Friday, September 24, 2010

9 Steps to Run Firefox Correctly

Follow These Steps to Run Firefox Correctly
1. If you have IE installed, try it for the Web site in question. This can allow you to work around the problem if nothing else helps, as some sites will not work in Firefox no matter what you do.
2. Reboot. Restart your PC and see if the browser works after rebooting.
3. Check for malware. Update your antispyware and antivirus software and do complete antivirus and spyware checks on your PC.
4. Clear your cache. Select Clear Private Data from the Tools menu. Select Cache and Authenticated Sessions only, and then click OK.
5. Check for updates. Select Tools/Check For Updates. The window that appears will tell you if there are updates to be downloaded. If there are, follow the instructions in the window and update your Firefox.
6. Popups. Select Tools/Options . . . Then click the Content tab. If the Block Popup Windows box is unchecked, then you are done with this step. Otherwise, click the Exceptions button immediately next to Block Pop-up Windows. In the window that appears, enter the domain of the Web site with which you are having a problem and click Allow. Click Close, and then click OK.
7. Javascript and Java. Select Tools/Options . . . Then click the Content tab. Make sure that the Enable Javascript and Enable Java boxes are checked. Click OK.
8. Accept Cookies. Click Tools/Options . . . Then click the Privacy tab. Make sure that the Accept Cookies From Sites box is checked, then click the Exceptions button immediately next to Accept Cookies From Sites. Check the list to see if Firefox is blocking cookies from the problem site. If it is, highlight the listing for the problem site. Click Remove Site. Click Close, then OK.
9. Remove Cookies. Click Tools/Clear Private Data. Select Cookies only, and then click OK.

Top 7 Tips To Start Internet Explorer Correctly

1. If you have Firefox installed, try it for the Web site in question. This can allow you to work around the problem if nothing else helps, as some sites work better in Firefox than in IE.
2. Reboot. First restart your computer and see if the browser will work after rebooting.
3. Check for malware. Update your antispyware and antivirus software and do complete antivirus and spyware checks on your PC.
4. Clear all cached data. Follow the cache clearing instructions in the “Browser won’t start” section above.
5. Pop-ups. Select Internet Options from the Tools menu. Then click the Privacy tab. If the Turn On Pop-up Blocker box is unchecked, go to the next step. Otherwise, click the Settings button immediately next to Block Pop-up Windows. In the window that appears, enter the domain of the Web site that you are having a problem with in the Address Of Website To Allow box and then click Add. Click Close, then OK.
6. Reset Security. Click Tools/Internet Options. Click the Security tab. Click on Internet Zone if it’s not already selected. Set the Security Level For This Zone selector to Medium-high. If the Reset All Zones To Default Levels button is active, click it. Click the Privacy tab. If the Security slider is set to a setting higher than Medium, then set it to Medium. Click OK.
7. Upgrade. Make sure that you’re using the latest version by going to windowsupdate.microsoft.com and downloading the latest updates.

Top 7 For Internet Explorer Security

1. Reboot. First restart your computer and see if the browser will work after rebooting.
2. Check for malware. Update your antispyware and antivirus software and do complete antivirus and spyware checks on your PC. If malware is found, remove it and then try to start IE. If it starts, the malware was probably causing the issue.
3. Try a different home page. Click the Start button and select Control Panel. (Control Panel may be in the Settings menu.) Select Internet Options. In the window that appears, under the General tab, change the Home Page box to about:blank. Click OK. Try to start IE and browse to another Web site but not your original home page; if it works, the problem is with the home page you are using. Try troubleshooting with the plug-in section below.
4. Clear all cached data. Go to Internet Options as described above. In the General tab, under Browsing History, click Delete. Click Delete Files and then confirm by clicking Yes. Click Delete Cookies and then confirm by clicking Yes. Click Delete History and then confirm by clicking Yes. Click Close and then OK in the primary window. Try to start IE; if it works, you’ve likely solved the problem.
5. Disable unused extensions. Go to Internet Options as described above. On the Programs tab, click the Manage Add-ons . . . button. Disable any add-ons that you don’t use by clicking on the add-on listing and clicking the Disable radio button. When you have disabled all of the add-ons you don’t use, click OK, and then click OK in the Options window. Try to start IE. If it works, one of the add-ons was the problem. Re-enable each of the add-ons in turn by following the steps above, except click the Enable radio button for each. After you enable one, try to start IE. If it fails, then you know that extension was at fault.
6. Use Default Settings. Go to Internet Options as described above. Go to the Advanced tab. Click Restore Advanced Settings. Then click Reset. Confirm that you want to do this by clicking Reset in the window that appears. Click OK and try IE again.
7. Reinstall. If none of these steps work, then reinstall IE 7. First, download the executable at www.microsoft.com/windows/ie/downloads. (If you don’t have another browser installed, use another system to download the executable, then copy it to your primary PC.) Then, if you can, uninstall IE 7. Click the Start button and select Control Panel/Add Or Remove Programs. (Remember, Control Panel may be nested in the Settings menu. If IE 7 came installed with your PC, you may not be able to uninstall it using the Add Or Remove Programs window. If this is the case, then skip this step.) Then, click on the listing for Internet Explorer 7 and click Remove. After clicking through the removal routine, run the IE 7 executable that you downloaded.

Browser troublemaking Security Guidelines

Stagnant for years, the Web browser is seeing a new wave of excitement crest as major versions of Microsoft Internet Explorer and Mozilla Firefox have been released recently. While early browsers were limited to the display of Web pages, modern browsers are more properly thought of as frameworks for viewing and interacting with a variety of sites, including Web-based applications such as email and rich media such as video, not just traditional HTML (Hypertext Markup Language) pages. Users are excited about the features and functionality that the new browsers offer, but these updates open the door to a different set of software issues and problems. Over the next few pages, we’ll show you how to fix common kinds of browser errors, as well as how to determine if the problem is really with your Web browser in the first place. We’ll focus on troubleshooting the latest versions of the most popular browsers for Microsoft Windows XP, Internet Explorer 7 and Mozilla Firefox 2, two free programs that control over 90% of market share by most estimates. While we won’t explicitly consider other operating systems, Firefox has versions available for other operating systems, so some of the information presented herein may be applicable to those versions. As well, some of the general tips may be applicable to other browsers, such as Opera and Safari.

Product Information

Since your browser is a piece of software, you can easily obtain the version number to aid you in your troubleshooting.

To determine your browser version, follow these steps:
1. Click on the Help menu and select About Firefox . . . (for Firefox) or About Internet Explorer (for IE 7).
2. In the window that appears, look for the version number immediately under the product name. Earlier versions may have slightly different selections in the Help menu; if so, look for an About option or an option that appears like it. If you don’t see anything like these, you likely don’t have a current version of your browser.

Working Status

Your browser depends on a stable, unimpeded connection to the Internet. If your browser does not appear to function, it may be your online connection rather than your browser that is actually at fault. If you have current versions of both Firefox and IE installed on your PC (and why not, since they’re both free?), when one browser isn’t working, start the other one and see if you can reach the Web. If you can’t reach the site you’re trying to reach, then try to reach another big site that will likely be up; examples include www.google.com, www.yahoo.com, and www.microsoft.com. If you can reach any site through another browser, you can eliminate the possibility that your Internet connection is malfunctioning. Also, check the network connection icon in the System Tray (the area next to your computer’s clock) to make sure that the network connection is up.

Another way to verify your Internet connection is through this simple test: Click the Windows Start button on your Desktop. Select Run . . . In the Run window’s “Open” text box, enter the word command, and then click OK. In the Command window that appears, enter the command ping www.google.com and then press ENTER. (If you get a security check from your firewall, give permission for the connection.)

You should get several lines of text, including a number of lines that say something along the lines of “Reply from 209.73.186.238: bytes=32 time=34ms TTL=51.” (The numbers in the response will vary.) If the number after “time” is relatively low (for instance, under 100 for most modern connections), the problem is not your Internet connection. If you get a response like “Ping request could not find host www.google.com. Please check the name and try again,” try entering the command ping www.yahoo.com. If you get an error with that one as well, then you likely have a bad Internet connection. If you get a set of responses that include “Request timed out” and something like “Reply from 209.73.186.238: bytes=32 time=34ms TTL=51” and/or you have a number after “time=” that’s over 200, then this means that your Internet connection may be up, but it may be slow. If this happens with only one site, it indicates a problem with the Web site you’re trying to reach. If you get that kind of result with multiple sites, then the problem is probably with your Internet connection or your Internet service provider, not with your browser. To troubleshoot an Internet connection, see “What To Do When . . . You Can’t Go Online”.

Problems & Solutions

Tuesday, September 21, 2010

Secure your wireless internet access

Keeping your wireless internet network secure from intruders will help you fully enjoy your Wi-Fi connection

Wireless internet access is provided by a wireless router that allows access via radio signals. Unfortunately, since the connection is wireless, anyone who is within range of the signal and has a wireless network adapter installed in their computer can pirate your signal and access the internet through your router. By default, most routers come with factory security settings. In order to lock your wireless internet connection, you need to do the following:
1. Open your wireless router's set-up page. Refer to your owner's manual for the address of your router, then enter this address into your browser. Typically, routers come with a generic user name and password. Your owner's manual will provide you the information about your router.
2. Open the wireless security page within your router's admin area. Routers are slightly different from one another, but they all have security capability.
3. Enter a username and password of your choice into the form fields provided. Safely record this information; you will need it to access your router control panel in the future.
4. Enable encryption on your router. You can either enter a pass phrase of your choice or have the system generate one for you. A system-generated phrase is usually more secure because it is more random and less easy to guess. Record this information, keep it safely and save your settings.
5. Attempt to connect to your wireless router. You will be prompted for your pass phrase. Enter the phrase, check the box to save your pass phrase and apply your settings. Your wireless connection is now locked to any other machine except yours.

Monday, September 20, 2010

What Is WWW BROWSERS?

WWW BROWSERS

To be used as a web client, a computer needs to be loaded with a special software tool known as a WWW browser (or browser in short). Browsers normally provide the following navigation facilities to help users save time while Internet surfing (the process of navigating the Internet to search for useful information):
1. Unlike FTP and Telnet, browsers do not require a user to log in to a server computer remotely, and then to log out again when the user has finished accessing information stored on the server computer.
2. Browsers enable a user to visit a server computer's site directly and access information stored on it by specifying its URL (Uniform Resource Locator) address. URL is an addressing scheme used by WWW browsers to locate sites on the Internet.
3. Browsers enable a user to create and maintain a personal hotlist of favorite URL addresses of server computers that the user is likely to visit frequently in future. A user's hotlist is stored on his/her local web client computer. Browsers provide hotlist commands to enable a user to add, delete and update URL addresses in the hotlist, and to select a URL address of a server computer from the hotlist when the user wants to visit the server computer.
4. Many browsers have a "history" feature. These browsers maintain a history of server computers visited in a surfing session. That is, they save (cache) in the local computer's memory the URL addresses of server computers visited by a user during a surfing session, so that if the user wants to go back to an already visited server later on (in the same surfing session), the link is still available in the local computer's memory.
5. Browsers enable a user to download (copy from a server computer to the local computer's hard disk) information in various formats (i.e., as a text file, as an HTML file, or as a PostScript file). The downloaded information can be used later (not necessarily in the same surfing session) by the user. For example, downloaded information saved as a PostScript file can later be printed on a PostScript-compatible printer, where even graphics will be reproduced properly.

World Wide Web

World Wide Web (called WWW or W3 in short) is the most popular and promising method of accessing the Internet. [...] reason for its popularity is use of a concept called hypertext. Hypertext is a new way of information [...] Internet that enables authors to structure information in novel ways. An effectively designed hypertext document can help users locate the desired type of information rapidly from the vast amount of information on the Internet. Hypertext documents enable this by using a series of links. A link is shown on screen in multiple [...] labeled button, highlighted text, or different color text than normal text if your computer has color [...]-defined graphic symbols. A link is a special type of item in a hypertext document connecting it to another document that provides more information about the linked item. The latter document can be anywhere on the Internet (in the same document in which the linked item is, on the same computer in which the [...] is, or on another computer at the other end of the world). By "connect", we mean that a user selects the linked item (using a mouse or key command) and the user sees the other document on his/her computer terminal almost immediately.
The concept of hypertext can be best illustrated with an example. Let us assume that the following hypertext document is currently displayed on your computer's screen:
The hypertext document has the following two links shown on screen as highlighted (bold and underlined) text:
1. Centre for Development of Advanced Computing (C-DAC). Let us assume that this link connects the current document to another document giving detailed information about C-DAC, and is located on a computer system at C-DAC [...].
2. Multimedia Systems Research Laboratory (MSRL) of Panasonic. Let us assume that this link connects the current document to another document giving detailed information about MSRL of Panasonic, and is located on a computer system at MSRL of Panasonic in Tokyo, Japan.

Now, if you use your mouse to click anywhere on the link [...] Panasonic of the displayed document, within a few seconds you will find yourself connected to the MSRL of Panasonic in Tokyo, and the document giving detailed information about MSRL of Panasonic displayed on your computer screen.
Hypertext documents on the Internet are known as Web Pages. Web Pages are created by using a special language called Hypertext Markup Language (HTML in short). HTML is a subset of a more generalized language called Standard Generalized Markup Language (SGML in short) that is a powerful language for linking documents for easier electronic access and manipulation. HTML is now a de facto industrial standard for creating Web Pages.
The WWW uses the client-server model, and an Internet Protocol called Hypertext Transport Protocol (HTTP in short) for interaction between computers on the Internet. Any computer on the Internet using the HTTP is called a Web Server, and any computer accessing that server is called a Web Client. Use of the client-server model and the HTTP allows different kinds of computers on the Internet to interact with each other. For example, a workstation may be a web server and a Windows PC may be a web client, if both of them use the HTTP for transmitting and receiving information.

Chat Rooms

A chat is a real-time typed conversation that takes place on a computer. Real time means that you and the people with whom you are conversing are online at the same time. A chat room is a location on an Internet server that permits users to chat with each other. Anyone in the chat room can participate in the conversation, which usually is specific to a particular topic.
As you type on your keyboard, a line of characters and symbols is displayed on the computer screen. Others connected to the same chat room server also see what you have typed. Some chat rooms support voice chats and video chats, in which people hear or see each other as they chat.
To start a chat session, you connect to a chat server through a program called a chat client. Today's browsers usually include a chat client. If yours does not, you can download a chat client from the Web. Some Web sites allow users to conduct chats without a chat client.
Once you have installed a chat client, you can create or join a conversation on the chat server to which you are connected. The chat room should indicate the discussion topic. The person who creates a chat room acts as the operator and has responsibility for monitoring the conversation and disconnecting anyone who becomes disruptive. Operator status can be shared or transferred to someone else.

Thursday, September 16, 2010

There is no foolproof security.

What most people don’t tell you is that there is no foolproof security.
Credit monitoring alone doesn’t stop identity theft; it just does damage control by alerting you to the fact that someone has taken out credit in your name. It is also a contradictory service for companies that previously made all their money selling your information, i.e., the credit bureaus. You would be far better off using a credit monitoring service like Identity Guard or Debix, as the sole purpose of the company is to protect your identity, not sell your information. Besides, the credit monitoring services offered by the bureaus don’t give you anywhere near the coverage of identity protection services offered by LifeLock, TrustedID and ID Watchdog, and besides that, the monitoring services from the credit bureaus are more expensive.
Fraud alerts, though proven to be effective for stopping new account fraud, only work when the creditor actually calls the number in your file, which isn’t always done, and there have been reports of frustration by consumers when implementing and having a fraud alert on their file. A fraud alert is not foolproof but is still recommended if you have a good faith suspicion that you either are or are about to become an identity theft victim. Even if you do set this up, please remember that identity insurance is still extremely important in a full protection plan.

You see, the one thing everybody needs to have in place is identity theft insurance.
If you are like me you have worked far too hard and long to achieve your financial position and to establish your good name for some low life to step in and ruin your success.
Identity insurance is not only necessary but something you should consider purchasing immediately, because once one identity thief low life makes any attempt at taking over your finances, no insurance company will touch you. That’s right, they don’t tell you that either. They will insure you if your personal data has been compromised, but once a thief initiates an attack on you, their policies will not cover you for that case.

What Are My Options?

Everyone has options, and I will present your options so you can make an informed decision for you and your family.
  1. Option 1: Do the protection part yourself and look for identity insurance elsewhere. This works if you’re the type who can set a schedule and stick to it without missing crucial deadlines such as the renewal every 90 days of your fraud alert or the request of your credit report every four months. The problem is that all your extra work does not really save you any money. The insurance will cost you the same as the full identity protection services offered by LifeLock, TrustedID or ID Watchdog.
  2. Option 2: Enroll with an identity theft protection service that includes identity theft insurance and/or guarantees of 1 million dollars. The best protection for the best price means this is the right choice for most people.
I often get asked – Are they worth it?
My answer is absolutely. Think of all the services you currently have others perform and the prices they charge. Really, take a second and think about it. Aren’t your identity and finances far more important to protect, and thus a far better investment than the items you just thought about?
You can get a very high level of identity protection for under $100, and the peace of mind alone, knowing you won’t have to fight through stressful red tape restoring your identity and finances all by yourself, makes this well worth it. Of course, your identity is far better protected than you could have done on your own.

What’s Really Scary is when a thief gets a hold of your Social Security number?

What’s really scary is when a thief gets a hold of your Social Security number, or bank account numbers, or starts combining information on you from multiple sources. This is when you are at great risk. The SSN alone is considered by thieves to be the Golden Key to the Palace.
Governments, Universities, Fortune 500 companies are all losing our private information at alarming rates.
Criminals have learned that identity theft can be prosperous and that the risks of getting caught are low, though in recent years the legal system is charging and convicting more people. Thieves are stealing laptops and hard drives, hacking computers and doing anything they can to get your personal information because they know how valuable it is on the black market.
I don’t mean to scare you.
I am just trying to inform you that your personal and private information is likely already out there, exposed like most Americans’ personal details.

The Washington Post just did a study and found that personal information including the SSNs of Colin Powell and Troy Aikman was in easily accessible public government records on the internet. They also reference another website where an identity theft activist in Virginia provides the links to government websites that have the SSNs of numerous congressmen, judges, and district attorneys posted for all to see. Why are their SSNs posted online? Because they bought a house – it’s on the land deed. Now they probably have protection, but if their information is public knowledge on the internet then yours and mine probably is too.
Need proof? Ask residents of Connecticut, Ohio, Wisconsin or the City of Nashville. Numerous Universities, Fortune 500 companies, Large Retailers, Hospitals, Financial Companies, Peace Officers in Texas, National Defence Contractors, Our Veterans … the list goes on, and on, and on. There are 100’s of reported data breaches each year, and over the last few years over 100 Million Private American Records that included SSNs and/or Financial Information were compromised … and the real problem is that this is going to continue.
I have made this point in other articles and I cannot stress enough how true it is – Your private information is not safe, never will be, and there is a good chance that it has already been compromised.

What Is FIN Scan & Inverse Mapping?

FIN Scan

I have never detected a FIN scan in the wild and chose not to simulate one. In the case of a FIN scan, one would detect a large number of packets with the FIN flag set where there was no three-way handshake ever established. We have already discussed using a database to find ftp-bounce. A good intrusion analysis system should provide the capability to look for spurious traffic, such as FINs, to connections that were never established. HD Moore, the author of nlog, has been developing Perl scripts to accomplish these sorts of tasks based on a 24-hour data window.
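The check described above (FINs on connections that never completed a three-way handshake, counted per source over a 24-hour window) can be sketched as follows. This is an added example, not code from the original text, nlog or Shadow; the packet tuple layout, the tcpdump-style flag strings, the `min_fins` threshold and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict

DAY = 24 * 3600  # the 24-hour data window mentioned in the text


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection share state."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def spurious_fins(packets):
    """Return (ts, src, dst, dport) for every FIN seen on a flow whose
    SYN, SYN+ACK, ACK handshake was never observed."""
    state = {}  # flow key -> (stage, client endpoint)
    hits = []
    for ts, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        key = flow_key(src, sport, dst, dport)
        stage, client = state.get(key, (None, None))
        sender, receiver = (src, sport), (dst, dport)
        if "R" in flags:                       # reset: forget the flow
            state.pop(key, None)
        elif "S" in flags and "A" not in flags:
            state[key] = ("SYN", sender)       # step 1, sender is the client
        elif "S" in flags:                     # SYN+ACK must answer that client
            if stage == "SYN" and client == receiver:
                state[key] = ("SYNACK", client)
        elif "F" in flags:                     # checked before plain ACK (FIN+ACK)
            if stage != "EST":
                hits.append((ts, src, dst, dport))
        elif "A" in flags:                     # step 3 completes the handshake
            if stage == "SYNACK" and client == sender:
                state[key] = ("EST", client)
    return hits


def fin_scan_sources(packets, window=DAY, min_fins=3):
    """Sources with at least min_fins spurious FINs inside any one window.
    Returns [(src, most FINs in a window, distinct (host, port) targets)]."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in spurious_fins(packets):
        by_src[src].append((ts, (dst, dport)))
    report = []
    for src, hits in sorted(by_src.items()):
        start, best = 0, 0
        for end in range(len(hits)):           # hits are already time-ordered
            while hits[end][0] - hits[start][0] >= window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_fins:
            report.append((src, best, len({target for _, target in hits})))
    return report


def sample_packets():
    """Constructed traffic using documentation address ranges."""
    web, scanner = "192.0.2.10", "203.0.113.7"
    pkts = [
        # Complete connection: handshake, data, orderly close. No hit expected.
        (1.0, "10.0.0.5", 40000, web, 80, "S"),
        (1.1, web, 80, "10.0.0.5", 40000, "SA"),
        (1.2, "10.0.0.5", 40000, web, 80, "A"),
        (1.3, "10.0.0.5", 40000, web, 80, "PA"),
        (2.0, "10.0.0.5", 40000, web, 80, "FA"),
        (2.1, web, 80, "10.0.0.5", 40000, "FA"),
        (2.2, "10.0.0.5", 40000, web, 80, "A"),
        # Connection opened before the capture began: its close looks spurious,
        # which is why a per-source threshold is applied before reporting.
        (3.0, "10.0.0.8", 50000, web, 80, "FA"),
        (3.1, web, 80, "10.0.0.8", 50000, "FA"),
    ]
    # Bare FINs to four targets with no handshake, each answered by a reset.
    targets = [(web, 22), (web, 23), (web, 25), ("192.0.2.11", 80)]
    for i, (dst, dport) in enumerate(targets):
        pkts.append((100.0 + i, scanner, 61000 + i, dst, dport, "F"))
        pkts.append((100.5 + i, dst, dport, scanner, 61000 + i, "RA"))
    return pkts


if __name__ == "__main__":
    for row in fin_scan_sources(sample_packets()):
        print(row)
```

The two isolated FINs from the connection that predates the capture stay below the threshold, so only the source sending FINs to many never-established flows is reported.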

Inverse Mapping

Inverse mapping techniques can compile a list of networks or hosts that are not reachable and then use the converse of that map to determine where things probably are. These techniques are a bit harder to detect; I had to write a quick hack for the Shadow system to track RESET scans. Bill Ralph rewrote and improved the module look4scans.pl. Likewise, the following DNS example eludes all intrusion detection systems that I have worked with.

What About Detecting Scans?

Until some brilliant researcher comes up with a better technique, scan detection will boil down to testing for X events of interest across a Y-sized time window. An intrusion detection system can and should have more than one scan detect window. For instance, we have seen several scans that exceed five events per second. By using a short time window in the range of one to three seconds, the system can detect a high-speed scan and alert in near real time, three to five seconds after the scan begins. Nipping such scans in the bud is one of the best uses of automated reaction. The next reasonable time window is on the order of one to five minutes. This will detect slower but still obvious scans. The Shadow intrusion detection system has had some success with a scan detect of five to seven connections to different hosts over a one-hour window. At a later date, they employed scan detect code for a 24-hour time window in order to investigate the TCP half-open scans that are plaguing the Internet. These half-open scans are detailed in the stealth section of this chapter. Scans have also been detected using database queries with rates as low as five packets over 60 days. A scan rate that low would make sense only if it was interleaved (executed in parallel from multiple source addresses) to the extreme. More on that later!
This example may appear to be similar at first glance to smurf. In contrast to the smurf attacks, the broadcast echo requests here are spaced reasonably far apart in time. The source IP address is not spoofed. The time delay between broadcasts gives the attacker time to process the echo replies without getting overloaded.
As we discussed in Chapter 6, "Detection of Exploits," the zero is an archaic broadcast; UNIX and other systems will often still answer it. Windows systems will not; they will answer the 255 broadcast. This allows the attacker to distinguish between types of systems.
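
The "X events across a Y-sized time window" test with several windows running side by side, as described at the start of this section, can be sketched like this. It is an added example, not Shadow's code; the traffic is constructed, and the function name and the fast and medium thresholds are assumptions.

```python
from collections import defaultdict, deque

# (name, window seconds, distinct destination hosts needed to alert).
# Window lengths follow the text; the fast and medium thresholds are assumed.
WINDOWS = [
    ("fast", 3, 15),      # five events/second sustained over three seconds
    ("medium", 300, 10),  # slower but still obvious scans
    ("slow", 3600, 5),    # five different hosts in one hour (Shadow figure)
]

def detect_scans(events, windows=WINDOWS):
    """events: (timestamp_seconds, src, dst) tuples, any order.
    Returns {(src, window_name): timestamp of the first alert}."""
    alerts = {}
    recent = defaultdict(deque)  # (src, window) -> (ts, dst) still in window
    for ts, src, dst in sorted(events):
        for name, length, threshold in windows:
            key = (src, name)
            q = recent[key]
            q.append((ts, dst))
            while q[0][0] <= ts - length:   # evict events older than window
                q.popleft()
            # Count distinct hosts so repeat traffic to one server is ignored.
            if key not in alerts and len({d for _, d in q}) >= threshold:
                alerts[key] = ts
    return alerts

def sample_events():
    """Constructed traffic: four sources with different behaviour."""
    ev = []
    # High-speed scan: 20 hosts at 8 probes/second.
    ev += [(i * 0.125, "198.51.100.9", f"172.20.1.{i}") for i in range(20)]
    # Slow scan: 6 hosts, one every 10 minutes.
    ev += [(1000 + i * 600, "203.0.113.4", f"172.20.2.{i}") for i in range(6)]
    # Very slow scan: 5 hosts, one every 2 hours.
    ev += [(i * 7200, "192.0.2.50", f"172.20.3.{i}") for i in range(5)]
    # Busy but benign client: 30 connections to the same two servers.
    ev += [(i, "172.20.9.9", f"172.20.0.{i % 2}") for i in range(30)]
    return ev

if __name__ == "__main__":
    for (src, window), ts in sorted(detect_scans(sample_events()).items()):
        print(f"{src:15} {window:6} first alert at t={ts}s")
```

The two-hour-spacing source slips under all three windows and is only caught once a 24-hour window is added to the list.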

What is Network and Host Mapping

The goal of host mapping is simply to determine what hosts or services are available in a facility. In some sense, the odds are in the analyst's favor; we are defending sparse matrices. Suppose you have a class B network, 172.20.0.0—that is 65,536 possible addresses. There are also 65,536 TCP ports and 65,536 UDP ports. That means that the attacker has in excess of 23 trillion possible targets. Scanning at a rate of 18 packets per second, it would take a shade under five million years to completely scan the network. Because computers have a life span of between three and five years, the rate of change confounds the usefulness of the scan.

Now to be sure, attackers are coming up with smarter and faster scanning techniques. There is no need for an attacker to consider all possible port numbers. Fifty TCP and UDP ports will account for all the probable services, so the target space is something in the range of 163 million, which could be scanned in less than four months at 18 packets per second. Hmmmm, that is achievable! And if the site doesn't have intrusion detection, the site owners will probably never know if the attacker's scan randomizes the addresses and ports a bit.
But if the attackers can get an accurate host map, they can turn the tables on those of us who defend networks. Many address spaces are lightly populated. If the attacker is able to determine where the hosts are, they have a serious advantage. Say our class B network was populated with only about six thousand computers and the attacker can find them. Now, the attacker can scan the populated hosts on the net, at 18 packets per second, in less than ten days—and there still are much more efficient ways to do the scan. In fact, if we allow ICMP echo request broadcasts, they can ping map our network with only 255 packets.
The point of the story is obvious. If attackers are not able to get intelligence information about our site, they are forced to guess about a very sparse matrix. If we do let their intelligence-gathering probes succeed, then they don't have to do much guessing at all.
So how could an attacker get such an accurate host map? Many sites still make a "host table" available for FTP download. Other sites allow DNS Zone transfers. Or perhaps the attacker will have to work to discover this information with host scans.
