Home Network Security

For those of us who grew up in the 80’s, we can probably think back to a time when hackers were looked upon as pretty cool Robin Hood-style outriders who dared to stand up against oppressors. The movie WarGames captured that fascination with the possibilities of connectivity: blinking terminals, discarded fast food boxes and unfinished cans of flat cola. The reality nowadays is considerably murkier. Hardly a week goes by without a story breaking about the nefarious activities of the hacking ‘community’, which today is better described as organised crime. As we’ve seen in the past, it’s not just security agencies, nuclear launch facilities or evil dictators that get stiffed by hackers; it’s more often normal folk like us.

In recent years hacking has continued to hit the headlines almost every week. The most well known has to be the UK phone hacking scandal. Ironically, that wasn’t even a true example of hacking, as the clueless victims of the “hack” had merely neglected to change the PIN on their voicemail from its default setting. It all goes to show that the weakest link in the security chain is usually human stupidity. I suppose calling it “hacking” deflected the glare of publicity away from their own stupidity, but that’s another discussion for another day. The ones that hit the headlines are usually interesting in some way, but they pale into insignificance when compared with the millions of attempts made every day against the rest of us. Cybercrime is big business. We hear it so often that the words threaten to lose their impact.

According to the Trustwave 2016 Global Security Report, there were 26.6 million recorded victims of hacking and identity theft in a 12 month period during 2015, a number which roughly equates to one person being hacked every second. In 2015, 96% of all hacking attacks involved the theft of credit card or payment data, used in fraudulent online or at-the-till transactions. Over £24 billion was estimated to have been lost to identity theft by hackers, with a potential loss averaging £5,061 per household globally.

The checklist of items the hacker tends to go for are usernames, passwords, PINs, National Insurance numbers, phone and utility account numbers, bank and credit card details, employee numbers, driving licence and passport numbers, insurance documentation and account numbers, and any other financial background account details.

How they get this data ranges from acquiring remote access to your computer, SQL injections to a popular website, spoofing a banking or other financial website, remote code execution, exploits in website trust certificates, physical theft, and through social media.

On the subject of social media there are some interesting and worrying facts. According to sources, 18% of people under the age of 19 were the victims of a phishing scam, and 74% were victims when they followed links posted by people they know that they believed were legitimate. Furthermore, 74% of all social media users share their birthday information publicly. 69% shared the schools and universities they attended. An amazing 22% of users publicly share their phone numbers, and unsurprisingly, 15% share the names of their furry little friends.

If these numbers aren’t scary enough, there’s the fact that 15% of all Wi-Fi users worldwide are still using WEP encryption for their home Wi-Fi, and 91% of all public Wi-Fi hotspots are unsecured, unmonitored and available 24x7x365.

And finally, it’s estimated that 11% of all spam contains some kind of code designed to hijack your computer if opened. A further 8% of all spam contains links to websites that have been designed to grab information or download some trojan to gain access behind your firewall.


We’ve put together a number of measures to help you prevent hackers invading your private domain, whether in the cloud or locally inside your trusted networks.

We don’t suggest you take things to the extreme, but there is a happy medium where you do everything you reasonably can to protect yourself and educate yourself to spot the signs when they arise.


Starting with the home network there are a number of easy wins we can gain to stop the baddies from getting too close. Most of these steps are surprisingly simple.


This is one of the most common points of entry for someone to gain access to your home network. The router you received from your ISP may well be up to date and offer the best possible forms of encryption, but they have a weakness. They usually come with a limited number of preconfigured SSIDs and WIFI keys which can be found on the back of the router on a sticker.

It doesn’t take too much gumption to do a Google search and find out the SSIDs and Wi-Fi keys used by the big ISPs. It doesn’t help that your router is usually advertising itself as a BT, Sky or Virgin Media router, which just makes life easier for the baddies.

A reasonably savvy hacker can therefore gain access to your router, get connected, and even log in using the weak default logins. For this reason we recommend that our customers change the default router usernames and passwords to something more complex.


Most routers come with a level of encryption already active, but there are some examples where the default state of encryption may be extremely weak, or worse still, completely open.

If you scan your Wi-Fi using your phone and you see a padlock beside your network name then you at least know you have some encryption active. If you then look on your router and it tells you that the encryption method is WEP then you’ll need to fix that PDQ. WEP is the older standard of wireless encryption and can be cracked in less than fifteen minutes by using a variety of tools, all of which are freely available on the net. Unfortunately, WPA isn’t great either, but it’s generally strong enough to hold back low level hackers.


Every network interface has a unique identifier known as a MAC (Media Access Control) address, regardless of whether it’s a computer, tablet, phone or Sky box.

The idea behind MAC address filtering is simple enough. You obtain the MAC addresses of your devices at home and enter them into the router so that only those you know about are able to connect. Obviously, if you have loads of network connected devices this could take a while. But it will improve your chances against a drive-by hacker in a car outside your home with their laptop balanced on the dashboard.

But hey, MAC addresses can be spoofed, so while the junior hacker will likely give up the more determined one will not. Think of MAC address filtering as putting a padlock on the garden gate; it may stop most casual nasties from entering your garden, but those who really want to get in there will just jump over.


There are two schools of thought when it comes to hiding your network SSID. The first recommends hiding your router’s SSID from the public view, with the idea that invisibility to those around you makes you somehow immune to their attempts. But a hidden SSID may seem like a far more juicy target to a determined hacker with an SSID radio grabber. Both sides of the argument have merit. Are you successfully hidden by being invisible, or is the best hiding place in plain sight? Probably invisible on balance.


By default your router will automatically assign an IP address to any device that connects to it, so the pair, and the rest of the network, can communicate successfully.

DHCP (Dynamic Host Configuration Protocol) is the name for this feature, and it makes perfect sense. After all, who wants to have to add new IP addresses to new devices every time they connect to your network?

On the other hand, anyone who gains access to your router will now have a valid IP address which allows it to communicate with your network. So to some degree it’s worth considering opting out of DHCP controlled IP addresses and instead configuring your devices and computers to use something like as their range of IP addresses.

Like most good anti-hacking attempts though, this will only slow the intruder down.


This simple network protection act is one of the best, if done correctly.

Believe it or not, by moving your router to the centre of your house, or more to the rear (depending on where your closest neighbours or the road is), you are limiting the range of your wireless broadcast signal.

Most routers are located in the front room where the master phone socket usually is. This means the router can reach most corners of the house, and to some degree beyond the house. If someone was moving down the road, for example, sampling wireless networks then they would come across yours as they passed your house.

If the router is situated in a more central location, away from the front window, then the signal may be too weak to get a successful reading without having to stand on your porch.


Most people will already do this anyway. Since no one is using the router, what’s the point of wasting electricity?

However, a lot of people simply have their router powered on all the time, regardless of whether they are in the house or not. Granted there are those who will be running a server, or downloading something while at work or asleep, but the vast majority just keep it on.

If you’re not using the internet or any other home network resource, it’s a good idea to power off the router. And if you’re away for an extended period, then do the same.


cloud-computingHome network security is one thing, and frankly it’s not all that often you’ll get a team of hackers travelling down your street with the intent of gaining access to you and your neighbour’s home networks.

Where most of us fall foul in terms of hacking is when we’re online and surfing happily without a care in the world.


Passwords are the single weakest point of entry for the online hacker. Face it, how many of us use the same password for pretty much every website we visit? Some people even use the same password for access to a forum that they use for their online banking, pretty alarming we think you’ll agree.

Using the same password on every site you visit is like giving someone the skeleton key to your digital life. It’s a bloody pain having different passwords for every different site, but when you stop and think logically about it, doing so leaves you incredibly vulnerable to those who have ill intentions with regards to your identity and bank balance. For many a kind of compromise is usually sufficient. Many of the sites we use on the net that require us to use a password are pretty innocuous. Using the same password for this swathe is normally fine but make sure that you use strong passwords for those services that are really sensitive. More about that below.

Where passwords are concerned, using ‘12345’, ‘password’, or ‘qwerty’ isn’t going to stop someone from gaining access. And passwords such as ‘L3tmeIn’ aren’t much better either. Additionally, as we mentioned earlier, using the names of your pets may seem like a good idea, and mixing their names with your date of birth may even sound like a solid plan, but if you then go and plaster Mr Tiggywinkles, Rover or Fido’s name all over public posts on Facebook along with pictures of you blowing out the candles on your birthday cake, then you’ve seriously reduced the chances of your passwords staying secret.

Security questions and two-phase verification techniques are now being employed by a number of credible sites. What this means is that you basically enter more than one password to log into your account. Most online banking is done this way now, and sometimes includes a visual verification such as a pre-selected thumbnail image from a range that the user can click on to verify who they are.

If you have trouble coming up with passwords yourself, then there are a number of password managers available that can help you create highly secure combinations of letters, numbers, and special symbols unique for every website you visit. Even better they’ll even store them for you in the program itself in case you forget them. They are usually managed by one ultra secret master password. Be sure to keep that one complex and safe. Some examples are as follows.

LastPass – LastPass allows you to create a single username and password while securely entering the correct details.

Kaspersky Password Manager – A fully automated and powerful password manager that can store your username and password details, then enter them into the site for you while remaining encrypted throughout.

Either way, human beings are the weakest link in the secure password chain so any help you can get is to be welcomed.


David Glasser, the MD at Twitter US, recently admitted, “I hate to say it, but in reality, people need to share a little bit less about themselves.”

While there’s nothing wrong with letting your nearest and dearest know what you’re up to on Facebook, you really must consider the fact that they probably aren’t the only ones reading. Facebook and Twitter often come under fire for their attempts to make users’ newsfeeds public by default, so that you have to jump through hoops to limit who can view your own timeline.

It’s worth taking the time to double-check the security settings on all your social media sites and check back often. Are the things you’re posting on your timeline or feeds viewable by friends only, or friends of friends? Has it mysteriously been reverted back to public viewing? Are you sure you want to display that picture of you sat at your desk with all that information on the screen behind you?

As we said before publicly announcing your private details, like when you’re on your hols and for how long, the names and birthdays of you, your nearest and dearest, children, pets and so on, isn’t particularly smart, but hey we’re all guilty of it.


The newsworthy hacking events involving Pippa Middleton and many others have rammed home the fact that cloud storage isn’t quite as secure as we’d like to think.

Every device, either Android, Microsoft, or Apple, is capable of backing up your photos to its own particular cloud storage solution – sometimes it’s even a default setting. Most of the time the cloud solutions used are so secure that anyone trying to hack into them will have a pretty rough time of it, and no doubt bring down the wrathful vengeance of Google or Apple upon themselves. How the celebrity photos and videos were obtained is something you’ll have to find out for yourselves, but if storing stuff on the cloud is alarming you there are a couple of choices.

The first is to encrypt everything locally on your computer before uploading it to the cloud. This will take time, we’ll grant you, but it means only you’ll be able to decrypt them. Secondly, you could always compress everything first, using WinZip/WinRAR etc., then password-protect the compressed file. Breaking into a password-protected archive takes far longer than it’s actually worth, providing you’re not a celebrity, so most hackers won’t bother.

Finally, there are cloud storage solutions that encrypt the data on the device before uploading it to the also fully encrypted servers e.g. SpiderOak and Tresorit.


The very fact that you’re online makes you a potential target. If you’re sitting back and saying “they’ll have no interest in me” you’re sadly mistaken. Let’s face it, you’re easy to find, easy to hack, and probably won’t do much about it when you do get hacked. It’s in your best interests to stay up to speed with the latest hacking techniques and how to defend yourself against them.

Spread Spectrum Modulation Techniques

Wireless Local Area Networking technology today exploits a technology which was thitherto mostly hidden inside the shadowy domain of military communications and radar. This technology comprises a collection of ideas which are termed Spread Spectrum Techniques (SST). Spread Spectrum techniques have some powerful properties which make them an excellent candidate for networking applications. To better understand why, we will take a closer look at this fascinating area, and its implications for networking.

Spreading the Spectrum

The first major application of Spread Spectrum Techniques (SST) arose during the mid-sixties, when NASA employed the method to precisely measure the range to deep space probes. In the following years, the US military became a fan of SST due to its ability to withstand jamming (ie intentional interference), and its ability to resist eavesdropping.

Today this technology forms the basis for the ubiquitous Global Positioning System (GPS), the not so ubiquitous NMIDS (Nato Multifunction Information Distribution System/AWACS) datalink (used between aircraft, ships and land vehicles), and last but not least, the virtually undetectable bombing and navigation radar on the bat-winged B-2 bomber. If you ever get asked what technology your home shares with a stealth bomber (excluding astronomical cost), you can state without fear of contradiction that it uses the same class of modulation algorithm.

How is this black magic achieved? The starting point is Claude Shannon’s information theory, a topic beloved by diehard communications engineers. Shannon’s formula for channel capacity is a relationship between achievable bit rate, signal bandwidth and signal to noise ratio.

Shannons theory states that channel capacity is proportional to bandwidth and the logarithm to the base of two of one plus the signal to noise ratio, or:

Capacity = Bandwidth*log2 (1 + SNR).

What this means is that the more bandwidth and the better the signal to noise ratio, the more bits per second you can push through a channel. This is indeed common sense. However, let us consider a situation where the signal is weaker than the noise which is trashing it. Under these conditions this relationship becomes much simpler, and can be approximated by Capacity/Bandwidth = 1.44 × SNR.

What this says is that we can trade signal to noise ratio for bandwidth, or vice versa. If we can find a way of encoding our data into a large signal bandwidth, then we can get error free transmission under conditions where the noise is much more powerful than the signal we are using. This very simple idea is the secret behind spread spectrum techniques.

Consider the example of a 3 kHz voice signal which we wish to send through a channel with a noise level 100 times as powerful as the signal. Manipulating the preceding equation, we soon find that we require a bandwidth of 208 kHz, which is about 70 times greater than the voice signal we wish to carry. Readers with a knowledge of radio will note here that this idea of spreading is a central part of FM radio and the reason why it produces better sound quality compared to the simpler AM scheme.
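The voice-signal numbers above, worked through in a small added Python calculation (ours, not the article’s): it applies Shannon’s formula exactly and with the low-SNR approximation, with the 3 kHz signal treated as 3000 bit/s to be carried, as the text assumes.

```python
import math


def shannon_capacity(bandwidth_hz, snr):
    """Shannon's channel capacity in bit/s: C = B * log2(1 + SNR).
    snr is a linear power ratio (signal power / noise power), not dB."""
    return bandwidth_hz * math.log2(1.0 + snr)


def bandwidth_for_capacity(capacity_bps, snr):
    """Exact inversion of Shannon's formula: B = C / log2(1 + SNR)."""
    return capacity_bps / math.log2(1.0 + snr)


def bandwidth_low_snr_approx(capacity_bps, snr):
    """Low-SNR approximation used in the text: C/B ~= 1.44 * SNR, so
    B ~= C / (1.44 * SNR). The 1.44 is 1/ln 2; it holds when SNR << 1."""
    return capacity_bps / (1.44 * snr)


def db_to_linear(db):
    """Convert a power ratio in dB to a linear ratio."""
    return 10.0 ** (db / 10.0)


def spreading_example(message_bps=3000.0, noise_to_signal=100.0):
    """The article's case: a 3 kHz voice signal (treated as 3 kbit/s to carry)
    under noise 100 times as powerful as the signal, i.e. SNR = 0.01 (-20 dB)."""
    snr = 1.0 / noise_to_signal
    approx = bandwidth_low_snr_approx(message_bps, snr)
    exact = bandwidth_for_capacity(message_bps, snr)
    return {
        "snr_db": 10.0 * math.log10(snr),
        "bandwidth_approx_hz": approx,     # about 208 kHz
        "bandwidth_exact_hz": exact,       # about 209 kHz
        "spreading_factor": exact / message_bps,  # about 70
    }


if __name__ == "__main__":
    for key, value in spreading_example().items():
        print(f"{key}: {value:.2f}")
```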

Other than punching through large levels of background noise, why would we otherwise consider using spread spectrum techniques ? There are a number of good practical reasons why spread spectrum modulation is technically superior to the intuitively more obvious techniques such as AM and FM, and all of the hybrids which lie in between.

  • The Ability to Selectively Address. If we are clever about how we spread the signal, and use the proper encoding method, then the signal can only be decoded by a receiver which knows the transmitter’s code. Therefore by setting the transmitter’s code, we can target a specific receiver in a group, or vice versa. This is termed Code Division Multiple Access, or CDMA.
  • Bandwidth Sharing. If we are clever about selecting our modulation codes, it is entirely feasible to have multiple pairs of receivers and transmitters occupying the same bandwidth. This would be equivalent to having say ten TV channels all operating at the same frequency. In a world where the radio spectrum is being busily carved up for commercial broadcast users, the ability to share bandwidth is a valuable capability.
  • Security from Eavesdropping. If an eavesdropper does not know the modulation code of a spread spectrum transmission, all the eavesdropper will see is random electrical noise rather than something to eavesdrop. If done properly, this can provide almost perfect immunity to interception.
  • Immunity to Interference. If an external radio signal interferes with a spread spectrum transmission, it will be rejected by the demodulation mechanism in a fashion similar to noise. Therefore we return to the starting point of this discussion, which is that spread spectrum methods can provide excellent error rates even with very faint signals.
  • Difficulty in Detection. Because a spread spectrum link puts out much less power per bandwidth than a conventional radio, this means that they can coexist with other more conventional signals without causing catastrophic interference to narrowband links.

These characteristics endeared spread spectrum comms to the military community, who are understandably paranoid about being eavesdropped and jammed. However, the same properties are no less useful for local area networking over radio links. Indeed these are the reasons why the current IEEE draft specification for radio LANs is written around spread spectrum modulations. To better understand the inner workings of this fascinating area, we will now more closely examine the various choices we have for spread spectrum designs. The two basic methods are indeed both used in LAN equipment.

Direct Sequence Systems 

Direct Sequence (DS) methods are the most frequently used spread spectrum technique, and also the conceptually simplest to understand. DS modulation is achieved by modulating the carrier wave with a digital code sequence which has a bit rate much higher than that of the message to be sent. This code sequence is typically a pseudorandom binary code (often termed “pseudo-noise” or PN), specifically chosen for desirable statistical properties. In effect we are transmitting a wideband noise like signal which contains embedded message data. The time period of a single bit in the PN code is termed a chip, and the bit rate of the PN code is termed the chip rate.

A wide range of pseudorandom codes exist which can be applied to this task. These codes should ideally be balanced, with an equal number of ones and zeroes over the length of the sequence (also termed the code run), as well as being cryptographically secure. This is necessary because a spread spectrum system which uses a cryptographically insecure code will still possess the properties previously discussed, but if an eavesdropper can synchronise on to the signal they will eventually be able to crack it and extract the data. Using a secure code prevents this. The mechanics of generating pseudorandom codes is a fascinating area within itself. The most commonly used approach for producing a wide range of code types is the use of a tapped register with feedback as well as a modulo 2 adder. These are very simple to implement in hardware.

A PN code generator of this type uses a register with taps between selected stages. The tapped bits are added modulo 2 (XORed) and the result is fed back into the input stage of the register. The state machine produced in this fashion will periodically cycle through the same PN sequence as the clock is applied.

Significantly, code sequences of up to thousands of bits in length can be produced with about a dozen register stages. With modern VLSI techniques it is feasible to build generators with clock speeds up to hundreds of MHz on a single die; moreover, recent high speed Emitter Coupled Logic (ECL) devices allow the creation of generators with clock speeds into the GHz region.

Having produced a black box which generates a PN code with the required characteristics, the process of combining the PN modulation with the data to be transmitted, and modulating this upon a carrier is not technically difficult at all. The simplest technique, one of many, is to invert the PN code when a ‘0’ bit of message data is to be sent, and to transmit the PN code unchanged when a ‘1’ bit of message data is to be sent. This technique is termed Bit Inversion Modulation. The result is a PN code with an embedded data message.

The simplest form of carrier modulation which can be used is AM, however in practice one or another form of Phase Shift Keying (PSK) is usually employed. PSK schemes are commonly used in modems, and involve the modulation of the carrier phase with the data signal. In a DS transmitter using Binary PSK, the carrier wave is phase shifted back and forth 180 degrees with each 1 or 0 in the PN code chip stream being sent. The process of modulating the carrier with the PN code is often termed spreading.

The internals of a DS receiver are somewhat more complex than those of the transmitter, but not vastly so. The central idea in all SST receivers is the use of the correlation operation.

Correlation, a favourite method of our friends in the statistics community, is a mathematical operation which determines a measure of likeness or similarity between two sets of data or two time processes. In an SST receiver, the correlation operation is used to measure the similarity of a received PN code sequence to an internally generated PN code sequence. Ideally, if these PN sequences are the same, a high correlation will be detected, whereas if the codes are different, a low correlation is detected.

Mathematically the correlation operation, in its simplest form, is the integral of the product of two time varying functions. In a DS receiver of the simplest kind, the hardware maps directly onto the basic maths. The correlator is built by combining a multiplier with a low pass filter (ie integrator in a control engineer’s language).

One of the two time varying functions is the received PN modulated signal, the other is the PN sequence produced by a PN generator internal to the receiver. In the simplest situation, the receiver’s PN generator is a clone of the PN generator in the transmitter.

The multiplier can be one of many designs; importantly, it multiplies just two single values at a time and is therefore trivially simple. Classical textbooks cite the analogue doubly balanced mixer as the standard multiplier. The output from the multiplier is a time varying measure of the similarity between the two codes, blended with the remnants of uncorrelated (ie real) noise and interfering signals.

The integration operation disposes of the latter, and we are then left with the data which we intended to extract. This series of operations is often termed despreading. In practice, we often need to synchronise our receiver’s PN generator to the incoming SST signal, therefore there is often much additional complexity required to produce an internal reference PN sequence in proper sync with the incoming message PN sequence.

At this point it is worth reflecting upon what we have. We can generate either cryptographically secure or insecure codes. We can embed a digital data stream in one or another fashion into the code stream. All of this can be performed with pure digital logic. Once we have a combined data/code stream, we can use a very simple analogue modulation to put the message upon a carrier.

The resulting radio signal looks like white noise to a third party who doesn’t know the code. Our receiver shares similar hardware design with our transmitter. It uses a trivial demodulation scheme, and extracts digital data from the incoming PN data/code stream. Other radio signals occupying our bandwidth are largely ignored. Whilst an SST transmitter-receiver pair may be conceptually more complex to understand than most classical analogue schemes, it is well suited to implementation in digital logic because most of the smarts at either end of the link are purely digital. This means that such hardware can be made much more compact than many classical narrowband analogue schemes, which often require a lot of analogue hardware which may or may not be easy to squeeze into Silicon.

Consider a narrowband 16 or 64 level QAM scheme, which is not only vulnerable to interference and noise, but also requires a digital signal processing chip to demodulate. For those readers with a bent toward radio engineering, the spectral envelope of a DS system is typically a sinc (sin x/x) function, with suppressed outer sidebands beyond the first null, and often a suppressed carrier. A parameter which radio types will appreciate is process gain, a measure of the signal to noise ratio improvement achieved by despreading the received signal. For a DS system it is typically about twice the ratio of RF bandwidth to message bandwidth. Therefore to improve your ability to reject interference by 20 dB, you need to increase your chip rate by a factor of 100.
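The pieces described in this section (the tapped-register PN generator with modulo-2 feedback, Bit Inversion Modulation, BPSK baseband symbols and the multiply-and-integrate correlator) as an added Python simulation; this is our illustration, not the article’s or any product’s code. It assumes a 7-stage register with the polynomial x^7 + x^6 + 1 giving a 127-chip code, noise four times as powerful as the signal, and a receiver that is already chip-synchronised.

```python
"""Toy direct sequence (DS) link: LFSR pseudo-noise code, bit-inversion spreading,
BPSK baseband symbols, noise stronger than the signal, and a correlator receiver."""
import math
import random


def _lfsr_step(state, taps, n):
    # Modulo-2 (XOR) sum of the tapped stages is shifted into the top of the register.
    feedback = 0
    for t in taps:
        feedback ^= (state >> (n - t)) & 1
    return (state >> 1) | (feedback << (n - 1))


def lfsr_pn_sequence(taps, seed, length):
    """Fibonacci LFSR PN generator. taps are polynomial exponents, e.g. [7, 6] for
    x^7 + x^6 + 1, which is primitive and gives a maximal 127-chip sequence.
    The output chip is the low bit of the register state."""
    n = max(taps)
    state = seed & ((1 << n) - 1)
    if state == 0:
        raise ValueError("an all-zero register never leaves the zero state")
    chips = []
    for _ in range(length):
        chips.append(state & 1)
        state = _lfsr_step(state, taps, n)
    return chips


def lfsr_period(taps, seed):
    """Clocks until the register state repeats (2**n - 1 for a primitive polynomial)."""
    n = max(taps)
    start = seed & ((1 << n) - 1)
    state = _lfsr_step(start, taps, n)
    count = 1
    while state != start:
        state = _lfsr_step(state, taps, n)
        count += 1
    return count


def bipolar(bits):
    """Binary PSK baseband: chip 1 -> +1 (0 degrees), chip 0 -> -1 (180 degrees)."""
    return [1.0 if b else -1.0 for b in bits]


def spread(data_bits, pn):
    """Bit Inversion Modulation: the PN code is sent unchanged for a '1' data bit
    and inverted for a '0' data bit, so each data bit becomes len(pn) chips."""
    chips = []
    for b in data_bits:
        chips.extend(pn if b == 1 else [1 - c for c in pn])
    return chips


def correlate(a, b):
    """Correlation of two equal-length bipolar sequences: sum of pointwise products
    (the multiplier followed by the integrator described in the text)."""
    return sum(x * y for x, y in zip(a, b))


def despread(samples, pn):
    """Correlator receiver: multiply each code period of the received samples by the
    local PN replica and integrate; the sign of the result is the recovered data bit.
    Assumes the receiver is already chip-synchronised with the transmitter."""
    ref = bipolar(pn)
    n = len(pn)
    return [1 if correlate(samples[i:i + n], ref) > 0 else 0
            for i in range(0, len(samples) - n + 1, n)]


def add_gaussian_noise(symbols, sigma, rng):
    """Additive noise of power sigma**2 per chip (the signal power is 1 per chip)."""
    return [s + rng.gauss(0.0, sigma) for s in symbols]


def ds_link_demo(data_bits, noise_sigma=2.0, rng_seed=1):
    """Run the link with noise power noise_sigma**2 (4x the signal power by default,
    i.e. SNR = -6 dB) and decode with the correct code and with a shifted (wrong) code."""
    pn = lfsr_pn_sequence([7, 6], seed=1, length=127)
    tx = bipolar(spread(data_bits, pn))
    rx = add_gaussian_noise(tx, noise_sigma, random.Random(rng_seed))
    wrong_pn = pn[5:] + pn[:5]  # same sequence at the wrong code phase
    return {
        "right_code": despread(rx, pn),
        "wrong_code": despread(rx, wrong_pn),
        "process_gain_db": 10.0 * math.log10(len(pn)),  # about 21 dB for 127 chips
    }


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0] * 4  # constructed sample data
    out = ds_link_demo(msg)
    print("decoded correctly:", out["right_code"] == msg)
    errors = sum(a != b for a, b in zip(out["wrong_code"], msg))
    print("wrong-code bit errors: %d of %d" % (errors, len(msg)))
    print("process gain: %.1f dB" % out["process_gain_db"])
```

With the right code the data comes out error-free despite the noise being four times as powerful as the signal; with the same code at the wrong phase the correlation over a period is -1 instead of +127, so the decisions are essentially coin tosses.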

Frequency Hopping Systems 

Frequency Hoppers (FH) are a more sophisticated and arguably better family of spread spectrum techniques than the simpler DS systems. However, performance comes with a price tag here, and FH systems are significantly more complex than DS systems. The central idea behind a FH system is to retune the transmitter RF carrier frequency to a pseudorandomly determined frequency value. In this fashion the carrier keeps popping up at different frequencies, in a pseudorandom pattern. The carrier itself can be modulated directly with the data using one of many possible schemes. The available radio spectrum is thus split up into a discrete number of frequency channels, which are occupied by the RF carrier pseudorandomly in time.

Unless you know the PN code used, you have no idea where the carrier wave is likely to pop up next, therefore eavesdropping will be quite difficult. Frequency hoppers are typically divided into fast and slow hoppers. A slow frequency hopper will change carrier frequency pseudorandomly at a frequency which is much slower than the data bit rate on the carrier. A fast frequency hopper will do so at a frequency which is faster than that of the data message.

Hybrid (FH/DS) Systems

If we are really paranoid about being eavesdropped, we can take further steps to make our signal difficult to find. A commonly used example is that of a hybrid spread spectrum system using both FH and DS techniques. Such schemes will typically employ frequency hopping of the carrier wave, while concurrently using a DS modulation technique to modulate the data upon the carrier.

In this way an essentially DS modulated message is hopped about the spectrum. To successfully intercept such a signal you must first crack the FH code, and then crack the DS code. If you want to be even more secure, you encrypt your data stream with a very secure crypto code before you feed it into your DS modulator, and employ cryptographically secure PN codes for the DS and FH operations. Your eavesdropper then has to chew his way through three levels of encoding. Such a scheme is used in the NMIDS (Nato Multifunction Information Distribution System/AWACS) datalink.


Spread Spectrum techniques are technologically superior to conventional narrowband modulation techniques in a number of important areas. They form the datalink layer of today’s WLANs in operation in most households in the UK as well as in most offices. Their ubiquity belies their complexity, and without SST the modern day advantages of mobile telephony as well as wireless LAN networking would not be possible. If your organisation needs assistance with its radio communications in the field of wireless networking, give us a call free today on 0800 012 1090. We look forward to your call.

Security At the Edge: Locking Down the Network Perimeter

When securing your company’s network, it’s best to start on the edges — the perimeter — where the system interfaces with the rest of the world. It’s an approach that makes sense. While installing safeguards deep inside the network is a good idea for securing against some types of threats, you’ll generally get the broadest protection — and the biggest bang for your security buck — by building up protection along the edges.

To begin planning a perimeter-oriented network-defence strategy, one has to understand exactly where the perimeter lies and what technologies are involved. Put simply, the perimeter is the network’s boundary: the frontier where data flows in from (and out to) other networks, including the Internet. Perimeter defense functions like a checkpoint, allowing authorized data to enter unencumbered while blocking suspicious traffic.

Perimeter-checkpoint duty is handled by several different technologies, including border routers, firewalls and a variety of other specialized security products. Let’s take a look at each of these technologies and the roles that they play in perimeter security.

Border Routers: Network routers work much like traffic policemen, directing data into, out of and within networks. A border router is a special type of router: the one that stands between your network and an external network, such as the Internet. Therefore, the border router is like a traffic policeman posted at a spot located on the main road into a town — the one who spots the registration plate on the bad guy’s car. Since all Internet traffic passes through the border router, it’s a logical place for filtering.

Firewalls: A firewall’s basic job is to permit or stop data flowing into or out of a network. For perimeter defence, firewalls are available as software (installed inside a router) or as stand-alone hardware appliances. A firewall can provide services such as stateful inspection (analysing transactions to ensure that inbound packets were requested); packet filtering (blocking data from specified IP addresses and ports); and NAT (network address translation), which presents a single IP address — representing multiple internal IP addresses — to the outside world.

IDS (Intrusion Detection Systems): An IDS protects networks by analysing traffic for suspicious activity. If something unusual is detected, the IDS alerts the network administrator, who can then take action to stop the event that is taking place. In fact, an IDS is often described as a network burglar alarm. Various vendors offer IDS products with a range of different capabilities, enabling customers to easily find a system that most closely matches their security and budgetary needs.

IPS (Intrusion Prevention Systems): An IPS is similar to an IDS, except that the product is designed to take immediate action — such as blocking a specific IP address or user — rather than simply issuing an alert. Some products also use behavioral analysis to spot and stop potentially dangerous data. The line between IDS and IPS technologies is blurring, so it’s now possible to find an IDS that incorporates IPS functions.

VPN (Virtual Private Networks): A VPN provides perimeter security by encrypting the data sent between a business network and remote users over the Internet. In essence, the technique creates a private tunnel through the Internet. VPN technology is widely popular and is used by enterprises of all sizes. The approach’s biggest threat is from an attacker who figures out a way of compromising an authorized user’s system, then gains control of an encrypted pathway into the company network.

DMZ (Demilitarized Zones): Borrowing its name from the no-man’s-land created between North Korea and South Korea at the end of the Korean War, a DMZ is a neutral area that is created outside the firewall between a company’s network and an external network, such as the Internet. One way of forming a DMZ is to install a host (a dedicated server) that resides between the two networks. The DMZ host can initiate sessions for Web pages, email and other requests on the public network. The system can’t, however, initiate a session back into the company’s network — it can only forward packets that have already been requested. The technique prevents unrequested and potentially destructive data from entering a company’s network.

Perimeter network security works by providing several layers of protection at the network’s edge. Different security technologies working in unison create a fortress-like barrier that can thwart most types of attackers. Perimeter security can’t, however, block all attacks — particularly a DoS (denial-of-service) onslaught. Yet a well-planned system will efficiently deflect most network threats, providing peace of mind for business owners and managers, network administrators, and end users.

Strong cryptography in PHP

If you are a professional web developer, security is an important aspect of your job. If you are planning to store some critical or sensitive data in your web application, like passwords, credit cards, etc, you should use strong cryptography to protect the data.

What is strong cryptography?

Strong cryptography is the use of systems or components that are considered highly resistant to cryptanalysis, the science of breaking codes.

Theoretically speaking, if we encrypt and store sensitive data in a database or file, a malicious attacker will not be able to decrypt it without prior knowledge of the key, a sequence of elements used to encrypt or decrypt data.

How can we prove that an attacker will not be able to decrypt the data? Unfortunately, the honest answer is that we cannot be sure. We can only obtain a good level of security by using well-tested cryptographic algorithms (strong cryptography).

By way of an example, the ENIGMA cipher, used in the Second World War, was a system to encrypt communication between German soldiers. It is not considered cryptographically strong today.
DES, a FIPS standard algorithm in 1976 that, unfortunately, is still used in many systems, is not considered strong cryptography any more. In 1998 the Electronic Frontier Foundation (EFF) built a machine, the EFF DES cracker, to perform a brute-force search of the DES cipher’s key space — that is, to decrypt an encrypted message by trying every possible key. The aim in doing this was to prove that DES’s key is not long enough to be secure. This machine was able to find the key of an encrypted message in less than 1 day, and bear in mind this was 1998.
Currently, some of the algorithms that can be considered cryptographically strong are: Blowfish, Twofish, Advanced Encryption Standard (AES, Rijndael), 3DES, Serpent, RSA, etc. It is important to say that the security of an algorithm is related to the strength and the size of the key.

Why should we use strong cryptography?

Many developers try to implement their own personal cipher using different approaches. On the internet you can find many implementations of homemade ciphers in PHP. We strongly discourage the use of these homemade ciphers. Creating a secure cipher is a very complex undertaking which can only be completed by an expert. In addition to this, the testing phase of the design of the cipher will require some time to prove it is secure.

Strong cryptography in PHP

PHP offers different implementations of the most important cryptographic algorithms. In particular PHP has the following cryptographic extensions:

  • Hash
  • mcrypt
  • OpenSSL

The Hash extension requires no external libraries and is enabled by default as of PHP 5.1.2. This extension replaces the old mhash extension. With this extension you can generate hash values or HMACs (Hash-based Message Authentication Codes). It supports the most common hash algorithms used in strong cryptography. If you want to know which algorithms are supported by your PHP environment you can use the function hash_algos(), which returns a list of all the supported algorithms. For more information about this extension refer to the PHP manual.

The mcrypt extension is an interface to the mcrypt library, which supports a wide variety of block algorithms such as DES, 3DES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes. This extension is the most frequently used method in PHP to encrypt data using symmetric ciphers.

The OpenSSL extension uses the functions of the OpenSSL project for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data. You can use OpenSSL to protect data using public key cryptography with the RSA algorithm.

Best practices in PHP

So far we have discussed some general aspects of strong cryptography. We now look at some recommendations for best practice in the field.

Use standard algorithms
Always use a standard algorithm to encrypt your data. Don’t try to implement your own homemade cipher: you will spend a lot of time and energy without obtaining any real security. Our primary suggestion is to use the best algorithms available. Examples of algorithms which are cryptographically strong are:
– Symmetric-key algorithms: AES, which has been a FIPS 197 standard since 2001;
– Public-key algorithms: RSA, an industry standard algorithm used in many products;
– Hash functions: SHA-x, where x can be 1, 256, 384 or 512. SHA is a NIST standard.

Key space
When we talk about the security of a cipher, the key space is one of the most important parameters. If no explicit design strength is given for a cipher, the design strength is equal to the key size. For instance, the DES cipher uses a 56-bit key, which means the key space is 2^56. This number may seem huge, but it is within the grasp of modern computers.

For symmetric ciphers we would say that 128 bits is the minimum size for a strong cryptographic key. With regard to public-key cryptography, experts recommend a minimum size of 2048 bits or so if we want to protect our data for 20 years.

Kerckhoffs’s principle
Auguste Kerckhoffs was a Dutch linguist and cryptographer who was professor of languages at the School of Higher Commercial Studies in Paris in the late 19th century. He wrote, in a famous article in “le Journal des Sciences Militaires”, the following sentence, which is considered seminal in modern cryptography:

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge

or, in Shannon’s formulation, “The enemy knows the system”. In our opinion, in the software world the only true security is achieved by the use of open source algorithms. If the source code has been tested by thousands of people around the world, the probability of finding a security bug, and consequently a security fix, is higher with open source software than with closed source.

Don’t use rand() or mt_rand()
You cannot implement a secure random number generator using the rand() function or the mt_rand() function of PHP. The rand() function uses the libc library to generate pseudo-random numbers that are not secure for cryptographic applications. It generates random numbers using a linear additive feedback method, with a short period, that is predictable. Even the mt_rand() function is not secure from a cryptographic standpoint. It uses the Mersenne Twister algorithm to generate pseudo-random numbers. This function is better than rand() because it is faster and it produces pseudo-random numbers with a bigger period, but it is still a deterministic algorithm, so it is predictable. To generate a cryptographically strong random number in PHP you have to use the function openssl_random_pseudo_bytes() from the OpenSSL extension. This function is available starting from PHP 5.3; if you are using an older version of PHP you can use this implementation:

function secure_rand($length) {
  // Prefer the OpenSSL CSPRNG when it is available and reports itself as strong.
  if (function_exists('openssl_random_pseudo_bytes')) {
    $rnd = openssl_random_pseudo_bytes($length, $strong);
    if ($strong === TRUE)
      return $rnd;
  }
  // Fallback for older PHP: derive each byte from a SHA-1 hash of mt_rand() output.
  $rnd = '';
  for ($i = 0; $i < $length; $i++) {
    $sha  = sha1(mt_rand());          // 40 hex characters
    $char = mt_rand(0, 30);           // pick a position; $char + 1 stays in range
    $rnd .= chr(hexdec($sha[$char] . $sha[$char + 1]));
  }
  return $rnd;
}

In this implementation we hash the mt_rand() outputs. This method improves on the raw Mersenne Twister output but does not offer the same level of security as the OpenSSL implementation.

Use a salt value in hash functions
If you are using a hash function to protect data, for instance a password, concatenate the data with a random value (salt) before you generate the hash. A random salt will protect your data from dictionary attacks.

Size and strength of the passwords
Don’t make it possible for users of your web application to choose small or dummy passwords. You should always use passwords with, at least, 8 characters mixed with numbers and letters. You can use the CrackLib library to test the “strength” of a password.
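The two points above, salting the hash and enforcing a minimum password policy, as an added example that is not code from the original post. It uses only standard PHP functions (openssl_random_pseudo_bytes(), hash(), pack(); hash_equals() where PHP 5.6 or later is available, with a fallback otherwise); the stored format hex(salt)$hex(hash) and the sample passwords are our own constructed choices.

```php
<?php
// Added example: salted password hashing with a random per-user salt, plus
// the post's minimum password policy (8+ characters, letters and digits).

// Policy check from the post: at least 8 characters, mixing letters and digits.
function password_meets_policy($password) {
    return strlen($password) >= 8
        && preg_match('/[A-Za-z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

// Random salt from OpenSSL's CSPRNG; $strong tells us whether it really was strong.
function make_salt($bytes = 16) {
    $salt = openssl_random_pseudo_bytes($bytes, $strong);
    if ($salt === false || $strong !== true) {
        throw new RuntimeException('No cryptographically strong randomness available');
    }
    return $salt;
}

// Hash salt||password with SHA-256 and store the salt next to the digest,
// so it can be recovered at verification time. Format (constructed): hex(salt)$hex(hash)
function hash_password($password) {
    $salt   = make_salt();
    $digest = hash('sha256', $salt . $password, true);
    return bin2hex($salt) . '$' . bin2hex($digest);
}

// Constant-time comparison so a wrong guess does not leak how many bytes matched.
function timing_safe_equals($a, $b) {
    if (function_exists('hash_equals')) {   // PHP >= 5.6
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function verify_password($password, $stored) {
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2) {
        return false;                        // malformed record
    }
    $salt     = pack('H*', $parts[0]);       // hex -> binary, works on PHP 5.3
    $expected = pack('H*', $parts[1]);
    $actual   = hash('sha256', $salt . $password, true);
    return timing_safe_equals($expected, $actual);
}

// Usage with constructed sample values.
$pw = 'correct horse 42';
var_dump(password_meets_policy('password'));          // rejected: no digits
var_dump(password_meets_policy($pw));
$stored = hash_password($pw);
var_dump(verify_password($pw, $stored));
var_dump(verify_password('wrong horse 42', $stored));
```

Two caveats for anyone reusing this. First, a salt defeats precomputed dictionary and rainbow tables, but a single fast SHA-256 still lets an attacker who steals the database test candidate passwords very quickly per user; on PHP 5.5 or later the built-in password_hash() and password_verify() (bcrypt, with their own salt handling) are the better choice for passwords. Second, the salt is not a secret and can be stored alongside the hash as shown; what must stay secret is the password itself.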

Don’t use plaintext passwords as key for ciphers
A good practice in cryptography, when using symmetric ciphers, is to use a hashed value as the key of the cipher. This method improves the security of the encrypted data by adding more randomness. That means that if you want to generate a good key for a cipher, you should take the hash of the password and use that as the key of your encryption algorithm.

Use Base64 to encode encrypted data
If you need to exchange encrypted data with different systems, for instance when transmitting data over the internet, it is recommended to encode the data in Base64. In PHP you can use the functions base64_encode() and base64_decode(). This encoding will guarantee that your data will be stored correctly independently of the encoding system used in your environment.
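Pulling the recommendations together (a standard algorithm, a key derived from the password rather than the password itself, and Base64 for transport), here is an added example that is not code from the original post. It uses the OpenSSL extension's openssl_encrypt()/openssl_decrypt() with AES-256-CBC, hash_pbkdf2() (PHP 5.5 or later) for the key derivation, hash_hmac() from the Hash extension to authenticate the ciphertext, and hash_equals() (PHP 5.6 or later). The byte layout of the encoded blob, the iteration count and the sample secret and passphrase are our own constructed choices.

```php
<?php
// Added example: password-derived AES-256-CBC encryption with an HMAC tag,
// Base64-encoded for exchange with other systems.

const CIPHER            = 'aes-256-cbc';   // AES (FIPS 197), 256-bit key
const SALT_LEN          = 16;
const IV_LEN            = 16;              // AES block size
const TAG_LEN           = 32;              // HMAC-SHA256 output
const PBKDF2_ITERATIONS = 100000;          // constructed choice; raise as hardware allows

function strong_random($length) {
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('No cryptographically strong randomness available');
    }
    return $bytes;
}

// Derive two independent 32-byte keys (one for encryption, one for the MAC)
// from the password and a per-message salt. The cipher never sees the
// plaintext password itself.
function derive_keys($password, $salt) {
    $material = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 64, true);
    return array(substr($material, 0, 32), substr($material, 32, 32));
}

// Blob layout before Base64 (constructed): salt(16) || iv(16) || ciphertext || tag(32)
function encrypt_for_transport($plaintext, $password) {
    $salt = strong_random(SALT_LEN);
    $iv   = strong_random(IV_LEN);      // fresh IV per message; never reuse with one key
    list($encKey, $macKey) = derive_keys($password, $salt);
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    // Encrypt-then-MAC over everything the receiver will parse, so tampering
    // with salt, IV or ciphertext is detected before decryption is attempted.
    $tag = hash_hmac('sha256', $salt . $iv . $ct, $macKey, true);
    return base64_encode($salt . $iv . $ct . $tag);
}

// Returns the plaintext, or false for malformed, tampered or wrong-password input.
function decrypt_from_transport($encoded, $password) {
    $blob = base64_decode($encoded, true);   // strict: reject non-Base64 input
    if ($blob === false || strlen($blob) < SALT_LEN + IV_LEN + TAG_LEN) {
        return false;
    }
    $salt = substr($blob, 0, SALT_LEN);
    $iv   = substr($blob, SALT_LEN, IV_LEN);
    $tag  = substr($blob, -TAG_LEN);
    $ct   = substr($blob, SALT_LEN + IV_LEN, strlen($blob) - SALT_LEN - IV_LEN - TAG_LEN);
    list($encKey, $macKey) = derive_keys($password, $salt);
    // Verify the tag in constant time before touching the ciphertext.
    $expected = hash_hmac('sha256', $salt . $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        return false;
    }
    return openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
}

// Usage with a constructed secret and passphrase.
$token = encrypt_for_transport('card data placeholder', 'user passphrase 2016');
$back  = decrypt_from_transport($token, 'user passphrase 2016');
var_dump($back === 'card data placeholder');
var_dump(decrypt_from_transport($token, 'wrong passphrase'));   // false: tag mismatch
```

The HMAC is there because CBC on its own gives confidentiality but no integrity: without a tag, a receiver that decrypts and then acts on modified ciphertext can be turned into a padding or bit-flipping oracle. Checking the tag first, with a constant-time comparison, closes that gap; the Base64 layer only makes the binary blob safe to carry through text-based channels and adds no security of its own.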