocol you want to use (such as email, web, etc). You can use this same process to allow incoming connections (click on Incoming traffic policy next to the word Editing instead ofOutgoing traffic policy).

(Insert firestarter.jpg here)

When Firestarter blocks a connection, the icon in the system tray turns red. If you are having trouble with either connecting to another computer or browsing the web, click on the red icon and then click onthe Events tab. This will show you what protocol(s)Firestarter has blocked and you can now white-list the protocol if you need to use it.

If you notice that Firestarter blocks a particular computer's IP and you recognize it (as it may be a family member or colleague's computer),add the IP to the Allow connections from host table under the appropriate outgoing or incoming policies.

Guarddog(For Kubuntu)

Guarddog(which uses Qt for it GUI toolkit) differs from Firestarter because it lets you configure a firewall for numerous networks such as the Internet, your local computer, and your Local Area Network. The advantage of using Guarddog is that you can configure a firewall for as many different networks as you want. To configure Guarddog, go to Kmenu -- System -- Guarddog.Enter your password to continue. After you enter your password, click on the Protocol tab and select on the the "zone"(what Guarddog calls the configurations for different networks) that you would like to configure. On the right you will notice the Zone Properties tree. Click on the tree category that you would like to configure (such as Chat)and it will expand, revealing several common protocols. Guarddog automatically blocks every protocol by default so you will have to white-list the protocols you'd like the firewall to accept, and blacklist the protocols you'd like the firewall to outright reject.You should click on the Network tree and enable DNS andICMP Redirect if you can not browse the web.

To to add a protocol that is not in any of the trees, click on the Advancedtab and add a new protocol under User Defined Protocols to be able to enable or disable it in the Protocol tab. To block a certain IP address or domain, create a new zone and leave all the check boxes blank (to block all protocols).

If you use a router to connect to the Internet and/or are behind a NAT you should create a new zone for the Local Area Network that you belong to. You should d enable the Internet and Localzones so that you will be able to connect to the Internet and the Local zones. Now click on the Protocol tab and check to see if the new zone you have created is selected under Protocols Served from Zone. Configure the firewall to allow the protocols you need to pass through it for the Local and Internet column. By selecting the check boxes in both columns you allow your computer to use the checked protocols on your local area network (which goes to your router which is connected to the Internet).

Now move over to the Protocol tab and make sure that Protocols Served from Zone is set to your newly created zone. Check the protocols you need to enable. By turning these on for the LocalorInternetzones, you allow your computer to use the checked protocols in the new zone you created.

(Insert guarddog.png here)

When you are finished with configuring your changes, click Apply to change the settings. If your firewall keeps you from browsing theweb, or starting certain system services you can temporarily disable it until you find out what it's blocking; click on the Advancedtab, check Disable Firewall and click Apply.

Testing your firewall

To see if your firewall is doing what you want it to do you can test it athttp://www.grc.com at the Gibson Research Center. Go toShields Up or Leak Test to try out your firewall.

Summing it up

You now have a fairly secure system. It will be hard for a cracker to break into your computer, or for some other user on your computer to read sensitive data (you may want to encrypt that data to be even safer).Always remember that your computer will remain secure if you are careful and do not accidentally enable a protocol that you don't use,or copy sensitive data to a folder that anyone can read.

Locking Down Ubuntu - Getting ready

2007-01-01T07:16:00.000-08:00

Security is an important issue in computing. Unfortunately, many computers allow a cracker to gain access to them and retrieve sensitive information, or just make life hard. This article will review the basics in general security and explain how to apply it to two Linux distributions--Ubuntu and Kubuntu.

Preliminaries

This article assumes that you know how to install programs on either Ubuntu or Kubuntu. It also assumes that you have some knowledge of basic computer networking principles. If you do not know how to install programs on Ubuntu, go to https://help.ubuntu.com/community/InstallingSoftware. If you do not know much about networking, go to http://www.faqs.org/docs/linux_network/x-087-2-intro.html. This article also assumes that you are using Ubuntu or Kubuntu 6.06(Dapper Drake), but the Firewall section can be adapted for any recent Linux distribution.

