razorpoint security glossary


Upload: razorpoint-security

Post on 11-Nov-2014


DESCRIPTION

Keep on top of network security terminology with this extensive white paper.


Page 1: RAZORPOINT SECURITY GLOSSARY

Author: Razorpoint Security Team
Version: 1.5

Date of current version: 2006-01/09

Date of original version: 2001-04/04

Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.

Razorpoint Security Glossary

[ WHITE PAPER ]


Razorpoint Security Glossary

Are you up to speed with the latest in security and hacker terms? Do you know the difference between a hacker and a cracker? How about why a DoS attack can render your entire network useless?

The more you know about security, the terms and the techniques involved, the better prepared you’ll be to guard against break-ins, trojans, identity theft, and other unwanted attacks. The Razorpoint Security Glossary is provided as a public service to help guide you through the latest terminology of hackers, crackers, and other threats to your technology infrastructure.

Razorpoint Security Technologies, Inc. continues to update this list on a regular basis and attempts to keep it as one of the most comprehensive security glossaries available. This list contains terms that span most operating systems and network technologies, including: Sun Solaris, Linux, Mac OS X, BSD Unix (OpenBSD, FreeBSD, NetBSD, etc.), Windows, Cisco, Nortel and 3Com.

If you have any questions or information about terms not listed, please contact Razorpoint Security Technologies at: [email protected].

Any copyrights mentioned in this document are the sole property of their rightful owners.

A

ACK: Acknowledgment. A response from a receiving computer to a sending computer to indicate successful receipt of information. TCP requires that packets be acknowledged before it considers the transmission complete.

Access Control: Techniques for limiting access to resources based on authentication information and access rules.

Access Provider: Companies that offer Internet access through a variety of means such as dial-up, cable, DSL, etc.

Acrobat Reader: An Adobe stand-alone program or Web browser plug-in that allows the viewing of Portable Document Format (PDF) files with complex graphic designs. Adobe does not charge for Acrobat Reader and it can be downloaded directly from them.

Address: Synonymous with URL, the phrase used to connect to a website.

Address Masquerading: Configuring a network interface with an IP address intended for another system. This undermines access control mechanisms based on network addresses.

Address Spoofing: Counterfeiting IP datagrams in a way that causes the receiving system to believe they originated from a host other than the actual sender.

Address Translation: See NAT.

Agent: The software routine in an SNMP-managed device that responds to get and set requests and sends trap messages.

AH Authentication: A planned security enhancement to IP that provides sending-system authentication and datagram integrity, but not confidentiality. See also ESP.

Algorithm: A mathematical function or set of rules used in the process of encryption and decryption of data.

January 9, 2006 Razorpoint Security Glossary [v1.5] Page 1 of 18

31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | [email protected] Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.


AltaVista: Popular search engine.

Anonymous Remailer: A program that removes all traces of an e-mail message’s actual sender and location before forwarding the message to its intended recipient.

Anti-Virus: A mechanism that provides detection and inoculation of viruses on a local disk or in files as they are transferred between networks.

API: Application Programming Interface. A high-level language binding that enables a programmer to easily use functions in another program.

Application Gateway: A system used to restrict access to services, or specific functions within services, across a firewall boundary.

Application Layer: The protocol layer used by applications (like Telnet, FTP, and so on) that rides atop the services provided by the transport and network layers.

ARP: Address Resolution Protocol. A protocol in the TCP/IP suite used to resolve a network (IP) address to its link-layer address.

Asymmetric Algorithm: A two-key system using a complementary pair of keys: a public key and a private key. The public key is used to encrypt or verify messages, and the private key is used to decrypt and sign messages.

Attack: An electronic assault (typically unprovoked) that attempts to somehow break the target’s systems, networks and security mechanisms.

AUP: Acceptable Use Policy. Within an organization, the policy that has been arranged for proper use of the website.

Authentication: A systematic method for establishing proof of identity between two or more entities, usually users and hosts.

Authorization: The predetermined right to access an object or service based on authentication information.

AVI: Audio Video Interleave. A digital video file format created by Microsoft. Noted as an .avi file, it displays both picture and sound elements intermittently.

B

Back Door: A method of circumventing an enterprise security policy through an unknown vulnerability, allowing an illegal user access to the network.

Back Orifice: A program that installs itself on a machine as a server, allowing a user with the Back Orifice client to control the host remotely.

Bandwidth: The transmission capacity, commonly measured in bits per second, of a network connection.

Banner: Graphic advertisements appearing on the Web.

Baud: Modem speed.

BCC: Blind Carbon Copy. When writing email, the bcc-ed person receives the email without the knowledge of others on the distribution list.

Biometrics: The use of a unique physical characteristic, such as a fingerprint, voice recording, or retinal scan, to authenticate a user.

Block Cipher: An encryption method that places data in fixed-size blocks before encryption.


Blowfish: Powerful, free 128-bit encryption cipher. Installed as standard in OpenBSD.

Bookmark: If you have a favorite site, you can save the link through the Bookmark feature located in the browser.

Brute Force Attack: An attempt to illicitly recover a cryptographic key by trying all reasonable possibilities.

BS7799 (a.k.a. ISO 17799): British Standard 7799. The international equivalent is ISO 17799. Standardized document outlining requirements for remote security auditing and testing.

BSD Trust: A trust mechanism whereby one host trusts the identity of users of another system without requiring them to authenticate with passwords.

Buffer Overflow: An attack where too much data is sent to an application that is expecting a lesser amount. The application is ill-prepared for the wave (overflow) of excess data and is sent into a state whereby arbitrary programs can be run by an attacker with the same privileges as the original application or service. Most services (web, email, ftp, etc.) run with root or administrator access. Buffer overflowing an application allows an unwanted attacker to execute programs with those same privileges. This is a very powerful and very common method crackers use for penetrating systems.

BXA: The U.S. Department of Commerce, Bureau of Export Administration. BXA is the primary regulatory agency responsible for export controls on encryption, and is responsible for the issuance of export licenses.

C

Cable Modem: Device connected to a computer enabling you to receive and request information from the Internet over your cable TV line. Greatly exceeds the bandwidth of dial-in modems.

Cache: Temporary storage space on a computer hard drive. Web browsers store the most recently viewed Web pages in cache.

Camping Out: Creating a safe, undetected spot for hacking, storing or retrieving information, and/or creating another way to get in at a later time, once admitted into a network.

CC: Carbon Copy. When writing email, the cc’d person also receives a copy of the email message.

Certificate: An electronic document bound to an individual’s or entity’s public key that portrays attributes of the key holder as vouched for by a trusted party or Certification Authority.

Certificate Authority (CA): A trusted entity that digitally signs certificates in order to validate ownership of public keys.

Certificate Revocation: The act of removing the validity of a previously issued certificate.

Certificate Revocation List (CRL): A list maintained by a Certificate Authority of certificates that are no longer valid, excluding expired certificates.

Certificate Server: A server that assists in the process of certifying public keys.

Challenge Handshake Authentication Protocol (CHAP): A protocol for authenticating remote users utilizing a three-step authentication mechanism.

Chat: ‘Talking’ on the Internet via realtime, typed words. Interactive online communication. See also IRC.

Chroot: A Unix system call used to intentionally restrict a server’s view of a host’s file system. A chroot configuration is important when enabling certain Unix services so as to minimize a host’s vulnerability in the event of a buffer overflow attack.


Cipher: An algorithm that is either symmetric or asymmetric (see definitions below) and allows for either fixed or variable key lengths.

Cipher Block Chaining (CBC): A block cipher mode where the previously encrypted block of ciphertext is combined with the current block of plaintext before that block is encrypted.
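To make the chaining concrete, here is an added example (written for this edit, not code from the Razorpoint glossary): a toy 16-byte Feistel block cipher, constructed here purely for illustration and not a real cipher, run in ECB and CBC modes. It shows that feeding the previous ciphertext block into the current block hides repeated plaintext blocks that ECB exposes, and that decryption unwinds the chain.

```python
import hashlib

BLOCK = 16  # block size in bytes of the toy cipher (constructed example)
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy Feistel cipher; SHA-256 keeps it
    # deterministic per (key, round). Not a real cipher: illustration only.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: a bijection on 16-byte blocks, so decryption
    # is the same rounds run backwards.
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    # PKCS#7-style padding so the message is a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes, start: int = 0) -> list:
    return [data[i:i + BLOCK] for i in range(start, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks
    # produce equal ciphertext blocks (the structure leak CBC avoids).
    return b"".join(block_encrypt(key, b) for b in _blocks(_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first block) before it is encrypted. The IV travels in
    # the clear as the first block of the output.
    prev, out = iv, []
    for block in _blocks(_pad(plaintext)):
        prev = block_encrypt(key, _xor(block, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # Reverse the chain: decrypt a block, then XOR with the previous
    # ciphertext block (or the IV) to recover the plaintext block.
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for block in _blocks(body):
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return _unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes, skip: int = 0) -> int:
    # Number of ciphertext blocks that duplicate an earlier one.
    blocks = _blocks(ciphertext, skip)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    iv = bytes(range(BLOCK))        # fixed IV only so the demo is repeatable
    msg = b"A" * (3 * BLOCK)        # three identical plaintext blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg), BLOCK))
    print("CBC round trip ok:", cbc_decrypt(key, cbc_encrypt(key, iv, msg)) == msg)
```

In real use the IV must be unpredictable and fresh per message; the fixed IV above exists only to keep the demonstration deterministic.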

Cipher Text: A message that has been encrypted to maintain its privacy when traveling over untrusted networks.

CISSP: Certified Information Systems Security Professional. A comprehensive certification covering many areas of security (electronic, physical, personal, etc.). This certification is becoming the standard for security professionals worldwide.

Client: A computer system that requests services of another computer system on the network.

Cleartext: Human-readable text. See also Plaintext.

Common Criteria: A multi-national standard for evaluating security products and assigning ratings of trust to them.

Compulsory Tunnel: A term used in PPTP and L2TP to describe the creation of an involuntary VPN session.

Connectionless Service: A delivery service that treats each packet independently from all others before and after it. HTTP (the World Wide Web) is a connectionless system.

Content Security: The ability to specify the content of a communication as an element of a security policy, in contrast to defining a security policy on the basis of header information only.

Cookie: A small piece of information sent to your computer from a website. This information is stored on your hard drive by the site, containing user information such as registration information, shopping cart items or preferences.

Covering Tracks: Method of avoiding detection by removing, replacing or disabling log files that would otherwise indicate a security breach.

CPU: Central Processing Unit. The main silicon chip inside the computer that runs the programs and operating system.

Cracker: From CRiminal hACKER -- often confused with ‘hacker.’ A person who does not respect the computers she/he hacks on. These are the people that break, deface, and otherwise improperly use technology. See also hacker.

Cross-certification: The act of sharing levels of trust across two or more organizations or certificate authorities.

Cryptanalysis: The science of analyzing and breaking secure communication.

Cryptography: The science of enabling secure communication through encryption and decryption.

Cryptology: The study of secretive communication, including both cryptography and cryptanalysis.

Cyberspace: Term to describe the Internet, i.e. you’re in Cyberspace when you are surfing the Web.

Cybersquatter: A person who buys domain names (URLs) with the hope of reselling them for profit.

D

Daemon (‘demon’): Individual process (background program) typically running on a Unix system.

Datagram: A packet of data and its delivery information, usually associated with connectionless service.


DDoS: Distributed Denial-of-Service Attack. An attack on a network or single system that renders it unusable. See also DoS.

Decryption: The inverse of encryption; the process of converting ciphertext into plain (usable) text.

Dedicated line: A direct phone line between two computers.

DES: Data Encryption Standard. The once-thought-of-as-unbreakable encryption standard adopted by the U.S. Government in 1977 as the federal standard for the encryption of commercial and sensitive yet unclassified government computer data.

Demilitarized Zone (DMZ): A network located outside the trusted or secure network but still protected from an untrusted network by a firewall gateway.

Dial-Up: A temporary connection over a telephone line from your computer to your Internet Service Provider (ISP) in order to get on the Web.

Diffie-Hellman or Exponential Key Exchange: A concept related to public-key cryptography; it provides a mechanism for setting up a secret but unauthenticated connection between two parties.

Dig: Domain Information Getter. Useful tool for discovering where unresolved IP addresses originate from. Dig can also help determine what version of DNS server someone is running.

Digital Signature: An unforgeable electronic signature that authenticates a message sender and simultaneously guarantees the integrity of the message.

DNS: Domain Name System. The mechanism on the Internet (via a distributed database system) that maps Internet Protocol (IP) addresses (10.1.20.200) to the more easily remembered hostnames (www.WebSite.com). DNS provides other important data such as email exchange information.

Domain name: An original name that identifies an Internet site.

DoS Attack: Denial-of-Service Attack. Internet or IP services disrupted by a flood of phony traffic that clogs the provider’s network. SYN Flood, Ping o’ Death, Smurf, Fraggle and Jolt are some examples of Denial-of-Service attacks.

Download: Transfer data from a server to your computer’s hard disk.

DSL: Digital Subscriber Line. Service that offers a faster Internet connection than dial-up.

DSLAM: Digital Subscriber Line Access Module. Connection point or ‘switch’ that connects all DSL-connected subscribers in a given geographical area.

E

802.1X: A set of specifications developed by the Institute of Electrical and Electronics Engineers for wireless local area networks (WLANs).

Email: Electronic Mail. A message sent through the Internet from one person to another (or several others).

Email address: An electronic mail address.

Email alias: An additional email address that redirects email messages to your email address.

Emoticon: The sideways smiling (and other) faces used on the Internet to convey emotions, e.g. :-) and :-(


Encapsulating Security Payload (ESP): A fundamental component of IPSEC-compliant VPNs, specifying both encryption of an IP packet as well as data integrity checks and sender authentication.

Encapsulation: The act of placing the contents of an entire packet inside a second packet.

Encryption: A procedure for scrambling data before sending it over a public network like the Internet. The appropriate recipient usually has a mechanism by which to ‘decrypt’ the scrambled gibberish into the sender’s original format.

Encryption Scheme: A mechanism for encrypting and authenticating messages, as well as managing and distributing keys.

Enumeration: The act of extracting valid accounts or exported resource names from systems. Enumeration is target acquisition and information gathering. Enumeration entails making active connections to systems or network resources in an attempt to gather data for malicious use.

Ethernet: Common method to connect computers to a Local Area Network.

Explorer (a.k.a. Microsoft Internet Explorer): Microsoft’s Web browser on the Internet.

Extranet: A collaborative network that uses Internet technology to link businesses with their suppliers, customers, or other businesses. The shared information can be accessible only to the collaborating parties or can be publicly accessible.

F

FAQ: Frequently Asked Questions. A file on a website that contains the most common questions and answers on a specific subject or website.

Finger: An IP protocol that provides potentially useful information about a user and sometimes a server.

Firewall: One or more packet filters or gateways that shield ‘internal’ trusted networks from ‘external’ untrusted networks such as the Internet. Firewalls are generally one of the tools used when securing a network from unwanted intruders.

Frame: Technology that allows the browser window to be broken into several sections.

FTP: File Transfer Protocol. An Internet protocol that allows for the transfer of files from one computer to another.

FQDN: Fully Qualified Domain Name. The combination of a system’s host and domain name.

FTPD: FTP Daemon. The server program that runs the FTP protocol. See also wu-FTPd.

G

GAK: Government Access to Keys. As provided for in key escrow and key recovery systems.

Gateway: An interface that connects two different networks.

GIF: Graphic Interchange Format. A common graphics file format used on the Internet, most commonly used to show clip art images.

Gigabyte (a.k.a. GB): About 1 billion bytes.


Glitch: Small malfunction in a system.

GPG: GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is an RFC 2440 (OpenPGP) compliant application.

GUI: Graphical User Interface. A graphical environment of an operating system.

H

Hacker: A person who uses vast amounts of time and knowledge to learn about technology, what makes it work and what makes it break. Generally not a person who breaks into or destroys systems. Often confused with a ‘Cracker.’ See also cracker.

Hash: A one-way function that produces a message digest that cannot be reversed to reproduce the original message.

Header: Data carried at the beginning of a packet or other type of message that contains information vital to delivery.

Hierarchical Trust: The distribution of trust through a group of organizations in a top-down fashion, commonly used by certification authorities issuing X.509 certificates.

High Availability: A method of providing continuous access to a network resource or application.

Hit: A measurement of the popularity of a website based on a single request from a browser to a server.

Home page: The main page of a website.

Host: The server on which a website is stored.

HREF: Hyperlink Reference. Specifies a URL as the linked resource.

HTML: Hypertext Mark-up Language. The language used to create hypertext documents on the Internet.

HTTP: HyperText Transfer Protocol. An application-layer protocol used to deliver text, graphics, sound, movies, and other data over the WWW via the friendly hypertext interface of a Web browser.

HTTPD (HTTP daemon) Server: HyperText Transfer Protocol Daemon. Generically refers to the process running on a WWW server.

Hyperlink: A highlighted graphic or word within a web page that will take you someplace within the same page, or to another page on the site.

Hypermedia: Pictures, video and audio on a Web page that act as hyperlinks.

Hypertext: Text on a Web page that includes links to other Web pages.

I

ICMP: Internet Control Message Protocol. An IP maintenance protocol that monitors and communicates control information, including notification of unreachable destinations, between network participants.

IDEA: International Data Encryption Algorithm. A patented block cipher operating on 64-bit plaintext blocks. The key is 128 bits long.


Identity Certificate: A certificate which binds a public key to an individual for the purpose of identification.

In-Place Encryption: A mechanism that encrypts only the data of an IP packet, while the header is not encrypted.

International Data Encryption Algorithm (IDEA): A secret-key, 64-bit block cipher algorithm that uses a 128-bit key for encryption.

IETF: Internet Engineering Task Force. An international standards body.

Impression: Each request for a Web page on a particular server, which serves as a basis to measure the popularity of a website.

Integrity: The current condition of data compared to its original, pristine state.

Integrity Check: A mechanism for ensuring that data has not been tampered with by adding to, removing from, or otherwise modifying its contents. Often achieved through digital signatures and one-way hash functions.

Internet: The world’s largest collection of networks, reaching universities, government research labs, commercial enterprises, and military installations in many countries.

Introducer: A person or organization that vouches for the authenticity of a public key. An introducer is designated by a signed public key.

Intranet: A private network of computers using the same protocols as the Internet, but only for internal use.

Intrusion Detection: A powerful type of active security technology. Intrusion detection systems combine network monitoring with real-time capture and analysis of packet data, utilizing sophisticated algorithms to recognize types of attack signatures and, upon discovery, send alarms and even take action.

IP: Internet Protocol. Along with TCP, one of the most fundamental protocols in TCP/IP networking. IP is responsible for addressing and delivering datagrams across the Internet.

IP Address: The 32-bit address that uniquely identifies a node on an IP network.

IP Spoofing: A technique whereby an intruder attempts to gain access by altering a packet’s IP address to make it appear as though the packet originated in a part of the network with higher access privileges.

IRC: Internet Relay Chat. A chat network where any words typed by any user are seen by everyone who is in the chat room at that moment.

ISAKMP: Internet Security Association and Key Management Protocol. Defines the procedures for authenticating a communicating peer, and for creating and managing Security Associations, key generation techniques and threat mitigation (e.g., Denial-of-Service and replay attacks).

ISAKMP/Oakley: An IETF specification for a public-key cryptosystem. See ISAKMP or Oakley.

ISDN: Integrated Services Digital Network. A digital telephone system that can provide high-speed transmission of voice and data.

ISO: International Standards Organization. An international body founded to draft standards for network protocols.

ISP: Internet Service Provider. A company that provides Internet access, email services and website development tools for its members.


J

Java: Sun Microsystems’ object-oriented language based on C++ that allows developers to develop platform-independent applications.

JavaScript: A scripting language embedded into HTML documents.

John The Ripper: Powerful tool available for multiple operating systems, used to crack (decrypt) passwords on Unix and Windows systems.

Joyriding: Commandeering a phone service or ISP connection, allowing the intruder to exploit these services without paying for them.

JPEG: Joint Photographic Experts Group. A compression standard used for full-color digital images. Most photos on the web are JPGs, while most clip art images are GIFs.

K

Kbps: Kilobits per second. A measure of data rate, e.g. a 28.8 Kbps modem transfers data at about 3.6 kilobytes per second.

Kerberos: A distributed authentication system, developed at MIT as part of Project Athena, which identifies users, clients, and server applications to each other.

Key: One of all possible values that can be applied to plaintext with an encryption algorithm to produce ciphertext, or vice versa.

Key Exchange: A mechanism for transferring a secret session key securely across an unsecured channel.

Key Escrow: A mechanism that provides for storage of private keys, usually for the purpose of guaranteeing third-party (government or employer) access to the plaintext of encrypted data.

Key Fingerprint: A uniquely identifying string of characters used to authenticate public keys. Key fingerprints are matched to determine that a public key is actually the key it is supposed to be.

Key ID: A legible code that uniquely identifies a key pair. Two key pairs may have the same User ID (as in an email address or individual’s name), but will have different Key IDs.

Key Length: The number of bits representing key size. Generally, the longer the key, the stronger the encryption.

Key Management: The process of storing and distributing cryptographic keys to authorized recipients.

Key Recovery: This model requires a sophisticated management system that must securely store keys requiring escrow. A vulnerability in this key management system can compromise the security of all encrypted data. Furthermore, the third-party storage of private keys creates the possibility for digital signatures to be created by parties other than the key’s owner. This would invalidate the non-repudiation of digital signatures from these escrowed keys.

Kilobyte: 1,000 bytes.

L

LAN: Local Area Network. A communications network that spans a small office or geographical area.

Layered Protocols: Protocols that are ‘stacked’ one atop another, whereby ‘lower’ protocols transparently provide services to ‘higher’ ones.


Leased line: A dedicated phone line that supplies a 24-hour connection from one location to another.

Link: Marked text or picture within a hypertext document.

Lightweight Directory Access Protocol (LDAP): A mechanism for Internet clients to access and manage a database of directory services over a TCP/IP connection.

Linux: Invented by Linus Torvalds. A powerful Unix-based operating system for various computer hardware types.

Login: Entering into a computer system; also the account name or user ID that you must enter before you can access a computer system.

Lynx: Useful, text-based web browser available for most operating systems.

L0phtCrack: Powerful tool that easily cracks (decrypts) passwords on the Windows operating system, demonstrating the weak algorithms used.

M

MAC Address: Media Access Control address. An IEEE 802 hardware address that uniquely identifies each node of an Ethernet network. Every network-connected device must have a unique MAC address.

Mailing List: E-mail addresses of subscribers for either different web-based e-commerce purposes or discussion groups.

Mail Server: Server that handles incoming and outgoing email.

Mainframe: Powerful computer used for intensive computational tasks.

Managed Service Provider (MSP): A company that provides outside organizations with Internet services beyond basic connectivity.

Man-In-The-Middle Attack: A hacker/cracker attack where the attacker has set up a connection somewhere in between multiple points and uses this position to steal passwords or data, or to spoof connections to impersonate a valid user.

Megabit: Roughly one million bits.

Message Digest: A message that has been condensed into a string of letters and numbers using a one-way hash function.

MIB: Management Information Base. A database of objects that represent various types of information about a device. Used by SNMP for device management purposes.

MIDI: Musical Instrument Digital Interface. Used by the electronic music industry for regulating synthesizers.

MIT-MAGIC-COOKIE-1: The universally available but infrequently used mechanism for the X Window System that can help to prevent unauthorized access to the user’s graphical display, keyboard, and pointing device.

Modem: Modulator/Demodulator. Allows for computer communication via telephone lines, turning digital information into analog information and the reverse.

MPEG/MPG: Compressed video format, downloaded from the Web.

Multiprotocol Label Switching (MPLS): Method of forwarding IP packets across networks using predefined routes.


MP3Music, downloaded from the web, in a compressed format.

MTAMessage Transfer Agent. An entity that shoulders responsibility for transferring e-mail messages to their destination, or at least one step closer to it.

NNATNetwork Address Translation. Hiding a single IP address or an entire network behind another IP address. Typically used for networks that do not want to expose all of their machines to the Internet.

Name ResolutionThe process of mapping a host name to an IP address. DNS is the Internet’s primary system for resolving host names.

NetShort for Internet.

Net LingoSlang used on the Internet.

Net Surfing Searching or surfing on the Web.

Netscape Company that produces one of the most visible Web browsers (Navigator and Communicator) on the Internet.

NetworkGroup of connected computers which can share resources and data.

Network LayerOn the Internet, the layer that implements IP, and provides services to the transport layer.

NewbieA new Web user.

NewsgroupsDiscussion groups organized by subject.

NIS
Network Information Service. A naming service developed by Sun (originally called Yellow Pages) that provides a directory of network and host information, including user accounts and password hashes. Any host that knows the NIS domain name can request the maps, so NIS should never be reachable from untrusted networks.

NFS
Network File System. A distributed file system built on RPC, developed by Sun Microsystems. NFS clients mount remote server directories and then access them as if they were local. Its default authentication (AUTH_SYS) simply trusts the user and group IDs the client claims, so exports should be restricted by host and root_squash left enabled. See also Secure NFS.

nmap
Network Mapper. A free, open-source network scanner that discovers live hosts and open ports and, with its service and operating-system detection, identifies the software behind them. The standard tool for port scans and ping sweeps.

NNTP
Network News Transfer Protocol. Used for the distribution, inquiry, retrieval, and posting of articles on the Usenet news system.

Nonce
A number used once: a random or unique value that one party puts into a protocol exchange so that a recorded message cannot be replayed later. In challenge-response authentication the verifier sends a fresh nonce and the claimant returns it signed or encrypted with its key; because the nonce is never reused, a captured answer is worthless the next time.

Non-Repudiation
A property of digital signatures: the sender cannot later deny having sent a file or message, because only the holder of the signing private key could have produced the signature.

O

Oakley
A key-agreement protocol based on Diffie-Hellman, used within the ISAKMP framework; IKE combines the two to establish IPsec session keys.

Offline
Not connected to a computer network.


One-Time Passwords
Passwords that are valid for a single authentication. An attacker who captures one in transit gains nothing, because presenting it a second time is rejected, which defeats the snooping and replay attacks that work against static passwords. S/Key is an example of a system that uses one-time passwords.

One-Way Hash
A function that maps a message of any length to a fixed-size message digest and cannot be reversed to reproduce the original message. A good one-way hash also makes it infeasible to find two different messages with the same digest.

Online
Connected to a computer network.

Open Platform for Security (OPSEC)
Check Point's industry alliance and API framework intended to ensure interoperability at the policy level between security products from different vendors.

OSI
Open Systems Interconnection. A set of ISO standards that define the framework for implementing network protocols in seven layers.

P

Packet
A unit of data carried across a network. A message is broken into packets that travel independently through the Internet and are reassembled at the destination. An IP packet contains the source and destination addresses, an identifier, and a data (payload) segment. Often used loosely as a synonym for segment or datagram.

Packet Filter
A network device, or a function of a router or firewall, that inspects packet header fields (addresses, protocol, ports, TCP flags) and accepts or rejects each packet against an ordered rule set, usually with everything not explicitly allowed being dropped. A simple packet filter is stateless: it sees each packet in isolation and cannot tell a legitimate reply from an unsolicited packet, which is the main limitation of routers used as firewalls.
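The rule evaluation a stateless packet filter performs, as an added example that is not code from this glossary or from any product it names: a first-match rule set with a default-deny fallback applied to constructed packet headers. The Packet and Rule classes, the rule set and the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24, and 10.0.0.0/8 as the "private source that must not appear on the outside interface") are all assumptions of the example. Because rules are evaluated in order, the anti-spoofing drop rule has to come before the accept rules to have any effect.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter looks at (constructed, simplified)."""
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "drop"
    proto: Optional[str] = None          # None matches any protocol
    src: str = "0.0.0.0/0"               # CIDR; the default matches everything
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, ...] = ()         # empty tuple matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True

def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet no rule matches is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"

# Constructed rule set protecting a DMZ web server at 192.0.2.10. Order matters:
# the anti-spoofing rule is first so that a forged private source address never
# reaches the accept rules below it.
RULES = [
    Rule("drop", src="10.0.0.0/8"),                                                 # spoofed internal source
    Rule("accept", proto="tcp", dst="192.0.2.10/32", dports=(80, 443)),             # public web service
    Rule("accept", proto="tcp", src="192.0.2.0/24", dst="192.0.2.10/32", dports=(22,)),  # SSH from the DMZ only
    Rule("accept", proto="icmp", dst="192.0.2.10/32"),                              # let ping through
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "192.0.2.10", 443),
                Packet("tcp", "10.1.2.3", "192.0.2.10", 80),
                Packet("tcp", "198.51.100.7", "192.0.2.10", 22)):
        print(pkt, "->", filter_packet(RULES, pkt))
```

Swapping the first two rules would let the spoofed packet to port 80 through: a packet filter is only as good as its rule order.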

Passphrase
A series of keystrokes chosen by the user that unlocks a private key used to sign and decrypt data. Longer than a password, and the only thing protecting the key if the key file is copied.

Payload
The portion of an IP packet that holds actual message data.

PEM
Privacy Enhanced Mail. An early Internet standard (RFC 1421 through 1424) for message encryption and the authentication of message senders. Its base64 "-----BEGIN ...-----" container format lives on in today's certificate and key files.

PGP
Pretty Good Privacy. Developed by Phil Zimmermann, a cryptosystem and data format available across a wide variety of operating systems, used to exchange encrypted and authenticated e-mail messages and files. Its message format was later standardized as OpenPGP (RFC 2440).

Phreaker
A phone hacker/cracker. From PHone fREAKER.

Ping o' Death
A denial of service attack that crashed or rebooted many older systems by sending a fragmented ICMP echo request ("ping") that reassembles to more than 65,535 bytes, the maximum legal IP packet size (a normal ping carries 64 bytes). The oversized packet overflowed the reassembly buffer in the target's IP stack.

Ping Sweep
A network reconnaissance technique that sends ICMP echo requests (pings) to a range of addresses to map which hosts are alive.

PKI
Public Key Infrastructure. The certificate authorities, certificates, revocation lists and policies that bind public keys to identities, so that users can obtain another party's public key in a secure and predictable manner.

Plaintext
Message text that is readable and understandable by anyone; the opposite of ciphertext.

Platform
Computer operating system.

Plug-in
Small piece of software which adds new features to a larger program such as a Web browser.

POP2
Post Office Protocol version 2. An e-mail protocol primarily used to transfer messages between a central mail server and a user's workstation. This normally runs on TCP port 109.

POP3
Post Office Protocol version 3. An e-mail protocol primarily used to transfer messages between a central mail server and a user's workstation. This normally runs on TCP port 110 and sends the user's password in the clear unless wrapped in SSL/TLS (port 995) or used with APOP.

Port
16-bit identifiers used by TCP and UDP that specify which process or application on a host is sending or receiving data. Ports below 1024 are conventionally reserved for well-known services.


Port Scan
The act of discerning which TCP or UDP ports are open on a given network device (workstation, server, router, etc.): many ports probed on one host.

Port Sweep
A network reconnaissance technique that probes one port (for instance TCP 22 or 445) across many hosts to find every machine offering a particular service. Compare Port Scan, which probes many ports on one host; both are typically preceded by a ping sweep.
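The difference between the two techniques in working code, as an added example (not code from this glossary or from nmap): a TCP connect scan of many ports on one host, and a sweep of one port across many hosts, run against a constructed listener on a loopback port so that it works offline. The connect scan completes a full three-way handshake, which is the noisiest kind of probe and shows up in the target's logs; only scan systems you are authorized to test.

```python
import socket

def tcp_connect_scan(host, ports, timeout=0.5):
    """Port scan: probe MANY ports on ONE host with a full TCP connect.
    Returns the ports where the three-way handshake completed."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports

def port_sweep(hosts, port, timeout=0.5):
    """Port sweep: probe ONE port across MANY hosts.
    Returns the hosts that accepted a connection on that port."""
    return [host for host in hosts if tcp_connect_scan(host, [port], timeout)]

def start_listener():
    """Constructed target: a listening socket on an ephemeral loopback port.
    The kernel completes handshakes into the backlog, so no accept loop is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]

def demo():
    """Scan a small range around the listener, then sweep its port across the host list."""
    srv, port = start_listener()
    try:
        scanned = tcp_connect_scan("127.0.0.1", range(port - 2, port + 3))
        swept = port_sweep(["127.0.0.1"], port)
    finally:
        srv.close()
    return port, scanned, swept

if __name__ == "__main__":
    port, scanned, swept = demo()
    print(f"listener on {port}; scan found {scanned}; sweep found {swept}")
```

A real sweep would take a whole address range as its host list; only the loopback address is used here so that the example runs anywhere.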

Portal
A Web site that attracts visitors by providing free information or services on a daily basis. Major portals of the period: Excite, HotBot, Lycos, InfoSeek, and Yahoo.

Post
A single public message to a newsgroup.

PPP
Point-to-Point Protocol. Carries IP (and other protocols) over a serial link such as a modem connection, allowing a computer to join the Internet via dial-up.

Private Key
The secret half of a user's key pair in an asymmetric system. The private key is known only to the user and is used to sign and to decrypt.

Protocol
A set of rules and conventions that two networked computers must follow in order to understand each other.

Proxy Server
Sits between a client, such as a Web browser, and the real server, making requests on the client's behalf. Used to improve performance by caching, to hide the client's address, and to enforce policy by filtering out undesirable content.

Public-Key Cryptosystem
A cryptosystem in which one half of a key pair is used for encryption and the other half for decryption (or one for signing and the other for verification); the public half can be published without compromising the private half.

Punch
To create a hole in a device or network allowing legal or illegal entry.

Q

Quality of Service (QoS)
The ability to define a level of performance for data communications through the setting of priorities, guarantees, or service level agreements for certain traffic types or destinations.

Query
Request for specific information.

R

'r' Commands
The Berkeley remote commands used on Unix between trusted hosts: rlogin, rsh and rcp. A host listed in /etc/hosts.equiv or in a user's ~/.rhosts is "trusted", and logins from it need no password. Because that trust rests only on the client's IP address and claimed user name, both of which can be spoofed, and because all traffic is sent in the clear, these commands have the most serious security implications and should be replaced by SSH.

Race Condition
A flaw in which the outcome depends on the timing of events the attacker can influence. The common form is the check-then-use (time-of-check/time-of-use) race: a program verifies something about a file or resource and then acts on it, and the attacker changes the object between the two steps. Some TCP/IP services, while running as non-privileged users, must occasionally perform functions as a privileged user; attackers can trigger such a function and then "race" to use the temporary privilege to gain unauthorized access to the system.
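The check-then-use form of the race, as an added example that is not code from this glossary: a vulnerable reader that checks a path and then opens it, beside a fixed reader that opens first (refusing to follow symlinks) and judges the object it actually got. The directory layout, the "attacker" hook that fires in the window between check and open, and the file contents are all constructed for the example; O_NOFOLLOW is a POSIX feature, so the fixed version is Unix-only.

```python
import os
import stat
import tempfile

def read_checked_then_open(path: str, between=None) -> bytes:
    """Vulnerable check-then-use. `between` is a hook standing in for the attacker,
    who acts in the window after the check and before the open (an assumption of
    the example; in real life the attacker just loops, racing the victim)."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("refusing: not a regular file")
    if between:
        between()                              # the race is lost here
    with open(path, "rb") as f:                # opens whatever `path` names NOW, following symlinks
        return f.read()

def read_open_then_check(path: str) -> bytes:
    """Fixed: open first without following symlinks, then judge the object actually opened."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # raises OSError (ELOOP) if path is a symlink
    try:
        st = os.fstat(fd)                      # describes the open file, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing: not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)

def simulate_race() -> dict:
    """Constructed scenario: in a shared directory the attacker swaps a harmless file
    for a symlink to a secret between the victim's check and its open."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "secret")
    victim = os.path.join(d, "upload.txt")
    with open(secret, "wb") as f:
        f.write(b"SECRET")
    with open(victim, "wb") as f:
        f.write(b"harmless")

    safe_read_regular = read_open_then_check(victim)   # the fixed reader on a normal file

    def attacker_swaps_file():
        os.remove(victim)
        os.symlink(secret, victim)

    leaked = read_checked_then_open(victim, between=attacker_swaps_file)
    try:
        read_open_then_check(victim)           # victim is now the symlink
        blocked = False
    except OSError:                            # ELOOP from O_NOFOLLOW; PermissionError is an OSError too
        blocked = True
    return {"safe_read_regular": safe_read_regular, "leaked": leaked, "blocked": blocked}

if __name__ == "__main__":
    print(simulate_race())
```

The check in the vulnerable version is not wrong, it is just answered about a different file than the one later opened; the fix works because fstat reports on the open descriptor, which cannot be swapped out from under the process.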

Remote Authentication Dial-in User Service (RADIUS)
A centralized network-authentication protocol and standard that includes authentication, authorization, and accounting (AAA) features. Clients such as dial-up servers, VPN gateways and wireless access points forward user credentials to the RADIUS server; the exchange is protected only by a shared secret between client and server.

RealAudio
Standard for compressed audio streamed over the Internet.

Reconnaissance
Scoping out potential targets in order to zero in on the most lucrative, least protected target.

Relay
A program that passes unstructured data to and from an application client and server across an intervening firewall.

Replay Attack
Playing back another party's packets or other messages, recorded in a prior snooping attack, in an effort to accomplish the same or similar results achieved earlier, such as logging in again with a captured authentication exchange. Nonces, timestamps and one-time passwords are the usual defenses.
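The nonce-based challenge-response described under Nonce, and the replay it is meant to stop, as an added example that is not code from this glossary: the verifier issues a random nonce, the claimant answers with an HMAC of it under a shared secret, and the verifier accepts each nonce at most once. The shared secret, the 16-byte nonce size and the use of HMAC-SHA256 as the response function are assumptions of the example (the glossary's own definition speaks of a signed nonce; a MAC under a shared secret is the symmetric equivalent).

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; assumed to have been agreed out of band (see Shared Secret).
SHARED_SECRET = b"constructed-shared-secret-for-the-example"

class Verifier:
    """Server side of a challenge-response login: hands out fresh nonces and
    accepts each one at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()        # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # random, so it does not repeat in practice
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:   # never issued, or already used
            return False
        self.outstanding.discard(nonce)      # consume it: a replay fails on the line above
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison

def respond(secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the secret without ever sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def run_exchange() -> dict:
    """One legitimate login followed by what a sniffer on the wire could try."""
    server = Verifier(SHARED_SECRET)
    nonce = server.challenge()
    response = respond(SHARED_SECRET, nonce)   # the eavesdropper records (nonce, response)
    legitimate = server.verify(nonce, response)
    replay = server.verify(nonce, response)     # the recorded pair played back verbatim
    nonce2 = server.challenge()
    wrong_secret = server.verify(nonce2, respond(b"guess", nonce2))   # fresh challenge, wrong key
    forged = b"\x00" * 16                       # a nonce the server never issued
    unissued = server.verify(forged, respond(SHARED_SECRET, forged))
    return {"legitimate": legitimate, "replay": replay,
            "wrong_secret": wrong_secret, "unissued_nonce": unissued}

if __name__ == "__main__":
    print(run_exchange())
```

The set of outstanding nonces must be bounded in a real server (expire entries after a short time), otherwise an attacker can fill memory by requesting challenges; a timestamp inside the nonce is the usual way to do that.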

Resolver
Client software that enables access to the DNS database.


RFC (Request for Comments)
Documents written for and by the Internet community that describe Internet protocols, surveys, measurements, ideas and observations.


RIPEM
Riordan's Internet Privacy Enhanced Mail. A specific and well-known implementation of the PEM standard.

Rijndael
Pronounced RHINE-doll. Selected in October 2000 as the United States government's new encryption standard and published as the Advanced Encryption Standard (AES) in FIPS 197 in November 2001, replacing DES and 3DES. Rijndael is a 128-bit block cipher available with 128-, 192- and 256-bit keys, while DES used a 56-bit key.

Robot
Program that automates Internet tasks such as collating search engine databases or automatically responding in IRC. Also called a Bot.

Rootkit
A suite of software tools installed on a compromised system to allow an attacker undetected re-entry, typically by replacing or hooking system programs and kernel components so that the attacker's files, processes and connections are hidden from administrators.

Route
The path network traffic takes from its source to its destination.

Router
Special-purpose computing devices dedicated to delivering packets between communicating endpoints.

RPC
Remote Procedure Call. A mechanism that allows an application to call a procedure that executes on a remote machine. Its default authentication is weak: the client simply asserts its user and group IDs. See also Secure RPC.

RSA
Rivest-Shamir-Adleman. The most widely used public-key cryptosystem. It offers encryption and digital signature functionality, and its security rests on the difficulty of factoring large integers.

S

SATAN
System Administrator's Tool for Analyzing Networks. Developed by Dan Farmer and Wietse Venema, a controversial and useful auditing tool for network security; it probed hosts for well-known weaknesses and was the ancestor of today's vulnerability scanners.

SCP
Secure Copy. Encrypted file copy between two systems, carried over an SSH connection. See also SSH.

Search Engine
Web site that allows surfers to search for information through keywords on Web pages.

Secure NFS
An enhanced version of NFS built on Secure RPC that provides authenticated access to files stored on a remote server; the file data itself is not encrypted.

Secure RPC
A version of RPC enhanced to authenticate users with DES-encrypted credentials exchanged over the network connection. DES is no longer considered strong, so this is only a modest improvement over plain RPC.

Security Audit
An examination of networks and computer systems to determine an organization's vulnerability to attacks from hackers, viruses, or other sources.

Security Policy
A set of rules that defines the network security parameters of an organization, including access control, authentication, encryption, content security, network address translation, logging and other security components.

Seed
A random value used to initialize a random number generator or key-derivation process. A predictable seed makes every key derived from it predictable.


Segment
A protocol data unit consisting of part of a stream of bytes being sent between two machines; the TCP unit of transmission. It also carries the current position in the stream (the sequence number) and a checksum value.

Server
Generally a powerful computer that has a permanent connection to the Internet, making services available to end users.

Server Filter
A host-based firewall that logs and filters client access to server applications.

Service Level Agreement (SLA)
A contract between a provider and user that specifies a level of network service, such as bandwidth availability, network uptime, and other measures of network performance.

Session Key
A symmetric key which encrypts a specific message or "session." With public key cryptography it is typical to encrypt a message with a fresh symmetric session key, then encrypt the session key itself with the recipient's public key and send the encrypted session key along with the encrypted message (hybrid encryption).

Shadow Passwords
Password hashes kept in a file readable only by privileged system administrators (/etc/shadow on most Unix systems) instead of in the world-readable /etc/passwd, so that unprivileged users cannot copy the hashes and crack them offline.

Shared Secret
A string of text or numbers agreed between two parties over an out-of-band channel such as a phone call, the post, or a disk, and later used to authenticate each other or to derive keys.

Shoulder Surfing
Finding out what a user is typing by looking over their shoulder and watching the keyboard or monitor.

S-HTTP
Secure HyperText Transfer Protocol. An extension of HTTP (RFC 2660) with security enhancements designed to enable WWW-based commerce by signing or encrypting individual messages. Not to be confused with HTTPS, which is ordinary HTTP carried over SSL/TLS on port 443; S-HTTP saw little deployment.

Signature File
Personal footer that can be automatically appended to an e-mail.

Shouting
Writing in capital letters.

Site
Web site.

Snail Mail
Old-fashioned mail delivered by post.

S/Key
A one-time password system in which users can validate themselves only once with a given password. Each password is derived from the next one by a one-way hash, so a snooped password can neither be used again nor turned into the password that follows it; this protects against password stealing.
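The hash-chain mechanism behind S/Key, serving both the One-Time Passwords entry and this one, as an added example that is not code from this glossary or from the S/Key implementation: the client hashes a seed and passphrase n times, the server stores only the last link, and each login presents the previous link, which the server checks by hashing it once. The passphrase, seed, chain length and use of SHA-256 (real S/Key used MD4 or MD5 folded to 64 bits) are assumptions of the example.

```python
import hashlib

def h(x: bytes) -> bytes:
    """One-way hash for the chain. SHA-256 is an assumption of the example;
    the original S/Key used MD4/MD5 folded to 64 bits."""
    return hashlib.sha256(x).digest()

def hash_chain(passphrase: bytes, seed: bytes, n: int) -> list:
    """[x0, x1, ..., xn] with x0 = H(seed || passphrase) and x_{i+1} = H(x_i)."""
    chain = [h(seed + passphrase)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

def client_otp(passphrase: bytes, seed: bytes, i: int) -> bytes:
    """Password number i, recomputed by the client from the passphrase when challenged."""
    return hash_chain(passphrase, seed, i)[-1]

class SKeyServer:
    """Stores only the last link and a counter; the passphrase never reaches the server."""

    def __init__(self, passphrase: bytes, seed: bytes, n: int):
        self.seed = seed
        self.n = n
        self.last = hash_chain(passphrase, seed, n)[-1]   # enrolment: x_n

    def challenge(self) -> tuple:
        return self.n - 1, self.seed     # "send me password number n-1"

    def login(self, otp: bytes) -> bool:
        if self.n <= 0:
            return False                 # chain exhausted; the user must re-enrol
        if h(otp) != self.last:          # only x_{n-1} hashes to the stored x_n
            return False
        self.last = otp                  # accepted, and this password is now useless
        self.n -= 1
        return True

def demo() -> dict:
    passphrase, seed = b"correct horse battery", b"ex01"   # constructed values
    server = SKeyServer(passphrase, seed, n=5)
    i, s = server.challenge()
    otp = client_otp(passphrase, s, i)         # a sniffer sees this value on the wire
    first = server.login(otp)
    replay = server.login(otp)                 # the sniffed value presented again
    forward = server.login(h(otp))             # attacker hashes the sniffed value forward
    i, s = server.challenge()
    second = server.login(client_otp(passphrase, s, i))
    wrong = server.login(client_otp(b"wrong passphrase", s, server.n - 1))
    return {"first": first, "replay": replay, "forward": forward,
            "second": second, "wrong": wrong}

if __name__ == "__main__":
    print(demo())
```

The security rests on the hash being one-way: from the sniffed x_{n-1} the attacker can compute x_n (useless, the server already has it) but not x_{n-2}, which is what the next login needs.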

SKIP
Simple Key management for Internet Protocols. An authentication/encryption system from Sun that secures the network at the IP packet level; an alternative to IKE that was not widely adopted.

S/MIME
Secure Multi-Purpose Internet Mail Extensions. A standard originally developed by a consortium of e-mail software vendors led by RSA Data Security (RSADSI), later adopted by the IETF, for encrypting or signing MIME data using X.509 certificates.

SMTP
Simple Mail Transfer Protocol. The protocol used to transfer electronic mail messages from one machine to another, normally on TCP port 25. Plain SMTP provides neither sender authentication nor encryption.

Sniffer
A tool for capturing the traffic travelling between multiple points on a network. Sniffers can be used to diagnose poorly configured routers and switches, as well as to steal passwords and other unencrypted data on a network.

SNMP
Simple Network Management Protocol. A protocol used to manage devices on local networks and the Internet. SNMP enables a management station to configure, monitor and control network devices such as routers. In versions 1 and 2c access is controlled only by a "community string" sent in the clear (often left at the default "public"), so read-write communities should be changed and SNMP blocked at the perimeter.

Snooping Attack
Passively eavesdropping on network traffic in order to capture valuable data or secrets, such as user passwords.

Social Engineering
Using lies, deceit, play-acting and verbal cleverness to trick legitimate users into divulging the secrets of the system.

Socket
A bidirectional pipe for incoming and outgoing data that enables an application program to access the TCP/IP protocols.

Source Route
A route identifying the path a datagram must follow, determined by the source device. Source-routed packets let an attacker steer traffic around filters and should be dropped at the perimeter.

Spam
Junk e-mail.


SSH (OpenSSH)
Secure Shell. A replacement for Telnet and the 'r' commands that encrypts and authenticates all traffic between the two connected points. OpenSSH is a free implementation available for nearly every operating system; it supports protocol versions 1 and 2, but version 1 has known weaknesses and should be disabled. The SSH server (usually running on TCP port 22) also offers encrypted file transfer (scp, sftp) and port forwarding. See also SCP.

SSL (OpenSSL)
Secure Sockets Layer. A layer between the application and transport layers that encrypts and authenticates information sent between two systems. SSL transparently protects application layer protocols (like HTTP, for which it was originally conceived) and their data with little effort on the part of the user. Its standardized successor is TLS; OpenSSL is the most common free implementation of both.

Static Passwords
In contrast to one-time passwords, user passwords that are reused many times for authentication purposes. Because they are reusable, static passwords are subject to snooping and replay attacks.

Steganography
The art and science of communicating in a way which hides the existence of the communication. A common form of steganography is hiding messages in picture files (for example JPEGs) where the altered bits are not noticeable.

Streaming
Delivered in real time instead of waiting for the entire file to arrive before playing.

Stream Cipher
An encryption method that generates a pseudo-random keystream from a key and combines it (usually by XOR) with the plaintext bit by bit or byte by byte, as opposed to a block cipher, which works on fixed-length blocks. A keystream must never be reused: two messages encrypted with the same key and starting point leak the XOR of their plaintexts.
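The keystream-reuse failure mode named above, worked through as an added example that is not code from this glossary: a toy stream cipher built from HMAC-SHA256 in counter mode (an assumption of the example, not a standard cipher) encrypts two messages under the same key and nonce, and XORing the two ciphertexts with one known plaintext yields the other without the key. The key, nonce and messages are constructed for the example; the same attack applies to RC4, WEP and any other stream cipher whose keystream is repeated.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 run in counter mode over (nonce || counter).
    An assumption of the example, not a standard cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Ciphertext is plaintext XOR keystream; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

decrypt = encrypt

def two_time_pad(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If both ciphertexts used the same keystream K: c1 XOR c2 == (p1 XOR K) XOR (p2 XOR K)
    == p1 XOR p2, so a known (or guessed) p1 gives p2 with no key at all."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)

def demo() -> dict:
    key = b"constructed-example-key"
    p1, p2 = b"ATTACK AT DAWN!!", b"RETREAT AT DUSK!"   # constructed, 16 bytes each
    nonce = b"fixed-nonce"
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)            # same key AND nonce: keystream reused
    c3 = encrypt(key, b"other-nonce", p2)   # fresh nonce: a different keystream
    return {
        "roundtrip": decrypt(key, nonce, c1),
        "recovered_p2": two_time_pad(c1, c2, p1),       # leaks p2
        "with_fresh_nonce": two_time_pad(c1, c3, p1),   # garbage
    }

if __name__ == "__main__":
    print(demo())
```

This is why protocols carry a per-message nonce or IV alongside the ciphertext and why WEP's 24-bit IV, which wraps after a few million frames, was a design flaw rather than an implementation bug.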

Surfing
Looking through a site or multiple sites.

Squatting
See Camping Out.

Symmetric Algorithm
A single-key system where the same secret key is used for encryption and decryption. Transmitting the secret key securely is the hard part, so in practice an asymmetric algorithm is used to exchange a symmetric session key and the symmetric algorithm then encrypts the data.

SYN Flood
A denial of service attack that sends a stream of TCP SYN packets, often from spoofed addresses, and never completes the handshakes; the half-open connections fill the server's listen queue so that legitimate users cannot connect. SYN cookies and shorter handshake timeouts are the usual defenses.

T

TCP/IP
Transmission Control Protocol/Internet Protocol. The protocol suite by which all Internet devices talk to each other. IP delivers individual packets between hosts with no guarantees; TCP, on top of it, is a connection-oriented transport protocol that provides reliable, full-duplex data transmission between two entities, often a client and a server application.

Telecommuting
Working at home while using a computer and modem to communicate with the office.

Telnet
Internet protocol (TCP port 23) that allows connections as a remote terminal to a host computer. It enables a terminal attached to one host to log in to other hosts as if directly connected to the remote machine. Everything, including passwords, is sent in the clear; use SSH instead.

TFTP
Trivial File Transfer Protocol. A no-frills, unauthenticated protocol used to transfer files. TFTP runs over UDP (port 69) and is often used for backing up router and switch configurations as well as booting diskless workstations, so a TFTP server holding configurations must be firewalled off from everything but the devices that need it.

Timestamp
A mark that records the time of creation or transmission of a document.

Token
A password that can be used only once, typically generated as needed by a hardware device the user carries; also the device itself.

Transport Layer
On the Internet, the layer that implements TCP and UDP over the network layer.

Triple DES
An encryption algorithm that applies DES three times in succession with three different 56-bit keys (168 bits in total, though meet-in-the-middle attacks reduce the effective strength to about 112 bits). Much slower than AES, which has replaced it.

Trojan Horse
Just 'Trojan' for short, a piece of malicious code embedded in an otherwise benign program that the victim runs voluntarily; typically used to open a back door or steal data.


Trusted Introducer
An individual or organization that is trusted to introduce other keys. If a key carries the signature of a trusted introducer, that key is considered valid.

Trusted System
As used here, a trust mechanism (such as the 'r' commands' hosts.equiv) that allows hosts to trust the identity of users of another system without requiring them to authenticate with passwords. Because the trust is based on the remote host's address, a compromised or spoofed trusted host compromises every system that trusts it.

TTL
Time-To-Live. The maximum number of router hops that a datagram can experience on a network before it is discarded. Used to prevent packets from looping endlessly; traceroute maps a path by sending packets with increasing TTLs.

Twofish
Developed by Bruce Schneier and Counterpane Systems, Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits, and was one of the five AES finalists. Twofish is designed to be highly secure and highly flexible. It is well suited to encrypt and decrypt efficiently on powerful computers, smart cards and wireless devices alike.

U

UDP
User Datagram Protocol. A connectionless transport protocol. Delivery is not guaranteed, nor is it guaranteed that datagrams will arrive in order. It provides a less reliable channel than TCP and is used mainly for DNS, audio and video, and other traffic that can tolerate loss. Because there is no handshake, UDP source addresses are trivially spoofed.

Unix
Operating system used by most service providers and universities.

Upload
Send files from your computer to another computer through the Internet.

URL
Uniform Resource Locator. A Web address.

Usenet
A collection of networks and computer systems that exchange messages, organized by subject into newsgroups.

Unified Threat Management (UTM)
An emerging trend in firewall appliances that combines many services in one box, including firewalling, intrusion detection, content filtering, spam filtering, and anti-virus.

V

Verification
The act of ensuring that a message has not been altered since it was signed, by checking the signature created with the sender's private key against the sender's corresponding public key.

Virus
A program that replicates itself on computer systems by incorporating itself into other programs that are shared among computer systems.

VPN
Virtual Private Network. Security devices or software on network endpoints that encrypt and authenticate traffic as it travels over a public network (like the Internet), so that remote sites or users appear to be on one private network.

VRML
Virtual Reality Modeling Language. Method for creating 3D environments on the Web.

W

Wetware
Hacker slang for the human brain.

World Wide Web
Invented by Tim Berners-Lee in the early 1990s, an Internet client-server system to distribute information, based upon the hypertext transfer protocol (HTTP).


WAN
Wide Area Network. A physical communications network that spans large geographical distances. WANs usually operate at slower speeds than LANs.

Webmaster
Person responsible for a web server, web authoring and maintaining web sites.

Web-of-Trust
A trust model used by PGP to validate public keys where trust is cumulative, not hierarchical, and depends on the trust placed in 'introducers.'

WEP
Wired Equivalent Privacy. The security protocol for wireless local area networks (WLANs) defined in the original IEEE 802.11 standard. It uses the RC4 stream cipher with a shared key and a 24-bit initialization vector and was broken in 2001: an attacker who captures enough traffic can recover the key. Sometimes called Wireless Encryption Protocol, which is a misnomer. Replaced by WPA.

WPA
Wi-Fi Protected Access. The Wi-Fi Alliance standard designed to improve upon the security features of WEP, with stronger data encryption (TKIP, and AES-CCMP in WPA2) and user authentication (802.1X, or a pre-shared key for home use).

Wrapper
TCP Wrappers. A package for Unix systems (tcpd, by Wietse Venema) that logs requests for Internet services and provides an access control mechanism based on the client's address, configured in /etc/hosts.allow and /etc/hosts.deny.

wu-FTPd
Washington University FTP Daemon. A feature-rich FTP server that was for years the most widely deployed FTP server on Unix systems. It has had a number of remotely exploitable vulnerabilities over the years, so it must be kept patched or replaced with a more conservative server.

WWW
World Wide Web. A cohesive and user-friendly view of the Internet through many protocols, especially HTTP.

W3C
The World Wide Web Consortium. The international standards body for Web technologies.

X

X Window System
A graphical windowing system developed at MIT that enables a user to run applications on other computers and view the output locally. Access control is by host (xhost) or by cookie (see MIT-MAGIC-COOKIE-1); an X server left open to the network lets anyone watch the display and keystrokes.

X.509 v3
A certificate format used to prove identity and public key ownership, based on a hierarchical trust model of certificate authorities.

Z

Zip
PC file compression format that creates files with the extension .zip using PKZip or WinZip software.