When application developers are developing, parameters are often hard-coded in the source code. These hard-coded parameters are often pulled out of the source code and put into property files or configuration files. System and network security policies may force a developer to address security concerns over the data that is stored in external files. So, how do you make sure that your sensitive external parameters are safe?

Last time I showed you how to exchange and verify public PGP keys with an individual. After you’ve verified a user’s key (KeyID, bits, type, fingerprint, and user’s actual identity) you should sign their key.

Verification is part of any security system. SSH, FTP, POP, and IMAP servers ask for your password before it lets you log into the machine, get your files, or snag your email. NTP can be configured to require keys before it’ll let you mess with it’s clock. CIFS requires a password or kerberos tickets before granting you access to shares.

GnuPG and other PGP implementations allow you to encrypt (scramble the data so only intended recipients can read it) and/or sign (provide proof that the data has been unaltered in transit). As you should remember, PGP keys are made up of two parts, a public key and a private key. The public key can (and in most cases should) be available to anyone – there’s no harm in allowing it out to the entire world. The private key should be kept somewhere secure, protected with a strong passphrase.

Last time[1] we’d created our PGP key. Let’s jump in with some encryption and decryption examples.

Jumping right in, let’s create our PGP public/private key pair. I’ll use GnuPG, the Gnu Privacy Guard, available at http://www.gnupg.org, and which is very likely already available with your Linux distribution. If you want to use older free or commercial PGP versions, the commands are very similar. Any GUI front end will also have the same functionality.

File and mail security is easy to achieve with the right tools. PGP has proven itself the leader, and GnuPG is the tool of choice in the Linux world.

Network attacks are the biggest risk for Windows 2000 servers. Since the release of the old Windows NT 3.1, hackers have been actively looking for bugs in Microsoft Windows operating systems. Tools like SecHole, IISInjector, NAT (NetBIOS Auditing Tool), SMBRelay and L0pthcrack have been developed to reveal passwords, execute actions on a server, forge network connections and degrade system performance. In addition, several critical security vulnerabilities have been recently released for Windows 2000 that can completely expose a network to an intruder.

Wiretapping is a common occurrence; nothing is secure unless secured.

Where has your password been?