Downloading Security Updates

A program is only secure if it has no vulnerabilities. Even the most popular software can have a hidden one. When someone fixes the vulnerability,a new version of the program is usually released. Both Ubuntu and Kubuntu have software repositories dedicated to security updates.When a vulnerability is fixed, a package of the program is released so that you can download it. Ubuntu and Kubuntu usually enable some of their security update repositories by default, but it is always a good idea to check to see if all of them are enabled. You may also want to specify how often you want your computer to look for security updates--and even install them--while you're at it (for Ubuntu 6.06only).

If you are using Ubuntu, click on System -- Administration --Software Properties and click on the Installation Mediatab. Now scroll down until you see a repository with the wordSecurity in it. Make sure that it is checked. If it is not,click on the check box to enable it.

On Kubuntu, click on Kmenu -- System -- Adept (PackageManager). Enter your password and then click on Adept and then on Manage Repositories. Find a line that contains the words deb http://security.ubuntu.com/ubuntu. Those are security repositories. If it is grayed out, right click on the entry,select Enable, and click Apply. It is important to enable every grayed-out security repository that you can find.

Now you can configure how often you want your computer to check for new updates. With Ubuntu, click on System -- Administration --Software Properties and click on the Internet Updates tab.Check the box that is marked Check for updates automaticallyand from the drop down menu select how often you want your computer to look for updates. You can even configure Ubuntu to automatically download updates and install security updates. When there are new updates available, Ubuntu will alert you by starting Update-Manager.The Update-Manager's notification icon will appear in the system tray. Click on it to install new updates.

Kubuntu uses a program called adept_updater which appears in your system tray when new updates are available. You can click on the iconto install new updates. As of this writing, you can not configureadept_updater to install security updates automatically.

Securing the /home directories

There may be times when you want to protect your data from malicious users, but you don't want the hassle of encrypting that data. As long as no one else on your computer can log in as root, (the super administrator account) your data will be hidden from other users' eyes. To make your data safer, go to Applications -- Accessories --Terminal (on Ubuntu) or Kmenu -- System -- Konsole (onKubuntu) and type: chmod 0700 /home/your-user-name (where your-user-name is the name you use to login to your computer). You can also use this command for individual files and folders if you want to keep other users fromviewing any of your files. (For more information on securing your home directory, go to https://wiki.ubuntu.com/SecureHome).

Microsoft promises Vista security

2007-01-01T06:58:00.000-08:00

Microsoft says Vista will contain a raft of new security features

A senior Microsoft executive has promised that its new operating system will be more secure than ever.

Jean-Philippe Courtois, president of Microsoft International, said that beefing-up security was one reason behind delays to Windows Vista.

Microsoft has been criticised for flaws in previous systems that left users vulnerable to attacks by hackers.

Mr Courtois said Microsoft had done "tons of work to make Vista a fantastic experience when it comes to security".

The firm had originally aimed to launch Vista - the first major update since Windows XP was introduced five years ago - in the second half of 2006.

The new operating system will now be released to business customers "within the next few weeks" and to consumers early next year, he said.

Secure steps

Speaking in Barcelona at the European Technology Round Table Mr Courtois, the most senior Microsoft executive outside of the US, said that Windows Vista was the continuation of an ongoing effort by Microsoft to improve security across its software line-up.

"In the last 18 months, the number of vulnerabilities [in Windows' software] has been much lower," he said.

The launch of Windows Vista is certainly one of the defining moments of the company
Jean-Philippe Courtois
Microsoft

"Microsoft has raised its game in a big way on security and Windows Vista is the next big step. The company has learnt to design software which is secure by default."

Mr Courtois outlined features of Windows Vista that are designed to make it easier for users to protect themselves.

At the heart of the system will be the new Windows Security Centre which will show consumers any holes in their defences.

Vista will also feature new encryption technology designed to protect the data on a computer.

"Even if your laptop is stolen, nobody will be able to use it because it will be fully encrypted," he said.

But Jean-Philippe Courtois said users had to play their part in making computers more secure.

"You've got to make sure that your firewall is on, that you've got anti-virus protection on your PC, you've got to understand what not to do on the internet," he said. "It's just like protecting your own home."

This week the BBC set up a so-called "honeypot" computer running Windows XP without protection. The PC came under attack every 15 minutes.

But not everybody in the security software world is happy about Microsoft's plans for Vista.

