Survey identifies worst password practices

Written by John P Mello Jr on February 9, 2010 – 5:40 pm -

20 percent of accounts could be compromised in 5000 attempts.

A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords.

The analysis, conducted by the Imperva Application Defense Center, discovered that 60 percent of users picked passwords from a limited set of alphanumeric characters. What’s more, 50 percent of the watchwords were names, slang, dictionary words or trivial passwords, such as 123456 or “Password.”

What distinguishes this study from similar research in the past is that, rather than being based on user surveys, this analysis is based on a database of actual user passwords, which were stolen by a hacker and posted to the Internet as plain text.

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,” the researchers wrote in their white paper.

“Ironically,” they added, “the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.”

When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here’s how the words fared against those benchmarks.

NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the filched watchwords contained seven characters or fewer. What’s more, more than 30 percent of them were six characters or fewer. By comparison, more than 28 percent of the passwords in the mix were longer than eight characters.
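As an added illustration (not code from the article or from Imperva’s white paper), here is how statistics of the kind quoted above are computed over a password dump. The dump and the word list below are constructed for the example and are not the breached data. The functions return the length buckets, the share of passwords drawn only from lower-case letters and digits, the share that are dictionary words or trivial strings, and the share of accounts that fall to the n most common passwords, which is the calculation behind a figure like “20 percent of accounts in 5000 attempts.”

```python
"""Password-dump statistics of the kind the Imperva study reports.

Added example, not from the original article or the Imperva paper. The
dump and the word list are constructed for illustration only.
"""
from collections import Counter

# Constructed "dump": one entry per account, so repeated passwords count
# once per account that uses them (that is what makes top-N guessing pay).
SAMPLE_DUMP = [
    "123456", "123456", "123456", "password", "Password", "iloveyou",   # 6
    "princess", "rockyou", "abc123", "abc123", "nicole", "daniel",      # 12
    "babygirl", "monkey", "lovely", "jessica", "654321", "michael",     # 18
    "ashley", "qwerty", "letmein", "Tr0ub4dor&3", "correct horse",      # 23
    "X9#kLm2!pQz", "j3ff!2009", "Summer09", "sunshine", "12345678",     # 28
    "football", "1234567",                                              # 30
]

# Constructed stand-in for the names/slang/dictionary/trivial word list.
TRIVIAL = {
    "123456", "password", "iloveyou", "princess", "rockyou", "abc123",
    "nicole", "daniel", "babygirl", "monkey", "lovely", "jessica",
    "654321", "michael", "ashley", "qwerty", "letmein", "sunshine",
    "12345678", "football", "1234567",
}

LOWER_ALNUM = set("abcdefghijklmnopqrstuvwxyz0123456789")


def length_distribution(passwords):
    """Fractions of passwords that are <=6, <=7 and >8 characters long,
    measured against the eight-character minimum NASA recommends."""
    n = len(passwords)
    return {
        "six_or_less": sum(len(p) <= 6 for p in passwords) / n,
        "seven_or_less": sum(len(p) <= 7 for p in passwords) / n,
        "over_eight": sum(len(p) > 8 for p in passwords) / n,
    }


def limited_charset_fraction(passwords):
    """Fraction drawn only from lower-case letters and digits (no case mix,
    no symbols, no spaces): the 'limited set of alphanumeric characters'
    finding."""
    return sum(set(p) <= LOWER_ALNUM for p in passwords) / len(passwords)


def trivial_fraction(passwords, wordlist=TRIVIAL):
    """Fraction that are dictionary words, names or trivial strings, compared
    case-insensitively so 'Password' is counted like 'password'."""
    return sum(p.lower() in wordlist for p in passwords) / len(passwords)


def top_n_coverage(passwords, n):
    """Fraction of *accounts* an attacker compromises by trying only the n
    most common passwords in the dump against every account. This is what an
    online guessing attack with a short list of popular passwords yields."""
    counts = Counter(passwords)
    hits = sum(c for _, c in counts.most_common(n))
    return hits / len(passwords)


if __name__ == "__main__":
    print(length_distribution(SAMPLE_DUMP))
    print("limited charset:", limited_charset_fraction(SAMPLE_DUMP))
    print("trivial:", trivial_fraction(SAMPLE_DUMP))
    for n in (1, 2, 5):
        print(f"top-{n} coverage:", top_n_coverage(SAMPLE_DUMP, n))
```

Point the functions at a real dump (one line per account, duplicates kept) and a real word list to reproduce the study’s own measurements; the top-n coverage figure is the one that tells you how much an online attacker gains from a small, well-chosen guess list rather than brute force.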

Continue reading Survey identifies worst password practices

Subscribe to my RSS feed

Protecting the enterprise from mobile devices

Written by John P Mello Jr on February 1, 2010 – 6:30 pm -

As often happens with electronics trends, the proliferation of a consumer device soon results in that gadget knocking on the door of the enterprise. That’s the case with smartphones. The trend started with the Blackberry, was supercharged by the iPhone and will continue to grow with phones running Google’s Android operating system.

What’s worrisome about these devices is that they run applications, far too many applications for any IT department to vet for security purposes. Jupiter Research, purchased by Forrester Research in 2008, estimates that by 2014, 20 billion apps will be downloaded annually to smartphones.

That is a nightmare in the making for network administrators, who see legions of unknown programs touching their enterprises. Such apps already exist for the iPhone to directly access enterprise programs like SAP and Oracle. And with more apps on the way, the potential for them to spread malware or facilitate unauthorized access to precious data is a sobering thought for gatekeepers.

One way to get a handle on mobile devices invading an enterprise is to impose tough policies on employee use of their mobiles when performing office tasks. Monitoring policy compliance manually, though, can be an overwhelming task for overtaxed IT departments. There are automated systems for ensuring compliance, but they can be expensive to implement.

There are also some drawbacks to keeping a tight rein on smartphone use. By limiting an employee’s choices on how he or she must work, a policy could adversely impact the worker’s productivity. Then there’s the problem with exceptions to the rule. If someone higher up on the corporate food chain than an IT gatekeeper wants to use a particular application, whether it’s risky or not, an exception to its use will likely be made.

Continue reading Protecting the enterprise from mobile devices

Follow the serial numbers

Written by John P Mello Jr on January 12, 2010 – 5:08 pm -

USB devices can be a convenience and a curse.

Devices that plug into the USB ports on a computer are convenient to use, but they can be a security headache, too. What security-conscious system administrator hasn’t contemplated the grim consequences of gigabytes of sensitive data inappropriately stored on a thumb drive walking out the front door of his or her company in the shirt pocket or purse of an employee? What security specialist hasn’t cringed at the thought of a compromised USB device being plugged into his or her network where it can infect the system with a virus, Trojan or worm?

One way to identify problems associated with USB devices is to follow the traces they leave behind. Among the traces a USB device leaves when it is attached to a computer running Windows is its serial number, which is recorded in the registry. Although not all USB devices have serial numbers, most do, and they can be used to perform some basic computer forensics, as Adrian Crenshaw pointed out in a recent posting on his Irongeek.com blog.

For example, if the ownership of a USB drive linked to malicious activity is in dispute, a scan of the suspects’ computers would reveal which one the device had been connected to. Chances are the operator of the computer whose Windows registry contains the device’s serial number will be the culprit in the case. The registry entry proves only that the device was plugged into that machine, though, so it should be corroborated with logon records and the timestamps on the entry before anyone is accused.

If the source of a virus is linked to a USB device, comparing the serial numbers of the devices connected to the system at the time the infection began to spread could help identify the compromised hardware and even identify the point of initial infection.
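As an added example (not code from the article or from Irongeek.com), here is a small parser that pulls vendor, product and serial number out of the USBSTOR keys in exported registry text and answers the ownership question above: which of several hosts has ever had a device with a given serial attached. The two exports and every device, serial and host name in them are constructed for the illustration. One detail worth knowing is visible in the second entry: when a device reports no serial number, Windows makes up an instance ID whose second character is an ampersand, and that value identifies the host and port, not the device.

```python
"""Extract USB storage device identifiers from exported Windows registry text.

Added example, not from the original post. Exports, devices, serials and host
names are constructed for illustration.
"""
import re

# Constructed .reg-style exports standing in for hives pulled from two hosts.
EXPORT_WORKSTATION_A = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E02A7B3CBB611A4C0071&0]
"FriendlyName"="Kingston DataTraveler 2.0 USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBStor\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

EXPORT_WORKSTATION_B = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_5567\4C530001230908113105]
"DeviceDesc"="USB Mass Storage Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001230908113105&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
"""

EXPORTS = {"workstation-a": EXPORT_WORKSTATION_A, "workstation-b": EXPORT_WORKSTATION_B}

# Matches a USBSTOR device key: ...\Enum\USBSTOR\<device class>\<instance id>
USBSTOR_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Enum\\USBSTOR\\"
    r"(?P<devclass>[^\\\]]+)\\(?P<instance>[^\\\]]+)\]\s*$",
    re.IGNORECASE,
)


def _field(parts, prefix):
    """Return the value of the 'Ven_', 'Prod_' or 'Rev_' component, if present."""
    for part in parts:
        if part.startswith(prefix):
            return part[len(prefix):]
    return ""


def _device_from_key(match):
    parts = match.group("devclass").split("&")
    instance = match.group("instance")
    # Devices that report a serial get an instance ID of "<serial>&<n>". When a
    # device has none, Windows synthesises an ID with '&' as its second
    # character (e.g. "7&1a2b3c4d&0"); it is tied to the host and port, so it
    # cannot be used to track that device across machines.
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "device_type": parts[0],
        "vendor": _field(parts, "Ven_"),
        "product": _field(parts, "Prod_"),
        "revision": _field(parts, "Rev_"),
        "instance_id": instance,
        "generated_id": generated,
        "serial": None if generated else instance.rsplit("&", 1)[0],
        "friendly_name": None,
    }


def parse_usbstor(reg_text):
    """Return one dict per USBSTOR device key found in exported registry text."""
    devices = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = USBSTOR_KEY.match(line)
            current = _device_from_key(match) if match else None
            if current:
                devices.append(current)
        elif current and line.startswith('"FriendlyName"='):
            current["friendly_name"] = line.split("=", 1)[1].strip('"')
    return devices


def hosts_with_serial(exports, serial):
    """Names of hosts whose export records a device with this serial number."""
    wanted = serial.upper()
    return sorted(
        host for host, text in exports.items()
        if any(d["serial"] and d["serial"].upper() == wanted for d in parse_usbstor(text))
    )


if __name__ == "__main__":
    for host, text in EXPORTS.items():
        for dev in parse_usbstor(text):
            print(host, dev["vendor"], dev["product"], dev["serial"] or "(no serial)")
    print(hosts_with_serial(EXPORTS, "0019E02A7B3CBB611A4C0071"))
```

In a real investigation, feed the parser the exported SYSTEM hive of each machine; a .reg export carries no key timestamps, so pair this with the last-write times from a hive parser and with the SetupAPI log to establish when the device first appeared and who was logged on.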

Continue reading Follow the serial numbers

Christmas Checklist for Email Admins

Written by Paul Cunningham on December 24, 2009 – 3:59 pm -

The end of the year is upon us, and for most of us this means time off from work to celebrate Christmas with our families and take a much needed break.  But before we shut down our computer and head out the door there are a few extra things that email admins need to think about.

Patches and Security Updates

Just before an extended break is a good time to double-check that your email servers are up to date with the latest security updates.

This includes updates for the server operating system, the email server application, and any other components on the servers such as backup agents, faxing software, and antivirus agents.

Even if your patching is automated it might pay to manually apply the latest updates now so that any problems that arise can be dealt with while you are still at the office.  You don’t want to get a phone call while you’re relaxing because the server was knocked offline by an automated update.

Backups

A lot of businesses use the end of the year to take a full backup of systems to store as a long term archive.  This is best performed while you are still available to assist with any issues and make sure that the backup is 100% successful and can be relied upon later for recovery if necessary.

At the same time some businesses halt their backups over the holidays if no staff will be present to change backup tapes.  For Exchange servers it is important to ensure that enough transaction log space is available for the server to run without backups for a week or more.

Support Calls

Nothing is worse than getting phone calls on your holiday for simple questions or problems.  If the business is still operating over the Christmas period and you might get phone calls from the Help Desk or on call staff then you can save yourself from being bothered by putting the right documentation and systems in place.

Continue reading Christmas Checklist for Email Admins

Security skeptics less skeptic about iPhone

Written by John P Mello Jr on December 22, 2009 – 3:56 pm -

Better security is changing iPhone's image in IT departments.

While the iPhone’s “cool factor” has made it a hit among status-conscious corporate executives, the handset has been greeted with skepticism from the rank and file in the IT trenches. From their point of view, competing products like Research in Motion’s Blackberry and smartphones built on Microsoft’s Windows Mobile platform offer better security for their organizations. With the introduction of the latest version of the iPhone’s operating system, version 3.0, and the iPhone Configuration Utility, version 2.0, IT resistance to letting Apple’s handset into the corporate tent seems to be weakening.

What has bugged IT folks in the past about the iPhone? For one thing, user profiles couldn’t be managed over the air as they can with a Blackberry and Blackberry Enterprise Server or Motorola’s Good for Enterprise servers. Another irritant was that there was no way to ensure that corporate policies on email, encryption and so on had been installed or updated on the phones. What’s more, it was difficult to preconfigure the units with settings for email, VPN access and the like.

Apple’s update of the iPhone’s configuration utility, which gives network administrators a rich set of policy controls, has addressed some of those concerns and may be why IT doubters are relenting on their staunch opposition to the hardware.

For example, password entry into a phone can be required. The composition of the password, when passwords should be changed, rules on reuse of passwords and the number of failed password attempts before a phone automatically wipes out all the data on it can all be controlled by an IT department.

Specific content can be blocked on the phones, although that’s not true for specific applications. A workaround for that situation is to install all necessary apps when the phone is issued, then turn off the ability to install any more programs. The problem with that approach, however, is a user won’t be able to upgrade the existing apps on the phone.

Continue reading Security skeptics less skeptic about iPhone

Fake security update targets Windows users

Written by John P Mello Jr on December 14, 2009 – 4:18 pm -

A Microsoft branded bulletin is offering bogus security updates.

A bane of Microsoft Windows users is the constant patching of the operating system to deal with security vulnerabilities. These frequent events are irritating not only because they disrupt productivity, since they often require a system reboot after they’re installed, but also because a user never knows how Windows will perform after it’s patched.

More often than not, a patch won’t disrupt the operation of a system, but once users have been burned by one of these updates, they’re forever on tenterhooks when they install them. A case in point: the recent flap over the “black screen of death” falsely attributed to November’s “Patch Tuesday.” Although the reports were incorrect, they were given immediate credibility because many Windows users have experienced problems after installing patches in the past, so it was perfectly believable that the latest patches might have created unforeseen headaches for users.

Continue reading Fake security update targets Windows users

SSL VPN vulnerability

Written by Dan Blacharski on December 9, 2009 – 5:39 pm -

US-CERT has issued a vulnerability note that should worry anybody who relies on SSL VPN products to establish secure web sessions. SSL VPN is a very common way to give a remote user a secure connection to an internal network over the Internet, where the user connects only through a standard web browser, without the need for any client software. It has gained popularity because of its simplicity, and because of its clientless nature it allows easy, anywhere connectivity. The underlying SSL technology is also what secures Internet commerce, and SSL VPNs are sometimes used to reach cloud-based or remote email.

According to CERT, though, many of the commercially available SSL VPN products bypass security that the web browser would otherwise provide, and this can create a security problem. The problem revolves around the “same origin” policy enforced by standard web browsers, a rule that prohibits active content from one site from accessing data belonging to another. Some SSL VPN products, however, fetch content from multiple sites and present all of it as coming from the SSL VPN itself by rewriting the URLs in the pages they relay. Once every page is served from the VPN’s own domain, the browser treats a rogue page and a corporate application as the same origin, so script on the rogue page can read what it should not. It would be possible, for example, for an attacker to lure a user to a rogue web page, gain access to the VPN session token, and alter content. Such a malicious page could also be used to launch an attack that captures keystrokes from remote users.

The vulnerability is mostly theoretical, and whether you are vulnerable really depends on how you’ve configured your SSL VPN. It’s important not to take the SSL VPN warning as an indication that you shouldn’t use SSL VPN–such an indication would be unnecessary, and would have a dramatic impact on e-commerce as we know it.

According to CERT, there is no immediate fix for the problem, but there are three workarounds: (1) limit URL rewriting to trusted domains, (2) limit the VPN server’s network connectivity to trusted domains, and (3) disable URL hiding features. The first is configured in the SSL VPN product itself. For the second, most firewalls allow policy rules that restrict the VPN server’s outbound connections to specific hosts, so the VPN can only reach the domains you have approved.
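To make the mechanism described in the two paragraphs above concrete, here is an added example (not code from the vulnerability note or from any SSL VPN vendor) of the URL rewriting a clientless gateway performs and of the first workaround. The host names vpn.example.net, intranet.corp.example and attacker.example, the sample HTML and the /proxy/<scheme>/<host> path layout are constructed for the illustration and do not describe any particular product. It shows that two pages from different origins share one origin, the gateway’s, after rewriting, which is why a lured page can read the gateway’s session cookie, and that an allowlist of trusted hosts keeps untrusted content out of that origin.

```python
"""Clientless SSL VPN URL rewriting and its effect on the browser's origin.

Added example, not from the US-CERT note or any vendor. Host names, HTML and
the /proxy/<scheme>/<host> layout are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

VPN_ORIGIN = "https://vpn.example.net"   # assumed gateway address (constructed)


def origin(url):
    """The tuple the browser's same-origin policy compares: scheme, host, port."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    return (u.scheme, u.hostname, port)


def rewrite_url(url):
    """Rewrite a back-end URL into a path under the gateway's own origin, the
    way a clientless gateway does so the browser only ever talks to it."""
    u = urlsplit(url)
    rewritten = f"{VPN_ORIGIN}/proxy/{u.scheme}/{u.netloc}{u.path or '/'}"
    return rewritten + (f"?{u.query}" if u.query else "")


def rewrite_url_allowlisted(url, trusted_hosts):
    """Workaround (1): rewrite only trusted hosts, so content from anywhere
    else is never served from the gateway's origin."""
    host = urlsplit(url).hostname
    if host is None or host.lower() not in {h.lower() for h in trusted_hosts}:
        raise ValueError(f"refusing to proxy untrusted host: {host}")
    return rewrite_url(url)


LINK_RE = re.compile(r'(?P<attr>\b(?:href|src))="(?P<url>https?://[^"]+)"')


def rewrite_links(html, trusted_hosts=None):
    """Rewrite absolute href/src links in a page the gateway fetched.

    With trusted_hosts=None (the vulnerable default) every link, including a
    third-party script, is pulled into the gateway's origin. With an allowlist,
    untrusted links are left pointing at their real origin, where the browser's
    same-origin policy isolates them from the VPN session again.
    """
    def repl(m):
        url = m.group("url")
        if trusted_hosts is None:
            new = rewrite_url(url)
        else:
            try:
                new = rewrite_url_allowlisted(url, trusted_hosts)
            except ValueError:
                return m.group(0)          # leave the untrusted link as-is
        return f'{m.group("attr")}="{new}"'
    return LINK_RE.sub(repl, html)


if __name__ == "__main__":
    intranet = "https://intranet.corp.example/payroll/index.html"
    lure = "http://attacker.example/lure.html"
    print(origin(intranet), origin(lure))                         # two origins
    print(origin(rewrite_url(intranet)), origin(rewrite_url(lure)))  # one origin
    page = ('<a href="https://intranet.corp.example/payroll/">Payroll</a>'
            '<script src="http://attacker.example/keylog.js"></script>')
    print(rewrite_links(page))
    print(rewrite_links(page, ["intranet.corp.example"]))
```

Run it and compare the two rewritten pages: without the allowlist the attacker’s script is loaded from the gateway’s origin, exactly where the session cookie lives; with it, the script tag still points at attacker.example and the browser keeps it apart from the VPN session. Workaround (2) is the network-level version of the same allowlist, enforced at the firewall rather than in the rewriter.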

Security tempers zeal for cloud computing

Written by John P Mello Jr on December 4, 2009 – 3:48 pm -

Security is major barrier to adoption of cloud computing.

Security is playing a key role in the willingness of organizations to adopt cloud computing solutions, according to  a study recently released by Launchpad Europe, a business accelerator outfit based in London.

The study, based on a survey of 105 IT security experts across the globe, found that more than 50 percent of them identified security concerns as the primary reason their organizations were shying away from embracing the cloud.

Asked what their highest priority was when considering a cloud services provider, 37.9 percent cited security of the cloud infrastructure. Another 12.6 percent identified security procedures to protect their data centers as their highest concern.

The data collected by the researchers also suggests there is considerable doubt about whether those security worries can be met by a cloud vendor. Some 49.5 percent of the respondents told the pollsters their companies neither use nor plan to use the cloud in the next 12 months.

Other significant items when choosing a cloud vendor cited by the survey respondents were due diligence and track record of service provider (18.4 percent) and ease of migrating data from vendor’s service to a new service.

Among the companies participating in the survey who do have cloud deployments, 16.5 percent said they used public deployments; 16.5 percent, private deployments; 10.7 percent, hybrid; and 6.8 percent managed.

Continue reading Security tempers zeal for cloud computing

When is in-the-cloud security appropriate?

Written by Dan Blacharski on November 20, 2009 – 5:11 pm -

The increasing popularity of cloud-based solutions has resulted in many new offerings of cloud platforms as well as numerous as-a-service software solutions. We also have storage-as-a-service, to alleviate in-house storage demands; and even supercomputing-as-a-service. Are all of these cloud services robust enough for mainstream, daily use?

Computing is seldom a one-size-fits-all proposition, and what works for one company won’t work for another. The same is true of the cloud. What’s clear, though, is that it is here to stay. Two things have led more companies to face the cloud question head-on: available technology, in the form of cloud services and solutions and cheap, high-speed connectivity; and simple economics. These two factors have converged nicely.

Continue reading When is in-the-cloud security appropriate?

P2P networks at the root of accidental disclosures, once again

Written by Dan Blacharski on November 9, 2009 – 5:23 pm -

P2P file sharing networks aren’t seen very often on corporate PCs. At this point, most managers have implemented policy to prohibit their use, and admins have implemented technological measures to make sure employees aren’t putting them on their PCs. And that’s all well and good, but it’s not enough.

Do you leave your work at the office at the end of the day? Didn’t think so. Most companies have at least several people, if not the majority of employees, taking work home; and many have staff members telecommuting from home on a regular basis. This too, is a wonderful trend. I personally haven’t seen the inside of a cubicle in 18 years, and this trend is only going to increase. The office is fast becoming obsolete and unnecessary.

But those security measures, and the trend of working at home, work at cross purposes. Security measures in the office usually stop at the network, protecting access to files and applications and ensuring that PCs within the physical boundaries of the workplace are protected against attack. But today, physical boundaries are irrelevant.

We saw this last week when an ethics report from the US House of Representatives was accidentally leaked onto a public P2P file sharing network. The document was an internal file that listed several members of Congress who were being investigated for ethics violations.

There is an argument, which has some legitimacy, that says ethics investigations should indeed be made public. Citizens have the right to know whether their elected representatives are crooks. But that argument is misplaced. The policy of the Ethics Committee is not to disclose investigations unless there is a formal investigation, at which point it would be made public. But that again is beside the point.

The point is, the House of Representatives used lax security rules, and needs to tighten them up. Whether the information should have been public or not doesn’t matter; the fact is that they screwed up from a security perspective by allowing something to be made public that they had not intended to be made public.

The Ethics Committee was quick to release a “not our fault” statement, saying that the leak wasn’t caused by their own information systems. But this is only a half-truth. The leak was in fact caused when a junior staffer took the file home and stored it on a home computer where P2P software was installed, and as such, the Committee argues that it wasn’t their systems—but in fact, it was their own lack of policy and oversight that caused it. Security policy once again must go beyond the borders of the enterprise and into every computer that touches the network. If a worker telecommutes, then the computer used for telecommuting—especially if sensitive documents are being worked on—must also comply with corporate policy. And that means no P2P file sharing applications on it.
