Firewall – The first step of Internet security

We know that the Internet is a means of quick communication, business, information of many kinds and entertainment. Its use is increasing day by day. Like other things, it has had a bad impact too: it spreads viruses, spam, spyware and so on. A personal computer connected to the internet without a firewall can be hijacked and added to an internet outlaw’s botnet in just a few minutes.

What is Firewall?

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules. A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

A firewall can block malware that could otherwise scan your computer for vulnerabilities and then try to break in at a weak point. The only way to make a home computer 100% secure is to turn it off or disconnect it from the Internet. The real issue is how to make one 99.9% secure when it is connected. At a minimum, home computers need to have personal firewall and anti-malware software installed and kept up-to-date to find and remove viruses, spyware, Trojans and other malware. A home network that uses a wired or wireless router with firewall features provides additional protection.

Personal Firewall Choices:

Microsoft Windows Firewall — The Vista and XP Service Pack 2 operating systems have personal firewalls built in that are turned on by default to block threats from the Internet. You should leave this feature turned on until you replace it with third-party software and/or hardware.

Two-Way Third-Party Personal Firewall Software — These firewalls block both incoming and outgoing threats. A computer has outgoing threats when it becomes infected with a virus, trojan horse or spyware. A challenge for this type of firewall is to distinguish between threats and legitimate software. Three common ways to address this are by vendors including a list of safe software for the firewall to check [white list], malware to block [black list] and/or by issuing a pop up alert to the user asking for advice on what to do [better for experts]. For links to vendors and reviews of over fifty products, see our Personal Firewall Reviews page. Recommended products with links to vendors:

Internet Security Software Suites — These products include two or more security features such as a personal firewall, anti-virus, anti-spyware and more. For links to vendors and reviews of over 20 products, see our Internet Security & Utility Suites page. Recommended retail products with links to vendors:

Norton Internet Security

ZoneAlarm Internet Security Suite

Kaspersky Internet Security

Hardware Firewalls — A hardware firewall is usually a small box that sits between a modem and a computer or network. The firewall is based either on “network address translation” (NAT), which hides your computer from the Internet, or on NAT plus “stateful packet inspection” (SPI) for more protection. There are three basic types of hardware devices that include firewalls for home users: wired routers, wireless routers, and broadband gateways. They are inexpensive enough to be used with one computer and can also be used to create a home computer network. They can be used in addition to a software firewall on each computer because they run on a separate box, which prevents most compatibility problems. Recommended broadband gateway retail products with links to vendors:

D-Link DIR-655 Extreme N Wireless Router

ZoneAlarm Secure Wireless Router

Important Tips — Never use two personal firewall software products at the same time. Fully uninstall one before installing another to prevent compatibility problems. After installation, be sure to test it with an online service like Security Space to make sure that it is configured correctly.

Secure Your PC From SpyWare

What is SpyWare?

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user’s interaction with the computer, without the user’s informed consent. Its main aim is to extract money from you. At its worst, spyware can take control of your computer, directing you to web pages you didn’t want to go to, downloading other nasty stuff in the background, and even harvesting email addresses, passwords and your credit card details. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, blindly accessing websites that bring in more harmful viruses, or diverting advertising revenue to a third party. Spyware can even change computer settings, resulting in slow connection speeds, different home pages, and loss of Internet or other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.

Where does Spyware come from?

Spyware can come from different sources, such as email or a harmless-looking popup window asking you to click a button to proceed. You’ll click it anyway, just to get rid of it. Clicking OK is what’s infected your PC! Other sources are freeware or shareware software, an operating system that is unpatched and hasn’t got the latest security software, downloading stuff from peer-to-peer applications – the list is long!

Spyware is not considered to be a virus, so your anti-virus software won’t spring into action once an infection takes place – it will stay sleeping in the background, unaware that anything malicious is going on. The best tool for the job is a dedicated spyware detection system. Some of the most popular spyware scams are these products:

  1. SpyAxe
  2. SpySheriff
  3. PSGuard
  4. WorldAntiSpy
  5. Spy Trooper
  6. Razespyware
  7. SpywareNo or SpyDemolisher
  8. WinAntiVirus or WinAntiSpyware 2005
  9. SlimShield tied with “Winhound Spyware Remover”
  10. Spyware Bomber (shut down by the FTC)

Hopefully, you haven’t bought anything on the top ten list!

How to Get Rid of Spyware?

The best way to do that is with software from very reputable companies. The following are the most well-known (and free) anti-spyware solutions:

Ad-Aware is probably the easiest to use of the three. Once you download your chosen anti-spyware solution, you need to install it on your PC. After you have installed it, start the software and do a full scan of your computer. For your safety, it IS recommended that you have more than one anti-spyware solution on your PC, because no anti-spyware product can find 100 percent of threats: if one misses some threats, the others can find and destroy them.

Living With Technology: Secure yourself

Hi Pals,
How can you protect yourself while living with technology? CNET suggests the following:
Protecting yourself is hard in these tech times. From ID theft to data breaches, computer crimes are skyrocketing, and there are conflicting reports on the best ways to secure your own information. Get a little peace of mind with CNET’s guide to the best ways to secure yourself and your data.

About Facebook Security

At Facebook, where people keep so much of their lives and information, they’ve built an amazing security team solely focused on making sure their users have a safe experience on the site. The security team at Facebook is dedicated to investigating and auditing their own code for holes, as well as reaching out to people in an extended community to let them know if they’ve missed anything. If they get a report of a bug or a hole from a user, a security researcher, a reporter, blogger, or anyone, they check it out and fix it as quickly as possible.

As a Facebook user you can help them protect you by doing the following things:

  • Report any spam message or posting you see. The more reports they get, the easier it is for them to respond decisively.
  • Never share your Facebook password with anyone. Never. No Facebook employee will ever ask for it, and no one else should know it. If you are ever prompted to log in to Facebook, make sure it’s from a legitimate Facebook web address. If something looks or feels off, go directly to www.facebook.com to log in.
  • If your Windows PC or Mac is ever infected with malware or a virus, check out these helpful sites: http://www.microsoft.com/security/default.mspx or http://support.apple.com/kb/HT1222
  • Finally, just as in your offline community, be aware of your surroundings in your online community. If a user doesn’t seem right, or says or posts something that you feel is threatening or inappropriate, report it to them.

More: Facebook Security: Fighting the Good Fight

Pairing your cell with Bluetooth? Buyer beware

On Wednesday, the U.S. CERT (Computer Emergency Readiness Team) decided the Bluetooth security risk was serious enough to publish a security advisory about it.

“Depending upon how it is configured, Bluetooth technology can be fairly secure,” the advisory said. “Unfortunately, many Bluetooth devices rely on short numeric PIN numbers instead of more secure passwords or passphrases.”

Basically, any device that can “discover” another Bluetooth device can send unsolicited messages or do things that could lead to extra fees, data being compromised or corrupted, data stolen in an attack called “bluesnarfing,” or the device being infected with a virus, the advisory said.

To protect against these risks, Bluetooth owners should disable the technology when it is not being used, disable unnecessary features, and switch it to “hidden” mode, CERT said. Using “hidden” mode won’t prevent me from using my headset with my phone because once the two devices have located each other, or paired, they will continue to be able to recognize each other thereafter.

Bluetooth users should also be careful where they are using the technology. For instance, using it in a public wireless “hotspot” poses a greater risk that someone else can intercept the connection than using it in your home or car, according to the advisory.

Now all I have to do is get something to protect me from the Bluetooth device’s electromagnetic frequencies (EMFs), which may or may not pose health risks.

Read more: Pairing your cell with Bluetooth? Buyer beware

Authentication checking in CodeIgniter

Want to protect your website from unauthorized people? You can use the session library to check authentication in CI.

At first you have to create a model for login check:

<?php
class Login_model extends Model
{
    function Login_model()
    {
        parent::Model();
        $this->load->library('session');
    }

    /* Look up an enabled user with this name and password.
       On success, store the user in the session and log the login. */
    function checkAuth($uName, $pass)
    {
        $this->db->select('*');
        $this->db->where('user=', $uName);
        // NOTE: unsalted MD5 is too weak for stored passwords. On PHP 5.5+
        // store password_hash() output and check it with password_verify().
        $this->db->where('pass=', md5($pass));
        $this->db->where('enabled=', 1);
        $query = $this->db->get('your_users_table');
        //echo $this->db->last_query();
        if ($query->num_rows() > 0) {
            $data = $query->row_array();
            $sessionArray = array(
                'uid'       => $data['ID'],
                'role'      => $data['your_group'],
                'name'      => $data['firstname'] . ' ' . $data['surname'],
                'logged_in' => TRUE
            );

            $this->session->set_userdata($sessionArray);
            $log = array(
                'user_id'     => $this->session->userdata('uid'),
                'action_type' => 'LOGIN',
                'item_type'   => 'USER',
                'time'        => time()
            );
            //echo $this->db->last_query();
            $this->log_message($log);
            return TRUE;
        } else {
            return FALSE;
        }
    }

    /* TRUE only when the session carries both a user id and the logged_in flag */
    public function check_session()
    {
        if ($this->session->userdata('uid') AND $this->session->userdata('logged_in') == TRUE) {
            return TRUE;
        } else {
            return FALSE;
        }
    }

    public function logout()
    {
        // Write the log entry first, while the user id is still in the session
        $log = array(
            'user_id'     => $this->session->userdata('uid'),
            'action_type' => 'LOGOUT',
            'item_type'   => 'USER',
            'time'        => time()
        );
        $this->log_message($log);

        // The key set at login is 'uid', not 'id'
        $this->session->unset_userdata('uid');
        $this->session->unset_userdata('logged_in');
        // Destroy the CodeIgniter session itself
        $this->session->sess_destroy();
    }

    /* Insert one row into the audit log table */
    public function log_message($logArray)
    {
        if (isset($logArray)) {
            $this->db->insert('your_log', $logArray);
        }
    }
}
?>

Now add following code to your login controller:

<?php
session_start();
error_reporting(0);
class Login extends Controller {

    function Login()
    {
        parent::Controller();
        $this->load->helper('url');
        $this->load->library('session');
        $this->load->model('login_model', 'login', TRUE);
    }

    function index()
    {
        /* if the form is submitted – check whether the user is already logged in or not */
        if ($this->login->check_session()) {
            redirect('/main');
        }
        $this->load->library('validation');

        $rules['username'] = "trim|required";
        $rules['password'] = "required";
        $this->validation->set_rules($rules);

        $fields['username'] = 'Username';
        $fields['password'] = 'Password';
        $this->validation->set_fields($fields);

        /* check all fields are validated correctly */
        if ($this->validation->run() == FALSE) {
            $this->load->view('/login_view');
        } else {
            $userName = $this->input->post('username');
            $password = $this->input->post('password');

            $chkAuth = $this->login->checkAuth($userName, $password);
            if ($chkAuth) {
                redirect('/main'); //load cpanel file – authentication successful
            } else {
                redirect('/login/invalid'); //failed auth – return to the login form
            }
        }
    }
}
?>

In the constructor of every other controller, add the following code for the authentication check:

$this->load->library('session');
$this->load->model('login_model', 'login', TRUE);

/* check whether the user is logged in or not */
if (!$this->login->check_session()) {
    redirect('/login');
}

Now your CI project is capable of handling authentication. Best of luck.
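An added example, not part of the original post: checkAuth() above matches md5($pass) inside the query, so the password column holds unsalted MD5 digests. The sketch below (PHP 5.6 or later) fetches the row by user name only, compares the hash in PHP, and upgrades a legacy MD5 row to password_hash() on the next successful login. The $users array is constructed sample data standing in for your_users_table, and verify_login() is a hypothetical helper name.

```php
<?php
// Constructed sample rows standing in for your_users_table (not real data).
$users = array(
    'alice' => array('ID' => 1, 'pass' => md5('correct horse'), 'enabled' => 1), // legacy MD5 row
    'bob'   => array('ID' => 2, 'pass' => password_hash('s3cret!', PASSWORD_DEFAULT), 'enabled' => 1),
    'carol' => array('ID' => 3, 'pass' => md5('disabled'), 'enabled' => 0),
);

/**
 * Hypothetical helper: returns the user's ID on success, FALSE otherwise.
 * $users is passed by reference so an upgraded hash is written back.
 */
function verify_login(array &$users, $uName, $pass)
{
    if (!isset($users[$uName]) || !$users[$uName]['enabled']) {
        return FALSE; // unknown or disabled account
    }
    $row    = &$users[$uName];
    $stored = $row['pass'];

    // A 32-character lowercase hex string is a digest from the old md5() scheme.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!hash_equals($stored, md5($pass))) {
            return FALSE;
        }
        // Correct password: replace the MD5 digest with a salted, slow hash.
        $row['pass'] = password_hash($pass, PASSWORD_DEFAULT);
        return $row['ID'];
    }

    if (!password_verify($pass, $stored)) {
        return FALSE;
    }
    // Re-hash when the default algorithm or cost has changed since the row was written.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $row['pass'] = password_hash($pass, PASSWORD_DEFAULT);
    }
    return $row['ID'];
}

var_dump(verify_login($users, 'alice', 'correct horse'));         // legacy row, right password
var_dump(password_get_info($users['alice']['pass'])['algoName']); // the row after the upgrade
var_dump(verify_login($users, 'alice', 'correct horse'));         // now checked by password_verify()
var_dump(verify_login($users, 'bob', 'wrong'));                   // wrong password
var_dump(verify_login($users, 'carol', 'disabled'));              // right password, disabled account
```

In the model, the same logic means dropping the where('pass=', ...) condition, reading the row by user name, and writing the upgraded hash back with an UPDATE; the password column must be wide enough for the longer hash (the PHP manual recommends 255 characters).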

Session Management in PHP – Part4

We can use sessions for security checks, such as checking a user’s permissions when they log in to a website, and destroy the session when the user logs out of the site. Generally we use sessions in the following way:

• To start a session:
– session_start()
– Creates a session identifier
– Session identifier is passed between client and server either as a Cookie, or in GET parameters
• Then, can create, access, and modify session variables:
– $_SESSION[session_var_name] = value;
– $_SESSION is only available once you call session_start()
– $local_variable = $_SESSION[session_var_name];
– Can check if session variable is set by using isset();
• To end a session:
– session_destroy();

So first, while logging in, we register the session variables in login.php:

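<?php
session_start();

// $result is the result of the login query, which is not shown here.
// session_register() was removed in PHP 5.4 (assigning to $_SESSION is
// enough) and mysqli_* replaces the removed mysql_* functions.
$user_type = '';
if ($query_data = mysqli_fetch_assoc($result))
{
    // Issue a fresh session identifier once the user is authenticated
    session_regenerate_id(true);
    $_SESSION['user_id'] = $query_data['user_id'];
    $_SESSION['user_name'] = $query_data['user_name'];
    $user_type = $query_data['user_type'];
}
if ($user_type == "admin") {
    header('Location: Administrator.php');
    exit;
}
elseif ($user_type == "customer") {
    header('Location: customer.php');
    exit;
}
?>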

Now in Administrator.php we add the following code to check authentication:

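<?php
session_start();

/* Tie the session to the browser that created it */
if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

if (!isset($_SESSION['user_name']))
{
    /* Not logged in. The markup the original post printed here is missing;
       stop so that nothing below is served to an unauthenticated visitor. */
    exit;
}
else
{
    // Escape the name before printing it into the page
    echo 'user is: ' . htmlspecialchars($_SESSION['user_name']) . "\n";
    $uid = $_SESSION['user_id'];
    echo 'uid is=' . $uid;
    //include("include/db_con.php");
}
?>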

For logout we add a link:

<a href="logout.php">Logout</a>

And here is logout.php code:
<?php
//start the session
session_start();

//check to make sure the session variable is set
//(session_is_registered() was removed in PHP 5.4; isset() replaces it)
if (isset($_SESSION['user_name'])) {

    //session variable is set, the user is ready to logout
    session_unset();
    session_destroy();
}
else {

    //the session variable isn't set, the user shouldn't even be on this page
    header("Location: http://localhost/yourappfoldername/login.php");
    exit;
}
?>

Now see how well this protects your site from unauthorized users while keeping track of every user.

Session Management in PHP – Part2

Control garbage collection:

PHP session management has a built-in garbage collection mechanism that ensures unused session files are eventually cleaned up. This is important for two reasons: it prevents the directory from filling up with session files that can cause performance to degrade and, more importantly, it reduces the risk of someone guessing session IDs and hijacking an old unused session.

There are two parameters that control garbage collection: session.gc_maxlifetime and session.gc_probability, both defined in the php.ini file. A garbage collection process is run when a session is initialized, for example, when session_start( ) is called. Each session is examined by the garbage collection process, and any sessions that have not been accessed for a specified period of time are removed. This period is specified as seconds of inactivity in the gc_maxlifetime parameter, the default value being 1,440 seconds. The file-based session management uses the update time of the file to determine the last access. To prevent the garbage collection process from removing active session files, PHP must modify the update time of the file when session variables are read, not just when they are written.

Security

Sessions can provide a way for a hacker to break into a system. Sessions can be open to hijacking; a hacker can take over after a legitimate user has logged into an application. Most session fixation attacks simply use a link or a protocol-level redirect to send a user to a remote site with a session identifier appended to the URL. The user likely won’t notice, since the site will behave exactly the same. Because the attacker chose the session identifier, it is already known, and this can be used to launch impersonation attacks such as session hijacking.

A simplistic attack such as this is quite easy to prevent. If there isn’t an active session associated with a session identifier that the user is presenting, then regenerate it just to be sure:

<?php

session_start();

if (!isset($_SESSION['initiated']))
{
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}

?>

The problem with such a simplistic defense is that an attacker can simply initialize a session for a particular session identifier, and then use that identifier to launch the attack.

Let’s modify the session mechanism to perform an extra check:


<?php

session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

?>

Now an attacker must not only present a valid session identifier, but also the correct User-Agent header that is associated with the session. This complicates things slightly, and it is therefore a bit more secure.

Imagine if we required the user to pass the MD5 of the User-Agent in each request. An attacker could no longer just recreate the headers that the victim’s requests contain, but it would also be necessary to pass this extra bit of information. While guessing the construction of this particular token isn’t too difficult, we can complicate such guesswork by simply adding an extra bit of randomness to the way we construct the token:

<?php

$string = $_SERVER['HTTP_USER_AGENT'];
$string .= 'SHIFLETT';

/* Add any other data that is consistent */

$fingerprint = md5($string);

?>

Keeping in mind that we’re passing the session identifier in a cookie, and this already requires that an attack be used to compromise this cookie (and likely all HTTP headers as well), we should pass this fingerprint as a URL variable. This must be in all URLs as if it were the session identifier, because both should be required in order for a session to be automatically continued (in addition to all checks passing).
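An added example, not from the original article: the User-Agent check above written with a keyed hash and a constant-time comparison, a new session identifier at login, and an idle timeout enforced in code so that expiry does not depend on when garbage collection happens to run. The function names, the FINGERPRINT_KEY placeholder and the session keys 'fingerprint' and 'last_seen' are assumptions; the functions take the session and server arrays as parameters (pass $_SESSION and $_SERVER in a real page) so the checks can be run on constructed input.

```php
<?php
const FINGERPRINT_KEY = 'replace-with-a-random-server-side-secret'; // placeholder value
const IDLE_LIMIT      = 1440; // seconds; same as the gc_maxlifetime default

// Keyed hash of the request's User-Agent (stands in for md5(UA . 'SHIFLETT')).
function fingerprint(array $server)
{
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    return hash_hmac('sha256', $ua, FINGERPRINT_KEY);
}

// Call right after the password check succeeds.
function start_authenticated_session(array &$session, array $server, $userId, $now)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // drop any identifier chosen before login
    }
    $session = array(
        'user_id'     => $userId,
        'fingerprint' => fingerprint($server),
        'last_seen'   => $now,
    );
}

// Call at the top of every protected page; TRUE means the session may continue.
function session_is_valid(array &$session, array $server, $now)
{
    if (!isset($session['user_id'], $session['fingerprint'], $session['last_seen'])) {
        return FALSE; // never authenticated
    }
    $stale    = ($now - $session['last_seen']) > IDLE_LIMIT;
    $mismatch = !hash_equals($session['fingerprint'], fingerprint($server));
    if ($stale || $mismatch) {
        $session = array(); // forget everything; the caller prompts for the password
        return FALSE;
    }
    $session['last_seen'] = $now;
    return TRUE;
}

// Constructed demo: timestamps are plain integers, User-Agent strings are samples.
$session = array();
$browser = array('HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed sample)');
$other   = array('HTTP_USER_AGENT' => 'curl/8.0 (constructed sample)');

start_authenticated_session($session, $browser, 42, 1000);
var_dump(session_is_valid($session, $browser, 1600)); // same browser, ten minutes later
var_dump(session_is_valid($session, $other, 1700));   // same session, different User-Agent
var_dump($session);                                   // state left after the mismatch

start_authenticated_session($session, $browser, 42, 2000);
var_dump(session_is_valid($session, $browser, 2000 + IDLE_LIMIT + 1)); // idle too long
```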
