<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Root777 &#187; Security Policy</title>
	<atom:link href="http://www.root777.com/category/security-policy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.root777.com</link>
	<description>Computer Security &#38; Technology</description>
	<lastBuildDate>Tue, 27 Jul 2010 02:25:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
<image>
  <link>http://www.root777.com</link>
  <url>http://www.root777.com/favicon.ico</url>
  <title>Root777</title>
</image>
		<item>
		<title>External Content Threats Security and Web Beacons</title>
		<link>http://www.root777.com/security-policy/external-content-threats-security-and-web-beacons/</link>
		<comments>http://www.root777.com/security-policy/external-content-threats-security-and-web-beacons/#comments</comments>
		<pubDate>Tue, 06 Nov 2007 01:39:03 +0000</pubDate>
		<dc:creator>Ajit Gaddam</dc:creator>
				<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[corporate security]]></category>

		<guid isPermaLink="false">http://www.root777.com/security-policy/external-content-threats-security-and-web-beacons/</guid>
		<description><![CDATA[For IT Security folks, especially those in a large corporation, dealing with Threats Security or External Content Threats Security has a potential to take away a significant operations time. So what is External Content Threats Security? &#160; External Content Threats Security usually involves threats through many threat agents which evolve over time. These threat agents [...]]]></description>
			<content:encoded><![CDATA[<p align="justify">For IT security folks, especially those in a large corporation, dealing with threat security, and External Content Threats Security in particular, can take away a significant amount of operations time. So what is External Content Threats Security?</p>
<p align="justify">External Content Threats Security usually involves threats delivered through a number of threat agents, which evolve over time. These threat agents could arrive through an enterprise Office platform, a database or a website on a corporate intranet, or on a public network such as the Internet. External Content Threats Security deals mostly with the following threat agents: hyperlinks, data connections and web beacons.</p>
<p align="justify"><strong>Hyperlinks: </strong>Attackers usually exploit this threat agent by creating websites containing malicious code or content, for example phishing sites whose hyperlinks entice a user to click on a link outside their trusted domain.</p>
<p align="justify"><strong>Data Connections:</strong> Attackers exploit this threat agent by creating data connections to databases or other data sources and then using those connections either to extract data that helps them gain further access or to manipulate the data.</p>
<p align="justify"><strong>Web Beacons:</strong> If you have ever used Microsoft Outlook, most desktop email clients or even web clients, you will have noticed that an email is not fully downloaded: remote images wait for your authorization before they are fetched. Saving network bandwidth is one reason for this, but it also helps security.</p>
<p align="justify"><span id="more-5"></span>A malicious hacker wishing to exploit the web beacon threat agent embeds an invisible link, as part of a remote image, in an email message. The message may or may not be flagged as spam. However, if you, the user, open the message, the embedded link is activated and the remote image is downloaded, and in doing so information about you is transmitted to the attacker. This can include your email address (proof that the address is live helps spammers greatly) and your IP address.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.root777.com/security-policy/external-content-threats-security-and-web-beacons/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Biometric Security CANNOT secure a Corporate Environment</title>
		<link>http://www.root777.com/security-policy/why-biometric-security-cannot-secure-a-corporate-environment/</link>
		<comments>http://www.root777.com/security-policy/why-biometric-security-cannot-secure-a-corporate-environment/#comments</comments>
		<pubDate>Sun, 04 Nov 2007 04:29:09 +0000</pubDate>
		<dc:creator>Ajit Gaddam</dc:creator>
				<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[biometrics]]></category>
		<category><![CDATA[corporate security]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.root777.com/?p=3</guid>
		<description><![CDATA[Biometric Security is being billed as the next savior of personal and corporate security, a superior solution to our Identity and Access management problems. However, the fact is that if someone steals your Biometric ID, it remains stolen for life. ]]></description>
			<content:encoded><![CDATA[<p align="justify"><strong>Why Biometric Security CANNOT secure a Corporate Environment</strong></p>
<p align="justify">Biometric Security is being billed as the next savior of personal and corporate security, a superior solution to our Identity and Access Management problems. Solutions are often exotic and include voice recognition for unlocking rooms housing servers or for resetting passwords. There are already retinal scan systems in place for more secure access. The key to a door is always with you, and the key is YOU. Think about it: unlike passwords, which can be guessed or read from that yellow sticky note hanging on a monitor screen, biometrics are hard to forge. Someone can&#8217;t replicate your fingerprint or your iris scan. Sure, some artists can mimic other people&#8217;s voices, but getting past a security system is a whole different ball game.</p>
<p align="justify"><strong>So, if Biometrics is all this good, why can it not secure a Corporate Environment?</strong></p>
<p align="justify">Let&#8217;s start with the biggest strength of Biometric Security. It tells an authentication system that you are who you say you are &#8230; because, unlike usernames, passwords or even smart cards or tokens, biometrics cannot be lost or stolen: your identity is unique to you and only you.</p>