Symantec, which makes Norton anti-virus software, is among many security firms warning that Vista appears designed to shut out security products made by outside firms.

However, what is clear is that the long-awaited arrival of the new operating system will be a crucial weapon in Microsoft's battle to retain its dominant position at a time when firms like Google are mounting a serious challenge.

"The launch of Windows Vista is certainly one of the defining moments of the company," admitted Jean-Philippe Courtois.

Google and child porn?

2006-05-28T00:30:00.001-07:00

Now heres a person seeking instant fame by sueing Google for distributing Child Porn . He claims that Google has profited many million dollars from child pornography. Jeffrey Toback, a member of the Nassau County Legislature said that Google had put up many paid links on its search result pages which linked to sites which distributed pornography including of minors. He also said that Google has the technology to filter out porn results from search results as it was demonstrated in China (Good point, he has).

A Google spokesman denied the allegations and said the Mountain View, Calif.-based company takes numerous steps to prevent access to child pornography.

“When we find or are made aware of any child pornography, we remove it from our products, including our search engine,” spokesman Steve Langdon said in an e-mail statement to The Associated Press. “We also report it to the appropriate law enforcement officials and fully cooperate with the law enforcement community to combat child pornography.”

Somebody please mention to Mr. Toback that if he wants he can filter out those ‘nasty’ results from the settings in Google. And I don’t get it why its just Google. What about Yahoo, MSN and millions of other search engines.

A worm that gives you headache!

2006-05-28T00:30:00.000-07:00

A new kind of worm has been creating a hell in the cyber world recently. Named as Yhoo32.explr, it transmits itself through Yahoo Instant Messenger (Yikes must be careful). After successfully installing itself it downloads its own browser without users permission. The new downloaded browser is a IE look alike. They say there is no difference except a start-up tune. To make things worse it takes users to weird sites and cannot be uninstalled the ‘normal’ way.

Thats all? Not at all. You have not seen the last of this worm. According to Information Week, it blares out some kind of guitar music played by some idiot who has never seen a guitar in his life. Information Week says that the music has chances to create headaches!

What a time. First Computer viruses just used to infect out computer. Now it directly affects us!. Heavens there is no difference between computer virus and real virus now. I am sure this is the first kind of worm that gives humans headache.

What do you think fellas? Comment you thoughts about this nuisance..

Protect the protector

2006-05-28T00:01:00.000-07:00

How could they do this to us?! Symantec’s Norton Antivirus may betray us all soon. A gigantic security hole has been found in it. Using this ‘hole’, a hacker can take control of our PC and access all the sensitive datas (if there are any in first place).

Researchers from eEye Digital Security of Aliso Viejo, Calif., discovered the vulnerability and provided evidence to Symantec engineers this week, said eEye’s chief hacking officer, Marc Maiffret. He demonstrated the attack for The Associated Press.

Maiffret’s company — which has discovered hundreds of similar flaws in other software products — also produces intrusion-protection software, called “Blink,” that he said already blocks such attacks and can operate alongside Symantec’s anti-virus products.

To those who use Norton Antivirus: Just hope that Norton release a patch to cover things up.

Linux Security Quick Reference Guide

2006-05-21T00:34:00.000-07:00

This Quick Reference Guide is intended to provide a starting point for improving the security of your system. Contained within include references to security resources around the net, tips on securing your Linux box, and general security information :-)

Download

Ten tips for managing passwords

2006-05-21T00:31:00.000-07:00

Passwords are fatally flawed, it's true, but for now they are the best option for many companies. But almost everybody could be managing them more effectively.

In all likelihood passwords will remain a problem until the very day they are replaced by technologies such as biometrics, which is the direction the industry appears to be heading. However, until that day comes, below are some tips for fostering a culture of secure and more effective password management.

1. Passwords must not be written down
If it seems incredible that we are still talking about password management at all, then it is unimaginable that we have to make this first point.

If staff are writing down their passwords, having been told why they must not do so, then the system is too complex and too much is being asked of them. Companies must strike a balance between security and usability because a failure to understand the latter can easily undermine the former.

So consider whether employees have been properly educated about the need to keep passwords secure and then consult the measures below if you need to update your password policy.

2. Passwords must be set
And you thought the first tip seemed obvious? It's staggering to hear instances where systems have been compromised because the password was still set as a default 'password' or 'changeme' or similar.

