Friday, August 19, 2005

The Password Problem: Day 4, Password Maker 

Password Maker is another Firefox extension to help you maintain a zillion strong passwords for the zillion web sites where you need them.

Unfortunately, the first time I tried to run it, up came an error message, "Unable to copy [xpconnect wrapped nsIFile] to [xpconnect wrapped nsIFile]. Do you have sufficient read/write privileges?".

Anyone want me to troubleshoot?


Thursday, August 18, 2005

The Password Problem: Day 3, Password Composer 

Today we take a look at a Firefox extension, "Password Composer", which generates a new password for each web site based on a single master password.

This one fits smoothly into the browser's interface. It puts a little red icon to the left of a web page's password field. Click the little red icon and it asks you for your master password, and asks whether you want to create the per-site password based on the full name of the site (e.g. "") or just the short name (e.g. "").

There are a few drawbacks. It's not really compatible with my favorite Firefox extension, Noscript. You don't have control over what characters go into the computed password, so you're stuck if you have to use a web form with an obnoxious password policy like "must include at least one punctuation mark". And when I looked at the actual programming it turns out to be missing a standard precaution against bad guys trying passwords from dictionaries. Also it's missing some of the anti-phishing checks that "pwdhash" has.


Internet Explorer, critical security hole reported 

This is only for the Windows version of Internet Explorer. The Macintosh version of Internet Explorer is a completely different program.

There's a bug in an optional component (optional, but just about everyone has it) which reportedly lets a bad guy take over your computer if you visit the wrong web page.

Worse, someone's already released a program that supposedly takes advantage of the security hole and installs some remote control software on a PC. Microsoft says this was not "responsible disclosure". Microsoft is right.

This kind of problem, you'll remember, is something your firewall doesn't help with. Your firewall probably reasons that if you asked for the web page you must have wanted it.

There's no patch yet, and I haven't heard of a pre-patch workaround yet.
UPDATE 8/19: Corey Nachreiner at WatchGuard tested the exploit code on a spare machine. His test showed that XP Service Pack 2 does defend itself against this attack. You'd have to ignore a lot of warnings to let your machine get taken over.


All platforms: update "Acrobat reader" 

You know those ".PDF" files that you see everywhere? The program that reads them has a security flaw. This affects you no matter what operating system you're on, and the impact is that opening the wrong PDF might let the file's author take over your computer.

Adobe, the author of the reader program for PDFs, has published a fix. How you install it depends on what operating system you're on. Start at Adobe's security page to hunt down detailed upgrade instructions.


Wednesday, August 17, 2005

The Password Problem: Day 2, Secure Password Generator 

The prolific Jeremy Gillick wrote us a Firefox extension to create random passwords. It works quite a bit differently from pwdhash, which we discussed last time.

Secure Password Generator is simply a dialog box that builds passwords out of random letters, numbers, and punctuation and then lets you copy them to the clipboard.

Random passwords are hard to remember but you can let Firefox remember them for you. There's a feature to make passwords easier to pronounce (a checkbox called "mnemonic"), but it weakens the passwords more than I'm comfortable with.

You can customize Secure Password Generator six ways from Sunday. There's even a feature to restrict the contents of a password to keys you can reach with just one hand, so you can type a password with one hand while the other is free for the mouse or something.


Mac users, it's your turn for an emergency patch 

OS X has a serious security flaw that might allow someone to take over your computer. Apple's fixed that and a few other problems.

The trend these days is for bad guys to begin using a security flaw sooner and sooner after they find out about it. In other words, don't put this off.


Monday, August 15, 2005

The Password Problem: Day 1, pwdhash 

I have dozens of web site passwords. Betcha that you do too.

So everybody winds up using the same password all over, even People Who Should Know Better. The most clueful people use three or four passwords, saving the longest and most elaborate for home banking and using the junkier passwords for things like their New York Times registration.

There is a better way. It's easy for a computer to create a separate password for every place you visit. You can invent and use just one strong password, and the computer can create a new one from it for each web site.

That's what today's featured software does. The Firefox extension pwdhash (also available for Internet Explorer) adds a new feature to the way password entry fields work. When you click in a password entry field you can either type in a password like always, or you can begin by pressing F2 or by typing "@@". Then the magic takes hold. If you type in a regular strong password after the double @ or the F2, pwdhash will rewrite it to be a mathematical combination of your password with the name of the web site you're visiting.

This is cool in several ways. First, the Stanford team that wrote this wisely chose their math so that the web site you're visiting can't calculate your master password. They see the rewritten password but the only way they can get your master password is to guess it (so pick one that's hard to guess).

Notice that you don't have to remember the per-site password. Even if you lose all your stored passwords, you can still get back to all the web sites because pwdhash will calculate the same password each time. Even if your computer burns down and you don't have pwdhash installed any more, you can re-create your passwords at

The developers point out another bit of coolness. Suppose someone tricks you into typing your online banking password while you're on the bad guy's web site. It won't work! You'll hit F2 and your master password, but the scammer will see and steal a different password than the one that goes to your bank.

I took a look at the actual programming and found more coolness and a quibble. Notice how everybody's got different requirements for passwords? This program can adapt. To start with it builds a password as long as your master password, made entirely of numbers and mixed-case letters (and pluses and slashes). That should be safe anywhere. But what if a web site demands that you include some more exotic characters in your password, the password that pwdhash is making for you? Then just put some comic-book profanity into your master password. Pwdhash checks whether you've done that and says to itself "Hmm, the user is trying to drop me a hint here, I'd better stick some comic book profanity onto the password I just calculated".

Needs more salt

"The hash needs more salt" sure sounds like something you'd hear at a diner. What it means is that your master password is too easy to guess. They should be stirring into the calculations a number which stays the same for any given user but is different from one user to the next. That's a quibble, though: first, you're safe if you use a good password to begin with and second, bad guys have much easier ways to make trouble.
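Here's a sketch of the per-site password idea and the salt quibble, added as an illustration; it is not pwdhash's code or its authors' work. The HMAC-SHA-256 choice, the function names, the salt value and the ".test" domains are all assumptions made up for the example.

```javascript
// Added illustration, not pwdhash's own code. HMAC-SHA-256 is an assumption.
const { createHmac } = require('crypto');

// Combine the master password with the site's name. userSalt is the
// hypothetical per-user number that "Needs more salt" asks for.
function sitePassword(master, domain, userSalt = '') {
  const mac = createHmac('sha256', master)
    .update(userSalt + '\n' + domain.toLowerCase())
    .digest('base64');
  // Base64 yields digits, mixed-case letters, '+' and '/'.
  // Trim the output to the master password's length (at most 43 here).
  return mac.replace(/=+$/, '').slice(0, master.length);
}

// A guessing table built once per site: derived password -> master guess.
function guessTable(domain, guesses, userSalt = '') {
  return new Map(guesses.map(g => [sitePassword(g, domain, userSalt), g]));
}

// Constructed sample data: a tiny "dictionary" and made-up site names.
const GUESSES = ['letmein1', 'sunshine', 'password'];
const SHOP = 'example-shop.test';
const BANK = 'example-bank.test';
const LOOKALIKE = 'examp1e-bank.test';

function demo() {
  const table = guessTable(SHOP, GUESSES); // built with no salt
  return {
    // Same master password, different site name: different password,
    // so the look-alike site never sees what the bank sees.
    phishDiffers:
      sitePassword('sunshine', BANK) !== sitePassword('sunshine', LOOKALIKE),
    // Recomputing on any machine gives the same per-site password.
    repeatable:
      sitePassword('sunshine', BANK) === sitePassword('sunshine', BANK),
    // Without salt, one table covers every user of the site.
    unsaltedHit: table.get(sitePassword('sunshine', SHOP)),
    // With a per-user salt the same table misses; each user needs a new one.
    saltedHit: table.get(sitePassword('sunshine', SHOP, 'alice-7f3a')),
  };
}

console.log(demo());
```

A salt only forces a separate table per user; a master password that's in the dictionary is still guessable, which is why picking a good one matters more.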


Friday, August 12, 2005

Hurry up on those Microsoft patches 

If you haven't installed them yet do it now: attacks are said to be circulating against the security flaws Microsoft fixed on Tuesday.


Watch out for new scam to get your eBay password 

Security firm F-Secure has screen shots of a new eBay scam. The new part is that it doesn't pretend to be from eBay, it pretends to be from an eBay member complaining that you failed to ship something. Then there's a button at the bottom of the email you're supposed to click to send a reply. It takes you to a criminal web site that prompts you for your eBay login.


Wednesday, August 10, 2005

Are you having trouble with Windows Update? 

Are you doing everything right?

Are you logging in as someone without administrator privileges? Good, you should. Are you using the Run As feature (shift-right click on a program) to run things like Windows Update that actually need administrator privileges? Good, you should.

Unfortunately that doesn't work with Windows Update any more. You need to log off from your regular account and login again as an administrator to run the new Windows Update. Why would Microsoft break something that useful, especially when they've been pushing people to log in with limited rights? Because Microsoft is a big place and the left hand doesn't always get the memo from the right hand.

If you're getting a completely information-free error message from Windows Update try logging off and logging back in to an administrator account.


Tuesday, August 09, 2005


There are other web browsers besides Microsoft Internet Explorer and the one I'm using now, Firefox. Some of them are worth looking into if you're security-conscious.

Security guru Bruce Schneier uses a program called Opera for his web surfing. You may already have seen Opera if you have a smart cellphone, but it also comes in a version for desktop computers.

Opera's had a mostly clean security record. Of course with a minority product you have to wonder whether anybody's looking. Their one major security bug was an embarrassing "what were they thinking?!" kind of bug.

Opera comes with some nuances for slowing down phishing. It puts up a better display than most browsers of the technical information that's supposed to identify a site. It also takes precautions against scam sites that use international characters in their names so they can imitate the name of the site they're impersonating.

Opera has tons of features which you can live without but which you could have fun exploring. There's even a built-in BitTorrent client!

Opera is a free download for an ad-supported version, $39 for an ad-free one.


Medal of cluefulness - Bank of America 

BofA is making it harder for a crook to impersonate their online banking web site. They're following a suggestion that's been rattling around the security community and identifying themselves to you with a secret image that you pick when you sign up. Every customer might choose a different secret image so there's no way for a crook to build a fake BofA site that will fool everyone.

Just in case you use the same password everywhere, they protect you from the consequences of a stolen password by requiring both a password and the answer to some personal question before they open up your account.


Curious about trends in security threats? 

Kaspersky Anti-Virus analyst Yury Mashevsky writes about recent trends in malicious software.

The big change from a year or two ago, of course, is that organized crime is doing computer attacks for money now. Attackers now want profit instead of notoriety.

Mashevsky reports that Trojan Horses delivered by spam are becoming the most typical attack, and predicts that they'll be more closely targeted in the future. He's right -- the industrial espionage scandal in Israel illustrates his point.

He expects the current crop of mild viruses (one even asked for permission to install itself!) on mobile phones to get much nastier as soon as enough people start using their phones to make payments.


Microsoft tries clever idea and succeeds 

People who find security flaws in Microsoft products have an unusual turn of mind. But they have a normal tendency away from evil. That's why so many problems get reported to Microsoft first, so that Microsoft has a chance to fix them.

But what if somebody unethical or desperate is the first to find a security problem? That person could use it to break into computers or sell it to spammers and spyware pushers. Then the attacks are out on the net, and no Microsoft patch or antivirus update can detect them.

Microsoft started a project to detect unknown attacks. They simply set a bunch of computers to follow links through the Web's seedier areas. When one of the computers catches something, Microsoft can autopsy it and learn to recognize the new attack.

The good news is that until last month they didn't find any web sites that could infect a fully patched XP system. Last month they caught the first attack that could slip by the defenses of a machine that's up to date on patches. Microsoft had the fix out by July 12.
UPDATE 8/12: It turns out that a company called "SEC Consult" had found the problem first, though Microsoft was the first to see bad guys actually using it.


Happy patch day! 

Microsoft released their monthly patches. You need to get them soon. Every operating system after Windows 98 or ME is affected, and the bugs include some that would allow someone to take over your computer.

They've fixed the remote desktop problem which there were rumors about last month. They've also fixed several more bugs in Internet Explorer, one of which Microsoft says is "critical" and for which you should download the patch "immediately".

I've lost track of whether there are still outstanding known security holes in IE.

As usual, go to the Start menu, choose Windows Update and follow the directions.