<p align="justify">Now, Biometric security secures both your authentication and your data privacy. Let us assume that a corporation is implementing biometric access through a fingerprint reader on a laptop. Typical authentication in a corporation involves verifying your credentials against those in Active Directory or some other central &#8220;source of truth&#8221;. Here, let us use a fingerprint as the biometric authentication input. A thumb is scanned on the laptop fingerprint scanner and the scan travels over the network to be verified against the master biometric on file. If everything matches, you are in; otherwise, &lt;bleep&gt;, incorrect password.</p>
<p align="justify"><span id="more-3"></span>A biometric signature is unique to you, and that is the biggest strength of this form of authentication. However, while biometrics are unique, they are not secrets. You leave your fingerprints everywhere: on the keyboard, on your car door, everywhere. Now, if you lose your password, your corporation&#8217;s help desk will issue you a new one or give you the option to set a new one. If you are using digital certificates or smart cards with PKI for authentication, your corporation&#8217;s CA can issue you a new one. What happens if someone steals your digital BioID file? This is your thumbprint signature, and you have only two.</p>
<p align="justify">The fact is, <strong>if someone steals your Biometric ID, it remains stolen for life</strong>.</p>
<p align="justify">Security folks are always telling people that you should have different passwords for different authentication systems, websites and so on, and that you should change your password at least once every 6 months. Now, if down the line we use our Biometric ID, the same one, to unlock the apartment door, the server room, the laptop, the bank site and so on, what would happen if I lost my BioID or, worse, it was stolen? If someone had an expensive car, would thieves just cut off the owner&#8217;s thumb?</p>
<p align="justify"><strong>Why Biometric security cannot secure a Corporate Environment</strong><br />
Most corporations require passwords to be at least 7-8 characters long and to include a number, a special character and/or a combination of upper and lower case letters. However, a password such as Passw0rD! is not secure but would still be accepted. While users can choose weak passwords, your Biometric ID would be strong.</p>
<p align="justify">a. Your Biometric ID is nothing but a large number derived from your unique biological characteristics, say your fingerprint, which stands in as your password for authentication. This subjects it to the same kind of replay attacks as a password.</p>
<p align="justify">b. They are very expensive to implement. Think of the fingerprint scanners on every machine in a corporation, the fingerprint scanners on the main doors, the cost of securing those Biometric IDs and of enrolling them in the first place; the $$$ keep adding up.</p>
<p align="justify">c. False positives and false negatives: no biometric ID is 100% accurate, in spite of the advances made in biometric technology. So corporate security staff will have to deal with the problem of the occasional legitimate user being denied entry to the building or their computer (false negative), or an invalid user occasionally being allowed in (false positive).</p>
<p align="justify">d. Moreover, the nightmare involved in losing a hard drive of a corporation&#8217;s Biometric IDs is beyond what is acceptable for most security folks. If a company loses a laptop containing sensitive information, it is required by law to report that publicly as well as to all the people who might be affected by the loss. Now, how do you tell someone that their Biometric ID has been lost and can never be securely restored again?</p>
<p align="justify">Algorithms keep getting better, and maybe down the line your Biometric ID will be scrambled or combined with an additional hash so that even if your BioID is decrypted, it would not reveal your actual biometric. This combination could then be part of three-factor authentication: say, a smart card/user ID (something you have), a PIN/password (something you know) and finally a scrambled Biometric ID (something you are).</p>
<p align="justify">Technology in the biometric arena is getting better, and maybe one day it will become affordable for corporations on a tight budget to implement this kind of three-factor authentication.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.root777.com/security-policy/why-biometric-security-cannot-secure-a-corporate-environment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to use Unix/Linux commands at the Windows command prompt</title>
		<link>http://www.root777.com/security-policy/how-to-use-unixlinux-commands-at-the-windows-command-prompt/</link>
		<comments>http://www.root777.com/security-policy/how-to-use-unixlinux-commands-at-the-windows-command-prompt/#comments</comments>
		<pubDate>Mon, 15 Jan 2007 14:56:34 +0000</pubDate>
		<dc:creator>Ajit Gaddam</dc:creator>
				<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.ajit1.com/2007/01/15/how-to-use-unixlinux-commands-at-the-windows-command-prompt/</guid>
		<description><![CDATA[A lot of us who use Linux at work/school or have always grown up using unix commands for years and more often than not, there might have been instances where a ls command comes more naturally than the dir command at the command prompt in Windows. For the most part, a lot of us work [...]]]></description>
			<content:encoded><![CDATA[<p>Many of us use Linux at work or school, or grew up using Unix commands for years, and more often than not there have been moments when an ls command comes more naturally than dir at the Windows command prompt. For the most part, a lot of us work around this drawback using the excellent tool Cygwin, available for Windows users <a target="_blank" href="http://cygwin.com/setup.exe" title="download cygwin">here</a>. The Cygwin tools are ports of the popular GNU development tools for Microsoft Windows. They run thanks to the Cygwin library, which provides the UNIX system calls and environment these programs expect.</p>