3. Require as few passwords as possible
Balance how much password protection you need with how many passwords can reasonably be managed. Identify which networks, systems and applications have the highest priority. If staff have to remember 10 passwords -- from ones guarding highly sensitive data to ones that really serve little or no purpose - they may be unable to manage all of them.

What's to say the one they write down and lose isn't the most sensitive?

4. Staff must change their passwords regularly
This limits the likelihood of old passwords, shared between colleagues in less-secure times, coming back to haunt you. It also limits the window of opportunity if passwords subsequently fall into the wrong hands.

How often they are changed must again be a balance between security and usability. If staff are required to come up with a new password every week, they will likely become confused and start writing them down. In fact longer periods between changes -- 90 days rather than 30 days for example -- can actually prove beneficial as knowing a password will have a longer lifespan makes a more complex password far more manageable and may encourage staff to give it more careful consideration.

5. Make new passwords new
When passwords are changed users must not distinguish them from a previous password by just one character. RandomW0RD1, RandomW0RD2, RandomW0RD3 becomes a pattern that is pretty easy to figure out.

6. Avoid obvious words
Passwords must be more complex than a single word which can be hacked with a dictionary attack (using software to automatically enter all the words in the dictionary as well as proper nouns). Names, addresses and other words which are easily linked back to the individual should also be blocked from use. It's alarming how many instances there are of staff using their name, their partner's name or their pet's name.

7. Think long -- but not too long
A password which consists of at least eight characters with a mix of upper case, lower case and numbers is a good start. If the minimum requirement is too long staff may be encouraged to be lazy and use repeat characters or obvious strings: ABCDEFG123456789.

However, a minimum with a reasonably high upper limit would allow staff to be creative. One suggestion is to use phrases rather than words. Certainly 'mYd0g1sCALLEDf1d0' is less likely to be guessed that 'Fido'. Again, it's a step in the right direction towards creating more secure passwords.

8. Automate password changes
The process of making staff reset and choose secure passwords must also be automated. Do not rely on staff to remember how long it has been since they last reset it, what passwords they have used in the past year or what types of words are off-policy. It's not a question of trust. It's a question of history showing us that policies are never adhered to by choice.

9. Educate staff
Ensure password policy is written into employment contracts and that all staff understand why and what that entails. Hopefully, if all other measures work, the most serious human piece of the jigsaw will be the requirement for staff not to share their password and not to write it down. Such wording should also prohibit repetition of passwords between services -- particularly between those outside and inside the enterprise. A corporate login is likely to be more sensitive than a newspaper subscription login which may be shared with friends and family.

10. Look to the future
Finally, look at long-term solutions which will eventually replace passwords -- such as biometrics and two-factor authentication. Passwords are flawed and the above tips are recommendations for how they can be more secure -- for now.

'Useful Firefox Security Extensions' by CERIAS

2006-05-16T00:08:00.000-07:00

Mozilla’s Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here’s a roundup of some of the more useful ones I’ve found.

Add n’ Edit Cookies
This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience. This extension not only shows you all the details, but lets you modify them too. You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
Dr. Web Anti-Virus Link Checker
This is an interesting idea — scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service. I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
FormFox
This extension doesn’t do a whole lot, but what it does is important — showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
FlashBlock
Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance. This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like. It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
LiveHTTPHeaders & Header Monitor
LiveHTTPHeaders is an incredibly useful too for web developers, displaying all of the header traffic between the client and server. Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar. They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
JavaScript Option
This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
NoScript
This extension is pretty smooth. Of all the addons for Firefox covered here, this is the one to get. NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with. NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the tag; and attempt to rewrite links that execute javascript to go to their intended donation without triggering the script code.
The one thing I’d really like to see from this extension would be more ganularity over what the Javascript engine can access. Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces. Also read Pascal Meunier’s take on NoScript.
QuickJava
Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1). Hopefully a new version will be available soon.
ShowIP
This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar. Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info. You can add additional web lookups if you like, as well as passing the IP to a local program. Handy stuff.
SpoofStick
The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users. It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
Tamper Data
Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions? Leave a comment and I’ll collect them in an upcoming post.

