Tuesday, October 11, is the second Tuesday of October and is the usual day when Microsoft issues security updates for its Windows products. This one contains two critical updates, so you will want to make sure that you turn your automatic updates on at your home PCs. (Mac users don’t have to worry about such things…) Here’s the scoop:
Microsoft is planning eight security updates next week – two critical – as part of its regular Patch Tuesday program.
The obvious highlight of the batch is a critical update for Internet Explorer that affects all supported versions of Microsoft’s ubiquitous web browser, including IE 9. The second critical update covers flaws in Microsoft .NET Framework and Microsoft Silverlight that create a possible mechanism for miscreants to inject hostile code onto vulnerable systems.
The bad news is that most of the updates will require system restarts. I suggest you set updates to manual on any application servers.
Hilarious YouTube video that one of my fellow Net Admins sent out this morning. So, I’m going to kick off the new month with a bit of humor. And watch for some scary Halloween-esque real-life security horror stores in celebration of the scariest month of the year.
[kml_flashembed movie="http://www.youtube.com/v/L1jAr466DJc" width="425" height="350" wmode="transparent" /]
If your computer is not properly patched (according to all the best advice I have given you), you are at risk of infection. According to Sophos, “Even after 3 years, Conficker is the still the most common virus. Since 2008, it has exploited unprotected computers, weak passwords and USB storage devices.”
The good news is that Sophos has released a Conficker Removal Tool that you can use to scan your system and remove the virus. I tested the tool and it’s very simple – no complicated installation or configuration. Naturally, the tool didn’t find Conficker on my system
If you suspect you have Conficker on your system, or you’re not sure, but want to check, download the tool and remove Conficker now. They, get your system security patches up to date. Please. The virus will just keep spreading until everyone is patched.
Don’t be a Conficker enabler…
Sometimes, all we have to do is laugh about it.
We have a Skype room called the International Internet Marketing Group where we discuss various topics related to Internet Marketing. Last night, we had a discussion, which I led, about passwords and online security. Here’s an excerpt:
EVERYBODY here needs to LEARN this stuff today.
[9/26/2011 7:59:22 PM] ™ Gary Simpson: If you choose not to read it or – even worse – IGNORE it then more fool you!
[9/26/2011 8:00:16 PM] ™ Gary Simpson: Marj, you wanna kick off with the subject?
[9/26/2011 8:00:43 PM] Steve Lorenzo: Ken is the (*) tonight
[9/26/2011 8:00:51 PM] ™ Gary Simpson: Yep.
[9/26/2011 8:00:59 PM] ™ Gary Simpson: The Sheikh of Geek!
[9/26/2011 8:01:22 PM] Dennis Pippin: I’m all ears Ken
[9/26/2011 8:03:13 PM] ™ Gary Simpson: Banging fist on table: GEEK! GEEK! GEEK!
9/26/2011 8:04:17 PM] ™ Gary Simpson: Those who need it most ain’t here – as USUAL!
[9/26/2011 8:04:21 PM] Marj Wyatt: Bill will catch up
[9/26/2011 8:04:55 PM] ™ Gary Simpson: “I will read it later” <— translates to “I can’t be stuffed.”
[9/26/2011 8:05:16 PM] Maureen Amberg: I’m here
[9/26/2011 8:05:24 PM] ™ Gary Simpson: NEXT: “My site has been hacked!”
[9/26/2011 8:05:35 PM] ™ Gary Simpson: HEEEEEEEEEEEEEEELP MEEEEEEEEEEEEEEEEEEE!
[9/26/2011 8:05:39 PM] Marj Wyatt: Topic tonight is Online Security for your Business (think we ought to keep it focused on Business)
[9/26/2011 8:05:59 PM] + Ken Harthun (Co-host: TIIMG): [Monday, September 26, 2011 8:04 PM] ™ Gary Simpson:
<<< Those who need it most ain’t here – as USUAL!Let them eat Phish!