<p>With these tools installed, it is possible to write Win32 console or GUI applications that make use of the standard Microsoft Win32 API and/or the Cygwin API. As a result, many significant Unix programs can be ported easily without extensive changes to the source code, including configuring and building most of the available GNU software. Even if the development tools are of little or no use to you, you may be interested in the many standard Unix utilities provided with the package. They can be used both from the bash shell (provided) and from the standard Windows command shell.</p>
<p>While Cygwin would be an obvious choice for many Unix/Linux power users, there is an excellent and much simpler alternative. In this article, we will show you how to run your Unix commands right in the Windows command prompt.</p>
<p><span id="more-54"></span></p>
<p>For this, we will be using CoreUtils. CoreUtils is available through SourceForge <a target="_blank" href="http://gnuwin32.sourceforge.net/packages.html#Setup" title="CoreUtils download">and can be downloaded here</a>. There are a number of GnuWin32 packages available on that page; the one we will be using is the CoreUtils package. CoreUtils is a collection of the basic file, shell and text manipulation utilities of the GNU operating system, the core utilities that are expected to exist on every OS. The file utilities include chgrp, chmod, cp, dd, du, ln, ls, mkdir, mv, rm, touch and vdir, among others. A sample of the text utilities includes cat, cksum, cut, join, md5sum, shasum, sort and split. The shell utilities include echo, chroot, hostname, nice, pathchk, tty, who, whoami, yes and su. So it is pretty much the whole nine yards here&#8230; The direct download link for the CoreUtils package on <a target="_blank" href="http://prdownloads.sourceforge.net/gnuwin32/coreutils-5.3.0.exe?download" title="CoreUtils v 5.3 download">SourceForge is available here</a>.</p>
<p>Once installed, you will need to add the path to the utilities to your PATH environment variable. Follow the steps below to achieve this.</p>
<p>1. Click on Start &#8211;&gt; Run and enter <strong>sysdm.cpl</strong> to bring up the System Properties dialog.</p>
<p>2. Click on the Advanced tab &#8211;&gt; Environment Variables button. <img align="middle" width="458" src="http://static.flickr.com/112/283236091_152ecb6e88.jpg" alt="Path to environment variable" height="455" style="width: 458px; height: 455px" title="Path to environment variable" /></p>
<p>3. In the System Variables pane, scroll down to Path and then click on Edit.</p>
<p>4. Under Edit System Variable, in the variable value, at the <strong>end of the line</strong>, type the following, including the leading semicolon, which separates the individual elements of the Path variable: <strong>;C:\Program Files\GnuWin32\bin</strong></p>
<p><img align="middle" src="http://static.flickr.com/113/283236090_6d351fee37.jpg" alt="env variable properties" title="env variable properties" /></p>
<p>Congratulations! You have now added the GnuWin32 directory to your path, and Unix commands can be executed directly from the command line, running natively on the Win32 command prompt without the need for any emulation layer, as shown below using the example of dir vs ls.</p>
<p><img align="middle" src="http://static.flickr.com/101/283236088_8c9fda24c8.jpg" alt="command prompt comparing dir vs ls" title="command prompt comparing dir vs ls" /></p>
<p><strong>Downloads and Sources</strong></p>
<p>1. Download <a target="_blank" href="http://www.cygwin.com/setup.exe">CYGWIN</a></p>
<p>2. Download <a target="_blank" href="http://gnuwin32.sourceforge.net/downlinks/coreutils.php">CoreUtils</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.root777.com/security-policy/how-to-use-unixlinux-commands-at-the-windows-command-prompt/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using DOMJAX for Domain Name Search</title>
		<link>http://www.root777.com/security-policy/using-domjax-for-domain-name-search/</link>
		<comments>http://www.root777.com/security-policy/using-domjax-for-domain-name-search/#comments</comments>
		<pubDate>Tue, 10 Oct 2006 23:34:13 +0000</pubDate>
		<dc:creator>Ajit Gaddam</dc:creator>
				<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.ajit1.com/2006/10/10/using-domjax-for-domain-name-search/</guid>
		<description><![CDATA[CNN writes that more than 70 million web domain names have been purchased, and most &#8211; if not all &#8211; dictionary-word domain names (i.e. house.com, furniture.com) have already been taken. That should not disappoint you since millions of good web domain names are still available, all that&#8217;s required is a bit of creative thinking, some [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.ajit1.com/pictures/fitdomjax.png" align="right" /> CNN writes that more than 70 million web domain names have been purchased, and most &#8211; if not all &#8211; dictionary-word domain names (e.g. house.com, furniture.com) have already been taken. That should not disappoint you, since millions of good web domain names are still available; all that&#8217;s required is a bit of creative thinking, some permutations and combinations, and a good tool for searching for free domain names that have never been registered or whose owner failed to renew them after they expired. 3rdeye, a UK-based company, has launched a very useful AJAX-based Internet domain search tool called DomJax that instantly checks the availability of a name across a wide variety of domains. Just type in any word and DomJax will instantly tell you whether the .com extension is available. It even checks availability across boutique extensions such as .co.uk, .net, .edu and .info. The most impressive part of DomJax is the whois report that it generates in real time &#8211; even if a domain name is not available, you can hover the mouse over the domain name (no click required) and DomJax pops up a neat &#8220;thought bubble&#8221; with all the information about that domain: who owns it, when it will expire and how to contact the owner.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.root777.com/security-policy/using-domjax-for-domain-name-search/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