Microsoft Windows Defender beta: One easy interface

2006-05-13T03:52:00.000-07:00

Microsoft will soon be putting pressure on anti-spyware vendors to provide better performance and more valuable features. Once Microsoft releases its anti-spyware program for Windows, other vendors will have a harder sell. The software is free to legitimate owners of the Windows operating system.

We took a look at the beta version of the program, which is currently called Windows Defender and available for download here. And we were generally impressed.

The program’s interface is one of the easiest to use. Automatic scans are simple to configure, and if you have a constant Internet connection, you can also specify that the program check for updates before scanning.

The program also monitors your wireless network and alerts you if someone else is using it. It tracks and notifies you to changes in many Windows configuration settings, including TCP/IP settings, the Hosts file, Winsock Layered Service Providers and the Messenger service. In addition to scanning for spyware signatures, Windows Defender monitors more than 50 Windows and Web browser components that spyware often targets. The program also gives a detailed profile of all programs and services running on your computer.

One major limitation of Windows Defender — at least in this beta version — is that it doesn’t integrate with browsers other than Internet Explorer. If you use a different browser, you’ll still have general protection against spyware, but you won’t have nice features such as monitoring of changes to your browser. Also, note that the program’s protection against malicious ActiveX controls only works through Internet Explorer.

Also, the beta version of the software does not monitor cookies.

Finally, although Windows Defender did a great job of alerting us to suspicious behavior, the beta program failed to catch two of the key loggers we had installed on our test system. Hopefully, Microsoft will fix that weakness before releasing the program to the public.

Steps to protect yourself:

In addition to installing an anti-spyware solution, you should take several steps to protect your computer against spyware.

Be cautious about visiting Web sites and downloading software. Most spyware arrives on computers from Web sites that offer downloadable freeware or shareware. Don’t download anything from a site unless you trust it. Close any windows that pop up by using the “X” in the corner of the window instead of clicking on any buttons in the window.

Use a firewall. Firewalls can prevent hackers from directly planting spyware on your computer.

Check security settings in your Web browser. Most Web browsers allow you to prevent scripts and ActiveX applets from downloading. Browsers also let you control whether your computer stores cookies.

Update your operating system software. Spyware often exploits vulnerabilities in your operating system, so keep current with system patches to provide significant protection.

Symptoms of spyware infection:

Pop-up advertisements. If you have advertisements pop up when your browser is not running, you may have inadvertently installed adware. These pop ups cannot be prevented by pop-up blockers, which only block advertisements triggered by visiting a Web site.

Configuration changes. If your home page has been changed and you can’t change it back, you are probably the victim of a piece of hijacker spyware. Spyware may also change other configuration settings on your computer and may install toolbars to your browser or other applications.

Sluggish performance or system crashes. Spyware designers don’t put much effort into making sure their programs work efficiently. If you notice a sudden drop in performance during routine tasks or an increase in system crashes, you may have recently been infected with spyware.

Site of the moment, FirewallGuide.com

2006-05-13T03:43:00.000-07:00

FirewallGuide.com provides easy access to basic information about, and independent, third-party reviews of Internet security and privacy products for home, telecommuter, and SOHO (small office, home office) end-users. For current security news, reviews and alerts, see their Internet Security News page.

The Wild West? A personal computer connected to the Internet without a firewall can be hijacked in just a few minutes by automated hacker ''Bots''. The only way to make your computer 100% secure is to turn it off or disconnect it from the Internet. The real issue is how to make your computer 99% secure when it is connected. Not having protection is like leaving your car running with the doors unlocked and the keys in it which a thief might interpret as "please steal me". Stated another way, when was the last time you handed a stranger your wallet and encouraged them to take your social security card, drivers license, cash and credit cards? Locking a car, using a "club" or installing a security system makes stealing a car more difficult. Internet security and privacy products provide adequate protection by making it difficult for "outlaws" to take control of your computer and rip you off.

Bottom Line -- At minimum, any computer connected to the Internet needs to have all current patches to its operating system and browser installed as well as personal firewall, antivirus and anti-spyware software. A more complete solution is taking a layered approach to protect your security and privacy as follows:

First line of defense -- Choose an Internet service provider and/or an email service that offers online (server side) virus and spam email filters.
Second line of defense -- Install a wired or wireless hardware router with a built in firewall between your modem and your computer or network. Also consider using a broadband gateway offering a combination of hardware and security software.
Third line of defense -- Use a security software suite or a collection of individual software products including, at a minimum, personal firewall, anti-spyware, and anti-virus products. Also consider using anti-Trojan, anti-spam, anti-phishing, and privacy software. Please note that cost is not an issue since there is good security freeware available.

