April 2003 Newsletter
This Issue
Introduction
Tech-Talk
Advisories
News and Events
From the Forum
Latest Product Releases
Introduction
The First Issue
The Software Group Limited is pleased to announce our latest news format, "The Sentinel". Every other month The Software Group will be sending out this informative newsletter with explanations of latest vulnerabilities and exploits, news and events including must-see conferences and free seminars, product releases and much more.
Every issue we will review one or two of the most interesting topics posted to our live Internet & Security Forum.
We hope you enjoy this newsletter.
Tech-Talk
Hosting A Secure Web Site (Part 1)
How do I collect sensitive information over the Internet?
By Ragnar Paulson, Chief Technologies Officer
Sensitive information usually means credit-card numbers, but any information that you wouldn't put on a postcard should be transmitted and collected using SSL. SSL (Secure Sockets Layer) is the protocol that must be used between the browser and the web server when you need to collect sensitive information.
From a browser perspective you can tell you are on an SSL site in several ways:
- The URL on the Location bar will begin with https:// instead of just http://.
- The browser status bar (if enabled) will display a "locked" symbol.
- If alerts are turned on, you will see a pop-up box informing you both when you enter a secure site and when you leave it.
Is it possible to host a secured site through a web-hosting service?
Many web-hosting service providers, like your ISP or some other third-party provider, offer secured web-hosting. To ensure security, here are a few things you need to be aware of before you choose a web-hosting service.
SSL Certificate
An SSL site will require an authenticated and signed certificate. There are several accredited companies (Certificate Authorities) that sell signed certificates. The most notable is VeriSign. These certificates start at about $350 US/year for 40-bit encryption. They are affixed to a particular web site name. This means a generic certificate provided by the web-host cannot be used. The web-host may apply for the SSL certificate on your behalf. Be sure to ask what the charge will be for this service.
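The reason a generic certificate from the web-host cannot stand in for your own is the name check every browser performs: the server's certificate must carry the exact host name the visitor typed (or a wildcard covering it). The following is an added illustration of that check written for this newsletter, not code from any browser or from The Software Group; the ToyCertificate class and the certificate names are constructed for the example.

```python
"""Illustration of the browser-side host-name check that ties an SSL
certificate to one web site name (added example, constructed data)."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class ToyCertificate:
    """Constructed stand-in for the identity fields of a server certificate:
    the Common Name and the DNS entries of the Subject Alternative Name."""
    common_name: str
    san_dns_names: Tuple[str, ...] = ()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name covers hostname.

    Matching is case-insensitive and label-by-label.  A wildcard is honoured
    only as the whole leftmost label (``*.customer.example``) and only when at
    least two labels follow it, so ``*.example`` and ``w*.customer.example``
    are rejected.  A wildcard never spans more than one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        if (p_labels[0] != "*"
                or any("*" in lab for lab in p_labels[1:])
                or len(p_labels) < 3):
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def certificate_covers_host(cert: ToyCertificate, hostname: str) -> bool:
    """When SAN DNS names are present they are authoritative and the Common
    Name is ignored; otherwise fall back to the Common Name."""
    names = cert.san_dns_names if cert.san_dns_names else (cert.common_name,)
    return any(dns_name_matches(name, hostname) for name in names)


# Constructed certificates for the demonstration (not real sites).
HOST_PROVIDER_CERT = ToyCertificate(
    "secure.hosting-provider.example", ("secure.hosting-provider.example",))
CUSTOMER_CERT = ToyCertificate(
    "shop.customer.example", ("shop.customer.example", "www.customer.example"))
WILDCARD_CERT = ToyCertificate("*.customer.example", ("*.customer.example",))


if __name__ == "__main__":
    for cert in (HOST_PROVIDER_CERT, CUSTOMER_CERT, WILDCARD_CERT):
        ok = certificate_covers_host(cert, "shop.customer.example")
        print(f"{cert.common_name:32} covers shop.customer.example: {ok}")
```

The host-provider's generic certificate fails the check for shop.customer.example even though it is perfectly valid for the provider's own name, which is exactly why a certificate must be issued for your site's name (or a wildcard under your domain) rather than borrowed from the host.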
Secured Storage
Now that the sensitive data has been securely collected, it must be stored and retrieved just as securely. Here are two questions you should be asking:
- How is the storage location secured?
If the server that stores the data is not password protected and in a secure, lockable location it is susceptible to direct intrusion. Think of it as allowing customers behind your company countertop and giving them access to your cash registers that are not protected by a key lockout or a password.
- How will the data be transmitted to you?
There is little value in securely collecting the data, then insecurely transmitting it to your location. Transmitting the data physically (e.g. by courier) may be sufficient. To transmit the data electronically it must be secured over an encrypted channel, preferably VPN or using private dial-up, which creates a single link from your computer to the server.
Can I host my own SSL web site?
In the end you may find it is better to host secured web sites at your own location. The responsibility for ensuring physical security, secure data storage and retrieval, and certificate management will be your own. Security will be increased when sensitive data is collected, stored and accessed from the same server. Alternatively, if you intend this for credit card numbers and billing only, you may want to consider a third-party billing system such as PayPal or Storm Pay. The third-party billers assume all the liability of protecting credit card information, collecting payment, and maintaining secure web sites for a fixed percentage per transaction.
Services mentioned in this article are not explicitly endorsed by The Software Group Limited. The Software Group Limited takes no responsibility for how these services do business. The example services mentioned were chosen based on their general popularity.
Advisories
Sapphire Worm Brings Internet to Halt
Summary
This incredibly small worm brought the Internet to its knees on January 25, 2003. The Sapphire worm, also called the SQLSlammer worm, propagated itself quickly by sending 376-byte packets from an infected machine to port 1434/UDP of randomly selected IP addresses. If a vulnerable machine was running MSSQL server without the latest patch installed, it would become infected. The infected machine would, in turn, propagate the worm to another vulnerable machine, and so on. Almost seventy-five thousand machines were infected in less than half an hour.
The worm has no function other than to propagate itself, causing denial of service through loss of bandwidth.
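The behaviour described above (fixed-size UDP datagrams to port 1434 sprayed at random addresses) is easy to pick out of perimeter firewall logs. Below is an added detection example written for this newsletter, not part of the advisory: it parses a constructed, simplified firewall log format (the field names and the sample lines are invented for the example) and reports sources that sent 376-byte UDP payloads to port 1434 at many distinct destinations. A legitimate client asking one SQL server's browser service a couple of questions on the same port does not trip it.

```python
"""Flag hosts showing Sapphire/SQLSlammer-style scanning in firewall logs
(added example; constructed log format and sample lines)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed log format: one connection attempt per line.  "payload" is the
# UDP/TCP payload length in bytes.  Addresses are documentation ranges.
SAMPLE_LOG = """\
2003-01-25T05:31:02 fw1 src=203.0.113.7 dst=198.51.100.14 proto=udp dpt=1434 payload=376
2003-01-25T05:31:02 fw1 src=203.0.113.7 dst=198.51.100.99 proto=udp dpt=1434 payload=376
2003-01-25T05:31:02 fw1 src=203.0.113.7 dst=192.0.2.200 proto=udp dpt=1434 payload=376
2003-01-25T05:31:03 fw1 src=203.0.113.7 dst=203.0.113.45 proto=udp dpt=1434 payload=376
2003-01-25T05:31:03 fw1 src=203.0.113.7 dst=198.51.100.3 proto=udp dpt=1434 payload=376
2003-01-25T05:31:03 fw1 src=203.0.113.7 dst=192.0.2.77 proto=udp dpt=1434 payload=376
2003-01-25T05:31:04 fw1 src=203.0.113.9 dst=198.51.100.14 proto=udp dpt=1434 payload=376
2003-01-25T05:31:05 fw1 src=203.0.113.9 dst=198.51.100.15 proto=udp dpt=1434 payload=376
2003-01-25T05:31:06 fw1 src=192.0.2.25 dst=198.51.100.14 proto=udp dpt=1434 payload=1
2003-01-25T05:31:07 fw1 src=192.0.2.25 dst=198.51.100.14 proto=udp dpt=1434 payload=1
2003-01-25T05:31:08 fw1 src=192.0.2.25 dst=198.51.100.14 proto=tcp dpt=1433 payload=120
2003-01-25T05:31:09 fw1 link state change on eth1
"""

LOG_PATTERN = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+"
    r"dpt=(?P<dpt>\d+)\s+payload=(?P<payload>\d+)"
)

# Values taken from the advisory text above.
SAPPHIRE_PORT = 1434
SAPPHIRE_PAYLOAD_BYTES = 376


def parse_line(line: str) -> Optional[dict]:
    """Return the connection fields of a log line, or None for lines that are
    not connection records (status messages, malformed lines)."""
    m = LOG_PATTERN.search(line)
    if m is None:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dpt": int(m["dpt"]),
        "payload": int(m["payload"]),
    }


def matches_sapphire_signature(rec: dict) -> bool:
    """A single worm datagram: UDP, destination port 1434, 376-byte payload."""
    return (rec["proto"] == "udp"
            and rec["dpt"] == SAPPHIRE_PORT
            and rec["payload"] == SAPPHIRE_PAYLOAD_BYTES)


def find_sapphire_scanners(lines: List[str], min_targets: int = 5) -> Dict[str, int]:
    """Map each source that sent worm-sized datagrams to at least
    ``min_targets`` distinct destinations to its distinct-destination count.

    Counting distinct destinations rather than raw packets is what separates
    the worm's random spraying from a client repeatedly talking to one server.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and matches_sapphire_signature(rec):
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in find_sapphire_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"likely infected host {src}: {count} distinct 1434/UDP targets")
```

The threshold is deliberately a parameter: on a busy border the worm's rate made a single infected host stand out within seconds, but a small site may want to lower min_targets and review the hits by hand.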
Read the entire article
News and Events
Events
Real World Linux Conference
April 28 - April 30, 2003
Metro Toronto Convention Centre
Toronto, Ontario, Canada
Real World Linux is Canada's Linux conference and trade show. Linux offers a low cost alternative to the high costs involved in implementation and maintenance of today's IT systems. Learn the latest information about Linux products and services from Linux/Open Source and Embedded Systems suppliers.
The Software Group Limited will be exhibiting at booth 425. Come and visit us for the latest information on our Linux-based products.
For a complimentary pass to the trade show, register here. When registering, please answer question 9 with the code E320. Thank you.
News
New On-line Forums - March 2003
The Software Group has created a discussion board to provide technical information on topics such as firewall technology, Virtual Private Networking, general Internet and TCP/IP related questions, industry buzzwords and acronyms, legacy synchronous communications (X.25, SNA, Frame Relay), and networking security advisories, vulnerabilities, worms and viruses.
Join a forum discussion and ask questions, make suggestions, search the topic archives or find out about products.
Free Seminar - April 2, 2003
The Software Group gave its first free seminar dealing with Internet Security called "Harnessing the Internet". Attendance was small but the feedback was encouraging. Ragnar Paulson, The Software Group's Chief Technologies Officer, talked for an hour on several topics including firewall technology, packet filtering, virtual private networking, encryption, vulnerabilities and exploits.
View this presentation
From the Forum
DES vs 3DES Encryption
Question - What is the difference between these two standards of encryption? I have an older book that describes in great detail what DES is, but nothing about 3DES which seems to be a real selling feature for VPN technology.
Answer - DES encryption is based on a 56-bit encryption key. According to prevailing theory, modern computing power can brute-force crack a 56-bit encryption key in a few hours. 3DES or Triple-DES encryption is based on three 56-bit encryption keys.
You might think this means you have effectively 168 bits of "encryption power", but no. According to the text-book experts it only doubles the "effective" number of bits, i.e., it is equivalent to one 112-bit encryption key.
As each additional bit doubles the number of possible keys, it should take on average 2 to the power of 56 (2**56) times as long to crack this key using brute force.
This is a long time. Even assuming computing power continues to increase at the current rates ... in 100 years computers a billion times faster than today's computers would take thousands of years to crack 112-bit encryption.
Join The Software Group's Discussion Board Forums
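The text-book result the answer refers to is the meet-in-the-middle argument: encrypting twice with two independent keys does not square the attacker's work, because the middle value can be reached from both ends with one table of 2^n entries, so double encryption gains only about one extra bit and it takes three keys to reach the 112-bit effective strength quoted above. The following is an added demonstration written for this newsletter, not code from the forum or from The Software Group, and it uses a constructed 8-bit toy cipher (a key XOR followed by a fixed S-box), not DES, so that the full 2^16 key-pair search can actually be run and compared.

```python
"""Why double encryption does not double the key length: meet-in-the-middle
on a constructed 8-bit toy cipher (added example; not DES)."""


def _make_sbox():
    """Constructed 8-bit S-box: a bijection on 0..255."""
    table = []
    for x in range(256):
        y = (x * 7 + 3) & 0xFF              # invertible because 7 is odd
        y = ((y << 3) | (y >> 5)) & 0xFF    # rotate left by 3 bits
        table.append(y)
    return table


SBOX = _make_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

KEY_BITS = 8
KEY_SPACE = 1 << KEY_BITS            # 256 single keys, 65536 key pairs


def enc(block: int, key: int) -> int:
    """Toy block cipher: XOR the key in, then apply the S-box."""
    return SBOX[(block ^ key) & 0xFF]


def dec(block: int, key: int) -> int:
    return INV_SBOX[block] ^ key


def double_enc(block: int, k1: int, k2: int) -> int:
    """Two-key double encryption, nominally a 16-bit key."""
    return enc(enc(block, k1), k2)


def brute_force(pairs):
    """Naive search over all 2^16 key pairs.
    Returns (key pairs consistent with every known pair, cipher operations used)."""
    ops = 0
    found = []
    for k1 in range(KEY_SPACE):
        for k2 in range(KEY_SPACE):
            consistent = True
            for p, c in pairs:
                ops += 2                      # two cipher calls per double_enc
                if double_enc(p, k1, k2) != c:
                    consistent = False
                    break
            if consistent:
                found.append((k1, k2))
    return found, ops


def meet_in_the_middle(pairs):
    """Encrypt the first plaintext under every k1 and tabulate the middle
    values; decrypt the first ciphertext under every k2 and look each result
    up.  That is 2 * 2^8 operations to reach the 2^16-pair search space, with
    the remaining known pairs used only to weed out chance collisions."""
    p0, c0 = pairs[0]
    ops = 0
    forward = {}
    for k1 in range(KEY_SPACE):
        forward.setdefault(enc(p0, k1), []).append(k1)
        ops += 1
    found = []
    for k2 in range(KEY_SPACE):
        mid = dec(c0, k2)
        ops += 1
        for k1 in forward.get(mid, []):
            consistent = True
            for p, c in pairs[1:]:
                ops += 2
                if double_enc(p, k1, k2) != c:
                    consistent = False
                    break
            if consistent:
                found.append((k1, k2))
    return found, ops


# Constructed secret keys and known plaintext/ciphertext pairs.
TRUE_K1, TRUE_K2 = 0x3A, 0xC7
PLAINTEXTS = [0x00, 0x55, 0xAA, 0xFF, 0x12]
KNOWN_PAIRS = [(p, double_enc(p, TRUE_K1, TRUE_K2)) for p in PLAINTEXTS]


if __name__ == "__main__":
    bf_keys, bf_ops = brute_force(KNOWN_PAIRS)
    mitm_keys, mitm_ops = meet_in_the_middle(KNOWN_PAIRS)
    print(f"exhaustive search:   {bf_ops:>7} cipher operations, keys {bf_keys}")
    print(f"meet-in-the-middle:  {mitm_ops:>7} cipher operations, keys {mitm_keys}")
```

Both searches recover the same key pair, but the meet-in-the-middle search does it in roughly 2^9 cipher operations against 2^17 for the exhaustive search, at the cost of a table with 2^8 entries. Scaled to DES, that is the 2^57 time and 2^56 memory figure behind the statement that two keys are worth about 57 bits and three keys about 112, which is the reason 3DES applies DES three times rather than twice.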
Product Releases
SentiNet AIM (January 17, 2003)
The latest in the SentiNet product line, SentiNet Advanced Internet Mail (AIM) manager provides more corporate control over how a company's e-mail is used. Each user can be given different mail permissions: Internet e-mail or internal-only e-mail privileges.
SentiNet Virus Scan (March 5, 2003)
The latest version of SentiNet Virus Scan integrates SentiNet IMS with a powerful anti-virus filter that cures or deletes infected mail at the SentiNet mail server. This centralized SentiNet feature reduces the amount of time spent maintaining and updating anti-virus filters since individual filters, for each client machine, are no longer required.
You are receiving this newsletter because you are on the SentiNet Mailing list. If you would like to be removed from this mailing list, please send us an e-mail to The Software Group Mailing
If you would prefer to receive this mail in text format, please send us an e-mail to The Software Group Mailing
Be sure to include the e-mail address that is receiving the newsletter if you are responding from a different address.
Copyright The Software Group Limited. All rights reserved.
Take this link to The Software Group's SentiNet web site.