Internet Security Q & A



Introduction

If you are connected to the Internet, be it a permanent connection or just via periodic dial-up, there are security implications that require serious consideration. Having an inadequate or non-existent Internet Security Policy is as risky as failing to lock your doors at night. Depending on how much you value your computer system and the data it tracks, it can be just as costly as well.

So how does running Parts Magician affect your Internet Security? The following Q&A sections should hopefully answer common questions and concerns we receive. If there is anything additional you would like to know about the system, contact us at support@partsmagician.com.

Q: Will running Parts Magician affect my Internet Security Risk in any way?

In short, no. Running Parts Magician on your computer system in your business will neither add to nor reduce the risk of being affected by malicious activity from other Internet users.

The strength of all of the Internet Security Policy activities outlined below will remain unaffected if you choose to add Parts Magician to your suite of business tools:
  • Firewalling and tripwire (see firewalling questions below)
  • Regularly updated anti-virus software
  • Restrictions on downloadable content in various delivery mechanisms (web, FTP, e-mail)
  • Lockdown of security-prone services and application features (scripting, RPC services, etc.)
  • Regular upgrades/updates of security-prone components such as operating systems, services and mail clients

The technical staff at Parts Magician take Internet security seriously, and consequently security considerations have been a principal driver behind many design and implementation decisions concerning the development of the Parts Magician Network.

Q: In order to get Parts Magician working my firewall setup requires modification. What are the necessary modifications and are there any security implications?

There are two key computer programs at work in the Parts Magician Network: a client and a server. The client is installed on an Internet-aware computer within your computer system. The server is a computer that we at Parts Magician manage. This setup is the same as many standard Internet services, such as web browsing and e-mail.

In order for you to connect to the network, the client software needs to be able to establish a line of communication with the server. In technical language this is known as establishing a TCP/IP connection.

TCP/IP connections are the main conduits of the Internet and therefore the same routes used for malicious activity. It is the establishment and management of these connections that a firewall system is concerned with. Firewalls allow you to control who can communicate with whom.

The base and most common configuration for a firewall is to disallow anyone on the outside, such as a hacker looking for a security hole which they can exploit, from arbitrarily attempting to establish a communication link with a computer inside your firewall. A more restrictive and less common firewalling setup will also restrict computers inside your network from establishing connections to computers outside of your network, other than for core Internet-based services such as web browsing, e-mail and FTP.

It is the second, more restrictive firewall setup that impacts the running of Parts Magician. In order to run Parts Magician in such a network, the firewall needs to be set up with a rule that states that it is OK for a computer inside your network to establish a connection to the Parts Magician server for Parts Magician based networking.

From the perspective of a hacker on the outside trying to get in, adding Parts Magician to your list of trusted services to connect to does not introduce a chink in the firewall armour. Access to your internal computer system from the outside will be just as restrictive and opaque as it was before.

Q: Can Parts Magician Server be spoofed? What are the implications?

Spoofing is an industry term that refers to the ability to trick a computer into thinking that it is communicating with Internet service 'A' when in fact it is actually communicating with malicious computer hacker 'M', potentially sending 'M' sensitive business information such as credit card details.

The Parts Magician Network by default does not employ encryption, so it is theoretically possible for a malicious party to spoof and/or intercept traffic between the Parts Magician client and server. The risk of such activity occurring has been deemed insufficient to merit implementing encryption as standard within the network. Specifically:

  • Internet traffic interception and spoofing is significantly more difficult to perform than other malicious activities such as Denial of Service (DoS), virus propagation and hacking.
  • No sensitive data is transmitted between computers in the Parts Magician network, only part numbers and public business details such as name and address. So the rewards for such malicious activity are non-existent.
  • Information is encoded using an internally developed encoding methodology. Although not nearly as secure as a strong cryptographic algorithm, it is sufficient to deter all but the most determined attempts to spoof and/or intercept Parts Magician traffic.
  • Passwords are encrypted.

If full encryption is a necessary requirement for your Internet Security Policy, a special version of the Parts Magician Client is available at additional cost that implements encrypted communications. It utilises a replay-attack-safe 2048 bit RSA and TripleDES encipherment with regular key exchange and MD5 checksum checking.

Q: Can Parts Magician be used as a conduit for viruses and worms?

In short, no. In order for a virus or worm to propagate through an Internet connection, the potential virus/worm receiver (in this case the Parts Magician Client) must have the ability to run potentially dangerous bits of computer software that are sent to it.

The Parts Magician Client does not possess this ability.

Q: Can the Parts Magician Client be hacked into?

Some programs can unwittingly be used as a conduit for hackers, viruses and worms because they have exploitable defects in the software that allow snippets of malicious computer software sent to them to be run. The most common form of forced entry is exploiting a common software defect known as 'buffer overrun'.

Parts Magician Client is at a very low risk of being a target for such an exploit, for the following reasons:
  • Parts Magician runs in a protective sandbox called the Java Runtime Environment. It offers an additional level of isolation separating potential hackers from the actual computer.
  • Software that runs in a Java Runtime Environment is exempt from common hacks such as the buffer overrun exploit.
  • Except for auto-update (see below), Parts Magician cannot receive computer software snippets. It only deals with passive information such as part numbers.

Q: Is the Parts Magician auto-update facility secure?

Parts Magician Client has the ability to automatically download and install later versions of itself. Any such activity, when poorly designed, opens you to the possibility of a malicious hacker tricking your computer into downloading and installing software of their choice instead of the intended product. This is an advanced form of spoof attack.

Parts Magician Client protects against this via the usage of certificate-less 2048 bit digital signatures. The Parts Magician Client will not download, run or install any component from the Internet unless its digital signature proves that the software in its complete form came from us at Parts Magician.

Digital signing is a cryptographic algorithm that allows a person to generate a signature for a piece of data that only they can write yet anyone in the world can check. So as we at Parts Magician create new versions of the software, we sign the new version with a private digital 'key' that we keep secret. When the Parts Magician client verifies that signature on auto-update, it is assured that the software it is downloading really did come from us and not a malicious third party.

Certificate-less digital signing is actually more secure than the more commonly employed certificate based signatures used in secure web browsing and PGP email. Certificate-less digital signing can only be used when both parties (client and server) know in advance who they will be communicating with.
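
The auto-update check described above, sketched in Java as an added example (this is not Parts Magician's own code): the client carries the vendor's public key in advance and refuses any download whose signature over the complete file does not verify under that key, so a truncated file and a signature made with any other key are both rejected. The `SHA256withRSA` algorithm, the class and method names and the sample update bytes are assumptions; the page states only that 2048 bit signatures are used, and the key pairs are generated at run time to stand in for the vendor's key.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;

public class PinnedUpdateCheck {
    // Assumption: the page does not name the signature scheme, only the key size.
    static final String ALG = "SHA256withRSA";

    // Vendor side: sign the complete release with the private key that is kept secret.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Client side: accept the update only if the signature over the whole
    // downloaded file verifies under the public key shipped with the client.
    static boolean acceptUpdate(PublicKey pinned, byte[] update, byte[] sig) {
        try {
            Signature v = Signature.getInstance(ALG);
            v.initVerify(pinned);
            v.update(update);
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key: fail closed
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair vendor = gen.generateKeyPair(); // stands in for the vendor's key pair
        KeyPair other = gen.generateKeyPair();  // any key the client does not pin

        // Constructed sample input, not a real release.
        byte[] update = "constructed sample update file".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(vendor.getPrivate(), update);
        byte[] truncated = Arrays.copyOf(update, update.length - 1);
        byte[] foreignSig = sign(other.getPrivate(), update);
        System.out.println("genuine:   " + acceptUpdate(vendor.getPublic(), update, sig));
        System.out.println("truncated: " + acceptUpdate(vendor.getPublic(), truncated, sig));
        System.out.println("wrong key: " + acceptUpdate(vendor.getPublic(), update, foreignSig));
    }
}
```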