Fake MSN Feedback Request emails

2006-05-12T17:28:00.000-07:00

Shailendra Rai (v-srai@microsoft.com), more probably a fake name sent out a fake email in masses. Here's a copy of what I got yesterday:

Shailendra Rai (v-srai@microsoft.com)

To:

******@hotmail.com

Subject:

Give Feedback about the Windows Live Messenger Beta

Just give it a try, it's not getting out any secret information from you but illegally representing themselves from microsoft. Give the try, Click here.

For the first question: Are you a Microsoft employee?; Choose: Yes

This is what I got:

If you feel insecure giving out information like what you use as alternative to MSN Live, your observations, suggestions, and other information, please dont follow the survey link. It is rather suggested no one should follow the survey unless being aware of what you are doing. Oh, did I forgot? Forgot what? this -> LOL

Good Luck!

Hacker's Challenge 3 - Review at Amazon

2006-05-11T08:31:00.000-07:00

Book Description

The ultimate test of hacking skills for IT security professionals

This unique volume helps you determine if you have what it takes to keep hackers out of your network. Twenty brand-new, real-life security incidents test computer forensics and response skills--all in an entertaining and informative style. The latest security topics are covered, including phishing and pharming scams, internal corporate hacking, Cisco IOS hacks, wireless hacks,VoIP hacks,Windows, Mac OS X, UNIX/Linux, and much more!

Each challenge unfolds like a chapter from a novel and includes details of the incident—how the break-in was detected, evidence, and background such as log files and network diagrams--and is followed by a series of questions for you to solve. Detailed solutions for all the challenges are included in the second part of the book.

From the Back Cover

The stories about phishing attacks against banks are so true-to-life, it’s chilling.” --Joel Dubin, CISSP, Microsoft MVP in Security

Every day, hackers are devising new ways to break into your network. Do you have what it takes to stop them? Find out in Hacker’s Challenge 3. Inside, top-tier security experts offer 20 brand-new, real-world network security incidents to test your computer forensics and response skills. All the latest hot-button topics are covered, including phishing and pharming scams, internal corporate hacking, Cisco IOS, wireless, iSCSI storage, VoIP, Windows, Mac OS X, and UNIX/Linux hacks, and much more. Each challenge includes a detailed explanation of the incident--how the break-in was detected, evidence and clues, technical background such as log files and network maps, and a series of questions for you to solve. In Part II, you’ll get a detailed analysis of how the experts solved each incident.

Exerpt from “Big Bait, Big Phish”:

The Challenge: “Could you find out what’s going on with the gobi web server? Customer order e-mails aren’t being sent out, and the thing’s chugging under a big load…” Rob e-mailed the development team reminding them not to send marketing e-mails from the gobi web server…. “Customer service is worried about some issue with tons of disputed false orders….” Rob noticed a suspicious pattern with the “false” orders: they were all being delivered to the same P.O. box…He decided to investigate the access logs. An external JavaScript file being referenced seemed especially strange, so he tested to see if he could access it himself…. The attacker was manipulating the link parameter of the login.pl application. Rob needed to see the server side script that generated the login.pl page to determine the purpose….

The Solution: After reviewing the log files included in the challenge, propose your assessment: What is the significance of the attacker’s JavaScript file? What was an early clue that Rob missed that might have alerted him to something being amiss? What are some different ways the attacker could have delivered the payload? Who is this attack ultimately targeted against? Then, turn to the experts' answers to find out what really happened.

About the Author

David Pollino leads research focusing on wireless and security technologies.

Mike Schiffman, CISSP, holds a research role at Cisco Systems, Inc., and serves on the advisory boards of Qualys, IMG Universal,Vigilant, and Sensory Networks.

Bill Pennington, CISSP, CCNA, manages research and development at WhiteHat Security, Inc.

Tony Bradley, CISSP-ISSAP, is a Fortune 100 security architect and consultant who has written for several computer security–related magazines and websites.

