<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; passwords</title>
	<atom:link href="http://www.theemailadmin.com/tag/passwords/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Sat, 04 Feb 2012 15:38:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Government Can Force You to Decrypt Your Data</title>
		<link>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/</link>
		<comments>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 14:00:15 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[intrusion]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5322</guid>
		<description><![CDATA[Administrators confident about the safety of their data encrypted on company laptops should start squirming if a recent court decision passes muster in the United States. The case involves a Colorado woman who has been ordered to open the encrypted drives on her laptop for federal investigators. Unlike the cops on television shows and movies, [...]<p><a href="http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/">Government Can Force You to Decrypt Your Data</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-165-key.jpg"><img class="size-medium wp-image-5337 alignright" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-165-key-300x224.jpg" alt="" width="300" height="224" /></a></p>
<p>Administrators confident about the safety of their data encrypted on company laptops should start squirming if a recent court decision passes muster in the United States.</p>
<p>The case involves a Colorado woman who has been ordered to open the encrypted drives on her laptop for federal investigators.</p>
<p>Unlike the cops on television shows and movies, who always seem to have a computer wizard on hand to decrypt a hard drive or crack a password, law enforcement authorities in Colorado, stymied by the encryption on a notebook in the possession of Romona Fricosu, simply went to a judge and asked him to order her to type in her password so they could see what was in the encrypted files.</p>
<p>In arguing against opening the files, Fricosu claimed doing so would violate her civil rights, in particular her Fifth Amendment right against self-incrimination. Her reasoning was that the government, by forcing her to give up her password for decrypting the drive, was forcing her to incriminate herself if there were anything on the drive tying her to its criminal investigation of a mortgage scam. Investigators believe Fricosu is involved in the scam, which defrauded banks in the Colorado Springs area of some $900,000.</p>
<p>Federal District Court Judge Robert Blackburn didn&#8217;t buy that argument. Fricosu might be incriminating herself if she were being asked to utter the password to the files or to give it to the investigators in some other way. However, she was only being asked to type in the password.</p>
<p>The government said it wasn&#8217;t interested in knowing what the password was. In fact, it said Fricosu could type the password into the laptop without any government operatives hovering over her. For that reason, the password could be treated like a key is treated in the physical world. Since the courts have ruled that the government can compel someone to give it the key to a safe or other repository of potential evidence in a case, Judge Robinson reasoned, it can compel Fricosu to type in her password.</p>
<p>Although the Fricosu case will be appealed and isn&#8217;t settled law yet, it should give administrators some food for thought. It&#8217;s not that far of a stretch, for instance, from treating a password for decrypting files as a key to treating passwords to anything that way.</p>
<p>That can have broad implications for your data&#8217;s security should you ever have to lock horns with any government for any reason. While Fricosu was involved in a criminal matter, the logic underlying the case could be extended to non-criminal government activity such as tax audits or compliance reviews.</p>
<p>With that in mind, should alternatives to passwords be considered? For example, if voice recognition were used to replace passwords, then the &#8220;utterance&#8221; test might be met and your data might be better protected against intrusive legal searches. Then there&#8217;s the question of whether other biometric solutions used for authentication are as legally vulnerable as simple passwords. If a retina has to be supplied to open a laptop, is that a potential act of incrimination?</p>
<p>One thing administrators should take away from the Fricosu decision, should it be upheld by the appellate courts, is that their passwords and the passwords of their organization&#8217;s users aren&#8217;t as safe as they used to be—and neither is anything that can be decrypted with a password.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 8 Offers New Password Features</title>
		<link>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/</link>
		<comments>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 14:00:12 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Windows 8]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5200</guid>
		<description><![CDATA[Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody&#8217;s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way. Everyone has dozens of accounts they need for which [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5239" class="wp-caption alignright" style="width: 285px"><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-62-photo-touch.jpg"><img class="size-full wp-image-5239 " style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-62-photo-touch.jpg" alt="" width="275" height="275" /></a><p class="wp-caption-text">Gestures can replace passwords in Windows 8.</p></div>
<p>Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody&#8217;s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way.</p>
<p>Everyone has dozens of accounts for which they need to memorize passwords. Most people, though, only commit a few passwords to memory and just reuse them over and over again. A study in 2007, for example, found that the average Internet user had 25 accounts that required password access, but used only six passwords to access those accounts.</p>
<p>Security pros decry the reuse of passwords, but there are plenty of sites on the web where, if your password fell into the wrong hands, the consequences would be trivial. Reusing passwords for those sites should be acceptable. There are sites where unique passwords are a must, though, such as banking or credit card payment sites.</p>
<p>With Windows 8, Microsoft is addressing several nettlesome issues that discourage people from creating and using strong passwords. In the upcoming version of Windows, user names and passwords are stored in a secure location called the Credential Password Vault.</p>
<p>The latest version of Microsoft&#8217;s web browser, Internet Explorer 10, is designed to automatically access the Vault for your credential information, but other browsers and applications will eventually be able to access the area, too.</p>
<p>What&#8217;s more, if you have or obtain a Windows Live ID, you&#8217;ll be able to synchronize the Vaults across all your devices. Not only does that remove the annoying situation of trying to remember credentials for a site when you&#8217;re away from the device where you created those credentials, but it can provide a safety net should the password information on any one device be corrupted.</p>
<p>Synchronization appears to be pretty robust too. Microsoft says it can take place behind a firewall. However, websites can block the storage of credentials used to access them. Some banks do that. In that case, synchronization will not work because your credentials won&#8217;t be stored in your Vault.</p>
<p>Another intriguing aspect of the Credential Password Vault is that it can also store security keys. Typically, those keys involve the use of hardware tokens to authenticate a person&#8217;s identity. The Vault, however, is designed to work with something called the Trusted Platform Module, which is being incorporated into more and more computers these days. The Vault and the Module, which acts as a virtual security token, can team up to perform the same function as a token-based key pair system.</p>
<p>For tablets or computers with touchscreens, Windows 8 has an even neater password option. It allows you to take a photo of your choice and use it to access your slate by performing a series of gestures on it.</p>
<p>Although some security experts are skeptical of the method, and even Microsoft acknowledges that <a target="_blank" href="http://arstechnica.com/business/news/2011/12/windows-8-picture-login-dont-let-smudges-reveal-your-password.ars">smudges on a screen could compromise the gesture password</a>, the approach has the potential to be more secure than ordinary password schemes. Microsoft estimates that there are 398 trillion five-gesture combinations that could be applied to a photo, compared to 182 million combinations for a five-character password and nine trillion combinations for an eight-character one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Yes, My Email Account Was Compromised</title>
		<link>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/</link>
		<comments>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 14:00:26 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email account hacked]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[Mail]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[MSN]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[User (computing)]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5106</guid>
		<description><![CDATA[This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday. I was lucky that I did check it. The [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg"><img class="alignright size-full wp-image-5107" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg" alt="" width="281" height="210" /></a>This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.</p>
<p>I was lucky that I did check it. The new message was actually from my personal email account and the contents of the message contained only one link and other people were also sent the same message.</p>
<p>I realized immediately that my personal email account was sending spam. I was upset by this because, working with email and security, I write about and train others on best practices. Not only this, but I follow them as well. I make sure that:</p>
<ul>
<li>I use strong passwords and phrases</li>
<li>I change my passwords frequently</li>
<li>I don’t use the same password over and over</li>
<li>I update my anti-malware software regularly</li>
<li>I run anti-malware scans regularly (ironically, I had just run a scan the day before)</li>
<li>I am careful about what sites I visit</li>
<li>I am careful about clicking links in emails</li>
<li>I am careful about what I download, even checking the MD5 hashes when available.</li>
</ul>
<p>However, after I realized what had happened, I didn’t make the classic mistake of denying that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.</p>
<h2>Steps taken</h2>
<p>When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.</p>
<p>At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.</p>
<p>However looking at a few of these messages I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this said is that:</p>
<p>A) My email address had not been spoofed.</p>
<p>B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.</p>
<p>It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.</p>
<p>Most passwords are captured from a keystroke logger installed on your computer. If you go ahead and change your password, you are simply letting the attacker know what your new one is.</p>
<p>Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.</p>
<p>The three scans, from Malwarebytes Anti-Malware, the TDSSKiller anti-rootkit utility and Ad-Aware, all came up clean, so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages came in, but looking at the headers, these were delayed: the original messages sent from my account went out between 6:48 AM and 6:54 AM, so everything looked clean.</p>
<h2>Digging deeper</h2>
<p>Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.</p>
<p>To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.</p>
<p>Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru registered out of Russia advertising for an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.</p>
<p>After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.</p>
<p>Even as the so-called experts when it comes to email, we have to realize that as threats escalate in sophistication, we too are vulnerable. Following best practices and taking the proper measures to secure our email accounts certainly helps, but there is no way that any of us can assume that our accounts are 100% safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Tips for Better Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/#comments</comments>
		<pubDate>Mon, 27 Jun 2011 16:34:23 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4216</guid>
		<description><![CDATA[Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many. Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_4217" class="wp-caption alignright" style="width: 235px"><img class="size-medium wp-image-4217 " style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/advanced-persistent-threat-225x300.jpg" alt="Advanced persistent threats make email security a necessity" width="225" height="300" /><p class="wp-caption-text">Advanced persistent threats make email security a necessity</p></div>
<p>Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many.</p>
<p>Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening the email servers against attack. In order to fully protect your organization’s email and its contents, the mailbox also needs to be defended. This matters especially when you consider how popular Advanced Persistent Threats are becoming with large cyber crime syndicates, who use email not only as a way to harvest sensitive information, but also as a method of attack through phishing and social engineering.</p>
<p>By implementing the following tips into your security plan you can help protect against these, and the many other threats that your organization may face:</p>
<p><strong>Create email policies to regulate the communication of confidential information</strong></p>
<p>Email communication has become second nature in the workplace. It is quick, easy and it gives us a record of our conversation so we can refer back to any information at a later date. However, if the conversation contains sensitive information like login credentials, financials, personal information, and the like, then it can be extremely valuable to anyone who may harvest those emails.</p>
<p>By simply setting up, and enforcing, policies that restrict certain information from being sent via email you can mitigate the damage done if emails are exposed. At the very least, your policy should state that user logins and passwords (and/or PINs) not be communicated via email.</p>
<p><strong>Teach users to encrypt their messages</strong></p>
<p>One of the best analogies I have seen to describe the need for encrypting emails is one that compares email to a postcard. Basically, anyone who comes across it can read the contents if they want. This can be stopped by encrypting emails to prevent eavesdropping.</p>
<p>Encryption is a hard thing for many people. It requires additional steps, training and, in some cases, third-party software (such as PGP) yet it is really the only way to keep your messages private in transit.</p>
<p>Encryption shouldn’t be limited to sending and receiving messages alone. Any email that is stored on a hard drive (think personal folders), a network drive, backup servers or archive systems should also be protected from any prying eyes.</p>
<p><strong>Get rid of old email</strong></p>
<p>A long time ago, storage space was a precious resource. Nowadays inboxes can be easily scaled to hold enormous amounts of data. Unfortunately that provides a greater possibility that an attacker will find something valuable.</p>
<p>Emails should be moved, or deleted, when their life cycle is up. Make sure to check any regulations regarding discovery and archiving before getting rid of the old stuff, but if you combine this with encryption you will be taking great strides to protect older emails.</p>
<p><strong>Practice good network security habits</strong></p>
<p>Make sure that desktops are continually scanned for malware that could possibly expose email login credentials, filter Internet content to protect against malicious websites, understand how to properly use a firewall and update server and client software as needed.</p>
<p>In addition to employing technology to help secure your email systems, you should also consider human factors. One of the ways that people first discover that their systems have been compromised is by noticing an anomaly. Be on the lookout for log-ins that just don’t seem right, whether it be the IP address, the time of day or even the length of the session.</p>
<p>This can be one of the most tedious tasks to undertake when it comes to security but it is by far the most important.</p>
<p><strong>Put the right solutions in place</strong></p>
<p>In many small and medium-sized enterprises, the email administrator alone cannot be as vigilant as he or she would like. Even organizations that have a team of professionals dedicated to security use the necessary security tools to help them do their jobs. Smaller companies need to understand this as well.</p>
<p>By employing technologies that help manage email, backup and recovery, archiving and security, you are plugging the little holes that provide that chink in the armor most attackers are looking for.</p>
<p>No one said that email security is going to be an easy task, but it is one that cannot be ignored just because it&#8217;s too hard or it costs too much.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Simple Penetration Testing Strategies for Your Exchange Server</title>
		<link>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/</link>
		<comments>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 16:41:18 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4185</guid>
		<description><![CDATA[The recent spike in security breaches resulting from meticulously planned and executed spear phishing attacks may have forced email administrators to start thinking of topics that they may never have considered previously, such as the repercussion of a hacked Exchange Server account, or the reasons why hackers would be interested in attacking your email server. [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-4184 alignright" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/Penetration.jpg" alt="Brick Wall" width="250" height="250" />The recent spike in security breaches resulting from meticulously planned and executed spear phishing attacks may have forced email administrators to start thinking of topics that they may never have considered previously, such as the <a href="http://www.theemailadmin.com/2011/05/5-repercussions-of-a-hacked-exchange-server-account/">repercussion of a hacked Exchange Server account</a>, or the <a href="http://www.theemailadmin.com/2011/03/5-reasons-why-hackers-want-to-break-into-your-email-server/">reasons why hackers would be interested in attacking your email server</a>.  Indeed, you may have already read <a href="http://www.theemailadmin.com/2011/03/securing-your-microsoft-exchange-2010-server/">Securing Your Microsoft Exchange 2010 Server</a>, and have duly implemented the various hardening measures that I&#8217;ve linked to in that article. <span id="more-4185"></span></p>
<p>Moving ahead though, you may be wondering if your Exchange Server is truly protected against malicious attacks.  Beyond waiting for a hacker to successfully break in, is there anything that the diligent administrator can do to reduce the chances of a successful break-in?  I had the opportunity to <a target="_blank" href="http://www.thetechblogger.com/2011/04/attending-certified-ethical-hacker-cehv7/" onclick="pageTracker._trackPageview('/outgoing/www.thetechblogger.com/2011/04/attending-certified-ethical-hacker-cehv7/?referer=');">attend an EC-Council Certified Ethical Hacker course recently</a>, and one indelible lesson I gained was how proper penetration tests can facilitate better security.  The rationale is simple &#8211; if you can break in, then so can hackers.  Today, I want to highlight some very simple penetration testing strategies that cash-strapped businesses can perform on their Exchange Servers to get a better pulse on their security readiness.</p>
<p>Obviously, permission must first be obtained from the relevant management prior to any penetration testing &#8211; preferably in writing.  Also, the usual caveat about the dangers of tinkering with malware applies; there is also the very real possibility of Trojans hidden within the tools typically used by hackers.  Finally, I would strongly advocate hiring a properly qualified and professional penetration team, which has the added benefit of a detailed report on any findings with recommendations for improvements.</p>
<p><strong>Port scan</strong></p>
<p>One of the simplest ways to establish the presence of malware or illicit server software would be to do a port scan on your Exchange Server.  While simplistic, this is nevertheless one of the first steps that a hacker will perform when targeting your organization, and could potentially reveal flawed configurations or the presence of unwanted (and forgotten) software services.</p>
<p>An extension of this idea would be to scan for SMTP (port 25) listeners on your internal network, which could indicate unauthorized software or zombie computers running spamming software.  A basic and very well-known network and security scanner is the free <a target="_blank" href="http://nmap.org/" onclick="pageTracker._trackPageview('/outgoing/nmap.org/?referer=');">Nmap</a>, though many commercial variants exist that are capable of more detailed scans, such as detecting common misconfigurations.</p>
<p><strong>Sending malware to yourself</strong></p>
<p>An easy way to test the capability of one&#8217;s malware filter or gateway antivirus scanner would be to deliberately send malware to an account on your server.  This may range from executable files, possibly hidden within archives, to malformed PDF files or Word documents &#8211; you essentially employ the same tricks that spammers and hackers are known to use.  Obviously, administrators should take pains to send infected email attachments only to unused accounts or to one that has been set aside for the purpose of testing.</p>
<p>It should also be noted that many of the recent attacks rely more on phishing or social engineering that pushes users into clicking a link to a malware-laden website, as opposed to sending malware as an email attachment.</p>
<p><strong>Brute Force Password Hacking</strong></p>
<p>A brute force password attack entails repeatedly logging into an account with various combinations of passwords, and is a strategy employed by hackers looking for soft targets on the Internet.  Unlike cracking an actual password hash file or database, attempting to break in via brute forcing the password as part of a penetration test is a lower risk proposition, and viable if care is taken not to disrupt the access of legitimate users.</p>
<p>Moreover, this is a good way of weeding out easy-to-guess passwords that may be used by some employees, and is an activity that can be conducted when server and network utilization is lower (such as over the weekend or overnight).  Dictionary files in your company&#8217;s native language can be compiled relatively easily, or downloaded from various repositories on the Internet.  Finally, there is no need to find a tool dedicated to breaking into Exchange Server either, since any password brute force tool that supports POP or IMAP can be made to work.</p>
<p>Are you aware of any simple penetration testing strategies that can be used to test the robustness of an Exchange Server deployment?  Feel free to highlight them in the comments section below.</p>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/">Simple Penetration Testing Strategies for Your Exchange Server</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>5 Simple Mistakes When it Comes to Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 16:01:46 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4127</guid>
		<description><![CDATA[In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users [...]<p><a href="http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/">5 Simple Mistakes When it Comes to Email Security</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4128" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/email_security.jpg" alt="email_security" width="263" height="257" />In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.</p>
<p><span id="more-4127"></span></p>
<p>This list displays some of the most common mistakes that are made when it comes to email security and a brief description of what you can do to prevent them.</p>
<p><strong>Leaky emails</strong></p>
<p>There are many times when sensitive information is passed along via email. If everything is encrypted properly you, and your users, often assume that it will only be seen by the appropriate people. Unfortunately this isn’t always the case. Too many times a recipient may answer an email with sensitive information and hit the <em>reply all</em> button without checking to see who will be receiving the email.</p>
<p><em>The fix: Put a policy in place that addresses sensitive emails and replying to emails. However, a policy alone isn’t enough. Make users aware of the policy through training and keep a record that all users were trained/informed of the policy and the repercussions of not adhering to it.</em></p>
<p><strong>Trusting others</strong></p>
<p>When we receive emails from family, friends and business colleagues we often blindly open them without much concern, especially if they are contacts we communicate with on a regular basis. However, malware can easily be spread through emails by attachment or embedded code and links.</p>
<p><em>The fix: HTML in emails should be blocked if this is a concern, as should the ability for your users to receive attachments that are scripts or executable files.</em></p>
<p><strong>Passwords that are easy to guess</strong></p>
<p>Remember when Sarah Palin’s personal email account was breached? It was because her password was easy to guess using information the attacker found on her Wikipedia page. Companies often list information on corporate sites that provide attackers enough information to guess passwords as well.</p>
<p><em>The fix: Enforce strong passwords or password phrases for all users. Also, make sure that people don’t give up information that may be used to guess their passwords when providing bios.</em></p>
<p><strong>Ignoring malware protection on the desktop</strong></p>
<p>While scanning all emails for malware needs to be done, the desktop should not be ignored. And all too often it is. Malware definitions are outdated, software is not configured to run properly or protection is completely left to the user.</p>
<p>Even if you have a policy that enforces strong passwords, a keystroke logger can easily give up even the most complex password combination.</p>
<p><em>The fix: Email administrators should work closely with IT security to make sure that the desktop and network security isn’t lax so passwords are tougher to expose.</em></p>
<p><strong>Failing to check on backups</strong></p>
<p>Some companies and industries are required, by law, to back up and archive emails for a set period of time. Others are not required to do so. Regardless of the laws, every person and company should be in the practice of backing up emails. Emails often provide important records and information that could be lost.</p>
<p>But what happens if you need to restore your emails and find that something went wrong? Maybe the backup was incorrectly configured or the backup location was insecure. In any event, the inability to restore emails from a backup can render the entire solution useless.</p>
<p><em>The fix: Frequently test the ability of your backup solution, and staff, to restore emails.</em></p>
<p>These five tips may seem basic and simple. But that is the point. Working in IT we often gravitate towards the more complex issues and ignore simple techniques and solutions until it is too late. By taking the time to do the little things when it comes to security, we build an even stronger foundation for all the bells, whistles and technologies that really impress us and our bosses.</p>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/">5 Simple Mistakes When it Comes to Email Security</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>How to fight hacker attacks on Exchange servers</title>
		<link>http://www.theemailadmin.com/2010/12/how-to-fight-hacker-attacks-on-exchange-servers/</link>
		<comments>http://www.theemailadmin.com/2010/12/how-to-fight-hacker-attacks-on-exchange-servers/#comments</comments>
		<pubDate>Wed, 15 Dec 2010 13:02:09 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[system administration]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3321</guid>
		<description><![CDATA[As most security folks know, the holidays are a peak time for hacker activity. Not only do the levels of spam and phishing attacks increase, but direct assaults on Exchange servers jump, too. One way to discourage intruders from poking your system for usernames and passwords is to tinker with the authentication settings on your [...]<p><a href="http://www.theemailadmin.com/2010/12/how-to-fight-hacker-attacks-on-exchange-servers/">How to fight hacker attacks on Exchange servers</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_3322" class="wp-caption alignright" style="width: 310px"><img class="size-medium wp-image-3322" src="http://www.theemailadmin.com/wp-content/uploads/2010/12/rpc-outlook-anywhere-300x174.GIF" alt="Systems with RPC and Outlook Anywhere can turn off some forms of authentication that attract hackers." width="300" height="174" /><p class="wp-caption-text">Systems with RPC and Outlook Anywhere can turn off some forms of authentication that attract hackers.</p></div>
<p>As most security folks know, the holidays are a peak time for hacker activity. Not only do the levels of spam and phishing attacks increase, but direct assaults on Exchange servers jump, too. One way to discourage intruders from poking your system for usernames and passwords is to tinker with the authentication settings on your SMTP server.</p>
<p>On most servers, all the authentication settings&#8211;Anonymous, Basic and Integrated&#8211;for the SMTP receive connector are enabled. The Anonymous Authentication setting allows the server to receive external email. The Basic Authentication setting lets your users send their usernames and passwords without securing them. And Integrated Windows Authentication permits your domain users to use SMTP and verify access to the server using credentials from their Windows accounts.</p>
<p>You can&#8217;t disable Anonymous Authentication unless you want to choke off all incoming email, but you may be able to shut off the other authentication settings. If a server has RPC over HTTPS and Outlook Anywhere configured on it and you don&#8217;t have any users with SMTP/POP3 accounts sending through your Exchange server, there&#8217;s no need to enable Basic and Integrated authentication.</p>
<p><span id="more-3321"></span>Disabling those forms of authentication can be a significant deterrent to hackers mounting automated attacks on your system. After disabling those settings on some servers that were under sustained attack by net sappers, Alan Hardisty reports that <a target="_blank" href="http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/" onclick="pageTracker._trackPageview('/outgoing/alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/?referer=');">attacks on the boxes had dried up to nothing in two days</a>.</p>
<p>In mounting their sustained attacks on Hardisty&#8217;s servers, the Internet miscreants used one of the oldest techniques in the Black Hat book of tricks, the brute force assault. The approach is a very blunt instrument. How else can you describe trying to guess a username and password with thousands of trial and error combinations? Users, though, can make a brute force hacker&#8217;s job easier by guarding their email accounts with weak passwords. That problem and others can be addressed with a preventive program. Here are some elements that should be included in such a program.</p>
<ul>
<li>Require complex passwords from your users. The passwords should contain both upper and lower case letters, numbers and special characters. Such passwords can foil &#8220;dictionary&#8221; attacks where words from a dictionary are thrown at a password challenge until the right one is found.</li>
<li>Require a minimum length for passwords. Longer passwords are better than shorter ones but none should be shorter than eight characters.</li>
<li>Force passwords to be changed regularly. Security experts will argue on what &#8220;regularly&#8221; means but somewhere in the 30 to 60 day range should suffice.</li>
<li>Lock out an account after a set number of abortive password attempts. That number should be low&#8211;three to five failed attempts. Once an account is locked down make sure it stays that way for a sufficient amount of time to discourage attackers from renewing their efforts. The hiatus doesn&#8217;t have to be too long&#8211;15 minutes or so.</li>
<li>Configure your firewall so that only the protocols that you need are enabled. All other protocols should be disabled.</li>
<li>Check the settings for your firewall on a regular basis to make sure that only the ports that you need are open. Unneeded ports should be closed down.</li>
<li>Make sure your firewall logs collect login information from your entire system. That information can be invaluable in identifying IP addresses from which suspicious activity may be originating, especially multiple login attempts.</li>
<li>Archive firewall logs that are full and keep them in a safe place.</li>
<li>Set up alerts for your system&#8217;s Security Log so you&#8217;ll be notified when multiple invalid login attempts occur. This will allow you to quickly react to a possible cyber attack and the quicker you react, the less time intruders will have to compromise your system and steal usernames and passwords.</li>
<li>Disable any account on your system named Administrator. This is the first account penetrators will look for when probing your system. Items in the Administrator account should be moved to another account created by you, Server Admin, for instance, and the administrator account disabled.</li>
<li>Inventory your user accounts on a periodic basis. Disable or delete accounts that appear to be dormant. Dead wood accounts are meaty targets for system intruders.</li>
<li>Locate all your server user accounts in Active Directory, preferably in a single OU, or organizational unit. That will allow you to more easily keep tabs on the accounts on your system and make it less likely for a compromised account to escape your notice because it&#8217;s buried in some obscure location that you rarely, if ever, eyeball.</li>
</ul>
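<p>One way to act on the log-related items above (collect login failures, identify the source addresses behind repeated attempts, and alert on them), as an added example that is not part of the original article: it runs a windowed threshold check over constructed records in the shape of Windows Security Log failed-logon events (event ID 4625). The 15-minute window and the five-attempt threshold mirror the lockout guidance in the list; the four-account "spray" threshold, the record format and the addresses are my assumptions.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs) in a simplified form of Windows
# Security Log logon events: timestamp, event ID, account, source address.
# 4625 is "An account failed to log on"; 4624 is a successful logon.
SAMPLE_EVENTS = """\
2010-12-14T02:00:01 4625 account=jsmith src=203.0.113.7
2010-12-14T02:00:03 4625 account=jsmith src=203.0.113.7
2010-12-14T02:00:06 4625 account=jsmith src=203.0.113.7
2010-12-14T02:00:09 4625 account=jsmith src=203.0.113.7
2010-12-14T02:00:12 4625 account=jsmith src=203.0.113.7
2010-12-14T02:00:15 4625 account=jsmith src=203.0.113.7
2010-12-14T02:10:00 4625 account=bob src=192.0.2.44
2010-12-14T03:05:00 4625 account=bob src=192.0.2.44
2010-12-14T03:06:00 4624 account=bob src=192.0.2.44
2010-12-14T04:00:00 4625 account=alice src=198.51.100.9
2010-12-14T04:02:00 4625 account=bob src=198.51.100.9
2010-12-14T04:01:00 4625 account=carol src=198.51.100.9
2010-12-14T04:03:00 4625 account=dave src=198.51.100.9
"""


def parse_failed_logons(text):
    """Return (timestamp, account, source) tuples for every 4625 record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, event_id, *fields = line.split()
        if event_id != "4625":
            continue  # only failures matter for this check
        kv = dict(field.split("=", 1) for field in fields)
        events.append((datetime.fromisoformat(timestamp), kv["account"], kv["src"]))
    return events


def find_suspicious_sources(events, max_failures=5, spray_accounts=4,
                            window=timedelta(minutes=15)):
    """Flag a source address when, inside one sliding window, it either
    produces max_failures or more failures ("burst", the classic brute force
    against one account) or fails against spray_accounts or more distinct
    accounts ("spray", a few guesses each against many accounts, which stays
    below a per-account lockout threshold)."""
    by_source = defaultdict(list)
    for timestamp, account, source in sorted(events):  # sort: logs may arrive out of order
        by_source[source].append((timestamp, account))

    alerts = {}
    for source, attempts in by_source.items():
        max_count = 0
        max_distinct = 0
        start = 0
        for end in range(len(attempts)):
            # advance the window start so attempts[start:end+1] spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            max_count = max(max_count, len(in_window))
            max_distinct = max(max_distinct, len({account for _, account in in_window}))
        reasons = []
        if max_count >= max_failures:
            reasons.append("burst")
        if max_distinct >= spray_accounts:
            reasons.append("spray")
        if reasons:
            alerts[source] = {"failures": max_count, "accounts": max_distinct,
                              "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for source, detail in find_suspicious_sources(parse_failed_logons(SAMPLE_EVENTS)).items():
        print(source, detail)
```

<p>On the constructed sample, 203.0.113.7 is flagged as a burst (six failures in fourteen seconds), 198.51.100.9 as a spray (four accounts, one failure each, within three minutes), and 192.0.2.44 (two failures an hour apart) is not flagged.</p>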
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2010/12/how-to-fight-hacker-attacks-on-exchange-servers/">How to fight hacker attacks on Exchange servers</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/12/how-to-fight-hacker-attacks-on-exchange-servers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to choose a password according to Microsoft</title>
		<link>http://www.theemailadmin.com/2010/07/how-to-choose-a-password-according-to-microsoft/</link>
		<comments>http://www.theemailadmin.com/2010/07/how-to-choose-a-password-according-to-microsoft/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 13:24:28 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2736</guid>
		<description><![CDATA[Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be secure, if their system-wide use is policed. That’s the conclusion of a pair of Microsoft researchers and a Harvard computer science professor reached in a paper expected to [...]<p><a href="http://www.theemailadmin.com/2010/07/how-to-choose-a-password-according-to-microsoft/">How to choose a password according to Microsoft</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2740" style="margin: 10px; border: 0px;" src="http://www.theemailadmin.com/wp-content/uploads/2010/07/password-300.jpg" alt="password 300" width="300" height="220" /></p>
<p>Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be secure, if their system-wide use is policed.</p>
<p>That’s the conclusion that a pair of Microsoft researchers and a Harvard computer science professor reached in a paper expected to be presented at the <a target="_blank" href="http://www.google.com/url?q=http%3A%2F%2Fwww.usenix.org%2Fevents%2Fhotsec10%2Ftech%2F&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNF4dX6bXrBQQ7p2S1R4EQ2_hxGjfg" onclick="pageTracker._trackPageview('/outgoing/www.google.com/url?q=http_3A_2F_2Fwww.usenix.org_2Fevents_2Fhotsec10_2Ftech_2F_amp_sa=D_amp_sntz=1_amp_usg=AFQjCNF4dX6bXrBQQ7p2S1R4EQ2_hxGjfg&amp;referer=');">Hot Topics in Security workshop</a> to be held in Washington, D.C. next month. The trio&#8211;Stuart Schechter, Cormac Herley and Prof. Michael Mitzenmacher&#8211;maintain that users can be allowed to adopt simple passwords as long as too many of them aren’t allowed to adopt the same password.</p>
<blockquote><p>“We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want&#8211;so long as it&#8217;s not already too popular with other users,” they write in <a target="_blank" href="http://www.google.com/url?q=http%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F132859%2FpopularityISeverything.pdf&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNGNmQ2AR0J1pqjPxB460Rt5eQK-Gw" onclick="pageTracker._trackPageview('/outgoing/www.google.com/url?q=http_3A_2F_2Fresearch.microsoft.com_2Fpubs_2F132859_2FpopularityISeverything.pdf_amp_sa=D_amp_sntz=1_amp_usg=AFQjCNGNmQ2AR0J1pqjPxB460Rt5eQK-Gw&amp;referer=');"><em>Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks</em></a>.</p></blockquote>
<p>One reason organizations impose password creation rules is to protect their users from brute force “dictionary” attacks. If a password can be found in a dictionary, then sooner or later a hacker will crack it. Passwords made up of non-words can foil such attacks. Passwords made up of hellacious combinations of upper- and lowercase letters, numbers and symbols are better yet. The problem for users, though, is that, for most of them, the most secure passwords are the hardest to remember.</p>
<p>Rather than modify user behavior&#8211;which is to damn security and choose as simple a password as possible&#8211;security pros often deploy a “three strikes and you’re out” lockout system to foil password horde attacks by hackers. With that system, if a password is entered incorrectly three times, the person attempting to log in to the account is locked out of it for a brief period of time. Crackers, who are great students of human behavior, quickly figured out a workaround to lockout schemes. The workaround has to do with how users choose passwords.</p>
<p><span id="more-2736"></span>In an <a target="_blank" href="http://www.google.com/url?q=http%3A%2F%2Fwww.theemailadmin.com%2F2010%2F02%2Fsurvey-identifies-worst-password-practices%2F&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNHopOFq-_k_WDAuOZFo16igCp76lA" onclick="pageTracker._trackPageview('/outgoing/www.google.com/url?q=http_3A_2F_2Fwww.theemailadmin.com_2F2010_2F02_2Fsurvey-identifies-worst-password-practices_2F_amp_sa=D_amp_sntz=1_amp_usg=AFQjCNHopOFq-_k_WDAuOZFo16igCp76lA&amp;referer=');">analysis</a> of some 32 million pilfered passwords performed earlier this year by a security firm, it was discovered that 60 percent of the users chose passwords made from a limited set of alpha-numeric characters. Worse yet, 50 percent of the passwords were names, slang, dictionary words or trivial passwords, such as 123456 or “Password.” Internet grifters are well aware of those tendencies among users. So rather than directing thousands of attempts at a single account to crack its password, they take the most common passwords and direct them at thousands of accounts. Not only does that skirt lock-out defenses, but it’s much more efficient than a brute force dictionary attack.</p>
<p>That kind of common password attack, though, can be blunted by adopting the methods proposed by the authors of <em>Popularity Is Everything</em>. Their system calls for limiting the number of times a particular password can be used. So even if an intruder guesses a correct password, he or she would only be able to compromise a handful of accounts at the most.</p>
<blockquote><p>“Replacing password creation rules with popularity limits has the potential to increase both security and usability,” the researchers contend in their paper. “Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”</p></blockquote>
<blockquote><p>“We conjecture that usability also increases,” they continue. “System designers no longer need to create increasingly complex password-selection rules with no guarantee that they will result in truly strong passwords. Users needn&#8217;t read, learn, or interpret these rules. Instead, users are only inconvenienced when their password choice is one that would lead to a [quantifiable] unacceptable level of vulnerability to a statistical guessing attack.”</p></blockquote>
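<p>What a popularity limit looks like in code, as an added example that is neither the paper's nor Microsoft's implementation: counts live in a count-min sketch (the structure the paper builds its popularity oracle on), so the server stores no password list, and because a count-min sketch never under-counts, a hash collision can only make the check stricter, never let a popular password through. The HMAC keying, the secret, the sketch size and the limit of three are my assumptions.</p>

```python
import hashlib
import hmac


class PasswordPopularityLimiter:
    """Allow any password, as long as fewer than `limit` accounts already use it.

    Counters are indexed by keyed hashes of the password, so the sketch itself
    does not reveal which passwords are popular to anyone without the key.
    """

    def __init__(self, limit, width=1 << 16, depth=4, secret=b"constructed-demo-key"):
        self.limit = limit
        self.width = width          # counters per row
        self.depth = depth          # independent hash rows
        self.secret = secret        # assumed: kept server-side, never stored with the sketch
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        data = password.encode("utf-8")
        for row in range(self.depth):
            # one keyed hash per row; the row number acts as the hash-family index
            digest = hmac.new(self.secret, bytes([row]) + data, hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def popularity(self, password):
        """Upper bound on how many accounts currently use this password."""
        return min(self.table[row][col] for row, col in self._cells(password))

    def is_allowed(self, password):
        return self.popularity(password) < self.limit

    def register(self, password):
        """Record a newly chosen password. Returns False, recording nothing,
        when the password has already reached the popularity limit."""
        if not self.is_allowed(password):
            return False
        for row, col in self._cells(password):
            self.table[row][col] += 1
        return True

    def release(self, password):
        """Undo one registration when an account moves off this password.
        Only call it for a password that register() previously accepted."""
        if self.popularity(password) == 0:
            return  # nothing recorded for it; never drive a counter negative
        for row, col in self._cells(password):
            self.table[row][col] -= 1


if __name__ == "__main__":
    limiter = PasswordPopularityLimiter(limit=3)
    for attempt in range(1, 5):
        print("123456 accepted on attempt", attempt, "->", limiter.register("123456"))
    print("popularity of 123456:", limiter.popularity("123456"))
```

<p>With a limit of three, the fourth account that tries to choose "123456" is refused while an unusual passphrase is accepted regardless of its composition, which is exactly the trade the paper describes: an online guesser cannot find a password that unlocks more than a handful of accounts.</p>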
<p>Although the password philosophy advocated by the researchers has yet to undergo close scrutiny from the security community, steering users away from common passwords has gained some traction at one of the largest social networks on the Internet.</p>
<blockquote><p>“Twitter, in responding to an <a target="_blank" href="http://www.google.com/url?q=http%3A%2F%2Fwww.wired.com%2Fthreatlevel%2F2009%2F01%2Fprofessed-twitt%2F&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNHFsffGO5kZUkYqDG0bUWdpAAcDgw" onclick="pageTracker._trackPageview('/outgoing/www.google.com/url?q=http_3A_2F_2Fwww.wired.com_2Fthreatlevel_2F2009_2F01_2Fprofessed-twitt_2F_amp_sa=D_amp_sntz=1_amp_usg=AFQjCNHFsffGO5kZUkYqDG0bUWdpAAcDgw&amp;referer=');">online password guessing attack</a> that exploited their failure to lock out guessers, now forbids 390 of the most common passwords,” the researchers noted. “It would appear that Twitter decided that this inconveniences their users less than the introduction of cumbersome password policies.”</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/07/how-to-choose-a-password-according-to-microsoft/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>5 Tools for Email Password Recovery</title>
		<link>http://www.theemailadmin.com/2010/04/5-tools-for-email-password-recovery/</link>
		<comments>http://www.theemailadmin.com/2010/04/5-tools-for-email-password-recovery/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 14:03:38 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email password recovery]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2383</guid>
		<description><![CDATA[How many electronic accounts do you have? If you’re like me you have usernames and passwords for everything from bank accounts to email accounts to accounts that are used to access personal hobby sites such as woodworking or auto mechanics. And in any organization, employees may also have multiple accounts with different passwords which allow [...]
]]></description>
			<content:encoded><![CDATA[
<p>How many electronic accounts do you have? If you’re like me you have usernames and passwords for everything from bank accounts to email accounts to accounts that are used to access personal hobby sites such as woodworking or auto mechanics.</p>
<p>And in any organization, employees may also have multiple accounts with different passwords which allow them to access departmental email as well as select user groups within their areas of expertise.</p>
<p>All of these accounts require passwords, but like our keys or our socks we sometimes lose or forget them. Losing or forgetting the password to a specific email account can cause minor irritation for some, but it can also be a source of panic when needed emails cannot be accessed immediately. Fortunately, there are many password recovery applications on the market for administrators and IT departments to choose from.</p>
<p>Here are five tools on the market for Email Password Recovery.</p>
<ol>
<li>
<p>Outlook Password Recovery Master is an application which can display the logins and the passwords for all email accounts that have been created in Microsoft Outlook. It can also be used for recovering passwords for Microsoft Outlook personal folder files (Outlook PST passwords).</p>
<p>It can be downloaded from the following site: <a target="_blank" href="http://www.rixler.com/outlook_password_recovery.htm" onclick="pageTracker._trackPageview('/outgoing/www.rixler.com/outlook_password_recovery.htm?referer=');">http://www.rixler.com/outlook_password_recovery.htm</a></p>
<p>This application is very easy to run and has a graphical interface that is very intuitive. Just start up the application and it will recover passwords instantly. It also has the capability to discover server addresses and the type, login and password of all email accounts on the server. As mentioned previously, any password-protected personal folder files that are registered with Microsoft Outlook can also be discovered, along with their respective file names and the passwords associated with the PST files. And if the passwords contain non-English characters, those passwords can still be recovered; recovery of non-English passwords is a feature not found in many password recovery applications.</p>
<p>Additional features and benefits include:</p>
<ul>
<li>Microsoft Outlook 2003 and earlier version support.</li>
<li>Instant password recovery.</li>
<li>Storing of recovered passwords in a formatted text file.</li>
<li>Copying and pasting recovered passwords using the clipboard.</li>
<li>Easy and intuitive graphical user interface.</li>
</ul>
</li>
<li>
<p>Atomic Mailbox Password Recovery has a user-friendly interface and a very nice help feature that provides extra tips about restoring lost passwords. The password recovery process takes very little time and can be completed in as little as five minutes after installation of the software.</p>
<p>Atomic Mailbox Password Recovery can be downloaded from the following site:<br />
<a target="_blank" href="http://www.massmailsoftware.com/password/email-pwd.htm" onclick="pageTracker._trackPageview('/outgoing/www.massmailsoftware.com/password/email-pwd.htm?referer=');">http://www.massmailsoftware.com/password/email-pwd.htm</a></p>
</li>
<li>
<p>Mail Password Recovery 1.1 is an application that enables the recovery of passwords that have been stored in your email program for any Post Office Protocol (POP3) account. To enable the recovery of passwords, an administrator has to change the email program settings &#8211; just temporarily &#8211; so that the email program is allowed to connect to Mail Password Recovery. Once a connection is made, the end user&#8217;s password can be recovered.</p>
<p>The methodology used to recover the passwords is that Mail Password Recovery emulates a local POP email server, which allows it to capture and reveal the stored password upon connection. The only requirement is that the target email program must have the accounts and passwords stored so that Mail Password Recovery can recover the password.</p>
<p>Mail Password Recovery is authored by “Aleksandar Boros” and can be found on many freeware sites by performing an Internet search.</p>
<p>Mail Password Recovery is compatible with the following operating systems: Win9x, NT4, ME, Windows 2000 and Windows XP.</p>
</li>
<li>
<p>Mail PassView is a small password recovery tool that can recover the passwords and other account details of many applications, including: Microsoft Outlook 2000 (POP3 and SMTP accounts only), Microsoft Outlook 2002, 2003, 2007 (POP3, IMAP, HTTP and SMTP accounts), Windows Mail, Windows Live Mail, Yahoo! and Hotmail accounts.</p>
<p>Mail PassView can be downloaded from the following site: <a target="_blank" href="http://www.nirsoft.net/utils/mailpv.html" onclick="pageTracker._trackPageview('/outgoing/www.nirsoft.net/utils/mailpv.html?referer=');">http://www.nirsoft.net/utils/mailpv.html</a></p>
<p>When Mail PassView is run it can display the following information: account name, application, email, server, type (POP3, IMAP, SMTP), username and password.</p>
</li>
<li>
<p>SniffPass is an application that captures passwords of email programs that are not supported by Mail PassView. It is a small password monitoring software application that will listen on the network and capture and display passwords as they pass through your network adapter. The following protocols are supported by SniffPass: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords). This application can also be used to recover lost Web or FTP passwords.</p>
<p>SniffPass can be downloaded from the following site: <a target="_blank" href="http://www.nirsoft.net/utils/password_sniffer.html" onclick="pageTracker._trackPageview('/outgoing/www.nirsoft.net/utils/password_sniffer.html?referer=');">http://www.nirsoft.net/utils/password_sniffer.html</a></p>
</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/04/5-tools-for-email-password-recovery/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Survey identifies worst password practices</title>
		<link>http://www.theemailadmin.com/2010/02/survey-identifies-worst-password-practices/</link>
		<comments>http://www.theemailadmin.com/2010/02/survey-identifies-worst-password-practices/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 15:40:41 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[brute force]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2125</guid>
		<description><![CDATA[A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords. The analysis conducted by the Imperva Applications Defense Center discovered that 60 percent of users picked passwords from a limited set of alpha-numeric characters. What&#8217;s more, 50 percent of the watchwords were names, slang, [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2131" class="wp-caption alignright" style="width: 310px"><img class="size-full wp-image-2131" src="http://www.theemailadmin.com/wp-content/uploads/2010/02/passwords-300.jpg" alt="20 percent of accounts could be compromised in 5000 attempts." width="300" height="336" /><p class="wp-caption-text">20 percent of accounts could be compromised in 5000 attempts.</p></div>
<p>A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords.</p>
<p>The analysis conducted by the Imperva Applications Defense Center discovered that 60 percent of users picked passwords from a limited set of alpha-numeric characters. What&#8217;s more, 50 percent of the watchwords were names, slang, dictionary words or trivial passwords, such as 123456 or &#8220;Password.&#8221;</p>
<p>What distinguishes this study from similar research in the past is that, rather than being based on user surveys, this analysis is based on a database of actual user passwords, which were <a target="_blank" href="http://www.techcrunch.com/2009/12/14/rockyou-hacked/" onclick="pageTracker._trackPageview('/outgoing/www.techcrunch.com/2009/12/14/rockyou-hacked/?referer=');">stolen by a hacker and posted to the Internet as plain text</a>.</p>
<p>&#8220;The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,&#8221; the researchers wrote in their white paper.</p>
<p>&#8220;Ironically,&#8221; they added, &#8220;the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.&#8221;</p>
<p>When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here&#8217;s how the words fared against those benchmarks.</p>
<p>NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the filched watchwords contained seven characters or less. What&#8217;s more, more than 30 percent of them were six characters or less. By comparison, more than 28 percent of the passwords in the mix were greater than eight characters in length.</p>
<p><span id="more-2125"></span>In addition to making passwords at least eight characters long, NASA, as well as many security experts, recommend a watchword be a combination of upper and lower case letters, numbers and special characters, such as !@#$%^&amp;*()+. If there is only one special character, it should not be either the first or last character in the password.</p>
<p>Needless to say, the passwords plucked by the hacker were woefully inadequate in the character choice department. Only 36.94 percent of the watchwords used numbers and letters and a mere 3.81 percent had special characters in them. The largest portion of the passwords (41.69 percent) used only lowercase letters. Another 15.94 percent used only numbers, while 1.62 percent limited their choices to only uppercase letters.</p>
<p>Based on length and character composition, only 0.2 percent of the 32 million passwords in the sample met NASA standards and could be considered strong passwords, the researchers said.</p>
<p>But there&#8217;s a third standard. It says passwords should not be a name, slang or word in a dictionary, nor should they include any part of the creator&#8217;s name or email address. That&#8217;s not the case for the 5000 most popular passwords shared by 20 percent of the users in the database studied by the researchers.</p>
<p>If a hacker used the 5000 top passwords as the dictionary for a brute force attack, the researchers point out, it would take only one attempt to guess 0.9 percent of the users&#8217; passwords, which works out to one success in every 111 attempts. Using a DSL connection with an upload rate of 55KBPS and assuming each attempt is 0.5KB in size, a hacker could perform 100 attempts a second at a site. At that rate, about one account would be compromised every second. In 17 minutes, 1000 accounts could be compromised.</p>
<p>But it gets worse, according to the researchers. &#8220;After the first wave of attacks,&#8221; they observed, &#8220;it would only take 116 attempts per account to compromise five percent of the accounts, 683 attempts to compromise 10 percent of accounts and about 5000 attempts to compromise 20 percent of accounts.&#8221;</p>
<p>What&#8217;s a system administrator to do to avoid this kind of nightmare descending on their organization? The researchers made these recommendations.</p>
<ul>
<li>Enforce a strong password policy. If you give the users a choice, it is very likely that they would choose weak passwords.</li>
<li>Make sure passwords are not transmitted in clear text. Always use HTTPS on login.</li>
<li>Make sure passwords are not kept in clear text. Always digest passwords before storing to a database.</li>
<li>Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slow for any practical purposes even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker such as CAPTCHAs, computational challenges, etc.</li>
<li>Employ a password change policy. Trigger the policy either by time or when a system compromise is suspected.</li>
<li>Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/02/survey-identifies-worst-password-practices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Christmas Checklist for Email Admins</title>
		<link>http://www.theemailadmin.com/2009/12/christmas-checklist-for-email-admins/</link>
		<comments>http://www.theemailadmin.com/2009/12/christmas-checklist-for-email-admins/#comments</comments>
		<pubDate>Thu, 24 Dec 2009 13:59:30 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Patching]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1978</guid>
		<description><![CDATA[The end of the year is upon us, and for most of us this means time off from work to celebrate Christmas with our families and take a much needed break.  But before we shut down our computer and head out the door there are a few extra things that email admins need to think [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-1979" src="http://www.theemailadmin.com/wp-content/uploads/2009/12/list.jpg" alt="list" width="200" height="245" />The end of the year is upon us, and for most of us this means time off from work to celebrate Christmas with our families and take a much needed break.  But before we shut down our computer and head out the door there are a few extra things that email admins need to think about.</p>
<h2>Patches and Security Updates</h2>
<p>The days before an extended break are a good time to double-check that your email servers are up to date with the latest security updates.</p>
<p>This includes updates for the server operating system, the email server application, and any other components on the servers such as backup agents, faxing software, and antivirus agents.</p>
<p>Even if your patching is automated it might pay to manually apply the latest updates now so that any problems that arise can be dealt with while you are still at the office.  You don’t want to get a phone call while you’re relaxing because the server was knocked offline by an automated update.</p>
<h2>Backups</h2>
<p>A lot of businesses use the end of the year to take a full backup of systems to store as a long term archive.  This is best performed while you are still available to assist with any issues and make sure that the backup is 100% successful and can be relied upon later for recovery if necessary.</p>
<p>At the same time some businesses halt their backups over the holidays if no staff will be present to change backup tapes.  For Exchange servers it is important to ensure that enough transaction log space is available for the server to run without backups for a week or more.</p>
<h2>Support Calls</h2>
<p>Nothing is worse than getting phone calls on your holiday for simple questions or problems.  If the business is still operating over the Christmas period and you might get phone calls from the Help Desk or on call staff then you can save yourself from being bothered by putting the right documentation and systems in place.<span id="more-1978"></span></p>
<p>Make sure your fellow IT staff know how to <a href="http://www.theemailadmin.com/2009/11/diagnosing-email-server-problems-with-the-windows-command-line/">troubleshoot email problems</a> and have the minimum level of access they will need to deal with routine support issues.</p>
<p>You can also avoid simple support requests such as spam quarantine releases by putting in systems that support end user self-service for those functions.</p>
<h2>Passwords</h2>
<p>Most networks have a password policy that forces a new password to be chosen every 30 or so days.  Depending on the remote access infrastructure in place it is not always possible to update an expired password via remote access.</p>
<p>I’ve been caught out by this before and had to drive into work on holidays to fix an issue that would have taken me 5 minutes over remote access, all because my password had expired.</p>
<p>Take a moment before you go away on holidays to update the passwords on any accounts that you need so that they won’t expire again for another 30 days.</p>
<h2>Lock the Door Behind You</h2>
<p>Ever created an account with a weak password just for a “quick test” and then forgotten to delete the account afterwards?  Spend some time checking your email servers and accounts for any test accounts or other administration oversights that might lead to a security breach while you are away.</p>
<p>Remember that hacking activity increases over holiday periods both because the hackers are bored and because they know a lot of networks are unmanned during these times.</p>
<p>Double check your firewalls and other access points to make sure they are still locked down the way you intended.</p>
<p>This can all mean the difference between returning from holidays to a healthy network or starting off the new year with a disaster on your hands.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/12/christmas-checklist-for-email-admins/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Troubleshooting Outlook Password Problems</title>
		<link>http://www.theemailadmin.com/2009/10/troubleshooting-outlook-password-problems/</link>
		<comments>http://www.theemailadmin.com/2009/10/troubleshooting-outlook-password-problems/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 14:44:59 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[Microsoft Outlook]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[troubleshooting]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1686</guid>
		<description><![CDATA[Password problems can be perplexing – sorry I couldn’t resist the tongue twister Seriously, administrators will have the challenge of correcting password issues under time constraints as business activities and users are all working toward completing projects on time. So having a tool chest of techniques for solving and correcting password issues is a requisite [...]
]]></description>
			<content:encoded><![CDATA[
<p>Password problems can be perplexing – sorry I couldn’t resist the tongue twister <img src='http://www.theemailadmin.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Seriously, administrators will have the challenge of correcting password issues under time constraints as business activities and users are all working toward completing projects on time. So having a tool chest of techniques for solving and correcting password issues is a requisite of any good administrator.</p>
<p>One problem that you will encounter from time to time is when passwords are not being kept by Outlook even though they have been specified to be retained. This may happen even if the “Save Password” box has been checked.</p>
<p>Several solutions have been offered on the internet.</p>
<h3>Deleting User Account Information</h3>
<p>One solution involves deleting the user account information and resetting the password. This method involves making changes to the Registry. As always, back up the registry before you touch it.</p>
<p>There are other times when Outlook doesn’t remember the passwords after the operating system has been reinstalled. The system is configured correctly in that the correct passwords are in the account properties but when the end user attempts to send or receive an email they get the username and password dialog box popup.</p>
<h3>Disabling Prompts</h3>
<p>Another solution you can try is to disable the prompt that asks to save passwords. You can do so by bringing up the Control Panel by going to the lower left corner of the screen and clicking on the Start button and then click on Control Panel. Once you have the control panel up you should then double click on Internet Options and select the Content tab. Next, click on the AutoComplete button in the Personal Information section. Check the box for “User names and passwords on forms” and uncheck the box for “Prompt me to save passwords”. You should now close Outlook and then restart it and try your password again.</p>
<p><span id="more-1686"></span></p>
<p>Sometimes you will have a user who is able to receive email without being asked to enter a password but they are unable to send email without getting the password prompt request. The administrator should check the account properties server tab on the outgoing mail server and then, for that end user, uncheck the “My server requires authentication” setting and click OK or hit enter. This should stop the password requests from occurring when sending email.</p>
<h3>Creating a New Email Account</h3>
<p>Another problem can occur with users running Microsoft Office Outlook 2007 when they create a new email account. For instance, when creating a POP3 email account you have the option to specify “Require logon using Secure Password Authentication”. If you do not type in a password and the “Remember password” check box is left unchecked in the Add New Email Account dialog box, then when you test your account settings you will be prompted to enter your credentials. This prompting for credentials will happen every time the user starts Outlook.</p>
<p>What is happening is that Outlook 2007 is not using the logon credentials configured in the Windows operating system.</p>
<p>Microsoft has provided a hotfix package as of April 30, 2009. You can correct the problem by applying the hotfix and setting an appropriate value for the AlwaysUseCachedCredsForSPA registry entry. As always, back up the registry before you touch it.</p>
<p>To start the Registry Editor, click Start in the bottom left corner of your screen, click Run, type “regedit” in the Open text field and click OK (or press Enter). Locate and click the following registry subkey:<br />
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\InternetMail</p>
<p>Then, from the Edit menu, point to New and click DWORD Value. Type “AlwaysUseCachedCredsForSPA” as the name and press Enter. Right-click the new “AlwaysUseCachedCredsForSPA” value and select Modify. Enter a value of “1” in the Value data box and click OK (or press Enter). Lastly, exit the Registry Editor.</p>
<p>As an alternative, you can use a workaround: enter your credentials while in the “Add New Email Account” dialog box. Click “Test Account Settings”, enter the credentials, select the “Remember password” check box and type in the password. With this workaround you will not be prompted for the credentials when you test the account settings.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/10/troubleshooting-outlook-password-problems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

