

Showing posts with label Authentication.

Thursday, October 3, 2013

What is Traditional Cryptography?

- Cryptography is the practice and study of techniques for securing communication in the presence of adversaries or third parties.
More generally, it involves constructing and analysing protocols that overcome the influence of adversaries and that address other aspects of information security, such as the following:
- Data confidentiality
- Data integrity
- Authentication
- Non-repudiation
- Modern cryptography, in contrast to traditional cryptography, lies at the intersection of computer science, mathematics and engineering.

There are various applications of cryptography, such as the following:
- ATM cards
- Computer passwords
- Electronic commerce

- Traditional cryptography was synonymous with encryption, the process of converting information from a readable state into one that appears to be utter nonsense.
- The originator of an encrypted message shared the technique for decoding it only with the intended recipients, so that unwanted parties were precluded from reading it.
- Cryptography has been in use since World War I; the methods used then have since become far more complex, and their applications have multiplied.
Modern cryptography's foundation is computer science and mathematical theory.
- Cryptographic algorithms are designed around computational hardness assumptions.
- In practice, this makes these algorithms very hard for any third party to break.
- It is theoretically possible to break such a system, but doing so is infeasible by any known practical means.
- For this reason, such schemes are considered computationally secure.

Continuous adaptation of these methods is required because of the following:
- Improvements in integer factorization algorithms.
- Faster computing technology.


- There are also schemes that are information-theoretically secure; these cannot be broken even with unlimited computing power.
- One such scheme is the one-time pad.
- However, these schemes are much more difficult to implement than the schemes that are computationally secure but theoretically breakable.
- Traditionally, cryptography referred only to encryption, the conversion of ordinary information (plaintext) into unintelligible ciphertext.
The reverse process is decryption.
- The pair of algorithms that carries out these two processes is called a cipher.
- Each instance of the cipher's operation is controlled by a key, which is kept secret between the communicants.
- The key is what makes decryption of the ciphertext possible.
- Earlier, encryption and decryption were carried out directly by the ciphers, without any integrity or authentication checks.
Before the advent of modern cryptography, traditional cryptography was concerned only with message confidentiality, i.e., converting a message from comprehensible text into incomprehensible text and back again.
- The message was thus unreadable to eavesdroppers and interceptors who did not have the key.
- Encryption was used to ensure secrecy in communications.
- The field now extends far beyond confidentiality.
- It now includes techniques for authentication and message integrity checking, secure computation, interactive proofs, digital signatures and so on.
- Two types of classical cipher were used earlier: substitution ciphers and transposition ciphers.
- The former replaced letters with other letters.
- Transposition ciphers rearranged the letters.
- Examples of early ciphers are the Caesar cipher and the Atbash cipher.
- The early ciphers were assisted by physical aids and devices.
With the development of digital computers, far more complex ciphers could be developed.
- Any data that can be represented in binary format can be encrypted.
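The cipher families the post names, implemented minimally so their properties can be compared side by side. This is an added example and not code from the original post: Caesar and Atbash are substitution ciphers, a columnar transposition keeps the letters but rearranges them, and the one-time pad is the information-theoretically secure scheme. The messages and keys are constructed for the demonstration; the `otp_key_explaining` and `pad_reuse_leak` helpers are illustrative names chosen here.

```python
# Added example, not code from the original post: the cipher families the post
# names, implemented minimally so their properties can be compared side by side.
# Messages and keys below are constructed for the demonstration.
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar(text, shift):
    """Substitution cipher: every letter is replaced by the one `shift` places on.
    Only 25 non-trivial keys exist, so it is not computationally secure."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in text.upper())


def atbash(text):
    """Keyless substitution cipher: A<->Z, B<->Y, ... (it is its own inverse)."""
    return "".join(ALPHABET[25 - ALPHABET.index(c)] if c in ALPHABET else c
                   for c in text.upper())


def columnar_encrypt(text, columns):
    """Transposition cipher: the letters are kept but rearranged. The text is
    written row by row into `columns` columns (padded with X) and read out
    column by column; the key is the column count."""
    padded = text + "X" * (-len(text) % columns)
    return "".join(padded[c::columns] for c in range(columns))


def columnar_decrypt(ciphertext, columns):
    """Inverse of columnar_encrypt (padding X's, if any, are left in place)."""
    rows = len(ciphertext) // columns
    return "".join(ciphertext[r::rows] for r in range(rows))


def otp_encrypt(message, key):
    """One-time pad: XOR with a key that is random, as long as the message and
    never reused. Under those conditions it is information-theoretically secure."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def otp_new_key(length):
    """A fresh pad from the OS CSPRNG; each pad is used for exactly one message."""
    return secrets.token_bytes(length)


def otp_key_explaining(ciphertext, candidate_plaintext):
    """Why unlimited computing power does not help: for any candidate plaintext
    of the right length there is a key that decrypts the ciphertext to it, so the
    ciphertext alone carries no information about which plaintext was sent."""
    return otp_encrypt(ciphertext, candidate_plaintext)


def pad_reuse_leak(ct1, ct2):
    """The caveat behind 'one-time': XORing two ciphertexts made with the same
    pad cancels the key and leaves plaintext1 XOR plaintext2, a structural leak."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    print(caesar("ATTACK AT DAWN", 3), atbash("HELLO"))
    print(columnar_encrypt("ATTACKATDAWN", 4))
    key = otp_new_key(5)
    ct = otp_encrypt(b"HELLO", key)
    print(otp_decrypt(ct, otp_key_explaining(ct, b"WORLD")))  # any plaintext "fits"
```

Running the block shows the two sides of the post's distinction: the Caesar and Atbash outputs can be undone by trying a handful of keys, while the one-time pad ciphertext can be "explained" by every candidate plaintext of the same length, which is exactly why no amount of computation recovers the message. The `pad_reuse_leak` helper shows the condition that makes the pad secure only once.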


Sunday, July 22, 2012

What is the difference between authentication and authorization?


In this article we take up two very important topics of the cyber world, authentication and authorization, and discuss the difference between these two terms, which have a direct bearing on our security on the World Wide Web and other networks.

Concept of Authentication


"Authentication is the act of confirming the truth of the attributes of an entity or datum under question."

Authentication also covers confirming identity in the following senses:
  1. Confirming the identity of a person, software system or program.
  2. Tracing the origins of an artifact.
  3. Ensuring that a product contains what its labelling and packaging claim it contains.
There are three types of authentication method, discussed below:
  1. The first type: accepting proof of identity given by a credible person who has evidence of the identity or origin of the object under assessment.
  2. The second type: comparing the attributes of the object itself with what is known about objects of the same origin. Authentication of this type is quite vulnerable to forgery and calls for expert knowledge.
  3. The third type: authentication on the basis of external affirmations such as documentation.
The three factors that can be verified in authentication are:
  1. Ownership factors
  2. Knowledge factors
  3. Inherence factors

Concept of Authorization

- Authorization is the act of specifying access rights to resources.
- These are the resources of concern in computer security, or information security in general.
- In particular, authorization governs access control to the security system and to other protected information.
- Put simply, authorization is the process of defining an access policy.
- While the system is in operation, it uses the access control rules to decide whether to approve or reject access requests from authenticated users or consumers.
- Resources can be anything, for example:
  1. Individual files
  2. Data items
  3. Computer devices
  4. Computer programs
  5. Functionality of computer applications, and so on.
- Consumers may be computer users, computer programs or other devices on the system.
- The access control performed during authorization has two main phases:
  1. Phase 1: the policy definition phase, in which access is authorized.
  2. Phase 2: the policy enforcement phase, in which access requests are accepted or rejected.

Differences between Authentication and Authorization

  1. Verification of identity: verifying who you are is called authentication, whereas verifying what you are allowed to do is called authorization. This is the simplest distinction between the two similar-sounding processes. Both are carried out whenever a connection attempt is made, and whether the attempt is allowed or rejected is decided on these two factors alone.
  2. The basic goal of authentication is to verify whether you are who you claim to be. The goal of authorization, on the other hand, is to set the access scope of the user who has been authenticated in the previous step.
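The two steps described above, authentication first and then the policy definition and policy enforcement phases of authorization, as an added example that is not part of the original post. The accounts, passwords, roles and the `POLICY` table are constructed for the demonstration; a real system would load the policy from configuration.

```python
# Added example, not code from the original post. Authentication answers "who
# are you?"; authorization answers "what may you do?". The accounts, passwords
# and access policy are constructed for the demonstration.
import hashlib
import hmac
import os
from dataclasses import dataclass


def _derive(password, salt):
    # Store a salted, slow hash rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set


class Directory:
    """Identity store used by the authentication step."""

    def __init__(self):
        self._accounts = {}

    def add(self, username, password, roles):
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, _derive(password, salt), set(roles))

    def authenticate(self, username, password):
        """Verify the claimed identity. Returns the Account, or None on failure."""
        acct = self._accounts.get(username)
        if acct is None:
            _derive(password, b"\x00" * 16)  # same cost for unknown users, so timing does not reveal them
            return None
        if hmac.compare_digest(acct.pw_hash, _derive(password, acct.salt)):
            return acct
        return None


# Policy definition phase: which roles may perform which action on which resource.
POLICY = {
    ("report", "read"): {"analyst", "admin"},
    ("report", "write"): {"admin"},
    ("server", "reboot"): {"admin"},
}


def authorize(acct, resource, action):
    """Policy enforcement phase: accept or reject a request from an authenticated
    account. Anything not listed in POLICY is denied by default."""
    return bool(acct.roles & POLICY.get((resource, action), set()))


def handle_request(directory, username, password, resource, action):
    """Authentication, then authorization; a failure at either step denies the request."""
    acct = directory.authenticate(username, password)
    if acct is None:
        return "denied: authentication failed"
    if not authorize(acct, resource, action):
        return f"denied: {username} is not authorized to {action} {resource}"
    return f"allowed: {username} may {action} {resource}"


def demo_directory():
    d = Directory()
    d.add("alice", "correct horse battery staple", ["analyst"])
    d.add("bob", "hunter2", ["admin"])
    return d


if __name__ == "__main__":
    d = demo_directory()
    for args in [("alice", "correct horse battery staple", "report", "read"),
                 ("alice", "correct horse battery staple", "report", "write"),
                 ("mallory", "guess", "report", "read")]:
        print(handle_request(d, *args))
```

Note that the same wrong credential and an unknown user produce the same "authentication failed" message, and that a valid user asking for an action outside her roles is refused at the authorization step, not the authentication step; keeping the two decisions separate is what the article's distinction amounts to in code.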


Monday, July 16, 2012

What are the types of web testing security problems?


Web testing is much in demand these days, since the use of web sites and web applications is growing by huge margins day by day. As cyber crime increases, web sites and web applications call for more security settings, which in turn enter the web testing schedule as web testing security problems.

"Web testing is a kind of software testing that focuses on web sites and web applications. The security issues of web sites and web applications are addressed by another type of web testing called web security testing."

Testing web sites and web applications for security vulnerabilities is quite an exciting concept. Exciting as it is, it needs to be taken seriously. The best way to combat the known web testing security problems is to be prepared in advance and to know what is to be checked for.

In this article we take up some of the most common security aspects that can pose problems in web testing. They are listed below:
  1. Server problems: These are the most common security problem. It happens many a time that the server is down for maintenance or some other reason.
  2. Hardware problems
  3. Database problems: Any problem in the database of a web site or web application gives rise to many security problems. Any problem or uncertainty in the database can endanger the overall security of the web site or web application.
  4. Navigation from one page to another: Too much navigation from one page to another endangers the security of the web site or web application, which in turn hinders the web testing of that particular web site or web application.
  5. Server security: A server houses a web site's or web application's database; therefore the security of the web site or application obviously depends a great deal on the security of the server. Maintaining the security of the web server is an important point, which otherwise could introduce many security problems during web testing.
  6. Authentication issues
  7. Data encryption
  8. User privilege leaks
  9. SQL injection
  10. Cross-site scripting
  11. Cookie testing
  12. Content on a web site that proves to be inaccessible or incorrect can also pose security problems during web testing.
  13. Improper validation of input can disturb the working of the web site or web application.
  14. Link testing is an important aspect of web testing. Broken links can hamper the security of the web site or application and thus pose problems in web security testing.
  15. Incorrect copyright information.
  16. Incorrect EULA, or end user license agreement.
  17. Un-optimized images that do not meet the specifications.
  18. Improper storage of the data obtained through the web pages.
  19. Time taken by pages to render.
  20. Lag in performance with many simultaneous users.
  21. Concurrency issues, such as when a user is working in multiple windows on the same page or there are multiple users on the same page.
  22. Improper and inefficient tracking of transactions in the server log.
  23. Improper usage of SSL by the web site or web application.
  24. Inefficient working of feeds.
  25. Inefficient working of cookies.
Web testing is absolutely essential if you want to make sure that your web site or web application has enough browser support and that its HTML is valid.
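Two items from the list above, improper validation of input and cross-site scripting, shown as a web security test would exercise them. This is an added example, not code from the original post: a naive page renderer that reflects parameters straight into HTML sits beside a hardened one that validates the username against a whitelist pattern and HTML-escapes everything on output. The sample inputs, the `USERNAME_RE` pattern and the `contains_markup` oracle are constructed for the demonstration.

```python
# Added example, not code from the original post: input validation and output
# encoding, the two controls behind list items 10 and 13. Inputs are constructed.
import html
import re

# Whitelist: letters, digits and a few punctuation characters, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
MAX_COMMENT = 500


def render_naive(username, comment):
    """Reflects both parameters verbatim: any markup in them becomes part of the page."""
    return f"<p>Welcome back, {username}!</p><p>Your comment: {comment}</p>"


def render_hardened(username, comment):
    """1. Validate structured input (reject what does not match the expected shape).
    2. Bound free-text input. 3. Escape everything at the point of output, so even
    accepted text is shown as text rather than interpreted as HTML."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if len(comment) > MAX_COMMENT:
        raise ValueError("comment too long")
    return (f"<p>Welcome back, {html.escape(username, quote=True)}!</p>"
            f"<p>Your comment: {html.escape(comment, quote=True)}</p>")


def contains_markup(page):
    """Test oracle: did a script element or an injected attribute survive into the page?"""
    lowered = page.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


def run_checks(samples):
    """Run each (username, comment) sample through both renderers and record
    whether the naive page is injectable and what the hardened one did."""
    results = []
    for username, comment in samples:
        naive_injectable = contains_markup(render_naive(username, comment))
        try:
            page = render_hardened(username, comment)
            hardened = "escaped" if not contains_markup(page) else "FAIL"
        except ValueError as exc:
            hardened = f"rejected ({exc})"
        results.append((username, comment, naive_injectable, hardened))
    return results


SAMPLES = [  # constructed test inputs
    ("alice", "see you at noon"),
    ("alice", "<script>alert(1)</script>"),
    ("<script>alert(1)</script>", "hi"),
    ("bob.smith", 'x" onmouseover="alert(1)'),
]

if __name__ == "__main__":
    for row in run_checks(SAMPLES):
        print(row)
```

The oracle is deliberately narrow, as a real web security test would be far broader, but the shape is the point: the same sample set is fed through the vulnerable and the hardened code path and the test asserts on what comes out, rather than on what the developer believed the validation did.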


Friday, June 8, 2012

What are the values involved with scrum?


Since the invention of the scrum software development process, it has gradually become popular among programmers and developers because of its values.
In this article we discuss the values that have made the scrum development process so popular in the field of software engineering.

Values associated with Scrum Methodology


Scrum is known to support the values of:
  i) Commitment
  ii) Focus
  iii) Respect
  iv) Openness, and
  v) Courage
Scrum is said to be powered by the values listed above. It may seem that following so many values would be very difficult! But honestly there is nothing like that in scrum, and this is what makes scrum one of the best agile software development methodologies. You just have to follow these values to the best of your ability, and the rest is taken care of by the development process itself.

1. Commitment
- Commitment, as we know, is an art in itself, i.e., the art of binding oneself to the task at hand.
- According to the philosophy behind the scrum software development process, a person can only act if he or she can commit to the task or work, whatever the case may be.
Normally we work in a state of inaction, meaning that we work quite unwillingly.
- Scrum helps you commit to tasks.
- In a genuine scrum process, high levels of commitment are usually observed.
- The authenticity of a scrum process is maintained by the commitment of the members of the development team to the whole development process.

2. Respect
- Respect is a value that is considered to inculcate a feeling of esteem in a person for others, for oneself and for the work that is being done.
- There is no doubt about whether scrum supports this value! Of course it does.
- According to the philosophy of scrum, no positive communication can develop without a feeling of respect towards oneself and towards everyone.
- A lack of respect leaves room for misunderstandings among team members, which in turn may hurt people's feelings.
- This is another value that plays an important role in maintaining the authenticity of the scrum process.
- Respectful iterations are needed.

3. Focus
- By focusing on a particular task, you concentrate all your attention on it.
- Scrum encourages this value since, according to its philosophy, without focus you cannot pay attention to any task in a meaningful way.
- Without focus, learning cannot take place in a meaningful way either.
- For a scrum process to be genuine and authentic, high levels of effective focus are required.

4. Openness
- Openness is a value of character or behaviour that defines an individual's attitude of ready accessibility.
- It means that one's actions do not speak of secrecy and concealment.
- Scrum deals only in openness.
- Scrum involves extensive sharing of information among team members.
- This value increases the transparency of the whole development process.
- In a genuine and authentic process, everyone knows everything about the process and the project.

5. Courage
- Courage is strongly supported by scrum because the truth about reality becomes obscured when nobody speaks out about it.
- It often happens that many team members feel insecure about describing reality; they fear they might get fired.


Tuesday, March 20, 2012

How is password cracking done?

A password, as we all know, is a secret string of characters that is typically used for authentication and as a means of proving identity.

WHAT IS PASSWORD?

- A password is the way through which you access your accounts and resources.
- A password is not meant for anyone except the account holder.
- Passwords have been in use since ancient times, and of course so have password theft and cracking!
- Nowadays passwords are best known for their use in the login process of various systems such as an operating system, ATMs, cell phones, email accounts and so on.
- A password need not be a meaningful word; it can be anything silly that is probably difficult for others to guess.
- There are many types of passwords, such as the passphrase (a password formed of more than one word) and the PIN (personal identification number, a numerical password).
- Passwords are also very vulnerable, since they are not as secure as their cryptographic counterparts, i.e., protocols.
- These days password theft, password spoofing and so on are quite common.

FACTORS AFFECTING THE SECURITY OF PASSWORD

Before we explain how a password is cracked, you should know what factors affect the security of a password.

- A password-protected system is given protection against viruses, Trojans and the like.
- Physical security measures, such as guarding against shoulder surfing, are also implemented.
- Less extreme measures are also often used, such as:
1. Side-channel attacks
2. Extortion, and
3. Rubber-hose cryptanalysis

HOW SECURITY OF PASSWORD PROTECTED SYSTEM IS DETERMINED?

- The security of a password-protected system is often determined by the rate at which an attacker or hacker can guess the password.

- To counter this threat, a "time out" of a few seconds can be imposed, or a fixed number of chances can be given to type in the correct password.

- Many computer systems now implement these techniques.

- In some systems a cryptographic hash of the password is stored; if an attacker obtains this hash, the password becomes exposed to guessing.

- The attacker can then attempt to recover the actual password from this hash value.
- Passwords used for cryptographic key generation are commonly exposed to high guessing rates.

HOW PASSWORD CRACKING IS DONE?

- Password cracking is the recovery of passwords from data stored in or transmitted by a computer system.
- Many approaches have been developed to crack a password:

1. Guessing
This is perhaps the most common approach and requires no special skills.

2. Changing the password
This method is second on the list of password cracking methods. When a user forgets his or her password, the system allows the password to be changed after an authentication process.

3. Brute-force cracking
This type of cracking tries every possible password until the right one is found.

4. Dictionary attacks
This method is also very common and tries candidate passwords taken from a cracking dictionary.

5. Pattern checking
6. Word list substitution

PURPOSE FOR PASSWORD CRACKING

- The purpose of cracking a password can be a positive one; for example, the user of an account may have forgotten the password and be unable to access the account.
- It can also be a negative one, i.e., gaining unauthorized access to a computer system, mischief and so on.

The time taken to crack a password is directly proportional to the strength of its character set, or its number of bits.
- The more complex a password, the longer it takes to crack.
- In some password cracking processes, the system is made to generate passwords of similar types.
- Such passwords are called candidate passwords.
- The password cracking rate depends on the availability of the hash and on the limitations of the software's authentication.
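The defences named in the sections above, a fixed number of chances followed by a "time out", and storage of a salted hash rather than the password, together with the keyspace arithmetic behind "the more complex a password, the longer it takes to crack". This is an added example and not code from the original post; the `PasswordStore` class, the attempt and lockout constants, the `FakeClock` used so the lockout can be exercised without waiting, and the accounts are all constructed for the demonstration.

```python
# Added example, not code from the original post: a login gate that limits
# guessing (attempt cap + timed lockout) and stores salted PBKDF2 hashes, plus
# a worst-case keyspace estimate. Accounts, constants and clock are constructed.
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000      # slow hash: raises the attacker's cost per guess against a stolen hash
MAX_ATTEMPTS = 5          # the "fixed number of chances" from the post
LOCKOUT_SECONDS = 30      # the "time out" from the post
_DUMMY_SALT = b"\x00" * 16


class PasswordStore:
    def __init__(self, clock=time.monotonic):
        self._users = {}    # username -> (salt, hash)
        self._state = {}    # username -> [failed_attempts, locked_until]
        self._clock = clock

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)              # per-user salt: identical passwords hash differently
        self._users[username] = (salt, self._derive(password, salt))

    def login(self, username, password):
        """Returns 'ok', 'wrong' or 'locked'. While locked, even the correct
        password is refused, so online guessing is throttled at the server."""
        now = self._clock()
        failed, locked_until = self._state.get(username, [0, 0.0])
        if now < locked_until:
            return "locked"
        record = self._users.get(username)
        if record is None:
            self._derive(password, _DUMMY_SALT)   # same cost for unknown users
            ok = False
        else:
            ok = hmac.compare_digest(record[1], self._derive(password, record[0]))
        if ok:
            self._state[username] = [0, 0.0]
            return "ok"
        failed += 1
        if failed >= MAX_ATTEMPTS:
            self._state[username] = [0, now + LOCKOUT_SECONDS]
            return "locked"
        self._state[username] = [failed, 0.0]
        return "wrong"


def brute_force_seconds(charset_size, length, guesses_per_second):
    """Worst-case time to exhaust a keyspace of charset_size**length candidates
    at a given guess rate: the post's 'directly proportional to the strength
    of its character set or bits' made concrete."""
    return charset_size ** length / guesses_per_second


class FakeClock:
    """Controllable clock so the lockout can be demonstrated without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = PasswordStore(clock=clock)
    store.register("alice", "correct horse battery staple")
    print([store.login("alice", "nope") for _ in range(MAX_ATTEMPTS)])
    print(store.login("alice", "correct horse battery staple"))  # locked
    clock.t = LOCKOUT_SECONDS + 1
    print(store.login("alice", "correct horse battery staple"))  # ok
    print(brute_force_seconds(26, 8, 1e9), brute_force_seconds(62, 8, 1e9))
```

The two halves address the two guessing rates the post distinguishes: `login` bounds the online rate with a lockout, while the slow salted hash and the keyspace estimate concern the offline rate an attacker achieves once a stored hash has leaked, which no lockout can limit.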


Tuesday, March 13, 2012

What are different aspects of Compounded SQL injection attack?

Many types of SQL injection attack have been identified so far. One type, however, is formed from different combinations of the other SQL injection attacks with other attacks. Attacks of this type are commonly known as compounded SQL injection attacks.

This type of SQL injection attack was derived from rigorous research and experimentation with the different SQL injection attack vectors, putting them in different combinations with various other web application attacks.

Some of the most commonly employed combinations are:

1. SQL injection + XSS (cross-site scripting)
2. SQL injection + DDoS attacks
3. SQL injection + insufficient authentication
4. SQL injection + DNS hijacking

Compounded SQL Injection Attack

- SQL is a language developed for interacting with the databases of applications and web sites.

- Its functions are mainly defined to retrieve data from databases or to update the contents of existing databases.

- It uses compound conditions, which are built with AND or OR.

- A compound statement groups other statements together so that they form one executable block.

- SQL variables can be declared in an atomic compound statement that has been built dynamically.

- A compound statement can easily be embedded in SQL functions, SQL methods, triggers and so on.

- No privileges are required to invoke a dynamic compound statement, although the authorization ID of the compound statement must hold all the privileges required to invoke the other SQL statements that form part of that compound statement.

- Most compilers compile a compound statement as one single statement, since this proves effective for short scripts that require little control-flow logic but a great deal of data flow.

- For larger scripts or constructs, it is better to use SQL procedures.

- The "discretize" function is quite simple; it is often used for classifying and modifying data, and it returns NULL for malicious data.

- This malicious data is later cleansed by the compound statement.

- Most such mechanisms can be elaborated using the technique of multi-stage cleansing.

- The advantage of the compound statement is that the FOR loop neither opens a cursor nor treats the inserts as single-row inserts.

- The underlying logic is that of a multi-table insert from a previously selected set.

- This advantage is reaped by compiling the dynamic statement as a single one.

- In contrast to the dynamic compound statement, there is another type called the embedded compound SQL statement.

- These statements can only be embedded in applications.

- In contrast to dynamic statements, they cannot be prepared dynamically.

- These statements do not require any special privileges for invocation.
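The compound AND/OR condition mentioned above is exactly where a classic SQL injection lands: when the user's input is pasted into the statement text, a quoted value can turn `name = ? AND password = ?` into a condition that is true for every row. This added example, which is not code from the original post, puts the string-built query beside the parameterised form that keeps data out of the statement; the in-memory SQLite table, its rows and the sample inputs are constructed for the demonstration (plaintext passwords are used only to keep the table readable).

```python
# Added example, not code from the original post: a login query built by string
# concatenation beside its parameterised replacement. Table and rows constructed.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])   # demo rows only
    return conn


def login_vulnerable(conn, name, password):
    """Input becomes part of the SQL text, so quotes in it change the compound
    condition: AND binds tighter than OR, so an injected `' OR '1'='1` makes
    (name = ... AND password = '') OR '1'='1', true for every row."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, name, password):
    """Same query, but the values travel as bound parameters: whatever they
    contain is compared as data and never re-parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def suspicious_literal(value):
    """A cheap log-side check a tester can run over captured input: a quote or
    comment marker inside a value that should be a plain name or password."""
    return any(marker in value for marker in ("'", "--", "/*"))


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print(login_vulnerable(conn, "alice", probe))      # every user: condition short-circuited
    print(login_parameterised(conn, "alice", probe))   # nothing: compared as a literal string
    print(suspicious_literal(probe))
```

The `suspicious_literal` check is not a defence (parameterisation is); it is the kind of oracle a web security test uses to flag inputs that should never have reached a string-built query in the first place.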


Wednesday, March 7, 2012

What is meant by email spoofing in detail?

What is meant by Email or Electronic Mail?

- Email, or electronic mail, is the most popular and convenient means of exchanging digital messages and information in the modern world.

- The email facility is used over a computer network, usually over an internet connection.

- Earlier, email could be used to send messages only when both the sender and the recipient were online; such messages were called instant messages.

- Today the email system is somewhat different and is based entirely on a store-and-forward model.

- When an email is sent, it is stored by the server and delivered later accordingly.

- The sender and recipient do not need to be online at the same time, though they do need to connect to their particular email server in order to send and receive email.

- The whole email system is today governed by the Simple Mail Transfer Protocol (SMTP) rather than the File Transfer Protocol (FTP) that was used earlier.

Problems faced by Email Systems
Email systems, like any other system, have many problems, such as:

1. Attachment size limitation
2. Information overload
3. Spamming
4. Computer viruses
5. Email spoofing
6. Email bombing
7. Tracking of sent and received emails
8. Privacy concerns

This article is dedicated to the worst problem email faces today, "email spoofing".

Introduction to Email Spoofing

Most of us are aware of content spoofing; email spoofing is much the same, the only difference being that it affects emails rather than web sites or web applications.

"An email is said to have been spoofed when its sender's address and its header have been altered to make it seem as though it originated from a source different from the actual source."

What makes these emails so vulnerable to email spoofing?

- More and more emails fall victim to spoofing because the Simple Mail Transfer Protocol (SMTP) does not provide any technique for authenticating these emails.

- This makes it comparatively easy for attackers to forge emails and impersonate senders.

- In some cases there may be legitimate reasons for forging an email, but in others the cause can be quite mischievous, such as phishing and spamming, in order to hide the origin of the email.

- The attacker can easily change email properties such as the Return-Path, Reply-To and From fields, making it appear as though somebody else sent the email and hiding the identity of the actual sender.

- The recipient is led to believe that the email came from the address stated in the altered "From" field, when it actually came from a different source.

- Such emails are said to be spammed and carry the spammer's address in the "Reply-To" field.

- Most spam emails are malicious in nature and may carry a Trojan, virus, worm and so on.

- Some may be merely advertisements for some cause.

- Before the advent of spam, legitimately spoofed emails were used as a viable business model.

- Subsequently, spam emails came to be recognized as an annoying problem, which called for anti-spam techniques.

- Spoofing the IP address is somewhat more difficult than spoofing the email content.

- This is because of the large bit size of the IP address.

- To overcome such spoofing problems, techniques such as the following are used:
1. PGP cryptographic signatures
2. Using SSL or TLS in mail transfer software
3. Other encryption techniques.

Proper authentication is the only solution for preventing spoofing and bombing of emails.
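The fields the post says an attacker alters, Return-Path, Reply-To and From, are also where a receiver can look for inconsistencies. This added example, not code from the original post, parses a raw message with the standard library and reports when the envelope Return-Path or the Reply-To domain disagrees with the visible From domain, or when the receiving server has already recorded an SPF failure. The two messages and their addresses are constructed for the demonstration; on a real mail stream this kind of header check only supplements the SPF/DKIM/DMARC verdicts, since a forger controls every header except those the receiving server adds.

```python
# Added example, not code from the original post: header consistency checks
# for the From / Return-Path / Reply-To fields the post describes. Messages
# and addresses below are constructed for the demonstration.
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent/malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing
    in these headers contradicts the visible sender."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    findings = []
    if not from_dom:
        findings.append("From header missing or unparsable")
        return findings
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("receiving server recorded an SPF or DKIM failure")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = """Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.net
Subject: lunch

See you at noon.
"""

SPOOFED = """Return-Path: <bulk-7781@mailer.example.org>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.example.org
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: reset-support@example.org
To: bob@example.net
Subject: password expires today

Click to keep your account.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, spoofing_indicators(raw))
```

The findings are indicators, not a verdict: mailing lists and ticketing systems legitimately set a different Reply-To, so a mail gateway would typically score these checks alongside the authentication results rather than block on any one of them.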


Monday, March 5, 2012

What are different HTML errors?

HTML, or HyperText Markup Language, is perhaps the most widely used markup language for web pages, sites and applications, and one most of us are familiar with. It is written using HTML elements, which mainly consist of tags enclosed in angle brackets.

These elements are housed in the web page or site. Most HTML tags are implemented in pairs.

HTML ELEMENTS AND CONTENT
- Some tags are empty and are commonly known as empty elements.
- These are usually unpaired, unlike the filled elements, which are paired.
- In a paired tag, the first tag is called the start tag and the second the end tag.
- Between these two tags, the designer of the web site can add text, comments, other tags and so on.
- The content that is added directly should be textual only.
- Because of wrong design principles, errors are often introduced into the HTML of a web site or page.
- One of the most common errors is the insertion of graphical content directly into the HTML.
- Such content is neither displayed nor interpreted.
- It simply causes the web site to malfunction.
- Other HTML elements allow the addition of graphical content, and only these should be used whenever graphics are to be inserted into the page.
- HTML elements provide a means of creating structured documents by denoting structural semantics for textual content such as:

1. Lists
2. Links
3. Paragraphs
4. Headings
5. Quotes and so on.
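A small checker for the pairing rules described above, written on top of the standard library's `HTMLParser`. This is an added example and not code from the original post: it reports an end tag with no start tag, a start tag that is never closed, and an end tag that arrives while a different element is still open, and it skips the empty (void) elements that are legitimately unpaired. The `VOID_ELEMENTS` list and the sample fragments are constructed for the demonstration.

```python
# Added example, not code from the original post: a start/end tag pairing
# checker built on html.parser. Sample fragments are constructed.
from html.parser import HTMLParser

# Empty elements: unpaired by design, so they never go on the stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


class PairingChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, line) for every start tag still awaiting its end tag
        self.errors = []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_ELEMENTS:
            self.stack.append((tag, self.getpos()[0]))

    def handle_endtag(self, tag):
        line = self.getpos()[0]
        if tag in VOID_ELEMENTS:
            return
        if not self.stack:
            self.errors.append(f"line {line}: </{tag}> without a start tag")
            return
        open_tag, open_line = self.stack[-1]
        if open_tag == tag:
            self.stack.pop()
        elif any(t == tag for t, _ in self.stack):
            self.errors.append(f"line {line}: </{tag}> found while <{open_tag}> "
                               f"(line {open_line}) is still open")
            while self.stack[-1][0] != tag:   # unwind to the matching start tag
                self.stack.pop()
            self.stack.pop()
        else:
            self.errors.append(f"line {line}: </{tag}> without a start tag")

    def close(self):
        super().close()
        for tag, open_line in self.stack:
            self.errors.append(f"line {open_line}: <{tag}> is never closed")
        self.stack = []


def check_html(source):
    """Return the list of pairing errors found in `source` (empty if well paired)."""
    checker = PairingChecker()
    checker.feed(source)
    checker.close()
    return checker.errors


if __name__ == "__main__":
    samples = ["<p>Hello <b>world</b></p>",
               "<div><p>text</div>",
               "<p>never closed",
               "</p>",
               "<p>a<br>b<img src='x'></p>"]
    for s in samples:
        print(repr(s), "->", check_html(s) or "ok")
```

Browsers silently repair most of these mistakes, which is why they survive into production; running a check like this over templates before deployment surfaces them while the line numbers still point at source.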

DIFFERENT HTML ERRORS AND THEIR IMPACT

- HTML can also be embedded in scripts such as JavaScript, which also sometimes leads to errors when inserted incorrectly.
- Such errors affect the behaviour of web sites and cause them to behave abnormally.
- Whenever the site is affected by an error or a bug is encountered, a set of error messages is generated by the business logic component and stored as a string in one of the available scopes.
- To use such functions, you need to define an application scope with the name of the default attribute, because if no such scope is found, the business logic renders nothing.
- Some designers forget to define such scopes and therefore end up with unnecessary errors in their web sites.
- Many more errors occur whenever a request is made by the client to the web server.
- In such cases the server responds with status messages, a few of which are listed below along with the possible errors:

1. 400:
Bad syntax in the request prevents the server from processing it.

2. 401:
The request cannot be processed because the required authentication has not been provided.

3. 404 not found:
The page requested by the client is unavailable at that moment.

4. 405 method not allowed:
The client made the request in a way that is not supported by the site.

5. 407 proxy authentication required:
The client has not authenticated with its proxy.

6. 408 request time out:
The server's wait for the request timed out before the client sent one.

7. 409 conflict:
The server cannot process the request because of a conflict in it.

8. 410 gone:
The page that was requested is no longer available on the web.


Friday, December 23, 2011

What are different characteristics of security testing?

Security testing, as its name suggests, can be defined as a process for determining whether a software, information system or application is capable of protecting data and keeping it secure.
It also determines whether the software or information system keeps the system's functionality intact and as intended.

Security testing needs to cover six important concepts. They are discussed below in detail:
1. Confidentiality
- It can be defined as a security measure that seeks to protect information or data against disclosure to third parties or to any parties other than the authorized parties or individuals.
- This is not the only way of ensuring the security of information.

2. Integrity
- This is a security measure intended to inform the receiver of information or data whether the information or data being provided is correct and fully legal.
- Most often, the same underlying techniques are used for both the confidentiality and the integrity aspects of security.
- There is a basic difference between integrity and confidentiality: for integrity, additional information is also provided.
- This additional information usually forms the basis not only of the encoding of the whole communication data but also of an algorithmic check.

3. Authentication
- This security measure involves confirming the identity of a particular person.
- It ensures that a packaged product contains exactly what its packaging and labelling claim it does.
- The process of authentication is also used to trace the origins of a software system, application or artifact.
- Authentication plays a big role in determining whether a computer software system or application is a trusted one.

4. Authorization
- Authorization is an important security measure.
- It verifies the identity of the receiver of a particular service.
- It can be defined as the process of determining whether the person who has requested a service is allowed and eligible to receive that service or to carry out some operation.
- The best example of an authorization security measure is access control.

5. Availability
- The availability security measure assures that communication services and information will always be ready for use whenever they are needed.
- This security measure ensures that the required information is always available to authorized people when they need it.

6. Non-Repudiation
- It basically falls under the category of digital security measures.
- The non-repudiation security measure confirms that data, information and messages were transferred and received by the people or parties claiming to have sent them.
- Non-repudiation offers a way to guarantee that the person or party who sent a message cannot later deny having sent it, and that the recipient cannot deny having received it, if any issue is raised.
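The distinction drawn under "Integrity" above, that confidentiality and integrity share underlying techniques but integrity adds extra information for an algorithmic check, as an added example that is not code from the original post. Encryption alone hides the content of a payment message; a single flipped byte in transit still decrypts cleanly, just to a different amount. Adding an HMAC tag over the ciphertext gives the receiver the check that detects the change. The key, the message and the `_stream` keystream (a SHA-256 counter-mode stand-in used only so the block runs with the standard library) are constructed for the demonstration and are not a production cipher.

```python
# Added example, not code from the original post: confidentiality alone versus
# confidentiality plus an integrity check (HMAC). The keystream is a standard-
# library stand-in for a real cipher; key and message are constructed.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _stream(key, nonce, length):
    """Toy keystream: SHA-256 in counter mode. Demonstration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))


def _mac_key(key):
    # Separate MAC key derived from the shared key (never reuse the encryption key directly).
    return hashlib.sha256(b"mac|" + key).digest()


def encrypt_only(key, plaintext):
    """Confidentiality only: the content is hidden, but nothing lets the
    receiver tell whether the ciphertext was modified in transit."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(key, nonce, plaintext)


def decrypt_only(key, blob):
    return _xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def protect(key, plaintext):
    """Confidentiality plus integrity: the same encoding, plus the 'additional
    information' the post mentions, an HMAC tag over nonce||ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(key, nonce, plaintext)
    tag = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key, blob):
    """The algorithmic check: recompute the tag and compare in constant time
    before any decryption result is released."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return _xor(key, nonce, ct)


def flip_bit(blob, index):
    """Simulate an in-transit modification of one byte."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    key = os.urandom(32)
    msg = b"PAY 100 TO ALICE"
    tampered = flip_bit(encrypt_only(key, msg), NONCE_LEN + 4)
    print(decrypt_only(key, tampered))          # b'PAY 000 TO ALICE', accepted silently
    try:
        unprotect(key, flip_bit(protect(key, msg), NONCE_LEN + 4))
    except ValueError as exc:
        print(exc)                               # the same change is now detected
```

A security test for the integrity property is therefore not "can I read the message?" but "does a modified message get rejected?", which is why the block asserts on the error path and not only on the round trip.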

Security testing as a term has a number of different meanings and cannot be explained in just one way. A security taxonomy provides a better way to understand all these concepts:

- Discovery
- Vulnerability scan
- Vulnerability assessment
- Security assessment
- Penetration test
- Security audit
- Security review