[9/26/2011 8:06:14 PM] ™ Gary Simpson: ************************************
[Monday, September 26, 2011 8:05 PM] Marj Wyatt:
<<< Topic tonight is Online Security for your Business (think we ought to keep it focused on Business)************************************
[9/26/2011 8:07:15 PM] + Ken Harthun (Co-host: TIIMG): Gary, Steve, Anyone. What is the least secure password you can use.
[9/26/2011 8:07:26 PM] Kay Brasher: password
[9/26/2011 8:07:37 PM] ™ Gary Simpson: admin?
[9/26/2011 8:07:47 PM] Kay Brasher: I thought admin was the login?
[9/26/2011 8:07:49 PM] ™ Gary Simpson: Both are as DUMB as each other.
[9/26/2011 8:07:56 PM] Marj Wyatt: @Ken, children’s names, birthdays
[9/26/2011 8:07:58 PM] + Ken Harthun (Co-host: TIIMG): Yes, Kay, and what if I told you that password is perfectly OK to use IF you do something to it?
[9/26/2011 8:07:59 PM] ™ Gary Simpson: Your name?
[9/26/2011 8:08:01 PM] Marj Wyatt: Marj Wyatt just guessing
[9/26/2011 8:08:11 PM] Kay Brasher: Oh I am all ears
[9/26/2011 8:08:11 PM] Dennis Pippin: 123456
[9/26/2011 8:08:19 PM] ™ Gary Simpson: eg password versus !pass!word%
[9/26/2011 8:08:40 PM] + Ken Harthun (Co-host: TIIMG): Yes, 123456 is a good one. Also, can be one of the most secure passwords you can use. Anyone confused yet? Ready to lynch me?
[9/26/2011 8:09:09 PM] Marj Wyatt: have no idea, Ken
[9/26/2011 8:09:09 PM] ™ Gary Simpson: @ Ken – depends how you “conceal” it.
[9/26/2011 8:09:27 PM] + Ken Harthun (Co-host: TIIMG): Gary, you’re too damn smart for your own good… LOL
[9/26/2011 8:09:39 PM] Marj Wyatt: combo of upper/lower case alpha with numeric and special characters
[9/26/2011 8:09:47 PM | Edited 8:09:58 PM] ™ Gary Simpson: LOL!
[9/26/2011 8:10:01 PM] Marj Wyatt: lower case “us” Robert
[9/26/2011 8:10:22 PM] + Ken Harthun (Co-host: TIIMG): Here’s a question, based on Marj’s comment. What is the most secure password of these two? Xh73!*j3 or Dog……..?
[9/26/2011 8:10:37 PM] Kay Brasher: Xh73!*j3
[9/26/2011 8:10:48 PM] Marj Wyatt: [Monday, September 26, 2011 8:10 PM] + Ken Harthun (Co-host: TIIMG):
<<< Xh73!*j3that one
[9/26/2011 8:10:55 PM] + Ken Harthun (Co-host: TIIMG): @Kay BUZZZZZ! Not!
[9/26/2011 8:11:04 PM] + Ken Harthun (Co-host: TIIMG): Wrong, Marj.
[9/26/2011 8:11:20 PM] Marj Wyatt: oh well
[9/26/2011 8:11:28 PM] ™ Gary Simpson: 1k2e3n4h5a6r7t8h9u10n
[9/26/2011 8:11:34 PM] Marj Wyatt: I use an online strong password generator tool
[9/26/2011 8:11:44 PM] + Ken Harthun (Co-host: TIIMG): @Gary BUZZZZ you’re out XXXXXX
[9/26/2011 8:12:04 PM] ™ Gary Simpson: Spill Geek.
[9/26/2011 8:12:15 PM] Marj Wyatt: Ok Ken, why would Dog…….. be better?
[9/26/2011 8:12:23 PM] + Ken Harthun (Co-host: TIIMG): I vill give you my secret for a fee!
[9/26/2011 8:12:36 PM] ™ Gary Simpson: Stop speaking like the Count!
