is a branch of technology known as information security as applied to computers. The objective of computer security varies and can include protection of information from theft or corruption, or the preservation of availability, as defined in the security policy.
Computer security imposes requirements on computers that are different from most system requirements because they often take the form of constraints on what computers are not supposed to do. This makes computer security particularly challenging because it is hard enough just to make computer programs do everything they are designed to do correctly. Furthermore, negative requirements are deceptively complicated to satisfy and require exhaustive testing to verify, which is impractical for most computer programs. Computer security provides a technical strategy to convert negative requirements to positive enforceable rules. For this reason, computer security is often more technical and mathematical than some computer science fields.
Typical approaches to computer security (in approximate order of strength) can include the following:
* Physically limit access to computers to only those who will not compromise security.
* Hardware mechanisms that impose rules on computer programs, thus avoiding depending on the computer programs for computer security.
* Operating system mechanisms that impose rules on programs to avoid trusting computer programs.
* Programming strategies to make computer programs dependable and resist subversion.
Secure operating systems
One use of the term computer security refers to technology to implement a secure operating system. Much of this technology is based on science developed in the 1980s and used to produce what may be some of the most impenetrable operating systems ever. Though still valid, the technology is almost inactive today, perhaps because it is complex or not widely understood. Such ultra-strong secure operating systems are based on operating system kernel technology that can guarantee that certain security policies are absolutely enforced in an operating environment. An example of such a computer security policy is the Bell-LaPadula model. The strategy is based on a coupling of special microprocessor hardware features, often involving the memory management unit, to a special correctly implemented operating system kernel. This forms the foundation for a secure operating system which, if certain critical parts are designed and implemented correctly, can ensure the absolute impossibility of penetration by hostile elements. This capability is enabled because the configuration not only imposes a security policy, but in theory completely protects itself from corruption. Ordinary operating systems, on the other hand, lack the features that assure this maximal level of security. The design methodology to produce such secure systems is precise, deterministic and logical.
Systems designed with such methodology represent the state of the art of computer security and the capability to produce them is not widely known. In sharp contrast to most kinds of software, they meet specifications with verifiable certainty comparable to specifications for size, weight and power. Secure operating systems designed this way are used primarily to protect national security information and military secrets. These are very powerful security tools and very few secure operating systems have been certified at the highest level (Orange Book A-1) to operate over the range of "Top Secret" to "unclassified" (including Honeywell SCOMP, USAF SACDIN, NSA Blacker and Boeing MLS LAN.) The assurance of security depends not only on the soundness of the design strategy, but also on the assurance of correctness of the implementation, and therefore there are degrees of security strength defined for COMPUSEC. The Common Criteria quantifies security strength of products in terms of two components, security capability (as Protection Profile) and assurance levels (as EAL levels.) None of these ultra-high assurance secure general purpose operating systems have been produced for decades or certified under the Common Criteria.
Security architecture
Security Architecture can be defined as "The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture. These controls serve the purpose to maintain the system’s quality attributes, among them confidentiality, integrity, availability, accountability and assurance."[1] In simpler words, a security architecture is the plan that shows where security measures need to be placed. If the plan describes a specific solution, then a risk analysis should be carried out before building such a plan. If the plan describes a generic high-level design (a reference architecture), then the plan should be based on a threat analysis.
Security by design
The technologies of computer security are based on logic. There is no universal standard notion of what secure behavior is. "Security" is a concept that is unique to each situation. Security is extraneous to the function of a computer application, rather than ancillary to it, thus security necessarily imposes restrictions on the application's behavior.
There are several approaches to security in computing; sometimes a combination of approaches is valid:
1. Trust all the software to abide by a security policy but the software is not trustworthy (this is computer insecurity).
2. Trust all the software to abide by a security policy and the software is validated as trustworthy (by tedious branch and path analysis for example).
3. Trust no software but enforce a security policy with mechanisms that are not trustworthy (again this is computer insecurity).
4. Trust no software but enforce a security policy with trustworthy mechanisms.
Many systems have unintentionally resulted in the first possibility. Approaches one and three lead to failure. Since approach two is expensive and non-deterministic, its use is very limited. Because approach number four is often based on hardware mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of approaches two and four are often used in a layered architecture with thin layers of two and thick layers of four.
There are myriad strategies and techniques used to design security systems. There are few, if any, effective strategies to enhance security after design.
One technique enforces the principle of least privilege to a great extent, where an entity has only the privileges that are needed for its function. That way, even if an attacker gains access to one part of the system, fine-grained security ensures that it is just as difficult for them to access the rest.
Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. This enables a closed-form solution to security that works well when only a single well-characterized property can be isolated as critical, and that property is also amenable to mathematical treatment. Not surprisingly, it is impractical for generalized correctness, which probably cannot even be defined, much less proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing represents a best-effort approach to make modules secure.
The design should use "defense in depth", where more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds. Defense in depth works when the breaching of one security measure does not provide a platform to facilitate subverting another. Also, the cascading principle acknowledges that several low hurdles do not make a high hurdle. So cascading several weak mechanisms does not provide the safety of a single stronger mechanism.
Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.
In addition, security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable. Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible.
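As an added example, written for this page and not taken from the original text or from any of the systems it names, the following Python sketch puts two of the principles above into code: the "fail secure" default of the previous paragraph, and the append-only audit trail of this one. The policy table, principal names and paths are constructed for illustration; a real deployment would ship the chained records to a remote, append-only store rather than keep them in memory.

```python
import copy
import hashlib
import json

# Constructed least-privilege policy: each principal is granted only the
# (resource, action) pairs it needs; anything not listed is denied.
POLICY = {
    "backup-svc": {("/var/backups", "read"), ("/var/backups", "write")},
    "web-svc": {("/srv/www", "read")},
}


class PolicyStoreError(Exception):
    """Raised when the policy backend cannot be consulted."""


def lookup_policy(principal, store=POLICY):
    """Return the grants for a principal; raise if the store is unreachable."""
    if store is None:  # stands in for a network or database failure
        raise PolicyStoreError("policy store unreachable")
    return store.get(principal, set())


def is_allowed_fail_insecure(principal, resource, action, store=POLICY):
    """The anti-pattern: a failure in the policy path falls through to allow."""
    try:
        return (resource, action) in lookup_policy(principal, store)
    except PolicyStoreError:
        return True  # BUG: an outage of the policy store opens everything up


def is_allowed(principal, resource, action, store=POLICY):
    """Fail-secure check: deny by default, and deny on any failure."""
    try:
        grants = lookup_policy(principal, store)
    except PolicyStoreError:
        return False
    return (resource, action) in grants


class AuditLog:
    """Append-only audit trail in which each record commits to its predecessor."""

    GENESIS = "0" * 64  # hash value used as the predecessor of the first record

    def __init__(self):
        self._records = []

    @staticmethod
    def _digest(prev_hash, entry):
        payload = prev_hash + json.dumps(entry, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, entry):
        prev = self._records[-1]["hash"] if self._records else self.GENESIS
        self._records.append({"entry": entry, "prev": prev,
                              "hash": self._digest(prev, entry)})

    def records(self):
        """Deep copy, so callers (or a simulated intruder) cannot alter the log."""
        return copy.deepcopy(self._records)

    def verify_chain(self, records=None):
        """Return (ok, index): index is the first record whose link or hash fails."""
        records = self._records if records is None else records
        prev = self.GENESIS
        for i, rec in enumerate(records):
            if rec["prev"] != prev or rec["hash"] != self._digest(prev, rec["entry"]):
                return False, i
            prev = rec["hash"]
        return True, len(records)


def authorize(principal, resource, action, log, store=POLICY):
    """Decide, then record the decision so the trail also covers denials."""
    decision = is_allowed(principal, resource, action, store)
    log.append({"principal": principal, "resource": resource,
                "action": action, "allowed": decision})
    return decision


def demo():
    """Run constructed requests and show the trail catching two tampering attempts."""
    log = AuditLog()
    decisions = [
        authorize("web-svc", "/srv/www", "read", log),              # granted
        authorize("web-svc", "/var/backups", "read", log),          # not granted
        authorize("unknown-svc", "/srv/www", "read", log),          # unknown: deny
        authorize("web-svc", "/srv/www", "read", log, store=None),  # outage: deny
    ]
    intact = log.verify_chain()
    # An intruder who could rewrite the log might delete the record of a
    # denied probe, or flip a decision. Both break the chain and are detected.
    deleted = log.records()
    del deleted[1]
    edited = log.records()
    edited[0]["entry"]["allowed"] = False
    return {"decisions": decisions, "intact": intact,
            "after_delete": log.verify_chain(deleted),
            "after_edit": log.verify_chain(edited)}
```

The contrast between is_allowed_fail_insecure and is_allowed is the whole point of "fail secure": with the policy store down, the first grants every request and the second grants none.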
Early history of security by design
The early Multics operating system was notable for its early emphasis on computer security by design, and Multics was possibly the very first operating system to be designed as a secure system from the ground up. In spite of this, Multics' security was broken, not once, but repeatedly. The strategy was known as 'penetrate and test' and has become widely known as a non-terminating process that fails to produce computer security. This led to further work on computer security that prefigured modern security engineering techniques producing closed form processes that terminate.
4/04/2008
Computer Security
Posted by Computer Network at 10:55 AM
3/24/2008
Health Insurance
eHealthInsurance is a licensed health insurance agency and the leading online source for individuals, self employed, and small businesses to find, compare and buy Individual Health Insurance, Family Health Insurance, Small Business Health Insurance, Self Employed Health Insurance, and Health Savings Accounts (HSA).
After providing your zip code and some basic information, you'll receive free quotes, compare plans side by side, and apply for coverage online. If you have a question or need personal assistance, you can contact one of our licensed agents for the answers and unbiased advice you need to make the most of your insurance dollars.
Posted by Computer Network at 12:53 PM
3/19/2008
Computer Insurance
When buying a computer it is normal practice to be offered insurance at the point of sale to protect your new purchase. It is now well known that personal computer retailers make a considerable additional profit from customers who believe they are being offered a cheap price. On average electrical retailers are known to charge their customers three to four times more than necessary.
Why Buy Computer Insurance?
Laptops and desktop computers are becoming an increasingly important commodity. For the opportunist thief, your computer is as good as ready money and it is one of the first things to go. This is all too common in business environments, public sector buildings, and now households as well. If you are a consultant who travels with a laptop to business meetings, there is a high risk of your laptop being stolen. Currently, 70,000 computers are stolen each year in the UK, and more than 100,000 are accidentally damaged.
Traditionally, house contents insurance would cover some additional items up to an upper value limit, the items being specified by the owner of the policy. In these circumstances if you have to make a claim, you may be penalised in a number of ways.
- Many insurance companies' upper limits are not very high and would not cover the cost of a new computer. Unfortunately computers depreciate quickly and a computer that cost £2,000 when new, might not be worth more than £500 after only a year. Your contents policy would only pay the present value of the computer.
- If you make a claim on your contents insurance, your total renewal premium will be significantly higher. This is because the premium is based on the entire contents of your house and not just the item you claimed for.
- Many house contents policies will not provide cover if you remove the computer from your house or the office. If you use a laptop and travel to business meetings you are taking an unnecessary risk.
Key Features of Computer Insurance:
- 'All Risks' cover worldwide.
- No excess.
- Rapid claims response, with authorisation guaranteed in ordinary circumstances, within 24 hours or less.
- No additional security arrangements required.
- Simple premium calculation based on the value of your equipment.
- All hardware including printers and scanners also covered.
- Minimal exclusions.
What is not Covered by Computer Insurance?
As with all technical equipment, computer insurance does not provide cover for items such as:
- Maintenance costs.
- Electrical or mechanical failure.
- Wear and tear.
- Fraud and dishonesty.
- Consequential loss. Loss or damage caused by sonic bangs is not covered but may be covered under any warranty/extended warranty you may have.
Posted by Computer Network at 10:51 AM
3/14/2008
Insurance insulates too much
By creating a "security blanket" for its insureds, an insurance company may inadvertently find that its insureds may not be as risk-averse as they might otherwise be (since, by definition, the insured has transferred the risk to the insurer). This problem is known to the insurance industry as moral hazard. To reduce their own financial exposure, insurance companies have contractual clauses that mitigate their obligation to provide coverage if the insured engages in behavior that grossly magnifies their risk of loss or liability.
For example, life insurance companies may require higher premiums or deny coverage altogether to people who work in hazardous occupations or engage in dangerous sports. Liability insurance providers do not provide coverage for liability arising from intentional torts committed by the insured. Even if a provider were so irrational as to desire to provide such coverage, it is against the public policy of most countries to allow such insurance to exist, and thus it is usually illegal.
Closed community self-insurance
Some communities prefer to create virtual insurance amongst themselves by other means than contractual risk transfer, which assigns explicit numerical values to risk. A number of religious groups, including the Amish and some Muslim groups, depend on support provided by their communities when disasters strike. The risk presented by any given person is assumed collectively by the community who all bear the cost of rebuilding lost property and supporting people whose needs are suddenly greater after a loss of some kind. In supportive communities where others can be trusted to follow community leaders, this tacit form of insurance can work. In this manner the community can even out the extreme differences in insurability that exist among its members. Some further justification is also provided by invoking the moral hazard of explicit insurance contracts.
In the United Kingdom, the Crown (which, for practical purposes, meant the Civil Service) did not insure property such as government buildings. If a government building was damaged, the cost of repair would be met from public funds because, in the long run, this was cheaper than paying insurance premiums. Since many UK government buildings have been sold to property companies and rented back, this arrangement is now less common and may have disappeared altogether.
Posted by Computer Network at 9:18 AM
Life insurance
Certain life insurance contracts accumulate cash values, which may be taken by the insured if the policy is surrendered or which may be borrowed against. Some policies, such as annuities and endowment policies, are financial instruments to accumulate or liquidate wealth when it is needed.
In many countries, such as the U.S. and the UK, the tax law provides that the interest on this cash value is not taxable under certain circumstances. This leads to widespread use of life insurance as a tax-efficient method of saving as well as protection in the event of early death.
In the U.S., the tax on interest income on life insurance policies and annuities is generally deferred. However, in some cases the benefit derived from tax deferral may be offset by a low return. This depends upon the insuring company, the type of policy and other variables (mortality, market return, etc.). Moreover, other income tax saving vehicles (e.g., IRAs, 401(k) plans, Roth IRAs) may be better alternatives for value accumulation. A combination of low-cost term life insurance and a higher-return tax-efficient retirement account may achieve a better investment return.
Posted by Computer Network at 9:16 AM
3/13/2008
Health Insurance
The term health insurance is generally used to describe a form of insurance that pays for medical expenses. It is sometimes used more broadly to include insurance covering disability or long-term nursing or custodial care needs. It may be provided through a government-sponsored social insurance program, or from private insurance companies. It may be purchased on a group basis (e.g., by a firm to cover its employees) or purchased by individual consumers. In each case, the covered groups or individuals pay premiums or taxes to help protect themselves from high or unexpected healthcare expenses. Similar benefits paying for medical expenses may also be provided through social welfare programs funded by the government.
Health insurance works by estimating the overall risk of healthcare expenses and developing a routine finance structure (such as a monthly premium or annual tax) that will ensure that money is available to pay for the healthcare benefits specified in the insurance agreement. The benefit is administered by a central organization, most often either a government agency or a private or not-for-profit entity operating a health plan.[1]
The concept of health insurance was proposed in 1694 by Hugh the Elder Chamberlen from the Peter Chamberlen family. In the late 19th century, "accident insurance" began to be available, which operated much like modern disability insurance.[2] This payment model continued until the start of the 20th century in some jurisdictions (like California), where all laws regulating health insurance actually referred to disability insurance.[3]
Accident insurance was first offered in the United States by the Franklin Health Assurance Company of Massachusetts. This firm, founded in 1850, offered insurance against injuries arising from railroad and steamboat accidents. Sixty organizations were offering accident insurance in the US by 1866, but the industry consolidated rapidly soon thereafter. While there were earlier experiments, the origins of sickness coverage in the US effectively date from 1890. The first employer-sponsored group disability policy was issued in 1911.[4]
Before the development of medical expense insurance, patients were expected to pay all other health care costs out of their own pockets, under what is known as the fee-for-service business model. During the middle to late 20th century, traditional disability insurance evolved into modern health insurance programs. Today, most comprehensive private health insurance programs cover the cost of routine, preventive, and emergency health care procedures, and also most prescription drugs, but this was not always the case.
Hospital and medical expense policies were introduced during the first half of the 20th century. During the 1920s, individual hospitals began offering services to individuals on a pre-paid basis, eventually leading to the development of Blue Cross organizations.[4] The predecessors of today's Health Maintenance Organizations (HMOs) originated in 1929 and developed through the 1930s and during World War II.[5][6]
Posted by Computer Network at 1:29 PM
3/10/2008
Welcome to Insure and Go Computer and Laptop Insurance Cover
Insure & Go will ensure that you are not left without computing power for long if your machine should be stolen or damaged. Our computer and laptop insurance cover provides efficient claims handling which enables swift repair or replacement of equipment. Within two hours of receipt of your claim form at our claims office an experienced claims handler will attempt to contact you. The premium is a simple calculation based on the value of your equipment.
Instant laptop and computer insurance quote and cover online insured with leading UK insurance companies
Posted by Computer Network at 9:09 AM
3/05/2008
Make Money From Internet
If you were to observe the company that delivers the daily paper to your doorstep as a business case study, you would learn that the newspaper publisher hires reporters, writers and other important staff to create the content and deliver the papers to their readers. In addition, the publisher has to invest regularly in heavy-duty machinery and tons of paper to print tons of newspapers on a daily basis. And in order to ensure that the newspapers are delivered on time, the publisher appoints agents in every part of the covered territory.
So, how does the newspaper company make money? It is obvious that selling a copy of the paper at less than a dollar would not even fund the operations.
The answer? Selling advertising spaces! You have definitely seen lots of advertisements in the newspaper. The publisher simply sells advertising space in the papers to advertisers who want to leverage their advertising efforts on the paper’s high readership.
On the same analogy, you can make money the exact way from your newsletter: simply by selling advertising space to prospective advertisers!
If your mailing list size exceeds 1,000 (5,000 is recommended) subscribers and beyond, you can start selling advertising space for say, $10.00 per sponsor ad.
In this manner, you turn every issue you send out to your subscribers into a profit-pulling device. And since there is virtually no end to the stream of advertisers, as products, services and businesses are cropping up every single day in every industry imaginable, so too are your money-making opportunities.
Posted by Computer Network at 10:13 AM
2/26/2008
Making Money Online: buying secrets about AdSense or other schemes.
One aspect of online money making schemes that never fails to amuse me is the ability for people to make money selling "secrets" and "techniques" about specific aspects of making money online.
A few web searches for something like "adsense" will quickly reveal a whole slew of websites offering to sell you secret and never before told tricks about increasing your adsense earnings by extreme amounts.
Now, how on earth can they be secret? If some bloke is out there flogging this PDF file of secret methods for enhancing your adsense earnings, surely this PDF file must be in common circulation on the file-sharing networks? I don't think any serious online money maker is going to have many qualms about pinching somebody else's PDF file.
Additionally, the facts contained within these offers must also be common knowledge on forums and non-fee-charging websites. It remains a mystery to me how websites offering these secrets about things like adsense and adwords stay in business.
I suspect part of the reason is good, old-fashioned retail therapy. People are lulled by the fantastic marketing effort made on this sort of website, and, by the time they read to the end of the page, are falling over themselves to find the "buy now" button. They don't stop to think for a moment, and realise that most of the information about enhancing their online money making experience which they are about to part with cash for is probably already available for free in one form or other on the internet.
And these documents don't really contain any top-secret money making information. You are not going to increase your adsense earnings overnight by a factor of ten, because, simply, everybody else is probably doing the same thing!
Like all internet money making ideas, peddling secrets about existing systems like adsense is a lucrative sideline, but, the best techniques for utilizing things like adsense change very fast. I'd imagine the best way of keeping up is to stay in close touch with the forums etc. Any revolutionary information that has found its way into an ebook or whatever, is probably already out of date.
I would very much doubt it is possible to dramatically increase your online money making via adsense simply by buying the book from one of these websites. Surely, if this was possible, the sellers would be busy making money online themselves using these magic secrets?
Well, I think part of the reason is sheer laziness. It is easy to create one meaningless ebook and keep selling it over and over again. It is much more difficult to build a strong, content-rich, useful website and earn adwords income from it.
Perhaps if all the people trying to make money out of selling useless adsense facts redirected their efforts into creating useful content rich websites, the internet would be a far better place.
Posted by Computer Network at 9:08 AM
2/22/2008
Money From Internet
Maybe you've heard people say that you can get rich on the Internet. But, if you are serious about making money on the Internet, remember, it's not a get rich overnight business. Internet success takes time, effort and knowledge. There's no easy "get rich quick" method, so you need to spend the time for building income stream from your Web site.
You can find many kinds of Web sites that have the aim, directly or indirectly, to make money. Apart from the online retailers who are using their sites to directly make money, you can find many Web sites with various moneymaking features.
Here's an excellent page describing realistic ways of making money on the Internet from your personal Web site - Work From Home. No "get rich quick" schemes. Just proven, reliable ways to build an online business or use a Web site to expand your offline one.
The basis for building serious income is high traffic. If your site only gets a few hundred visitors per month, as most personal Web sites do, you are unlikely to make more than pocket change.
Here are some ways of making money on the Internet from your personal Web site...
Banners
They were one of the first ways of making money from hobby Web sites; however, they are not so popular now since most surfers don't even look at them. In fact, the click-through rate (the percentage of visitors who actually click on a banner) has steadily dropped, from around 5% four years ago to less than 0.5% now.
In the Traffic-Building volume of Make Your Site SELL! 2002 (the free ebook describing all possible ways of making money on the Internet), banners are called #1 "Time and Money Wasters." Save yourself months of poorly spent time. Read this essential manual first.
If you have highly relevant, cleverly designed banners, you can beat the odds. However, you need relatively high traffic to actually make more than pocket change. In fact, most banner advertising companies prefer to only pay for actual sales (even click throughs are no longer attractive, since many people click through because they are paid to, and not because they intend to buy anything).
Freebies
Under this category are things such as free lotto tickets and various games where you can win prizes. Often, these are implemented as pop-ups and are much more annoying than banners.
Affiliate programs
They pay you a percentage of the sales you generate for them, or for each visitor you send. This is one of the best ways of making money on the Internet. You don't have to spend time and energy creating your own product. And some of them pay 50% commission. See Affiliate programs for more information on building income from affiliate programs.
Google AdSense
This is one of the easiest ways of making money on the Internet for small and medium sites by displaying relevant, text-based ads from Google AdWords (Google's own advertising program) and receiving a share of the pay-per-click payment. Sign up for AdSense.
Other tools
There are many tools that can help you make some pretty big commissions without your visitors even realizing that you're building income from their visits.
For example, several search engines will pay you a few cents per search made from your Web site. If a few hundred people use your search box, you'll earn a few dollars a day - not bad for a few minutes spent cutting and pasting a small line of code into the HTML of your Web page.
Selling a Product or Service
This is an obvious way of making money on the Internet. To succeed in it, you have to succeed at three points...
- Develop a great product that is of interest to others on the Web.
- Write a professional Web site designed to sell.
- Attract targeted customers to the site.
Ken Evoy's Make Your Knowledge Sell! is a very useful ebook for those who want to get a piece of the e-commerce pie but don't know how to come up with a product. MYKS! shows you that your knowledge, life experience, specialized interest or hobby can be packaged into an information product ("infoproduct") that other people want and are surfing to find.
An infoproduct offers the best entry point into the world of making money on the Internet for most people. Absolutely everything is in MYKS!... from brainstorming to automating your order-processing. You need absolutely nothing else to succeed at selling what's in your brain.
For additional information on how to start selling online, see Selling on the Internet and Free Merchant Accounts. You'll also find there a list of 3rd party credit card processing companies - processing fees, extra costs and other details.
Posted by Computer Network at 8:36 PM
Money From Internet
Maybe you've heard people say that you can get rich on the Internet. But, if you are serious about making money on the Internet, remember, it's not a get rich overnight business. Internet success takes time, effort and knowledge. There's no easy "get rich quick" method, so you need to spend the time for building income stream from your Web site.
You can find many kinds of Web sites that have the aim, directly or indirectly, to make money. Apart from the online retailers who are using their sites to directly make money, you can find many Web sites with various moneymaking features.
Here's an excellent page describing realistic ways of making money on the Internet from your personal Web site - Work From Home. No "get rich quick" schemes. Just proven, reliable ways to build an online business or use a Web site to expand your offline one.
The basis for building serious income is high traffic. If your site gets only a few hundred visitors per month, as most personal Web sites do, you are unlikely to make more than pocket change.
Here are some ways of making money on the Internet from your personal Web site...
Banners
They were one of the first ways of making money from hobby Web sites, but they are not so popular now, since most surfers don't even look at them. In fact, the click-through rate (the percentage of visitors who actually click on a banner) has steadily dropped, from around 5% four years ago to less than 0.5% now.
In the Traffic-Building volume of Make Your Site SELL! 2002 (the free ebook describing all possible ways of making money on the Internet), banners are called #1 "Time and Money Wasters." Save yourself months of poorly spent time. Read this essential manual first.
If you have highly relevant, cleverly designed banners, you can beat the odds. However, you need relatively high traffic to actually make more than pocket change. In fact, most banner advertising companies prefer to only pay for actual sales (even click throughs are no longer attractive, since many people click through because they are paid to, and not because they intend to buy anything).
Freebies
Under this category are things such as free lotto tickets and various games where you can win prizes. Often, these are implemented as pop-ups and are much more annoying than banners.
Affiliate programs
They pay you a percentage of the sales you generate for them, or for each visitor you send. This is one of the best ways of making money on the Internet. You don't have to spend time and energy creating your own product. And some of them pay 50% commission. See Affiliate programs for more information on building income from affiliate programs.
Google AdSense
This is one of the easiest ways of making money on the Internet for small and medium sites by displaying relevant, text-based ads from Google AdWords (Google's own advertising program) and receiving a share of the pay-per-click payment. Sign up for AdSense.
Other tools
There are many tools that can help you make some pretty big commissions without your visitors even realizing that you're building income from their visits.
For example, several search engines will pay you a few cents per search made from your Web site. If a few hundred people use your search box, you'll earn a few dollars a day - not bad for the few minutes it takes to paste a small line of code into the HTML of your Web page.
Selling a Product or Service
This is an obvious way of making money on the Internet. To succeed in it, you have to succeed at three points...
- Develop a great product that is of interest to others on the Web.
- Write a professional Web site designed to sell.
- Attract targeted customers to the site.
Ken Evoy's Make Your Knowledge Sell! is a very useful ebook for those who want to get a piece of the e-commerce pie but don't know how to come up with a product. MYKS! shows you that your knowledge, life experience, specialized interest or hobby can be packaged into an information product ("infoproduct") that other people want and are surfing to find.
An infoproduct offers the best entry point into the world of making money on the Internet for most people. Absolutely everything is in MYKS!... from brainstorming to automating your order-processing. You need absolutely nothing else to succeed at selling what's in your brain.
For additional information on how to start selling online, see Selling on the Internet and Free Merchant Accounts. You'll also find there a list of 3rd party credit card processing companies - processing fees, extra costs and other details.
See also...
Passive Cashflow Secrets
It's a series of videos in which Neil Shearing shows you examples of how he does work once and then is paid for it over and over again. Each movie comes with a PDF transcript and a set of action steps for you to take.
Internet Success Blueprint
It's a complete guide on how to start making money on the Internet, written specifically for beginners.
Auto Income Secrets
This ebook shows step-by-step how to build websites focused on making money from adverts - gather keywords, build pages around them, place ads and promote the website.
From within this page, you can download several very helpful ebooks, which are highly recommended to those who start making money on the Internet. There's no charge - you're not even asked for your email address.
Posted by Computer Network at 8:23 PM
2/16/2008
The Difference Between a Virus, Worm and Trojan Horse?
The most common blunder people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan Horses are all malicious programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you to better protect your computer from their often damaging effects.
A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.
A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm can travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and so on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In more recent worm attacks such as the much-talked-about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.
Key Terms for Understanding Computer Viruses:
- virus: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
- Trojan Horse: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.
- worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions.
- blended threat: Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities.
- antivirus program: A utility that searches a hard disk for viruses and removes any that are found.
A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of methods and techniques means blended threats can spread quickly and cause widespread damage. Blended threats share four characteristics: they cause harm, propagate by multiple methods, attack from multiple points, and exploit vulnerabilities.
To be considered a blended threat, the attack would normally transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack; it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended threat could modify .exe files, HTML files and registry keys at the same time; basically, it can cause damage within several areas of your network at once.
Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.
Combating Viruses, Worms and Trojan Horses
The first step to protecting your computer is to ensure your operating system (OS) is up to date. This is essential if you are running a Microsoft Windows OS. Secondly, you should have anti-virus software installed on your system and download updates frequently so that your software has the latest signatures for new viruses, worms and Trojan horses. Additionally, make sure your anti-virus program can scan e-mail and files as they are downloaded from the Internet; this helps prevent malicious programs from ever reaching your computer. You should also install a firewall.
A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or built into broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it may ignore worms embedded in outgoing e-mail and treat them as regular network traffic. For individual home users, the most popular choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside to software firewalls is that they only protect the computer they are installed on, not a network.
It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and a good anti-virus scanning software, it will add some extra security and protection for your computer or network.
Posted by Computer Network at 2:23 AM
2/14/2008
Rontokbro aka Brontok Worm
A mass-mailing email worm that also spreads via USB and thumb drives, the Rontokbro worm - also known as Brontok - takes a multifaceted approach to defy detection and removal. Rontokbro / Brontok modifies the HOSTS file to prevent access to antivirus vendor sites, thereby preventing access to signature updates and online scanners. It may also disable antivirus and other security software running on the system, as well as block access to Registry Editor and other system tools needed to attempt manual removal of the worm.
First discovered in late September 2005, as of October 2006 over 20 variants of the Rontokbro / Brontok worm had been discovered. The worm executables often adopt either the Microsoft Word icon or the folder icon. Copies of the worm also often adopt the same name as the folder in which they were dropped. For example, if Rontokbro / Brontok copied itself to a folder named "New Folder", it would do so using the filename "New Folder" (that is, New Folder.exe). Because Windows hides the extensions of known file types by default, and the worm may use a folder icon, the infected file can appear to be merely a nested new folder. In addition, the worm typically modifies the Registry to cause the Folder Options menu item to disappear from the Windows Explorer Tools menu, so the user cannot easily turn extension display back on.
Some variants of the Rontokbro / Brontok worm cause the system to reboot when certain strings appear in task windows. For example, if "EXE" appears in the title of a window, the worm will cause the system to shut down and restart. On some occasions, the worm will pause the system during bootup and display a message in a similar fashion to much older DOS viruses. F-Secure includes a screenshot in their Brontok.N write-up.
Rontokbro / Brontok may also launch ping attacks which, depending on the number of infected systems at any given time, could amount to a distributed denial of service (DDoS) attack.
Because the worm prevents access to the Registry Editor and other diagnostic tools, and prevents access to antivirus software, removing a Rontokbro / Brontok infection can be tricky. To do so will require access to a second, non-infected PC. Here's how:
- From a non-infected PC, follow the first 8 steps outlined in How to Make an F-Prot CD.
- Take the F-Prot CD to the infected computer. Boot the infected computer into Safe Mode (see How to Boot into Safe Mode), then follow the 7 remaining steps outlined in the How to Make an F-Prot CD article to scan the system and remove any instances of Rontokbro / Brontok found.
- Before rebooting the PC, while still in Safe Mode, disable system restore. You can re-enable the system restore feature later, after you've booted normally, to create a new, clean system restore point.
After cleaning the system, be sure to remove any worm-created entries in the HOSTS file. Then update your antivirus software, test it with the EICAR test file to ensure it's working properly, and rescan your entire system - including any mapped and removable drives.
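Added example, not code from the original post or from any vendor tool it mentions: a small offline Python script that checks the three indicators this write-up describes, so that the "remove any worm-created entries in the HOSTS file" step and the hidden-extension folder trick above can be verified rather than eyeballed. The antivirus domain list, the registry value paths and all sample data (HOSTS text, directory tree, registry export) are constructed for the example and are assumptions, not artifacts captured from a real Brontok infection.

```python
"""Offline checks for the Rontokbro / Brontok indicators described above.

Added example, not code from the original post.  Three things the write-up
says the worm does are checked against constructed data:
  1. HOSTS entries that pin antivirus vendor sites to a sinkhole address,
  2. executables named after the folder that contains them ("New Folder\\New Folder.exe"),
  3. the Explorer / Registry Editor lockdown policy values it is said to set.
Nothing here touches a live system; the sample HOSTS text, directory tree and
registry export are all built inline.
"""
import os
import tempfile

# Vendor domains whose blocking stops signature updates.  This list is an
# assumption for the example; extend it with the vendors you actually use.
AV_DOMAINS = ("f-secure.com", "symantec.com", "mcafee.com", "kaspersky.com",
              "trendmicro.com", "sophos.com", "microsoft.com")

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com")

# Standard Windows policy values.  That Brontok sets them follows the write-up;
# the exact value paths checked here are an assumption of this example.
LOCKDOWN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt": 1,
}


def suspicious_hosts_entries(hosts_text):
    """Return (address, hostname) pairs that map an AV vendor host anywhere.

    Parsed the way the resolver does it: '#' starts a comment, the first field
    is the address, every following field is a hostname for that address.
    Any mapping of a vendor domain is suspect: 127.0.0.1 makes updates fail,
    and a non-loopback address would pin the host to an attacker-chosen server.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in AV_DOMAINS):
                hits.append((address, host))
    return hits


def clean_hosts(hosts_text):
    """Return the HOSTS text with every flagged line removed, comments kept."""
    kept = [raw for raw in hosts_text.splitlines() if not suspicious_hosts_entries(raw)]
    return "\n".join(kept) + "\n"


def folder_named_executables(root):
    """Find files like <dir>\\<dir>.exe, the worm's folder-impersonation trick.

    With known extensions hidden, such a file shows up as a folder inside a
    folder of the same name, which is what the write-up warns about.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for filename in filenames:
            stem, ext = os.path.splitext(filename)
            if ext.lower() in EXEC_EXTENSIONS and stem.lower() == parent:
                hits.append(os.path.join(dirpath, filename))
    return sorted(hits)


def folder_named_executables_relative(root):
    """Same findings as forward-slash paths relative to root, handy for a report."""
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p in folder_named_executables(root)]


def lockdown_findings(registry_values):
    """registry_values: {value path: data}, e.g. parsed from a .reg export."""
    return sorted(path for path, bad in LOCKDOWN_VALUES.items()
                  if registry_values.get(path) == bad)


# --- constructed sample data ----------------------------------------------
SAMPLE_HOSTS = """# constructed HOSTS file for the example
127.0.0.1       localhost
127.0.0.1       www.f-secure.com
127.0.0.1       securityresponse.symantec.com
192.168.1.10    fileserver.local   # legitimate local entry, must survive cleaning
"""

SAMPLE_REGISTRY = {  # constructed: two of the three lockdown values set
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt": 0,
}


def build_sample_tree():
    """Constructed layout imitating a removable drive the worm has copied itself to."""
    root = tempfile.mkdtemp(prefix="brontok_example_")
    for rel in ("New Folder/New Folder.exe", "Docs/Docs.exe",
                "Docs/report.doc", "Docs/setup.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not a real executable")
    return root


if __name__ == "__main__":
    print("HOSTS entries to remove:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("Folder-named executables:", folder_named_executables_relative(build_sample_tree()))
    print("Lockdown values set:", lockdown_findings(SAMPLE_REGISTRY))
```

Run it as-is to see the findings against the built-in sample. To use it on a real machine, feed `suspicious_hosts_entries` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and point `folder_named_executables` at the suspect drive, doing both from the clean PC rather than the infected one, as the removal steps above advise; `clean_hosts` keeps comments and unrelated entries so that a legitimate local mapping is not lost along with the worm's.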
To prevent reinfection from Rontokbro / Brontok, avoid opening email attachments received unexpectedly - even from someone you know - unless you are certain of the intent. Don't share your USB and thumb drives with others unless you are certain their system is clean and avoid downloading files from anonymous P2P filesharing networks.
Posted by Computer Network at 10:34 AM
2/10/2008
Science and Technology Resources on the Internet
The term computer security is used frequently, but the content of a computer is vulnerable to few risks unless the computer is connected to other computers on a network. As the use of computer networks, especially the Internet, has become pervasive, the concept of computer security has expanded to denote issues pertaining to the networked use of computers and their resources.
The major technical areas of computer security are usually represented by the initials CIA: confidentiality, integrity, and availability (the A is sometimes read as authentication; both are defined below). Confidentiality means that information cannot be accessed by unauthorized parties. Confidentiality is also known as secrecy or privacy; breaches of confidentiality range from the embarrassing to the disastrous. Integrity means that information is protected against unauthorized changes that are not detectable to authorized users; many hacking incidents compromise the integrity of databases and other resources. Authentication means that users are who they claim to be. Availability means that resources are accessible by authorized parties; "denial of service" attacks, which are sometimes the topic of national news, are attacks against availability.
Other important concerns of computer security professionals are access control and nonrepudiation. Maintaining access control means not only that users can access only those resources and services to which they are entitled, but also that they are not denied resources that they legitimately can expect to access. Nonrepudiation implies that a person who sends a message cannot deny having sent it and, conversely, that a person who has received a message cannot deny having received it.
In addition to these technical aspects, the conceptual reach of computer security is broad and multifaceted. Computer security draws on disciplines such as ethics and risk analysis, and is concerned with topics such as computer crime; the prevention, detection, and remediation of attacks; and identity and anonymity in cyberspace.
While confidentiality, integrity, and authenticity are the most important concerns of a computer security manager, privacy is perhaps the most important aspect of computer security for everyday Internet users. Although users may feel that they have nothing to hide when they are registering with an Internet site or service, privacy on the Internet is about protecting one's personal information, even if the information does not seem sensitive. Because of the ease with which information in electronic format can be shared among companies, and because small pieces of related information from different sources can be easily linked together to form a composite of, for example, a person's information seeking habits, it is now very important that individuals are able to maintain control over what information is collected about them, how it is used, who may use it, and what purpose it is used for.
Scope of this Guide
This guide is intended to present a selected list of sites that cover the basic issues of computer security and which provide useful information for the non-expert (librarian, undergraduate student, office manager, etc.) who wants to learn more about this increasingly important subject. The categories are intended to offer points of departure for some of the many aspects of computer security. For the sake of brevity, this guide stops short of entering the vast realm of commercial software products, consulting firms, and the like. The individual who is in the market for security products or services should have no trouble finding descriptions, reviews, and comparisons on the web and through other media.
Methods
The web sites in this list were collected through various methods, including searches of Internet directories such as Google and Yahoo, the Librarian's Index to the Internet, the Scout Report, and the World Cat database (userid and password are required); burrowing through information security portals such as InfoSysSec and Packet Storm Security; and exploring links from within quality sites as they were encountered. Emphasis has been placed on sites that provide practical information rather than merely advertise products; accordingly, most of the sites selected are hosted in .edu, .gov, and .org domains. However, commercial sites were not discounted if they provided substantive information in addition to product information.
General Sources
- Center for Education and Research in Information Assurance and Security
http://www.cerias.purdue.edu/ - CERIAS's mission is to be recognized as the leader in information security and assurance research, education, and community service. To these ends, CERIAS offers a free security seminar on diverse security topics on Wednesday afternoons during the fall and spring semesters; attendees may show up in person or through a live internet stream. The CERIAS web site also includes extensive computer security resources for K-12 teachers, including background information, lesson plans, and links to other web resources.
- TECS: The Encyclopedia of Computer Security
http://www.itsecurity.com/ - TECS provides a forum for visitors to seek the opinions of one or several security experts on a broad scope of security questions. Users range from individuals asking about their home computers to students working on projects to IT professionals; TECS's panel of volunteer security experts tend to work for computer or security consulting companies. Questions are sent via listserv to the experts, whose answers are then published, along with the question, on the web site. The site owners request that the experts try to provide balanced answers that do not gratuitously advertise specific products; vendors are free to list full product descriptions in the TECS Security Product Database.
- CYBERCRIME
http://www.cybercrime.gov/ - This site is maintained by the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the U.S. Department of Justice; the information available at this site is presented from a legal, rather than technical, perspective. It provides a plethora of information about the various ways computers can be used to commit crimes, how and to whom to report computer crimes, and what to do if you are the victim of computer crime. It includes links to cases, laws, legal issues, and policy issues surrounding hacking, intellectual property infringements, and other online offenses.
- Common Vulnerabilities and Exposures
http://www.cve.mitre.org/ - MITRE, a not-for-profit national resource that provides systems engineering, research and development, and information technology support to the government, has created CVE in an attempt to standardize the names of vulnerabilities and other information security exposures. MITRE's goal is to increase data communication across network tools by encouraging software companies and developers to use the common names found at the CVE web site; according to CERIAS, "CVE is the key to vulnerability database compatibility." To date, over 60 major organizations have agreed to make their products and services CVE compliant.
- Stay Safe Online
http://www.staysafeonline.info/ - The National Cyber Security Alliance, comprised of corporate and government organization members, sponsors Stay Safe Online to educate home and small business computer users in basic computer security practices, thereby helping to protect the nation's internet infrastructure. The site offers a personal computer security self-test, beginner's guides on various security topics, and a one-hour online course on security fundamentals.
- Security Statistics
http://www.securitystats.com/ - Because online banks, retailers, and other businesses may wish to protect their reputations by not reporting problems associated with online attacks, statistics about such can be difficult to find. The Security Statistics site is a portal to data on computer security incidents. Statistics are pooled from a wide range of sources, and includes information about security spending, known vulnerabilities, numbers of reported security breaches, economic impact of incidents, arrests and convictions, and more. The site does not guarantee the accuracy of reported statistics, but the sources of each statistic are included.
Ethics
- Computer and Information Ethics on WWW
http://www.ethics.ubc.ca/resources/computer/ - This site is a subdivision of a website on ethics resources which is maintained by the University of British Columbia's Centre for Applied Ethics. The site provides lists of web sites, as well as lists of electronic and print publications, pertaining to various ethical issues in computing. There is a section on courses in computer ethics, which provides links to online syllabi to classes taught at other institutions, and a list of links to relevant organizations. The breadth of this site is limited, but it's a good place to begin exploring the ethical issues of network computing.
- Ethics in Computing
http://ethics.csc.ncsu.edu// - This site is administered by Dr. Edward F. Gehringer, an NCSU professor in Electrical & Computer Engineering and Computer Science who teaches several undergraduate and graduate classes in computer science and computer ethics. The site organizes computer ethics into a simple hierarchy of topics, starting with basic information on ethics. The articles are not necessarily recent, although many concepts pertaining to ethics may remain constant over time. An interesting feature is the site map, which looks like a real map, which offers a graphical representation of how the concepts are related.
Privacy
- EFF Privacy Now! Campaign
http://www.eff.org/Privacy/ - The Electronic Frontier Foundation was founded in 1990 to confront civil liberties issues raised by new technologies. EFF's interest in privacy issues runs the gamut from Internet anonymity and pseudonymity to medical privacy to the privacy risks posed by the nation's post-9/11 increased interest in surveillance, biometrics, and a national identification system. This site goes beyond mere tips and offers a thoughtful analysis of the privacy (and social) consequences of our increasingly automated society. Look for Carabella, an interactive adventure game that illustrates some of the privacy and fair use issues associated with online music shopping.
- Privacy Rights Clearinghouse
http://www.privacyrights.org/ - The Privacy Rights Clearinghouse is a nonprofit consumer advocacy organization. Their web site is full of information on privacy rights in an online environment. The main issues addressed on this site include personal privacy, financial privacy, and identity theft. Information sources include fact sheets covering specific privacy issues, news items and articles about privacy, and transcripts of PRC speeches and testimony from conferences and legislative hearings.
- The Privacy Foundation
http://www.privacyfoundation.org/ - The Privacy Foundation's main privacy concerns are data that is collected surreptitiously by companies about web surfers and their browsing habits, and employer surveillance of computer activity in the workplace. Users can sign up for free email delivery of the Foundation's TipSheets and Privacy Watch advisories and commentaries. An interesting free download available at this site is Bugnosis, software which alerts Internet Explorer users to web bugs, tiny or invisible web page graphics that have been encoded to collect information about who is browsing the web page.
- Platform for Privacy Preferences (P3P) Project
http://www.w3.org/P3P/ - The Worldwide Web Consortium, an organization promoting greater interoperability for web technologies, has developed P3P, a proposed standard that allows web sites to state their privacy policies using special keywords so that other P3P-enabled utilities (e.g., web browsers) can interpret them and compare them to a user's privacy preferences. P3P offers users greater control over how their personal information might be used on the Internet by giving them more opportunities to avoid offending sites.
Consumer Information
- Better Business Bureau Online
http://www.bbbonline.org/ - The Better Business Bureau system, which extends over most of the United States and Canada, has for many years mediated consumer problems by advocating voluntary self-regulation for businesses combined with increased education for consumers. The BBB now extends its services to the e-commerce arena, offering a BBB seal of reliability for qualified businesses to place on their web sites. For consumers, BBBOnline offers a "safe shopping list" of companies which merit the BBB's seal, as well as information on web safety and privacy, and online forms for lodging complaints.
- Shopping Safely Online
http://www.cnlnet.org/shoppingonline/index.htm - The National Consumer League offers Shopping Safely Online as part of its larger web site of general consumer information. In addition to online shopping tips, this site provides "e-ssentials" of online privacy and security for the consumer, and advice for using online auctions. Shopping Safely Online provides a link to the NCL's National Fraud Information Center, where users can report suspected fraud and access a wealth of other sources about the risks of doing business online.
- Internet Fraud Complaint Center
http://www.ic3.gov/ - The IFCC, a partnership between the FBI and the National White Collar Crime Center, offers this web site as a place for consumers to learn about Internet fraud, which is largely comprised of incidents relating to online auctions, credit card misuse, and other consumer-related activity. The site provides an easy-to-complete form for reporting Internet fraud. Of special interest is the IFCC's annual report on the numbers, types, and economic impacts of crimes reported through the site.
Kids
- NetSmartz Workshop
http://www.netsmartz.org/ - This site is published by the National Center for Missing and Exploited Children. Through games and other online activities, it introduces kids to some of the "outlaws of Webville," and instructs kids on how to respond to inappropriate behavior they might encounter online. The Netsmartz site for parents and educators provides suggestions for online and offline activities and is designed to increase communication between parents and children about Internet safety.
- CyberSmart!
http://www.cybersmart.org/home/ - The CyberSmart! School Program is a nonprofit corporation that advocates Internet education by empowering children rather than simply monitoring them. The CyberSmart web site provides brief lessons for teens, printable color posters for parents to hang near the family computer, and a curriculum of 65 standards-based lesson plans for K-8 teachers. The curriculum is centered around the SMART model, focusing on safety, manners, advertising, research, and technology. Lesson plans have been designed to stand alone, can be taught in any order, and can be taught by a technology teacher, librarian or media specialist, or science or social studies teacher as appropriate for the subject matter.
Antivirus
- Virus Bulletin
http://www.virusbtn.com/ - Virus Bulletin is a fee-based monthly magazine that provides information, reviews, and comparisons of antivirus products. The Virus Bulletin website offers the latest virus-related news, descriptions of recent viruses, and monthly prevalence tables of known virus activity. Consumers can see which antivirus products have earned the VB100% award, which goes to products that detect all In the Wild viruses (see WildList Organization, below) in test scans. Of particular practical use are four step-by-step DOS tutorials for recovering from some of the more common problems of virus infection.
- The WildList Organization International
http://www.wildlist.org/ - The WildList Organization's mission is "to provide accurate, timely and comprehensive information about 'In the Wild' computer viruses to both users and product developers." "In the wild" viruses are viruses that have been cited by two or more of the organization's panel of computer experts as spreading in the real world and therefore pose a real threat to computers and networks. The WildList is made available free of charge by the organization and is considered a standard against which the effectiveness of antivirus programs is measured. The WildList Organization has retained its independence from any one antivirus developer and encourages all users to find an antivirus vendor and develop a relationship with its customer support service.
- Hoax Busters
http://hoaxbusters.ciac.org/ - Hoax Busters is a public service of the Department of Energy's Computer Incident Advisory Capability (CIAC). Hoax Busters posits that dealing with hoax emails is annoying and time-consuming at best, and costly at worst. The Hoax Busters web is a clearinghouse of information about various types of Internet hoaxes, and strives to debunk dire warnings about various fake viruses and other malicious code that have no basis in fact. The site also confronts chain letters, urban myths, sympathy letters, and other cons, and offers suggestions for how to recognize hoaxes and what to do about them.
- F-Secure: Security Information Center
http://www.f-secure.com/virus-info/ - The self-described "industry standard source for up-to-date information on new viruses and hoax alerts," this site provides long, easily readable descriptions and screen shots of known viruses, including their variations, and information on how to recover if you're hit. While F-Secure naturally promotes the sale of its commercial products, it also offers a few dozen free downloads to fix specific virus problems. Also of interest are a six-minute video entitled "Virus Summary 2001," an account of the most notable (i.e., destructive) virus attacks of 2001, and a list of tips to avoid those pesky, and increasingly popular, email worms.
Security Policies
- Security Policy Issues
http://www.sans.org/rr/whitepapers/policyissues/ - The Systems Administration, Networking, and Security Institute (SANS) is an organization composed of computer security practitioners from government agencies, corporations, and universities. The SANS reading room provides access to over 1300 research articles across the spectrum of computer security; the Security Policy Issues section features over 60 articles, many of which were written by IT professionals to fulfill part of the requirements for the Global Information Assurance Certification. This site also contains an information security policy primer and policy examples and templates. Access to the SANS reading room is free, but users must register to receive a password.
- EDUCAUSE/Cornell Institute for Computer Policy and Law
http://www.educause.edu/icpl/ - The ICPL is a collaboration between Cornell, which began its Computer Policy and Law program in 1996, and EDUCAUSE, which promotes intelligent use of information technology in higher education. The Library Resources section provides access to hundreds of computer policies collected from educational institutions of all sorts, companies and corporations, networks, and municipalities. The policies pertain to virtually every aspect of campus technology use, from acceptable/responsible use to library policies to security and privacy policies. Users are invited to submit their own policies to the collection.
Cryptography
- Cryptology ePrint Archive
http://eprint.iacr.org/ - The International Association for Cryptologic Research (IACR) is a non-profit scientific organization whose purpose is to further research in cryptology and related fields. IACR's Cryptology ePrint Archive accepts clear and readable submissions from authors which "look somewhat new and interesting," and "contain proofs or convincing arguments for any claims." The archive begins in 1996, and as of this writing, there are 136 articles posted for 2002. While many of the newer articles are available as .pdf files, many files are available in postscript format only.
- The International PGP Home Page
http://www.pgpi.org/ - Pretty Good Privacy (PGP) is a cryptographic program for protecting digital information, including the contents of email messages, developed by Phil Zimmermann in 1991 and distributed as freeware for non-commercial use. The purpose of this web site is to promote the use of PGP worldwide by providing downloads, documentation, FAQs, lists of known bugs, links to web sites, and the latest news and other information about PGP in English and other languages.
Intrusion Detection
- DShield - Distributed Intrusion Detection System
http://www.dshield.org/ - DShield.org collects information about cracking, or penetration of computer systems by unauthorized parties, from all over the Internet. Systems administrators are encouraged to share their firewall logs so that patterns of intrusion activity can be analyzed; DShield will contact an Internet service provider if it appears to be the origin of suspicious activity. DShield provides a geographic distribution of reported attack sources from the past five days, as well as the IP addresses of the 10 most probed ports and the top 10 offending ports. The site also provides an "Are you cracked?" utility, which compares the user's IP address with a list of known attackers; if an IP address is matched, it is possible that the user's computer has been used by crackers to attack other machines.
Operating System Security
- Network Security Library
http://www.windowsecurity.com/whitepaper/ - This is a site providing articles on general network and system security, and no emphasis is placed on any one OS. Due to the large number of articles available on Unix and Windows, these systems have their own links; articles on other operating systems, such as Macintosh or Linux, can be found through keyword searches. Articles come from a variety of sources, including individual submissions as well as published book chapters. Readers are invited to rate articles on a scale of one to ten, and the average score and number of votes are listed with each article title.
- Windows Security Guide
http://www.winguides.com/security/ - This site lists security vulnerabilities and fixes for all Microsoft operating systems, as well as for network-related utilities such as MS Internet Explorer and Internet Information Server. Other services include a free newsletter of alerts and updates, and "support forums" for discussion of security topics. There are two levels of membership: the basic free membership allows access to the forums and newsletters, while a fee-based premium subscription option allows access to help files, free downloads, and the ability to turn off advertisements.
- Macintosh Security Site
http://www.securemac.com/ - The Macintosh Security Site contains several informative articles on Macintosh security, and reviews of many security products for Macs and Mac servers. While the site is supported through paid advertisements, the ads are rather unobtrusive. Of interest is the fact that the Macintosh Security Site is maintained as the "white side" of Freak's Macintosh Archive, a "hacking" site devoted to announcing and exploiting security vulnerabilities in Macintosh software & utilities.
- Linux Security
http://www.linuxsecurity.com/ - This site is sponsored by Guardian Digital, Inc., an Open Source security company which produces EnGarde Linux products. The site is not used solely to advertise EnGarde products, and other vendors and products are represented through their sponsorship of the site as well as in articles and advisories posted at the site. The News section of the site provides full-text articles, reprinted from a variety of external sources, on a wide range of general and Linux-specific security topics; the Documentation section features numerous practical "how-to" articles. Users can subscribe to free weekly Linux security newsletters and advisories and participate in an online mailing list.
Certification
- CISSP and SSCP Open Study Guides
http://www.cccure.org/ - The International Information Systems Security Certification Consortium, Inc (http://www.isc2.org) offers two security certifications, the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP). This site offers study guides, tips for taking the certification tests, newsletters, chat rooms, book reviews, and more, all written by volunteers who are preparing for or have passed the exams. Study guides address particular sections included in the exams. Free registration is required to access the full content of this site.
Information Warfare
- Information Warfare Site
http://www.iwar.org.uk/ - Because of the increasing interconnectedness of critical systems such as telecommunications, banking and finance, energy, and transportation, national infrastructures have become increasingly vulnerable to online terrorist threats. The Information Warfare Site "aims to stimulate debate about a range of subjects from information security to information operations and e-commerce." While the site's domain name denotes United Kingdom, much of the content is derived from government and news sources of the United States and other countries. Online discussion forums cover topics such as e-commerce, terrorism, critical infrastructure protection, and others.
Biometrics
- Biometrics Research
http://biometrics.cse.msu.edu/ - This site, run by Michigan State University's Department of Computer Science and Engineering, is a good beginning point for learning more about biometrics. It includes a brief but informative overview of biometrics, and descriptions of various biometric technologies, such as fingerprint matching, hand geometry, voice recognition, and so on. The "Projects" and "Publications" lists are limited to work by MSU people, but there is also a short list of external web links leading to biometric companies, consulting firms, and research centers.
- International Biometric Group
http://www.ibgweb.com/index.html - International Biometric Group LLC is a biometrics consulting firm which considers itself to be "vendor-independent and technology-neutral, allowing it to objectively and independently assess companies, technologies, products, and projects." Of special interest at IBG's web site is the "Research and Reports" section, where IBG provides information on biometrics basics, specific biometric technologies and their applications, accuracy and performance, as well as vendor and industry information. Users must register with the site to gain access to the full reports, but registration is free and is activated immediately.
- Biometrics Catalog
http://www.biometricscatalog.org/ - This is a database of biometric technologies maintained by the U.S. Department of Justice. Users can search for information about biometric products by biometric type, keyword, and date, as well as vendor category (commercially available products, products in government testing, products in non-government testing, etc.). Vendors can add information about their products, but forms that do not contain complete contact information will not be posted to the site.
Posted by Computer Network at 8:37 AM
Computer Security
Computer security is a branch of information security applied to both theoretical and actual computer systems. Computer security is a branch of computer science that addresses enforcement of 'secure' behavior on the operation of computers. The definition of 'secure' varies by application, and is typically defined implicitly or explicitly by a security policy that addresses confidentiality, integrity and availability of electronic information that is processed by or stored on computer systems.
The traditional approach is to create a trusted security kernel that exploits special-purpose hardware mechanisms in the microprocessor to constrain the operating system and the application programs to conform to the security policy. These systems can isolate processes and data to specific domains and restrict the access and privileges of users. This approach avoids trusting most of the operating system and applications.
In addition to restricting actions to a secure subset, a secure system should still permit authorized users to carry out legitimate and useful tasks. It might be possible to secure a computer against misuse using extreme measures:
“ The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. ”
Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security. [1]
It is important to distinguish the techniques used to increase a system's security from the issue of that system's security status. In particular, systems which contain fundamental flaws[1] in their security designs cannot be made secure without compromising their usability.[citation needed] Most computer systems cannot be made secure even after the application of extensive "computer security" measures. Furthermore, if they are made secure, functionality and ease of use often decrease.
Computer security can also be seen as a subfield of security engineering, which looks at broader security issues in addition to computer security.
Secure operating systems
One use of the term computer security refers to technology to implement a secure operating system. Much of this technology is based on science developed in the 1980s and used to produce what may be some of the most impenetrable operating systems ever. Though still valid, the technology is almost inactive today, perhaps because it is complex or not widely understood. Such ultra-strong secure operating systems are based on operating system kernel technology that can guarantee that certain security policies are absolutely enforced in an operating environment. An example of such a Computer security policy is the Bell-LaPadula model. The strategy is based on a coupling of special microprocessor hardware features, often involving the memory management unit, to a special correctly implemented operating system kernel. This forms the foundation for a secure operating system which, if certain critical parts are designed and implemented correctly, can ensure the absolute impossibility of penetration by hostile elements. This capability is enabled because the configuration not only imposes a security policy, but in theory completely protects itself from corruption. Ordinary operating systems, on the other hand, lack the features that assure this maximal level of security. The design methodology to produce such secure systems is precise, deterministic and logical.
Systems designed with such methodology represent the state of the art of computer security and the capability to produce them is not widely known. In sharp contrast to most kinds of software, they meet specifications with verifiable certainty comparable to specifications for size, weight and power. Secure operating systems designed this way are used primarily to protect national security information and military secrets. These are very powerful security tools and very few secure operating systems have been certified at the highest level (Orange Book A-1) to operate over the range of "Top Secret" to "unclassified" (including Honeywell SCOMP, USAF SACDIN, NSA Blacker and Boeing MLS LAN.) The assurance of security depends not only on the soundness of the design strategy, but also on the assurance of correctness of the implementation, and therefore there are degrees of security strength defined for COMPUSEC. The Common Criteria quantifies security strength of products in terms of two components, security capability (as Protection Profile) and assurance levels (as EAL levels.) None of these ultra-high assurance secure general purpose operating systems have been produced for decades or certified under the Common Criteria.
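The Bell-LaPadula model named above is the policy such kernels enforce, and its two rules are small enough to state in code. The following is an added example written for this page, not code from any of the systems listed (SCOMP, SACDIN, Blacker, MLS LAN); the level names, the compartment bits and the blp_allows helper are assumptions made for the illustration. It shows the "no read up" and "no write down" checks built on the dominance relation, and a reference-monitor entry point that denies anything it cannot positively authorize.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hierarchical sensitivity levels, in increasing order (assumed names). */
enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Non-hierarchical compartments as bits (assumed names). */
#define COMP_NUCLEAR 1u
#define COMP_CRYPTO  2u

/* A security label is a level plus a set of compartments. */
struct label {
    enum level lvl;
    unsigned compartments;
};

/* a dominates b iff a's level is at least b's and b's compartments are a
 * subset of a's. Both BLP rules are built on this partial order. */
static bool dominates(struct label a, struct label b)
{
    return a.lvl >= b.lvl && (b.compartments & ~a.compartments) == 0;
}

/* Simple security property ("no read up"): a subject may read an object
 * only if the subject's label dominates the object's. */
bool blp_can_read(struct label subject, struct label object)
{
    return dominates(subject, object);
}

/* *-property ("no write down"): a subject may write an object only if the
 * object's label dominates the subject's, so information cannot flow to a
 * lower or disjoint label. */
bool blp_can_write(struct label subject, struct label object)
{
    return dominates(object, subject);
}

enum access { ACCESS_READ = 0, ACCESS_WRITE = 1 };

/* Reference-monitor entry point with scalar arguments. Every request is
 * mediated here; anything not explicitly permitted, including a malformed
 * label or an unknown access mode, is denied. */
bool blp_allows(int subj_level, unsigned subj_comps,
                int obj_level, unsigned obj_comps, int access)
{
    if (subj_level < UNCLASSIFIED || subj_level > TOP_SECRET ||
        obj_level  < UNCLASSIFIED || obj_level  > TOP_SECRET)
        return false;                         /* fail secure on bad input */

    struct label s = { (enum level)subj_level, subj_comps };
    struct label o = { (enum level)obj_level,  obj_comps  };

    switch (access) {
    case ACCESS_READ:  return blp_can_read(s, o);
    case ACCESS_WRITE: return blp_can_write(s, o);
    default:           return false;
    }
}

int main(void)
{
    /* A SECRET/NUCLEAR subject against objects above and below it. */
    printf("read  CONFIDENTIAL: %d\n", blp_allows(SECRET, COMP_NUCLEAR, CONFIDENTIAL, 0, ACCESS_READ));
    printf("write CONFIDENTIAL: %d\n", blp_allows(SECRET, COMP_NUCLEAR, CONFIDENTIAL, 0, ACCESS_WRITE));
    printf("read  TOP_SECRET:   %d\n", blp_allows(SECRET, COMP_NUCLEAR, TOP_SECRET, COMP_NUCLEAR, ACCESS_READ));
    printf("write TOP_SECRET:   %d\n", blp_allows(SECRET, COMP_NUCLEAR, TOP_SECRET, COMP_NUCLEAR, ACCESS_WRITE));
    return 0;
}
```

Note that the compartment test is what makes a TOP_SECRET object without the NUCLEAR compartment fail to dominate a SECRET/NUCLEAR subject: writing there would leak compartmented data to a label that is higher in level but not a superset, which is exactly what the *-property forbids.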
Security by design
The technologies of computer security are based on logic. There is no universal standard notion of what secure behavior is. "Security" is a concept that is unique to each situation. Security is extraneous to the function of a computer application, rather than ancillary to it, thus security necessarily imposes restrictions on the application's behavior.
There are several approaches to security in computing, sometimes a combination of approaches is valid:
1. Trust all the software to abide by a security policy but the software is not trustworthy (this is computer insecurity).
2. Trust all the software to abide by a security policy and the software is validated as trustworthy (by tedious branch and path analysis for example).
3. Trust no software but enforce a security policy with mechanisms that are not trustworthy (again this is computer insecurity).
4. Trust no software but enforce a security policy with trustworthy mechanisms.
Many systems unintentionally result in the first possibility. Approaches one and three lead to failure. Since approach two is expensive and non-deterministic, its use is very limited. Because approach number four is often based on hardware mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of approaches two and four are often used in a layered architecture with thin layers of two and thick layers of four.
There are myriad strategies and techniques used to design security systems. There are few, if any, effective strategies to enhance security after design.
One technique enforces the principle of least privilege to great extent, where an entity has only the privileges that are needed for its function. That way even if an attacker gains access to one part of the system, fine-grained security ensures that it is just as difficult for them to access the rest.
Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. This enables a closed form solution to security that works well when only a single well-characterized property can be isolated as critical, and that property is also amenable to mathematical treatment. Not surprisingly, it is impractical for generalized correctness, which probably cannot even be defined, much less proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing represent a best-effort approach to make modules secure.
The design should use "defense in depth", where more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds. Defense in depth works when the breaching of one security measure does not provide a platform to facilitate subverting another. Also, the cascading principle acknowledges that several low hurdles do not make a high hurdle. So cascading several weak mechanisms does not provide the safety of a single stronger mechanism.
Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.
In addition, security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable. Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible.
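The last paragraph's point about audit trails that can only be appended to is worth seeing in code. The following is an added example for this page, not part of the original article: a small hash-chained log in C whose only mutating operation is append, plus a verifier that fails closed on the first inconsistent record. The log layout, the record format and the sample entries (hosts, users, paths) are all constructed for the illustration; the FNV-1a hash is a stand-in chosen only so the example builds without a crypto library, and a real trail would chain with a cryptographic hash or a keyed MAC.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 32
#define MAX_MSG     96

/* Stand-in hash: 64-bit FNV-1a. A deployed audit trail would use a
 * cryptographic hash or a keyed MAC whose key the monitored host does
 * not hold; FNV-1a only demonstrates the chain structure here. */
#define FNV_OFFSET 0xcbf29ce484222325ULL
static uint64_t fnv1a(uint64_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

struct record {
    char msg[MAX_MSG];
    uint64_t tag;              /* binds this record to everything before it */
};

struct audit_log {
    struct record rec[MAX_RECORDS];
    size_t count;
};

/* tag_i = H(tag_{i-1} || msg_i); record 0 chains from a fixed genesis value. */
static uint64_t chain_tag(uint64_t prev, const char *msg)
{
    uint64_t h = fnv1a(FNV_OFFSET, &prev, sizeof prev);
    return fnv1a(h, msg, strlen(msg));
}

/* The only mutating operation the log offers: append. There is no API to
 * edit or delete, which is what "append-only" means at the interface. */
bool audit_append(struct audit_log *log, const char *msg)
{
    if (log->count >= MAX_RECORDS || strlen(msg) >= MAX_MSG)
        return false;
    uint64_t prev = log->count ? log->rec[log->count - 1].tag : FNV_OFFSET;
    struct record *r = &log->rec[log->count];
    strcpy(r->msg, msg);                 /* length checked above */
    r->tag = chain_tag(prev, msg);
    log->count++;
    return true;
}

/* Recompute the chain from the start. Returns -1 if every record is
 * consistent, else the index of the first record whose stored tag does not
 * match. Any inconsistency is reported as tampering (fail secure). */
int audit_verify(const struct audit_log *log)
{
    uint64_t prev = FNV_OFFSET;
    for (size_t i = 0; i < log->count; i++) {
        if (log->rec[i].tag != chain_tag(prev, log->rec[i].msg))
            return (int)i;
        prev = log->rec[i].tag;
    }
    return -1;
}

/* Constructed sample activity (hypothetical hosts, users and paths). */
static void fill_sample(struct audit_log *log)
{
    memset(log, 0, sizeof *log);
    audit_append(log, "09:01 login user=alice src=10.0.0.5");
    audit_append(log, "09:02 login user=mallory src=198.51.100.7");
    audit_append(log, "09:03 read user=mallory path=/srv/payroll.db");
}

int demo_intact(void)
{
    struct audit_log log;
    fill_sample(&log);
    return audit_verify(&log);           /* -1: chain verifies */
}

/* An intruder rewrites record 1 in place to hide a login. The stored tag of
 * record 1 no longer matches its contents, so verification stops at 1. */
int demo_tampered(void)
{
    struct audit_log log;
    fill_sample(&log);
    strcpy(log.rec[1].msg, "09:02 login user=alice src=10.0.0.5");
    return audit_verify(&log);           /* 1 */
}

int main(void)
{
    printf("intact log verifies at: %d\n", demo_intact());
    printf("tampered log fails at record: %d\n", demo_tampered());
    return 0;
}
```

Two limits are worth keeping in mind. The chain by itself does not reveal that the tail has been cut off, and an intruder who can rewrite a record can also recompute every later tag with an unkeyed hash; that is why the paragraph above puts the trail on a remote system that accepts only appends, so the verifier holds its own copy of the record count and the latest tag, and why a keyed MAC, with the key kept off the monitored host, is the usual replacement for the plain hash used here.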
Early history of security by design
The early Multics operating system was notable for its early emphasis on computer security by design, and Multics was possibly the very first operating system to be designed as a secure system from the ground up. In spite of this, Multics' security was broken, not once, but repeatedly. The strategy was known as 'penetrate and test' and has become widely known as a non-terminating process that fails to produce computer security. This led to further work on computer security that prefigured modern security engineering techniques producing closed form processes that terminate.
Secure coding
If the operating environment is not based on a secure operating system capable of maintaining a domain for its own execution, and capable of protecting application code from malicious subversion, and capable of protecting the system from subverted code, then high degrees of security are understandably not possible. While such secure operating systems are possible and have been implemented, most commercial systems fall in a 'low security' category because they rely on features not supported by secure operating systems (like portability, et al.). In low security operating environments, applications must be relied on to participate in their own protection. There are 'best effort' secure coding practices that can be followed to make an application more resistant to malicious subversion.
In commercial environments, the majority of software subversion vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection.
Some common languages such as C and C++ are vulnerable to all of these defects (see Seacord, "Secure Coding in C and C++"). Other languages, such as Java, are more resistant to some of these defects, but are still prone to code/command injection and other software defects which facilitate subversion.
Recently another bad coding practice has come under scrutiny: dangling pointers. The first known exploit for this particular problem was presented in July 2007. Before this publication the problem was known but considered to be academic and not practically exploitable. [2]
In summary, 'secure coding' can provide significant payback in low security operating environments, and is therefore worth the effort. Still there is no known way to provide a reliable degree of subversion resistance with any degree or combination of 'secure coding.'
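The defect classes listed above (integer overflow, buffer overflow, format string misuse, dangling pointers) each have a well-known 'best effort' coding counterpart. The block below is an added example written for this page, not code from Seacord's book or any project it cites; the function names and the sample inputs are assumptions. It puts the unchecked size computation next to its checked form, replaces an unbounded copy with one that always terminates the buffer and reports truncation, passes untrusted text to printf only as an argument, and clears a pointer at the point of free so a later use fails loudly instead of silently reusing memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1. Integer overflow in a size computation (the defect pattern).
 * The product silently wraps modulo 2^32, so a large count yields a tiny
 * allocation that a later element loop would overrun. */
uint32_t unchecked_array_bytes(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;               /* 0x40000001 * 4 wraps to 4 */
}

/* Hardened form: refuse the request when the product cannot fit.
 * Returns 0 for overflow (and for an empty request); callers treat 0 as
 * "do not allocate". */
uint32_t checked_array_bytes(uint32_t count, uint32_t elem_size)
{
    if (count == 0 || elem_size == 0) return 0;
    if (count > UINT32_MAX / elem_size) return 0;   /* would wrap */
    return count * elem_size;
}

/* 2. Buffer overflow from an unbounded copy (strcpy/strcat/sprintf).
 * bounded_copy never writes past dst, always NUL-terminates, and tells the
 * caller when the input did not fit so it can reject rather than ignore it. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return false;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;                       /* truncated */
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* 3. Format string: untrusted text is an argument, never the format. */
void log_line(const char *untrusted)
{
    printf("%s\n", untrusted);              /* not printf(untrusted) */
}

/* 4. Dangling pointer: clear the pointer when the object is released, so a
 * later use dereferences NULL (immediately visible) instead of reading
 * memory that may since have been reused. */
#define FREE_AND_CLEAR(p) do { free(p); (p) = NULL; } while (0)

/* Demo helpers with constructed inputs, used by the tests. */
bool demo_truncation_reported(void)
{
    char buf[8];
    bool fit = bounded_copy(buf, sizeof buf, "0123456789");
    return !fit && strcmp(buf, "0123456") == 0;
}

bool demo_pointer_cleared(void)
{
    char *p = malloc(16);
    if (p == NULL) return false;
    FREE_AND_CLEAR(p);
    return p == NULL;
}

int main(void)
{
    printf("unchecked size for 0x40000001 x 4: %u\n", unchecked_array_bytes(0x40000001u, 4u));
    printf("checked size for 0x40000001 x 4:   %u\n", checked_array_bytes(0x40000001u, 4u));
    printf("truncation reported: %d\n", demo_truncation_reported());
    printf("pointer cleared after free: %d\n", demo_pointer_cleared());
    log_line("100% of input goes through %s, not the format");
    return 0;
}
```

The checked multiplication uses division against the limit rather than testing the product after the fact, because unsigned wrap-around is silent and a post-hoc comparison of `count * elem_size / elem_size == count` is easy to get wrong; the truncation flag exists because silently shortening input is itself a frequent source of later logic bugs.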
Terms
The following terms used in engineering secure systems are explained below.
* Firewall - Firewalls can either be hardware devices or software programs. They provide some protection from online intrusion, but since they allow some applications (e.g. web browsers) to connect to the Internet, they don't protect against some unpatched vulnerabilities in these applications (e.g. lists of known unpatched holes from Secunia and SecurityFocus).
* Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.
* Thus simple microkernels can be written so that we can be sure they don't contain any bugs: e.g. EROS and Coyotos. A bigger OS, capable of providing a standard API like POSIX, can be built on a microkernel using small API servers running as normal programs. If one of these API servers has a bug, the kernel and the other servers are not affected: e.g. Hurd.
* Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified.
* Strong authentication techniques can be used to ensure that communication end-points are who they say they are.
* Secure cryptoprocessors can be used to leverage physical security techniques into protecting the security of the computer system.
* Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers.
* Mandatory access control can be used to ensure that privileged access is withdrawn when privileges are revoked. For example, deleting a user account should also stop any processes that are running with that user's privileges.
* Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. The next sections discuss their use.
Some of the following items may belong to the computer insecurity article:
* Do not run an application with known security flaws. Either leave it turned off until it can be patched or otherwise fixed, or delete it and replace it with some other application. Publicly known flaws are the main entry used by worms to automatically break into a system and then spread to other systems connected to it. The security website Secunia provides a search tool for unpatched known flaws in popular products.
* Cryptographic techniques involve transforming information, scrambling it so it becomes unreadable during transmission. The intended recipient can unscramble the message, but eavesdroppers cannot.
* Backups are a way of securing information; they are another copy of all the important computer files kept in another location. These files are kept on hard disks, CD-Rs, CD-RWs, and tapes. Suggested locations for backups are a fireproof, waterproof, and heat proof safe, or a separate, offsite location from the one in which the original files are contained. Some individuals and companies also keep their backups in safe deposit boxes inside bank vaults. There is also a fourth option, which involves using one of the file hosting services that backs up files over the Internet for both business and individuals.
o Backups are also important for reasons other than security. Natural disasters, such as earthquakes, hurricanes, or tornadoes, may strike the building where the computer is located. The building can be on fire, or an explosion may occur. There needs to be a recent backup at an alternate secure location, in case of such a disaster. The backup needs to be moved between the geographic sites in a secure manner, so as to prevent it from being stolen.
* Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).
* Firewalls are systems which help protect computers and computer networks from attack and subsequent intrusion by restricting the network traffic which can pass through them, based on a set of system administrator defined rules.
* Access authorization restricts access to a computer to a group of users through the use of authentication systems. These systems can protect either the whole computer - such as through an interactive logon screen - or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems.
* Encryption is used to protect the message from the eyes of others. It can be done in several ways by switching the characters around, replacing characters with others, and even removing characters from the message. These have to be used in combination to make the encryption secure enough, that is to say, sufficiently difficult to crack. Public key encryption is a refined and practical way of doing encryption. It allows for example anyone to write a message for a list of recipients, and only those recipients will be able to read that message.
* Intrusion-detection systems can scan a network for people that are on the network but who should not be there or are doing things that they should not be doing, for example trying a lot of passwords to gain access to the network.
* Pinging - The ping application can be used by potential hackers to find if an IP address is reachable. If a hacker finds a computer they can try a port scan to detect and attack services on that computer.
* Social engineering awareness - Keeping employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of the network and servers.
* Honey pots are computers that are either intentionally or unintentionally left vulnerable to attack by hackers. They can be used to catch hackers or fix vulnerabilities.
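The intrusion-detection item above gives one concrete signal: someone "trying a lot of passwords". The following is an added example for this page, not code from any intrusion-detection product: a small detector in C that reads authentication log lines, keeps per-source failure timestamps, and flags a source the first time it accumulates five failures inside a sixty-second window. The log format, the field names, the thresholds and the sample lines (addresses from documentation ranges, invented users) are all constructed for the illustration; a malformed line is skipped rather than allowed to break the scan.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES    16
#define MAX_FAILS      64
#define FAIL_THRESHOLD 5       /* failures ... */
#define WINDOW_SECONDS 60      /* ... within this many seconds => flag */

/* Constructed sample log (hypothetical format, not from any real system):
 * one record per line with fields t= (seconds), auth=, user=, src=. */
static const char *SAMPLE_LOG[] = {
    "t=100 auth=fail user=alice src=10.0.0.5",
    "t=103 auth=fail user=alice src=10.0.0.5",
    "t=105 auth=ok user=alice src=10.0.0.5",
    "t=200 auth=fail user=root src=203.0.113.9",
    "t=201 auth=fail user=admin src=203.0.113.9",
    "t=202 auth=fail user=test src=203.0.113.9",
    "t=203 auth=fail user=guest src=203.0.113.9",
    "this line is malformed and must not break the scan",
    "t=204 auth=fail user=oracle src=203.0.113.9",
    "t=900 auth=fail user=bob src=192.0.2.44",
    "t=1000 auth=fail user=bob src=192.0.2.44",
    "t=1100 auth=fail user=bob src=192.0.2.44",
    "t=1200 auth=fail user=bob src=192.0.2.44",
    "t=1300 auth=fail user=bob src=192.0.2.44",
};

struct source {
    char addr[64];
    long fail_times[MAX_FAILS];
    int nfails;
    bool flagged;
};

static struct source sources[MAX_SOURCES];
static int nsources;

static struct source *find_or_add(const char *addr)
{
    for (int i = 0; i < nsources; i++)
        if (strcmp(sources[i].addr, addr) == 0) return &sources[i];
    if (nsources == MAX_SOURCES) return NULL;      /* table full */
    struct source *s = &sources[nsources++];
    memset(s, 0, sizeof *s);
    strcpy(s->addr, addr);                         /* addr came from %63s */
    return s;
}

/* Scan lines in order. A source is flagged the first time FAIL_THRESHOLD of
 * its failures fall inside WINDOW_SECONDS of the newest one. Returns the
 * number of flagged sources and writes their addresses to out[]. */
int detect_password_guessing(const char *const *lines, size_t nlines,
                             const char **out, int max_out)
{
    nsources = 0;
    int found = 0;
    for (size_t i = 0; i < nlines; i++) {
        long t;
        char result[8], user[32], addr[64];
        if (sscanf(lines[i], "t=%ld auth=%7s user=%31s src=%63s",
                   &t, result, user, addr) != 4)
            continue;                              /* malformed: skip */
        if (strcmp(result, "fail") != 0) continue;
        struct source *s = find_or_add(addr);
        if (s == NULL) continue;
        if (s->nfails < MAX_FAILS) s->fail_times[s->nfails++] = t;
        int recent = 0;
        for (int k = 0; k < s->nfails; k++)
            if (t - s->fail_times[k] <= WINDOW_SECONDS) recent++;
        if (recent >= FAIL_THRESHOLD && !s->flagged) {
            s->flagged = true;
            if (found < max_out) out[found] = s->addr;
            found++;
        }
    }
    return found;
}

static const char *flagged[MAX_SOURCES];

int run_sample_detection(void)
{
    return detect_password_guessing(SAMPLE_LOG,
                                    sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0],
                                    flagged, MAX_SOURCES);
}

const char *sample_first_flagged(void)
{
    return run_sample_detection() > 0 ? flagged[0] : "";
}

int main(void)
{
    int n = run_sample_detection();
    printf("%d source(s) flagged\n", n);
    for (int i = 0; i < n && i < MAX_SOURCES; i++) printf("  %s\n", flagged[i]);
    return 0;
}
```

On the sample, alice's two failures followed by a success and bob's five failures spread a hundred seconds apart stay below the rule, while the five rapid failures from 203.0.113.9 across different account names are flagged; tuning the window and threshold against the site's normal failure rate is what keeps such a rule useful rather than noisy.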
Posted by Computer Network at 8:32 AM