Monday, 07 July 2008
Security Basics: A Strong Password is the Key

As your personal business life becomes accessible in digital form, using strong passwords to keep that information safe and secure is more important than ever. The proliferation of Web 2.0 services such as online payment, banking, accounting and payroll services means that your company’s most sensitive information is accessible to anyone with the proper login.
Relying on your pet’s name for a password just doesn’t cut it anymore. The only thing worse is having your passwords scrawled on a sticky note under your keyboard – you know who you are.
The Basics

Security experts agree: Most people have passwords that provide woefully inadequate protection against hackers and identity thieves. That’s because a password that’s easy to remember is also easy for an automated hacking program to guess, and one that’s hard to guess is also hard to remember—and winds up on that sticky note. But there are a few tricks that can help you come up with complicated passwords that will still be easy for you (and only you) to remember.
“A good technique is to come up with a base password, and then just change it a bit for every site,” advises David Ulevitch, CEO of OpenDNS, the leading provider of Domain Name System services. For example, your banking log-in for Bank of America could be ca$h!cowBoA, while your QuickBooks online accounting password could be ca$h!cowQB.
Which brings up a second point: Be sure to use a mix of upper- and lowercase letters, numbers, and symbols. The reason? Automated hacking programs can cycle through all known words (spelled both forward and backward), plus common names (including Fido and Queenie), in a matter of minutes.
“The best way to do strong passwords is to simply replace letters with characters and numbers, and make use of other keyboard tidbits,” advises Eric Green, president of ELG Consulting and a consultant to SCIPP International, the first non-profit security-awareness training certification organization. So while NYYankees is a weak password, it can be made stronger (and still remain memorable) with the simple tweak to NY_Y@nkee$$.
Another trick is to think of a passphrase that is meaningful to you and that can be turned into an acronym (again, with some symbols in place of letters). So, for example, the fact that my first car was a 1964 Buick Electra could become the PayPal password MfCw@!964BE!PP. And if you are worried about forgetting it, you could write down a reminder for yourself that will be useless to others, like “first car sentence.”
Other Observations

Ultimately, the security of your password (and hence your data) is only as secure as the site you enter it into. “When doing any work online and entering any kind of personal information at all, make sure the little padlock is at the bottom of your screen indicating the site is using SSL (Secure Sockets Layer) to encrypt your data,” cautions Green. “The strongest password in the world is a waste if someone can simply copy that information over an insecure network.”
Also be aware of keylogger programs and other malware that can lurk on a PC, recording your keystrokes and surreptitiously sending them to a hacker. The string “www.paypal.comjohndoefido” lets the thief know that a PayPal user name is John Doe and that the user’s password is Fido.
So never enter a vital password at a public computer terminal (such as at an Internet café), since you don’t know what programs people have installed on those computers. And on your own home and business PCs, be very careful what you and your employees load (in fact, in Windows, block employees from loading programs altogether) and be sure each PC’s anti-spyware program (such as SpySweeper) is up to date.
Jamie Bsales is an award-winning technology writer and editor with nearly 14 years of experience covering the latest hardware, software and Internet products and services.
This article was first published on SmallBusinessComputing.com.

College degree still worth investment, economists say

MINNEAPOLIS -- What's worse than being 12 years out of high school and on your way to having $40,000 in debt?
Being 30 years old, with no college degree, making $15 an hour.
That's why Jesse Mullan has taken a risk and gone back to college, sitting in classrooms with college juniors who were 8 years old when he graduated from high school in St. Paul, Minn., in 1994.
Mullan, who expects to graduate from college in 2008, figures that taking on debt to further his education will pay off. He expects to triple his hourly pay shortly after collecting a degree in computer science from the University of Minnesota, allowing him to pay off his school loans in no more than 10 years.
"It's better than car loans," he said.
Mullan is still making a good bet, many economists agree. While the cost of college has soared, the incomes of college graduates are still staying well ahead of those who don't have four-year degrees.
How far ahead? Lifetime incomes of college grads in today's dollars average nearly $300,000 more than high school graduates over a 40-year career. And that's the net benefit, after deducting an average cost of more than $100,000 in tuition, room and board and potential income lost while attending college.

The income gap between those with and without a college degree continues to grow, though at not as fast a pace since the mid-1990s as in the 1980s. Why? A rising tide of economic prosperity has lifted most of the boats, providing higher incomes for even the undereducated.
"Since the mid-1990s, the average (inflation-adjusted) wages of college graduates have skyrocketed, increasing by 18 percent" as of 2004, a recent study found. In contrast, wages of high school dropouts rose at about half that rate -- 10 percent -- over the same period.
Economists Lisa Barrow and Cecilia Elena Rouse said in the same paper that "there are no signs that the value of a college education has peaked or is on a downward trend."
While many people have heard stories of degree-holders with nothing more to show for their high-priced education than a job behind a coffee counter, sticker shock about the rapidly rising cost of tuition and fees is largely misplaced, said Rouse, a Princeton University economist.
Rouse cites two factors to back up that claim: Significant numbers of students get some form of aid, income tax credits at the very least -- meaning they pay less than the posted price for their degrees. What's more, by far the largest cost of going to college is foregone income, and wages of high school grads have not climbed nearly as fast as the double-digit gains in tuition at many colleges in recent years.
To be sure, paying for college is a bigger gamble for some than for others.
Sixty-three percent of all students with family incomes of $79,000 or less face a gap between the annual cost of college and the money they can raise through grants, scholarships, work-study programs and family contributions, according to a national study released last month by the Southern Regional Education Board.
That gap is filled by debt.
For example, in the spring of 2005, nearly two-thirds of the students graduating from the University of Minnesota's Twin Cities campus left with debt -- an average of more than $22,000. That was up 65 percent from the average for indebted students in the class of 2002.
But the average return to a college education is large enough to overshadow those liabilities, many studies have found.
The Census Bureau in 2004 calculated that the average college graduate earns $27,800 more per year, adjusted for inflation, than the average high school graduate. That adds up to more than $1 million over a lifetime.
Barrow and Rouse calculated that over 40 years, the average payback for a college diploma comes to $402,959 in today's dollars. Subtract $107,277 in their estimated average total cost for a four-year degree and the average expected benefit would come to about $296,000.
And what about the English majors or art students who end up behind a counter at Starbucks after graduation? Their degree still is likely to make them more attractive as a management candidate than someone who didn't go to college.
"There probably are more opportunities open to these people who maybe aren't doing as well as the average," Barrow said.
Source: seattlepi.com

Saturday, 05 July 2008
User Authentication Beyond the Password
Here's a simple fact: the security of your organization is at risk every time anyone logs on to your network. If it's an authorized user then you're probably safe, but if it's a hacker that's logging on then here's what could be on the menu: malware infections, network unavailability, server downtime, data loss or corruption, leakage of confidential or proprietary information, and much more besides.
Given all this, it's astounding that most businesses require only a user name and password to authenticate users onto their networks, even when logging in remotely. According to research house Gartner, about 94 percent of companies of all sizes require only single-factor authentication of this sort from their users.
It's astounding because single-factor authentication using "something you know"—a password, in other words—is notoriously insecure. If a password is to be easily remembered then it's probably easily guessable and rarely changed. If users are forced to use more secure passwords which are long, random and frequently changed, then the chances are they'll write them down on a sticky note "hidden" somewhere obvious.
Factor In Tokens
A sensible way to beef up security is to bump up authentication to a two-factor process, involving "something you have"—some form of security token which users must be in possession of when they authenticate themselves to the network—as well as the "something you know" password. This is the model that ATMs use: a PIN that the user has to know, and an ATM card that has to be inserted to prove that it is in their possession.
The most common form of network authentication credential is the SecurID token from RSA Security, part of storage company EMC. The SecurID token generates a one-time password (OTP) which changes every minute or so, and the user has to type in this OTP to prove that the token is in his or her possession. The OTP is generated by putting a time value into an encryption algorithm using the token's unique "seed record" as the key. Since the only other entity in possession of the key is the authentication server, and since the server's and the token's clocks are kept in synchronization, the server is able to compare the OTP the user enters with the one it is expecting, and authenticate the user if it is correct.
But RSA is far from being the only player in town, with a number of other vendors active in the security token market including Vasco with its Digipass range, Secure Computing's SafeWord tokens, the ActivIdentity token range and Entrust IdentityGuard tokens. These products use a variety of systems, including event synchronous authentication. Such tokens generate an OTP each time they are activated (usually by pressing a button) and this OTP is compared with the next OTP that the server generates using the same crypto algorithm and key, and an incremental counter. These are in theory less secure than time synchronous systems as a hacker who gained access to one of these tokens temporarily could generate a sequence of OTPs for later use. These OTPs would remain useful until the next time the owner generated an OTP and submitted it for authentication, as at that point all previous OTPs would cease to be valid. These and other vendors (including memory stick manufacturers) also sell USB dongle tokens and smart cards which have to be physically inserted into a USB port or card reader of some sort during authentication.
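As an added illustration (not code from this article or from any vendor it names), here is the OATH event-synchronous algorithm, HOTP (RFC 4226), its time-synchronous counterpart TOTP (RFC 6238), and the server-side checks that give each scheme the properties described above: a look-ahead window for button presses that never reached the server, advancing the counter so that every earlier OTP ceases to be valid, and refusing to accept a time-based code twice within the same time step. The seed is the RFC test vector, not a real token's seed record; the look-ahead and drift values are assumptions.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# A real token's seed record is random and shared only with the authentication server.
TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous variant: the 'counter' is the number of time steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


class EventTokenServer:
    """Server side of an event-synchronous (button-press) token.

    The server remembers the last counter value it accepted.  A code is accepted only if it
    matches one of the next `look_ahead` counters; on success the stored counter jumps to the
    matched value, which is exactly why all previously generated OTPs become useless."""

    def __init__(self, seed: bytes, look_ahead: int = 10):
        self.seed = seed
        self.look_ahead = look_ahead   # assumption: tolerate up to 10 presses that were never submitted
        self.last_counter = -1         # nothing accepted yet

    def verify(self, otp: str) -> bool:
        first = self.last_counter + 1
        for c in range(first, first + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.last_counter = c  # advance: counters <= c can never be replayed
                return True
        return False


class TimeTokenServer:
    """Server side of a time-synchronous token.

    Tolerates a small clock drift (plus or minus `drift_steps` steps) but never accepts a
    time step that has already been used, so a code captured by a keylogger cannot be
    replayed during the remainder of its validity window."""

    def __init__(self, seed: bytes, step: int = 30, drift_steps: int = 1):
        self.seed = seed
        self.step = step
        self.drift_steps = drift_steps  # assumption: one step of drift either way
        self.last_step = -1

    def verify(self, otp: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for s in range(current - self.drift_steps, current + self.drift_steps + 1):
            if s <= self.last_step:    # already consumed: reject replay
                continue
            if hmac.compare_digest(hotp(self.seed, s), otp):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    srv = EventTokenServer(TEST_SEED)
    print("press 3 accepted:", srv.verify(hotp(TEST_SEED, 3)))   # True (within look-ahead)
    print("stale press 1 accepted:", srv.verify(hotp(TEST_SEED, 1)))  # False (counter advanced)
```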

Cost Slows Adoption
One reason why many organizations have so far been reluctant to introduce two factor authentication is the cost involved, according to Dr. Ant Allan, a research vice president at Gartner. "For a small enterprise, with a few hundred people working remotely, the cost has been something like $50 per user for a token, plus the same again for the infrastructure required," he says.
But Dr. Allan says the economics are changing rapidly. As well as RSA's time-synchronous tokens and time- or event-synchronous tokens from companies like Vasco and ActivIdentity, which use the ANSI X9.9 standard for identification codes, there's a significant project called OATH: the Initiative for Open Authentication. All tokens that use the OATH standard can be used with OATH-compatible authentication systems, unlike RSA SecurID tokens, for example, which only work with RSA back-end systems. "OATH has enabled the commoditization of security tokens," says Dr. Allan. "It provides the interoperability so you can implement a solution with OATH and buy some tokens from one vendor and others from another vendor." OATH has been heavily promoted by security services vendor VeriSign, which wants to offer managed authentication services without having to be a token manufacturer or locking its customers into a single token supplier, Dr. Allan says. Entrust, another security vendor, now supplies OATH-based tokens for $5 each (albeit with a minimum order of 100), so token hardware costs have become almost negligible.
In fact, token hardware cost is rapidly becoming irrelevant for another reason: The increasing power and sophistication of mobile phones means that it is now perfectly practical to give users soft tokens, software which runs on a mobile phone or other handheld device and emulates a hardware token. "We actually see phone-based authentication tokens becoming increasingly popular, and we predict that 50 percent of future two factor authentication implementations will use phone-based tokens," says Dr. Allan. Once up and running these offer a similar level of security to hardware-token-based systems, he says, although he warns that enrollment issues (essentially getting the software to the right mobile phone) can be a potential security problem.
Vendors that provide authentication systems using cheap hardware tokens or software tokens make their money from the back-end systems (which they either license or provide as a service). Interestingly, authentication systems are available that use precisely the opposite model: open source authentication server code which is supplied at no cost to work with more costly tokens. For this to work the tokens have to be differentiated in some way to be worth paying more for.
An example of this is the YubiKey, a tiny USB token from a Sweden-based outfit called Yubico. The YubiKey is "seen" by the user's device's operating system as a USB keyboard. Touching the YubiKey's single button automatically generates and enters an OTP into the active field on the user's computer without any other activity required on the part of the user. YubiKeys cost $20 each (in orders over 100), but since the authentication software is open source there are no annual license fees to be paid (although there are obviously costs associated with integration and maintenance). Yubico also offers a free basic managed authentication service -- it previously cost $2 per user per year -- for companies that do not wish to run their own authentication servers. (Ed. Note: See update)
"There are many companies providing expensive validation services and there is clearly a void in the market today for a no-subscription, "no strings attached" offering," says Stina Ehrensvärd, Yubico's CEO. "A buyer needs to look at the total cost of ownership and for large deployments that run for many years the Yubico offering is less expensive than the competition. We do not subsidize the tokens to regain on services." Ehrensvärd expects the price of the YubiKey to drop in the near future, and says by mid-August the device will support OATH.
Because the cost of token-based authentication has historically been high, a number of other authentication methods have appeared, providing a variety of levels of security. The prevalence of mobile phones has led to a degree of popularity for out-of-band authentication methods using SMS messages, email, or even voice messages. A user attempting to log on has a security code sent to their mobile phone using one of these methods, and this code must be entered as part of the log-on procedure. As long as the communication channel (in this case the mobile phone connection) is not compromised, this method is actually pretty secure. Problems occur if network latency means that the user has to wait too long for the security code to arrive, or if the user is outside a mobile phone coverage area.

Alternative Factors
Other authentication methods involve identifying the IP address from which a user logs in, or the device the user is operating (using network access control devices, or proprietary systems). These, however, authenticate a location or a device, not a user, so they can't be used when a user is mobile (in the case of IP address authentication) or when a user wants to use a different computer system (in the case of NAC or other systems). These methods also leave a network vulnerable to attacks from malware-infected, authorized machines operated remotely.
What's clear is that with the commoditization of tokens thanks to standards like OATH, and with open-source-based solutions using low-cost hardware such as the YubiKey, the cost barrier to implementing strong two-factor authentication is falling fast. "There has historically been an authentication chasm because the cost of hardware has been high," says Dr. Allan, "but now that cost is shrinking." What that means is that there is now less of a reason than ever before to rely on user names and passwords for the security of your network. For a fairly modest cost you could introduce two-factor authentication and increase the level of your network's security significantly.
Author: Paul Rubens

Thursday, 03 July 2008
Creating a Contacts Database in OpenOffice
Last week we learned how to make pages of labels, business cards, and form letters using OpenOffice Writer and Base. The steps for setting up any mail-merge document in OpenOffice are easy; the one potentially gnarly bit is creating your contacts database in the first place. Your contacts list must be in Base, which is a bit of a pain. But the good news is Base can import data from most other databases, spreadsheets, text-delimited files, and email address books. Figure 1 shows the import screen. Yours may have some different options, depending on your Linux distribution.
Base can connect directly to most relational databases, such as MySQL, PostgreSQL, Oracle, Adabas D, or any database that supports the Open Database Connectivity (ODBC) or Java database connectivity (JDBC) drivers. So it also functions as a graphical front-end to other databases, and you can use it to edit and change them. Address books, spreadsheets, and delimited text files are read-only. You can import their data into Base, but whenever you make a change to the source document you have to import the new data; you can't change it or directly access it from Base.
My contacts are in a KDE address book. Importing this into Base is so easy your cat can do it:
File - New - Database
Connect to an existing database
Yes, register the database for me and open the database for editing
Click finish, name and save the new file
You will see something like Figure 2. Double-click on the Address Book table to see your imported data
If Base doesn't have an option to directly import from your address book, try exporting your addresses into a comma-delimited .csv file. Then in the "Connect to an existing database" dropdown list, choose "Text". The next screen asks for the path; be sure to check "Comma separated value files (*.csv)", and then select the correct delimiters. If it is a correctly-formed .csv file Base will have no problems with it. Here is an abbreviated example from my KDE address book export:
"Family Name","Given Name","Honorific Prefixes","Home Phone",
"Home Fax","Home Address Street","Home Address City",
"Home Address State","Home Address Zip Code"
"Robby","SIlaen","Mr.","","","Sumatera Utara",
"Indonesia","Medan","20154"
Even though there are line breaks for readability, the real line breaks are at the ends of the lines with no commas. You have to have the exact same number of fields in your field definitions line, which is the first line in the file, and in your data lines. In this example there are nine. Any empty fields need "" for a placeholder, and each field is separated by a comma. You can use a comma, single space, tab, colon, or a semi-colon for the delimiter.
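Before pointing Base at a text file, it is worth checking it the way Base will read it. The following is an added example (not from the article or from OpenOffice.org) that parses a delimited file with the rules just described, reports any data line whose field count differs from the field-definitions line, and re-emits a file with a different delimiter and every empty field kept as a "" placeholder. The sample is the article's export re-joined onto its real line breaks; the second, malformed record is constructed for the check.

```python
import csv
import io

# The article's abbreviated KDE export, joined back onto its real line breaks
# (the article wraps it for readability). Constructed copy of the sample data.
SAMPLE_CSV = (
    '"Family Name","Given Name","Honorific Prefixes","Home Phone",'
    '"Home Fax","Home Address Street","Home Address City",'
    '"Home Address State","Home Address Zip Code"\n'
    '"Robby","SIlaen","Mr.","","","Sumatera Utara",'
    '"Indonesia","Medan","20154"\n'
)

# Constructed record with only eight fields: the kind of line Base rejects.
BAD_ROW = '"Doe","John","","","","Main Street","Springfield","IL"\n'

# The delimiters the article says Base accepts.
DELIMITERS = {",": "comma", " ": "single space", "\t": "tab", ":": "colon", ";": "semi-colon"}


def check_csv(text: str, delimiter: str = ",") -> dict:
    """Parse `text` as Base would and report field-count mismatches.

    Returns {"fields": N, "rows": data-row count, "errors": [(line_no, found, expected), ...]}.
    Line 1 is the field-definitions line, so the first data line is line 2."""
    if delimiter not in DELIMITERS:
        raise ValueError("Base only accepts: " + ", ".join(DELIMITERS.values()))
    rows = list(csv.reader(io.StringIO(text), delimiter=delimiter, quotechar='"'))
    if not rows:
        return {"fields": 0, "rows": 0, "errors": []}
    header = rows[0]
    errors = [
        (i + 2, len(row), len(header))
        for i, row in enumerate(rows[1:])
        if len(row) != len(header)
    ]
    return {"fields": len(header), "rows": len(rows) - 1, "errors": errors}


def convert_delimiter(text: str, src: str, dst: str) -> str:
    """Re-emit the file with delimiter `dst`, quoting every field so that empty
    fields survive as the "" placeholders Base expects."""
    rows = list(csv.reader(io.StringIO(text), delimiter=src, quotechar='"'))
    out = io.StringIO()
    writer = csv.writer(out, delimiter=dst, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    report = check_csv(SAMPLE_CSV + BAD_ROW)
    for line_no, found, expected in report["errors"]:
        print(f"line {line_no}: {found} fields, expected {expected}")
```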
Source: LinuxPlanet.com
PCI DSS for Database Professionals for Credit Card

The Payment Card Industry Data Security Standard (PCI DSS) sets forth the security requirements for organizations that store, process and/or transmit credit or debit card transactions. These requirements stem from a series of affecting databases of consumer credit information over the past decade.
What does PCI DSS mean to you as a database professional? If you review the PCI DSS standard, you’ll find seventeen pages packed with detailed requirements for securing cardholder information. If your organization processes transactions, it’s a good idea to review the entire standard and ensure you’re meeting all of those requirements. That said, I’ll highlight a few salient points that pertain directly to database professionals.
Place the database in an internal network zone, segregated from the DMZ. PCI requires that you place your database server on your internal network and that you deny attempts to directly access the database from untrusted networks. Additionally, you must use private IP addresses for the database server.
Change vendor-supplied default passwords. You must ensure that your database uses strong passwords for all user accounts and that you change the passwords for any default accounts supplied by your database vendor.
Encrypt all non-console administrative access. You’re required to use encryption technology (e.g. VPN, SSL, ssh) to encrypt any administrative connections to the database. This reduces the risk of an eavesdropper obtaining administrative credentials to the database.
Keep cardholder data storage to a minimum. You should never store cardholder data that you no longer need. If you don’t need to store it, don’t. If you’re finished with it, purge it from your database. In all cases, you may never store data from the card’s magnetic stripe or the three digit security code on the back of the card.
Encrypt card numbers that you do store. If your business requirements dictate that you store card numbers, you must encrypt them using a strong encryption algorithm. Furthermore, you must use sound key management practices to limit access to the encryption keys.
Ensure that you patch your database regularly. A recent study revealed that many DBAs . PCI requires that you apply security updates within one month of their release.
Develop web applications securely. Granted, DBAs seldom have control over the code written by developers, but it's important that we act as security evangelists, educating developers about the risk posed by database attacks such as .
Practice secure user management. In addition to the controls you'd expect, such as requiring individual user accounts with strong passwords, you also need to in a fashion that limits access to those with a need to know.
Log everything. PCI requires that you record the name of the user, type of event, timestamp, and other technical information about any individual user access to cardholder data, administrator actions and failed authentication attempts.
This article provides only a high-level overview of the PCI DSS requirements most applicable to database administrators. I encourage you to and discuss it with other IT and business professionals in your organization.
Source: database.about.com