[9/26/2011 8:12:39 PM] Marj Wyatt: umhmmm
[9/26/2011 8:12:43 PM] ™ Gary Simpson: Has he bitten you?
[9/26/2011 8:12:43 PM] + Ken Harthun (Co-host: TIIMG): Everyone must pay the fee!
[9/26/2011 8:12:58 PM] Marj Wyatt: (bow)
[9/26/2011 8:13:09 PM] + Ken Harthun (Co-host: TIIMG): Ist you villing to pay ze fee?
[9/26/2011 8:13:27 PM] ™ Gary Simpson: I vill keel you if you keep the teeze.
[9/26/2011 8:13:30 PM] Kay Brasher: Sorry I am broke
[9/26/2011 8:13:37 PM] Marj Wyatt: I just bowed to you, that’s all yer gettin
[9/26/2011 8:14:04 PM] + Ken Harthun (Co-host: TIIMG): OK. The fee is simple: Promise to heed these words and USE what I am about to reveal to you!
[9/26/2011 8:14:10 PM] + Ken Harthun (Co-host: TIIMG): Agreed?
[9/26/2011 8:14:19 PM] Dennis Pippin: Agreed!!!
[9/26/2011 8:14:19 PM] ™ Gary Simpson: Agreed.
[9/26/2011 8:14:20 PM] + Ken Harthun (Co-host: TIIMG): It’s really a revelation1
[9/26/2011 8:14:21 PM] Marj Wyatt: (nod)
[9/26/2011 8:14:27 PM] Tina Golden: Agreed <and I’m here now… lol>
[9/26/2011 8:14:35 PM] ™ Gary Simpson: Quoting from the Bible now?
[9/26/2011 8:14:37 PM] Suzanne Patricia Howarth: most programs won’t allow 3 letter passwords anyway
[9/26/2011 8:14:41 PM] Kay Brasher: Agreed
[9/26/2011 8:14:43 PM] ™ Gary Simpson: ie Revelations.
[9/26/2011 8:14:50 PM] Maureen Amberg: Why can’t you have a password that noone could guess?
[9/26/2011 8:15:02 PM] Marj Wyatt: @Suzanne, except for DAP
[9/26/2011 8:15:03 PM] + Ken Harthun (Co-host: TIIMG): The correct answer is that Dog…… is a very secure password and easier to remember than XH@*222>>>@
[9/26/2011 8:15:22 PM] Marj Wyatt: That’s why I use Roboform!
[9/26/2011 8:15:23 PM] ™ Gary Simpson: @ Maureen – A brute force password attack will crack almost any English word so it’s
best to include some random characters to avoid the possibility of that.
(See Steve Lorenzo’s e-book/report on the most common passwords NOT to use.)
[9/26/2011 8:15:26 PM] -Bill Vallee (Leader:TIIMG): (whew) (wave) (flag:us)
[9/26/2011 8:15:38 PM] Suzanne Patricia Howarth: You are not saying why. please get to the point I need to go
[9/26/2011 8:15:40 PM] + Ken Harthun (Co-host: TIIMG): Gary, you’re stealing my thunder here.
[9/26/2011 8:15:59 PM] ™ Gary Simpson: Soz Ken. I will STFU. LOL!
[9/26/2011 8:16:14 PM] Dennis Pippin: so you mean dog with the dots?
[9/26/2011 8:16:45 PM] + Ken Harthun (Co-host: TIIMG): OK. here’s the scoop. You take any dictionary word, your name, your dog’s name, anything you want and PAD it with a personal password pattern that you will easily remember and you have an virtually unbreakable password.
[9/26/2011 8:17:05 PM] ™ Gary Simpson: EXCELLENT point.
