Tuesday, July 10, 2007

HOTMAIL-Security Website Critique


When you connect to a web site using SSL (http://www.windowsecurity.com/articles/Secure_Socket_Layer.html), your browser asks the server to authenticate itself, or confirm its identity. The authentication process uses cryptography to verify that a trusted independent third party, or certificate authority, such as Thawte or VeriSign, has registered and identified the server. SSL can also authenticate connecting users or their computers. SSL encrypts the data that you send, and incorporates a mechanism for detecting any alteration in transit, so that eavesdropping on or tampering with web traffic is almost impossible. This is essential for safely transmitting highly confidential information such as credit card numbers.
The details about the definition: http://kb.iu.edu/data/ahuq.html
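As an added example (not code from the original post or from any of the linked sites), here is what the browser's side of the SSL handshake described above looks like when written as a Python client: the server must present a certificate that chains to a trusted certificate authority, and the name in that certificate must match the host we asked for. The second context shows the weak setting beside it: the traffic is still encrypted, but any certificate is accepted, so the authentication step is lost. The host name in the main block is a stand-in, and the network call is only there for running it interactively.

```python
import socket
import ssl
from typing import Optional


def verifying_context() -> ssl.SSLContext:
    """Browser-like settings: system CA store, certificate required, hostname checked."""
    ctx = ssl.create_default_context()  # loads the CA bundle, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The weak setting, for comparison only: traffic is encrypted, but the server is
    never authenticated, so anyone in the middle with any certificate is accepted.
    check_hostname has to be cleared before verify_mode can be set to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only when the context both requires a CA-signed certificate and checks
    that the certificate was issued for the host we asked for."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def peer_certificate_summary(host: str, port: int = 443,
                             ctx: Optional[ssl.SSLContext] = None):
    """Connect, run the handshake and return (subject, issuer, tls_version).
    With a verifying context a bad chain or a name mismatch raises
    ssl.SSLCertVerificationError instead of returning. Needs network access."""
    ctx = ctx or verifying_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # empty dict when verification is switched off
            if not cert:
                return None, None, tls.version()
            subject = dict(pair for rdn in cert["subject"] for pair in rdn)
            issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
            return subject, issuer, tls.version()


if __name__ == "__main__":
    HOST = "example.com"  # stand-in host name; replace with the site you want to inspect
    try:
        subject, issuer, version = peer_certificate_summary(HOST)
        print(version, "subject:", subject.get("commonName"),
              "issuer:", issuer.get("organizationName"))
    except ssl.SSLCertVerificationError as exc:
        print("certificate rejected:", exc.verify_message)
```

The difference between the two contexts is exactly the "authenticate itself" step in the paragraph: with the verifying context an attacker who intercepts the connection cannot present a certificate the client will accept, while with the unverified one the encryption protects you only against a passive eavesdropper.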
Let us check the Hotmail website.

The layout of this welcome page is quite simple and easy to use; it emphasizes the user account. From my point of view, the layout is much better than Yahoo's mail service, because on Yahoo's mail page there is a lot of unrelated information, which I find quite confusing; it takes more attention to focus on our sole objective, using the mail box. Hotmail seems much clearer than Yahoo mail, though even after I logged into Hotmail, advertisements are still there. The layout is neat; the top-level sections of the website are "Home", "My MSN", "Shopping", "Money", and so on.
When I clicked "My MSN", the homepage could be personalized (it is like the iGoogle personalized homepage).
For "Shopping", I do not think it will attract many people, because how can people make sure that what they want can be bought only through Microsoft? Maybe people put more trust in Google search or other search engines.
For "MSN Money", it is also not very attractive. Yahoo Finance and Google Finance should be more reliable information resources due to their reputation.
For "MSN People & Chat"



The warning shows you are about to view pages over a secure connection.
Also we can connect to the server using "sign in with enhanced security" or "standard security". After I typed in the account name and password, there was no advertisement on the Hotmail homepage, which makes the design clean and neat. It is easy to use, but the problem appeared when I tried to upgrade to the new Windows Live Hotmail: the space was increased to 2G, but it is not easy to use; very often the contact list does not work, so I cannot find the right contact. So I went back to the original design.
Hotmail space is 1G, which is much smaller than Yahoo's current 3.5G (and unlimited in the near future). But Hotmail gives me a good interface; it does not make me feel the mail box is full of junk and advertisements, and the main contents show well.
Hotmail security once had a flaw exposed (http://seclists.org/fulldisclosure/2005/Jun/0018.html), and we cannot say there are no available exploits for Hotmail, but Microsoft is a respectable company, and you just need to keep yourself updated on the security issues; generally it will be safe to use the service they provide. When you sign in to MSN Hotmail, your sign-in name and password are encrypted and then sent over the Internet using an SSL connection. No one can read or access the data that is being transmitted. After you sign in and leave the encrypted connection, MSN Hotmail keeps track of who you are by using a computer-generated key rather than your Hotmail sign-in name. MSN Hotmail regularly refreshes this key to make it difficult for anyone else to pose as you. For current email users, spam is a lot of annoyance; besides wasting the user's time, some spam contains viruses and does phishing work, trying to solicit the user's personal information and exploit it to benefit the spam author.

The ways to deal with spam:
1. Be careful about sharing your email or instant messaging address.
2. Ignore spam.

The details can be looked up at http://www.securityfocus.com/infocus/1763
Current anti-spam solutions fall into four primary categories: filters, reverse lookups, challenges, and cryptography. Each of these solutions offers some relief to the spam problem.

For Hotmail users, you need to remember the above two tips, update your Hotmail security service when updates are available, and make full use of the anti-spam function of the mail. By the way, I do not like the currently available Windows Live Mail beta even though the space has increased to 2G; it is not convenient for me to pick the right contacts when I try to send an email. Maybe wait until the version is no longer beta.

Saturday, July 7, 2007

Rootkit Hunter- Installation and Evaluation


"A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. In recent years, it has been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Windows, Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules."
http://en.wikipedia.org/wiki/Rootkit. Rootkit detectors that run on live systems currently only work because the detectable rootkits have not yet been developed to hide themselves fully.
In Unix, "chkrootkit" and "rkhunter" are two popular programs to detect rootkits; now I will use rkhunter to check my current Mandriva system.
1. Download from http://www.rootkit.nl/projects/rootkit_hunter.html: download hashupd.sh and rkhunter-1.2.9.tar.gz to /home/weizhong/Download
2. gzip -dc rkhunter-1.2.9.tar.gz | tar xf -
3. cd rkhunter-1.2.9
4. Become root, then: sh installer.sh
5. cd ..
6. sh hashupd.sh
The result:
[root@localhost Download]# sh hashupd.sh
[INFO] Found release: "Mandriva Linux release 2007.0 (Official) for x86_64"
[INFO] "Mandriva Linux release 2007.0 (Official) for x86_64" wasn't found in /usr/local/rkhunter/lib/rkhunter/db/os.dat.
[INFO] "Mandriva Linux release 2007.0 (Official) for x86_64" has local number 723.
[INFO] Found md5sum at /usr/bin/md5sum
[INFO] Found sha1sum at /usr/bin/sha1sum
[INFO] Adding distribution/release "Mandriva Linux release 2007.0 (Official) for x86_64" to "/usr/local/rkhunter/lib/rkhunter/db/os.dat"
[INFO] Looking for 65 hashes.
[WARN] Found 48 of 65 hashes, 0 errors found.
[INFO] added new hashes.
From the above information, we can see that rkhunter uses the MD5 (and SHA-1) algorithm to check for changes in important files: it keeps a list of known-good fingerprints for the distribution's binaries, and if a file is trojaned, its MD5 fingerprint changes.
This shows rkhunter is easy to use and set up. And the host system is free of rootkits.
It is better for everybody to be careful to check whether the computer has been hacked by a rootkit, because once a rootkit is installed, the spyware or other malware bundled with it will be hidden from the system process monitoring, and the antivirus will report the system is clean though in fact it is infected, and you are losing your important private information to the hackers. Rootkit removers try to find and remove rootkits, while the rootkit authors try to evade this detection. It is a game of "cat and mouse". What we can do is to be as careful as we can when we install software from the web or from CD. http://news.com.com/i/ne/sr05/rootkit/

More information about how to use rootkit detectors is in the following:
http://www.pcsupportadvisor.com/rootkits.htm

The way to protect yourself and AntiVirus tool

In the information era of the current world, most of our time is spent with the computer and network; it speeds up work efficiency, and the computer and network are just becoming a necessary part of our daily life. We use the computer to draw a work plan, debug a program, design a vehicle and much more. In our spare time, we also watch TV and video using the computer, do online shopping and so on.

Someday, you just accidentally open an email from one of your friends (hijacked), or open a web page, or download a program. Now the scenario has changed: your computer is becoming slower and slower, it automatically reboots itself, black or blue screen... Now you cannot access the files in the computer; you cannot do anything with the computer until you can recover it to the previous state. Worse, the virus has stolen your private information, such as your bank card number if you used your computer to go to the online bank. This information has been recorded by the spyware without your noticing at all.
Anti-virus software generally has two ways to detect a virus: one is to use a dictionary of known virus signatures, the other is to check for suspicious behavior (heuristic scanning). Once it finds an infected file, the anti-virus software will try to delete or quarantine the file.
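To make the two detection methods concrete, here is an added example (written for this post, not taken from Norton, McAfee or any other product) of a toy scanner that first consults a signature dictionary and then falls back to heuristics. The dictionary holds the real EICAR test pattern, which anti-virus products recognise on purpose so that detection can be tested harmlessly, plus a marker constructed for the example; the heuristics flag a Windows executable whose body is nearly random (typical of packing) and a double file extension that tries to look like a document. The sample files in demo() are constructed.

```python
import math
import random
from collections import Counter

# The "dictionary": byte patterns with the name a scanner would report for each.
# EICAR is the industry-standard test pattern; the second entry is constructed here.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Example.Marker.A": b"\xde\xad\xbe\xef-constructed-marker",
}

SUSPICIOUS_DOUBLE_EXTENSIONS = (".pdf.exe", ".doc.exe", ".jpg.scr")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, packed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_matches(data: bytes, signatures=SIGNATURES):
    """Dictionary scan: the names of every known pattern found in the data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def heuristic_flags(filename: str, data: bytes):
    """Heuristics on the file itself. Each can produce a false positive on
    legitimate software, which is the trade-off the post describes."""
    flags = []
    if data[:2] == b"MZ" and shannon_entropy(data[2:]) > 7.2:
        flags.append("packed-executable")
    if filename.lower().endswith(SUSPICIOUS_DOUBLE_EXTENSIONS):
        flags.append("double-extension")
    return flags


def scan(filename: str, data: bytes):
    """Verdict in the order the post gives: dictionary first, heuristics second."""
    hits = signature_matches(data)
    if hits:
        return "infected", hits
    flags = heuristic_flags(filename, data)
    if flags:
        return "suspicious", flags
    return "clean", []


def demo():
    """Constructed samples: an EICAR file, a random-body 'packed' exe, a fake document, clean text."""
    rng = random.Random(7)  # fixed seed so the result is repeatable
    packed = b"MZ" + bytes(rng.getrandbits(8) for _ in range(4096))
    samples = {
        "eicar.com": EICAR,
        "setup.exe": packed,
        "invoice.pdf.exe": b"MZ" + b"This program cannot be run in DOS mode." * 20,
        "notes.txt": b"Meeting moved to Tuesday.\n" * 20,
    }
    return {name: scan(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict[0]:10} {verdict[1]}")
```

The dictionary only knows what it has been told, which is why the quoted advice below about daily updates matters; the heuristics catch things the dictionary has never seen, at the price of occasionally flagging harmless software.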
The procedure by which antivirus software works:
The protection by Norton


"If only the virus dictionary is used, it is important to update it at least once a day. When you bear in mind that 15 new viruses are discovered every day, an antivirus that is left for two or three days without being updated is a serious danger" (http://www.net-security.org/article.php?id=485&p=3)
The heuristic scanning method may (in rare cases) prevent some normal software from working; the user should be aware of that case and take the corresponding steps to resolve the conflict. Related news on the web: "Mark Griffiths of Brisbane said he is "not ruling out" filing a lawsuit against McAfee even after the antivirus company released on Thursday an update to its DAT virus definition file that fixes the false positive." http://news.com.com/2100-7350_3-5361660.html
In order to reduce as much as possible your risk of losing the files you want to keep:
1. Install respectable anti-virus software and update it frequently.
2. When necessary, set up a Windows restore point, so that when the system crashes you can go back to that point.
3. Update Windows (if you use the Windows system).

Wednesday, July 4, 2007

Control System Cyber Security



Control systems are everywhere in industry, especially in power plants, auto factories and so on. If something bad happens to the control system, for example some virus spreads in the control system, you cannot even imagine what kind of catastrophic damage it can bring to the factory or even the district. The value of a power plant (600MW) is about $200m. The control center of the system is so vital to make sure the plant runs successfully and continuously for maybe 10 or 20 years. During that time, updates and maintenance are also important.
http://www.isa.org/InTechTemplate.cfm?Section=InTech&template=/ContentManagement/ContentDisplay.cfm&ContentID=16829 Due to the news of viruses and physical attacks, most people realize the importance of security issues for ordinary web-connected computers; however, little attention has been paid to control system security. It is understandable, because most control systems are not connected to the web, but the situation is changing faster than we expected.
"Now, deregulation, productivity enhancements, corporate desire for control system information through such tools as Enterprise Resource Planning (ERP), and other changes are mandating enormous increases in information sharing." If the control system computer is accidentally connected to the outside, or if somebody does some intentional damage to the control system, how can the administrator deal with this? It is necessary to establish some regulation to secure the control system.
One example of ensuring the security of control systems is that after Hurricane Katrina, the US government established some regulations to make sure the operational control systems work properly; the details are listed in

Unawareness of control system security will do as much damage as it did to current web sites; sometimes we cannot tolerate this kind of damage at all. Regulation and policy are so important to make the world safe, because in the near future a lot of power plants will be put into operation, especially nuclear power plants, so making sure of the security of power plants is vital for the total safety of the world.


Evolutionary Cyber World vs. Revolutionary Attack

It was quite good to listen to the speech by Dr Huang, who was invited to our class. Dr Ming-Yuh Huang (who goes by "Huang") is a Boeing Fellow leading Boeing's Information Assurance R&D Program to support the corporate enterprise as well as a wide array of large-scale commercial/military programs.

His lecture is about the current model of network security, which models medieval castle construction: 1. hardened walls around the castle, including a surrounding small river or moat; 2. a few strongly fortified access points, for example soldiers securing the gates on the different sides of the castle; 3. little protection inside, so if the enemy can get through the fortified gates, they have access to almost everything in the castle. With the evolutionary development of technology, the castle may change the material of its walls and reinforce the security force at the gates. But this evolutionary model was no match for the revolutionary world. When gunpowder and the cannon were invented, the castle could be easily conquered; we do not even need fighter aircraft to defeat the castle's defenders. This example is quite excellent for showing the difference between evolution and revolution. The details of Dr Huang's lecture can be found in
http://kio.pg.gda.pl/safecomp2006/download/Ming-Yuh_Huang_keynote_Safecomp2006.pdf
Comparing with the security of castles, the current network has a few strong gateway firewalls and no protection once inside... how similar they are in essence! Actually, current network security is still evolutionary: the gateway becomes more complex, the anti-virus and operating systems become more and more complex, but if some dramatic virus appears, it will crash millions of systems; that kind of scenario has happened again and again.

The virus family is listed in the following picture.



Now the question is: if the current model of cyber security is so vulnerable, how can we revolutionarily change the rules of security, or change the security model, to make the internet safe for the general good people?
Biometric authentication, firewalls, intrusion detection: these are all passive ways to increase security. How can we change the security model by technology so that nobody can have access to information which he or she is not permitted to access? The person who can construct this basic model is like the one who can establish a good law. Some experts have written this report to the US Congress to make the leaders in the US aware of this important issue.
http://www.fas.org/sgp/crs/terror/RL32114.pdf

They may be able to figure out the policy to protect the commonwealth of the people. Also they need to listen to advice and suggestions from the voters and experts.

The history of viruses can be found on the web page http://www.infoplease.com/ipa/A0872842.html. From the big news of those days, if the public paid much attention to a virus, the coder of the virus could always be caught, but the destruction had already been done to the affected companies and persons; who will compensate that? If we do not have a revolutionary security model to fight online crime, we will always passively patch the holes and catch the hackers, and it will not completely save the money and energy involved. So, in my opinion, we can make it known to the potential worm writers that we have enough and complete law to punish them, and they should regret the time they spent on the damage they have done to the cyber world; and, by the way, encourage people to develop security models.

How to Crack Down the Computer Crime



In the lecture about "Components of Information Security" by Prof. Losavia, confidentiality, integrity and availability are the three requirements for secure information. There is a kind of compromise between these three. Some information may put more emphasis on confidentiality, some on integrity and some on availability; it depends on the content of the information. The lecture also gave the explanation of vulnerability, threats, attack and control.
For the system administrator, vulnerability is the first thing to check on the system: patch every known hole, establish rules to combat the possible attacks, develop procedures to recover from real attacks, and catch and punish the attackers. To combat computer or information crime, the most important thing is not patching the holes, because I do not think it is an efficient way to deal with that: no system can be perfect without any flaws, and the patches for the holes will never end. We cannot avoid the crimes by only doing some repairing work. The good way to deal with computer crimes should be based on education, policy and punishment. Educate the potential hackers to devote their intelligence to the development of society. They can earn money or become famous by doing constructive work, not destructive work such as sending out a virus to crash millions of computers to become a famous guy.
We can check the following website to familiarize ourselves with the ongoing computer crimes.
http://www.cybercrime.gov/
One piece of news which is interesting and meaningful is:
"Phisher" Sentenced to Nearly Six Years in Prison After Nation's First CAN-SPAM Act Jury Trial Conviction.
It is really good news; maybe we should broadcast this news, and if every country in the world could establish this kind of statute, how could we receive hundreds of spam messages every day phishing us to give out our bank account or other private information? But I am just wondering why the European countries do not have such a law (if they have, why are there so many spam or lottery phishing emails from the UK?). Why can the government not collect the phishing emails' information and establish a database to catch these guys and punish them according to the law?
The problem now is that maybe there is no single unit or department in the government to deal with online or computer crime. It is a heaven for the hackers and a hell for the victims. Unless the committed computer crime is large or the loss is large enough, no government or administrative action will be taken to prevent these crimes. Can this situation be changed soon?
Actually, the total cost of computer crimes is already large enough for business units according to
http://news.com.com/Computer+crime+costs+67+billion,+FBI+says/2100-7349_3-6028946.html


What about the costs to personal victims? I think almost every person who has access to the internet will have had the frustrating experience of being attacked by a virus. The cost is certain to be huge.
The reason people suffer from these viruses is that the way to catch and punish the evil hackers is not efficient enough. Almost everybody knows that "rob or steal" is a crime, but not everybody realizes that coding a virus and spreading it will cost society much more than simple theft or robbery. The government should take immediate action to fight this, and let the potential hackers realize the result of their actions.
Combining the technologies to track and control the hackers with policy and statute, computer crime can be reduced or extinguished in the near future. So the destructive force will become a constructive force for society.

Technology with law can crack down on computer crime finally, I think.

Is your PRIVATE message protected by cryptography?

Dr Ahmed Desoky gave a lecture about cryptography. The contents include the history, concepts, algorithms, and the mathematical basis of cryptography.
But the question for me is how realistic cryptography is to us: where is this cryptography used in the real world? I still do not have a clear timetable for the development of cryptography.
Before, the general idea about cryptography was that it is used in commercial, government or other sensitive communication. The price of leaking the message will be a huge cost for the parties who are trying to communicate with each other secretly. So they need to use cryptography to protect this information. After this lecture, I checked the website and found
http://www.garykessler.net/library/crypto.html,
this web page gave me more information about cryptography: the first documented use of cryptography in writing dates back to circa 1900 B.C.


In those days, cryptography was far away from the routine life of ordinary people; it was generally used between countries or between the leaders of two tribes, who needed to exchange information to unite and fight against an intrusion or something urgent. The algorithms used in those days are so simple from today's point of view, for example the Caesar cipher.

The action of a Caesar cipher is to replace each plaintext letter with the one a fixed number of places down the alphabet. This example is with a shift of three, so that a B in the plaintext becomes E in the ciphertext. Interested readers can try this algorithm at http://www.secretcodebreaker.com/caesar.html.
It was in active use for a long period of time in those ancient days.
Today, with the application of computers, this kind of cipher algorithm can be cracked in a fraction of a second. And with the development of technology and living standards, ordinary people are actually closely related to cryptography; for example, you usually buy products with your credit card: you just slide the card through the supermarket terminal, and the transaction is completed in a few seconds. In this short period of time, the communication between the terminal which accepted your card and the bank's data processing center is enciphered. So generally this information is unintelligible to a third party. But remember, when some smart guy or powerful enough guy wants to know this information, he may crack this communication if the benefit of getting this information is much larger than the cost. For ordinary people, the information is not that important, and the cost to crack the cryptography utilized by the banks is so high for some evil person. So generally, ordinary people are safe in electronic transactions.
Now let us check what kind of cryptography we are using daily. VISA encouraged it: any merchant who accepts credit cards must meet PCI DSS, a set of a dozen rules to protect consumer data from hackers.


http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1251180,00.html



The good news for us is that if we can keep our private information, such as credit card numbers, private enough, then even if the cryptography is cracked by some hackers, it is the responsibility of VISA or another unit. And we should be cautious to protect ourselves.


Monday, July 2, 2007

Educate the people to protect their information

Today, Mr Bruce gave a good speech about our university's information security policy. But for me, it would have seemed a little removed from my ordinary life if I had not had the opportunity to listen to this speech. In almost my whole past education, I never received formal education teaching us how to prevent information loss which may be due to our own careless behavior or some other person's malicious tendency. I did not receive any kind of formal orientation about how to protect my personal information, or how to conduct our behavior to comply with the regulations. The result is that sometimes we will download some virus, and we did not back up our useful files on the computer, and it costs us a lot of energy and time to recover all the work which had been done. It is kind of a frustrating process.
There is no systematic information security education workshop or something like that to give us the basic information to deal with security issues. Maybe most people will not lose much due to negligence of that issue, but sometimes bad things happen, and it is always hard to go back at that point.
I hope our university can encourage this effort to educate the general public about this issue. Information security education should be implemented in the university's policy; it should make every student have the opportunity to receive information about how to protect themselves in this peaceful but complex world.