Microsoft Issues Three Security Updates

2006-05-11T08:18:00.000-07:00

Microsoft today issued three software patches to fix a security flaw in Windows, another in iits Exchange Server e-mail product, and two "critical" vulnerabilities in older versions of Adobe's Macromedia Flash Player that comes bundled with Windows.

The Flash patch being distributed by Redmond fixes two serious vulnerabilities present in versions 6.0.79 or earlier installed on either Windows 98, Windows 98SE, Windows ME or Windows XP (Flash is installed by default on all of those). To see what version you have installed, check out this link.

This patch also includes the security fixes for Flash versions 7.x and 8.x that Adobe released in March. If you applied those patches, you shouldn't have to update, but just check your Flash version anyway to be sure. The most recent safe version of Flash is 8.0.24.0.

The second update fixes a couple of security flaws in Windows that Microsoft said could be used by attackers to cause systems to seize up. This flaw exists in XP, Windows 2000, and Windows Server 2003. If you are using one of these operating systems, visit Microsoft Update and install this patch.

The final patch fixes a critical problem in Exchange Server, which many businesses use to manage their incoming and outgoing e-mail.

For businesses using Exchange, this is a very important update to install. The problem is, even Microsoft admits it may cause problems for some third-party applications that work hand-in-hand with Exchange. For instance, Reseach in Motion, the company that makes the popular BlackBerry mobile phone/organizer, said applying this patch will break some functionality required by its software. Microsoft has published some workarounds for businesses that have trouble after installing this update.

Operating System Sucks-Rules-O-Meter

2006-05-10T13:54:00.000-07:00

Sucks-Rules-O-Meter? Hah, this time for Operating Systems.

Here's the results. Linux rules according to those whoo know what it is. It sucks according to those who can't install it. Heh!, my point of view. :D MacOS is sweet, whoever used has voted rules. MacOS sucks less because of lower approach to everyone. Wishlist, adsense will buy me the MacBookPro, fingers crossed. Lastly, Windows! Sucks!! :D

This operating system quality and approval metric is based on a periodic AltaVista search for each of several operating systems, directly followed by "sucks", "rules", or "rocks".

Read more, as said by the original sucks-rules-o-meter site [http://srom.zgp.org] :

We search for all operating system names exactly as shown above, with the exceptions of
Mac OS, Mac OS X, and VMS. For Mac OS, we add the search results for the incorrect but common spelling "MacOS". Because Mac OS X is sometimes abbreviated to simply "OS X", the Mac OS X search is just for "OS X" -- we have not found other instances of this term on the web, so we can use it without confusion. For VMS, we add the results for "OpenVMS". We do not search for any derogatory slang misspellings of any operating system name.

Well, right I reached that page from Google too, searching linux rules. Pretty Techy? :D

Today's Website - SecureRoot.com

2006-05-10T13:22:00.000-07:00

Today I dont have time to write much longer, but here's a recommendation.
SecureRoot is one of the most popular computer security sites on the web. Over thousands of sites listed in the security directory, security news, tools, forums, newsletter, etc.

Hacker Sentenced to Five Years in Jail

2006-05-10T06:23:00.000-07:00

Jeanson James Ancheta was sentenced to 57 months in federal prison on Monday for creating and spreading viruses from which he earned profits. Jeanson, a 20-year old Downey, CA, pleaded guilty in January to federal criminal charges. His sentence is currently the longest prison term handed down for a computer virus related crime.

After he is released from prison, Jeanson will spend three more years on supervised release, during which time he will have limited access to computers or the Internet.

Ancheta created and sold botnets to spammers and hackers. These botnets were capable of taking over thousands of computers and launching Internet-based attacks.

Although Ancheta avoided a possible sentence of 25 years, $60,000 worth of assests were seized from him. Additionally, Ancheta will be responsible for repaying $15,000 to the US military for networks he damaged.

LinuxSecurity.com 's Security Dictionary

2006-05-04T20:00:00.000-07:00

LinuxSecurity.com 's Security Dictionary!!!

http://www.linuxsecurity.com/content/view/117309/

Key
	I	Recommended Terms with an Internet Basis
	N	Recommended Terms with a Non-Internet Basis
	D	Deprecated Terms, Definitions, and Uses
	C	Commentary and Additional Guidance
	O	Other Definitions