[9/26/2011 8:17:35 PM] Steve Lorenzo: [Monday, September 26, 2011 8:06 PM] + Ken Harthun (Co-host: TIIMG):
<<< Gary, Steve, Anyone. What is the least secure password you can use.The MOST used password is
See the Most Used 500 Passwords here:
^^^ It is still free to get for you ^^^
But I’ll be releasing it as a PAID product WSO next week
[9/26/2011 8:17:54 PM] Tina Golden: Awesome tip, Ken, thanks!
[9/26/2011 8:17:57 PM] + Ken Harthun (Co-host: TIIMG): The secret is that the hackers don’t know your password. They will try dictionary words and common variations, but once you force them to use brute-force guessing routines, they’re lost.
[9/26/2011 8:18:00 PM] Maureen Amberg: I do not use a dictionary word…..and do add numbers or symbols. Is OK?
[9/26/2011 8:18:45 PM] Tina Golden: I use a name (not my own) and number combination
[9/26/2011 8:18:51 PM] Steve Lorenzo: One VERY important thing is
You do not need ONE password .. <<< dumbest thing to do, no matter how complicated it is!
[9/26/2011 8:18:56 PM] Tina Golden: But I like Ken’s suggestion
[9/26/2011 8:19:10 PM] Steve Lorenzo: But rather different passwords for each separate website
[9/26/2011 8:19:13 PM] + Ken Harthun (Co-host: TIIMG): Steve, I’ll use 123456 every day. Try to guess this one: +_..123456.._+
[9/26/2011 8:19:18 PM] Dennis Pippin: [Monday, September 26, 2011 8:16 PM] + Ken Harthun (Co-host: TIIMG):
<<< OK. here’s the scoop. You take any dictionary word, your name, your dog’s name, anything you want and PAD it with a personal password pattern that you will easily remember and you have an virtually unbreakable password.I don’t understand this
[9/26/2011 8:19:48 PM] Maureen Amberg: Excellent point Steve!
[9/26/2011 8:19:51 PM] Tina Golden: If you have a virtually unbreakable password, would it matter if we used it on more than one site?
[9/26/2011 8:19:52 PM] Steve Lorenzo: Ken, it’s not about me, but the hackers who would use software to try all the combos possible
[9/26/2011 8:20:04 PM] Steve Lorenzo: the simpler it is, the fastest they can push through it
[9/26/2011 8:20:11 PM] Dennis Pippin: PAD it with a personal password pattern…. this is what I don’t understand
[9/26/2011 8:20:25 PM] ™ Gary Simpson: @ Dennis – look what I did here:
[Monday, September 26, 2011 8:11 PM] ™ Gary Simpson:
[9/26/2011 8:20:34 PM] + Ken Harthun (Co-host: TIIMG): Once you add the padding, which is unkown to a hacker, and force brute force attacking methods, then length trumps complexity. Use anything you will easily remember, just add a pattern that you will remember and you’re good to go.
[9/26/2011 8:24:52 PM] + Ken Harthun (Co-host: TIIMG): @Marj. Brute force means you have to guess every character one at a time. It can take eons if your password is long enough.
Are you getting this?
[kml_flashembed movie="http://www.youtube.com/v/IB2FZvHuICU" width="425" height="350" wmode="transparent" /]
Data leakage? What’s that, you ask? Well, it’s a growing security issue which has at its root, the explosive proliferation of mobile and portable devices and the exponential growth of social networking tools, instant messaging, and external storage devices. Simply defined, data leakage is “the intentional or accidental exposure of sensitive information ranging from personally-identifiable information to protected intellectual property and trade secrets” (Source: Data Leakage for Dummies, Sophos Special Edition by Lawrence C. Miller, CISSP). You can download your own copy here which, if you are involved in enterprise security like I am, I highly suggest you do.
The book outlines six ways to reduce data leakage risks, but I consider only five to be relevant and my order of importance is somewhat different. That probably doesn’t matter in the overall scheme of things as longs as all the bases are covered. Here is my top five in order of most important to least important:
- Device control – policy should be in place to control who is issued mobile devices such as laptops and smart phones based on roles and responsibilities. Policy should also include how staff, contractors, etc. may use removable storage devices such as external hard drives, USB thumb drives, CD/DVDs, cloud storage etc.
- Encryption – laptops should be issued only with full-disk or file-level encryption. Employees who use USB thumb drives to occasionally move data around, or take it home to work on (yes, I know this isn’t best practice, but people do it anyway) should be instructed in the use of security that is normally provided on today’s leading USB storage devices.
- Anti-Virus – it goes without saying that ALL endpoints must have complete anti-virus/anti-malware protection to prevent hackers for accessing sensitive data through trojans and malicious links. Security policies should be implemented in Group Policy and automatically applied to any device connected the network.
- Network access – strict policy should be in place to dictate who is granted access to the network and what level of access they are granted. Traffic in the network should be segmented so it can be monitored and any potentially insecure segments should be locked down tight.
- Application control – User-installed applications increase the risk of data leakage in your organization. Third-party IM, games, VoIP applications, and P2P software should be tightly controlled and if allowed should be thoroughly tested and vetted by the IT department before approval is issued.
These five areas form the basis of a comprehensive security policy to prevent data leakage in your organization. They also apply to your personal information.
Give them due consideration, won’t you?
This snippet from SANS NewsBites Vol. 13, No. 74, 16 September 2011:
Researchers have detected a rootkit that targets the BIOS, Master Boot Record (MBR), the kernel, and files of PCs. It has been at least four years since malware that focuses on BIOS has been found. Trojan.Mebromi adds malicious instructions to the BIOS that cause machines to becomere-infected when they are booted even after the master boot records has been cleared of infection. Mebromi is unlikely to become widespread as it affects just one type of BIOS. However, it raises the question of how to create a utility to clean BIOS and poses no risk of damage.
Regardless of whether or not this becomes widespread, it points up the reality that nothing in a PC is truly safe; indeed, routers switches and other networking equipment all contain IOS chips that can be flashed. In this case, it’s only one BIOS maker, Award. Here is an interesting flowchart put together by Symantec after they analyzed the trojan’s behavior:
It’s almost too simple. I think we’ll be seeing more of this type of thing in the future.
The National Institute of Standards and Technology (NIST) issued a draft of Special Publication 800-118 entitled “Guide to Enterprise Password Management” that I have been using to help our corporate IT folks formulate standard password policy. The guide is a comprehensive look at the subject and I highly recommend that anyone involved in establishing enterprise-level password policy give it a read.
If you have ever read any of the NIST security-related publications – or any other government publications – you know that their standards dictate a define-your-terms approach to everything. This got me to thinking that over the years, I have used much password-related terminology in my various posts, many of which I have never defined. The guide contains a listing of the terms used in the report along with their definitions. I found this enlightening and I think you will too.
Authentication: The process of establishing confidence in the validity of a claimant’s presented identifier, usually as a prerequisite for granting access to resources in an information system.
Brute Force Attack: A form of guessing attack in which the attacker uses all possible combinations of characters from a given character set and for passwords up to a given length.
Capturing: The act of an attacker acquiring a password from storage, transmission, or user knowledge and behavior.
Claimant: An entity that has presented an identity but has not been authenticated.
Cracking: The process of an attacker recovering cryptographic password hashes and using various analysis methods to attempt to identify a character string that will produce one of those hashes.
Dictionary Attack: A form of guessing attack in which the attacker attempts to guess a password using a list of possible passwords that is not exhaustive.
Guessing: The act of repeatedly attempting to authenticate using default passwords, dictionary words, and other possible passwords.
Hybrid Attack: A form of guessing attack in which the attacker uses a dictionary that contains possible passwords and then uses variations through brute force methods of the original passwords in the dictionary to create new potential passwords.
Identification: A claimant presenting an identifier that indicates a user identity for a system.
Keyspace: The total number of possible values that a key, such as a password, can have.
Keystroke Logger: A form of malware that monitors a keyboard for action events, such as a key being pressed, and provides the observed keystrokes to an attacker.
Passphrase: A relatively long password consisting of a series of words, such as a phrase or full sentence.
Password: A secret, typically a character string, that a claimant uses to authenticate its identity.
Password Expiration: The process of forcing a user to select a new password after a certain amount of time.
Password History: The retention of one or more previous passwords or password hashes for comparison against new passwords or password hashes.
Password Management: The process of defining, implementing, and maintaining password policies throughout an enterprise.
Password Management Software Utility: A local utility that allows a user to store usernames, passwords, and other small pieces of sensitive information, such as account numbers.
B-1 GUIDE TO ENTERPRISE PASSWORD MANAGEMENT (DRAFT) B-2
Password Recovery: The process of a user regaining access to a password that the user has forgotten.
Password Reset: The process of a user having a new password set for a user account.
Password Synchronization: A technology that takes a password from the user and changes the passwords on other resources to be the same as that password, so that the user can use the same password when authenticating to each resource.
Personal Identification Number (PIN): A password that is relatively short (usually 4 to 6 characters) and consists of only digits.
Rainbow Table: A lookup table that contains pre-computed password hashes, often used during cracking.
Reduced Sign-On: A technology that allows a user to authenticate once and then access many, but not all, of the resources that the user is authorized to use.
Salting: The inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash.
Single Sign-On: A technology that allows a user to authenticate once and then access all the resources that the user is authorized to use.
Stretching: The act of hashing each password and its salt thousands of times, which makes the creation of rainbow tables more time-consuming.
I use Last Pass and Steve Gibson’s Password Haystacks to create super-secure passwords. I also own and use a Yubikey for secure, two-factor authentication. I’m not overly-paranoid about my sensitive information–I just feel that I’m taking reasonable precautions that everyone should follow. However, there are those who don’t even trust trustworthy services like LastPass and want nothing to do with any of their passwords or encryption keys being stored on line. I guess I understand that, though I consider it a bit unreasonable.
There’s good news for the completely paranoid amongst us, however. Steve Gibson has created the only known system to provide secure encryption using nothing but a specially designed piece of paper: Enter “Off The Grid: A paper-based system for encrypting domain names into secure passwords.” While the system uses technology to set up the grid, nothing is stored and no other software is involved. There is always the concern that since modern encryption technology relies upon software running on various devices, there is a risk of security vulnerabilities that can lead to compromise of your system. The beauty of “Off the Grid” is best described by its inventor:
“Off The Grid” converts any website’s name into a secure password that you never need to write down, store, or remember because you can easily re-create the same secure password from the same website name the next time, and every time, you need it.
Websites are routinely compromised with their users’ logon identity (eMail address and password) stolen. So reusing the same password on separate websites creates a tremendous risk because bad guys could obtain your eMail address and password from one site, then logon as you somewhere else with your reused password.
The “Off The Grid” system securely and uniquely encrypts each website’s domain name into your personal password for that one site, so it automatically creates a different secure password for each website and reuse never occurs.
Is that beautiful, or what?
I tried it and it is very easy to use; however, it’s not completely ready for prime time yet, as Steve explains on this page:
. . . a KEY requirement for the practical use of this system is that you should be able to recreate and reprint, perhaps in different sizes, fonts, character spacing, etc., YOUR own unique grid, not only now, but at any time in the future. To enable that, the final version of this page — which will be forthcoming shortly — will provide you with a matching randomly generated cryptographic KEY that you will be advised to record and store securely. Then, at any time in the future, you will be able to reuse that unique KEY to recreate YOUR unique personal grid structure, while being able to freely change its shape, size, coloration, fonts, and so forth.
I am currently working to complete the remaining background web pages to fully document this “Off The Grid” system. Once they are complete, I will add the finishing technology touches to this grid generation and printing page.
In the meantime you can, of course, play with the technology. But since there is currently no way for you to recreate any of the grids that this page displays, you should not commit to any grid until the cryptographic keying technology has been added.
In the meantime, have fun with it!