July 27, 2006 | Comments: (0)
Jesper Johansson responds to my Password Size column
Dr. Jesper Johansson of Microsoft agrees with my password length argument, with caveats.
Dr. Johansson is one of Microsoft's chief security architects. In my recent column http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html (and in multiple public mailing list emails) on password length, I mentioned his previous papers http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx. I have read his three papers on passphrases vs. passwords many times. I had concluded that Dr. J (as many of us call him) strongly supported shorter complex passwords over non-complex passphrases.
Here's Dr. Johansson's reply:
"I think you misquoted me a bit. I've said a lot that there is nothing more important than adding length. Check the password guidance page attached to the MS password checker. I think I was pretty clear about it there. Pass phrases can be very strong, if you have a big enough vocabulary and use enough words, but I think you have to be very conservative in any recommendation and assume the bad guys will use pass phrase attack tools should pass phrases become common enough. Overall, I think we really are in pretty violent agreement."
He shared with me a few things he and Microsoft are working on regarding password strength that will end up in future products. I can only say that his work is one of the few looking at the problem in depth, mathematically and in practice, and the outcome will lead to much stronger default passwords that are appropriate for the businesses being protected.
Also, if you haven't done so yet, take a look at his article on Windows password hashes, authentication, and SMB in the latest issue of Microsoft's TechNet magazine. It's the most comprehensive and best-researched article I've ever read on the subject.
Anything Dr. J writes should be a must read for Windows administrators.
Posted by Roger Grimes on July 27, 2006 06:37 AM
July 26, 2006 | Comments: (0)
IE 7 to be pushed in Automatic Updates
Microsoft plans to push IE 7 out as a high-priority update using Automatic Updates in 4Q 2006.
Yes, Microsoft will offer a software option toolkit to stop the automated download.
Posted by Roger Grimes on July 26, 2006 03:21 PM
July 25, 2006 | Comments: (0)
Comments on my Password Length column
I've received nearly 100 emails regarding my password length column. I'll post the most interesting ones.
------------------
Hi Roger,
While there are a lot of arguments about length vs. style, and you should hear lots of them, here's the issue for most public corporations: Password complexity, uniqueness-over-time, etc. are determined by whatever auditor was hired for Sarbanes-Oxley compliance. As long as we follow the recommendation of this, probably security-inexperienced (at least at first) auditor, the top managers stay out of jail. On the other hand, if we followed your thinking, and got hacked (because a user can't remember a 31-character password, one of several that change every 90 days or so), the top managers may go to jail.
I guess it's corporate security vs. the management's personal security.
I think I'd choose the same way most companies do.
Regards,
Jim Hendrickson
----------------
Posted by Roger Grimes on July 25, 2006 05:12 PM
July 19, 2006 | Comments: (0)
Citrix's Response to Unauthorized Applications Article
I was waiting for this email.
------------
From: Allison Kohn [mailto:Allison.Kohn@citrix.com]
Sent: Wednesday, July 19, 2006 2:31 PM
To: roger_grimes@infoworld.com; letters@infoworld.com
Subject: Citrix Response to Unauthorized Applications Article
Dear Roger,
Recently I read your article entitled, "Unauthorized applications (still) a bad idea." Indeed, encrypting all confidential data is important to maintaining high levels of security. In fact, Citrix Online has gone to great lengths with Citrix GoToMyPC to offer a robust and encompassing security model, including true end-to-end 128-bit encryption. May I arrange a security briefing?
GoToMyPC includes a number of state-of-the art security features, such as an SSL-encrypted Website; end-to-end 128-bit encryption of the data stream, file transfers, keyboard and mouse input; multiple passwords, including an access code that only resides on the host computer and is never transmitted or stored on GoToMyPC servers; and notification when the PC is accessed. Additional features include mouse and keyboard locking, inactivity timeout and screen blanking of the host computer.
In addition, the Corporate version includes real-time user control, feature access control, user PC limit, password change enforcement, failed log-in lockout protection, one-time passwords and RSA SecurID integration. Organizations in security-conscious industries, including those in healthcare, finance and law, choose Citrix GoToMyPC Corporate for its robust security features. The service complies with government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Unlike many free screensavers and games, GoToMyPC is a secure tool that is enhancing everyday productivity for professionals and lowering costs for businesses in numerous industries. Please let me know your availability for a briefing. Please also visit https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Corporate_Security_FAQs.pdf
Thank you,
Allison Kohn | Public Relations Specialist
Citrix Online Division
Citrix Systems, Inc.
5385 Hollister Avenue
Santa Barbara, CA 93111 USA
www.citrix.com
Posted by Roger Grimes on July 19, 2006 07:09 PM
July 19, 2006 | Comments: (0)
More WROX books for cracked passwords!
A friend from WROX wrote today:
Hi Roger. As the publisher here at WROX, I'd like to help you raise the ante on this.
Contestants, be sure to read the additional prize you qualify for if you're one of the three winners to Roger's password challenge contest. See my blog post at http://jwikert.typepad.com/the_average_joe/2006/07/wrox_author_con.html.
Roger, let me know what additional WROX books the winners choose and I'll be sure to get them to you.
Posted by Roger Grimes on July 19, 2006 06:47 PM
July 19, 2006 | Comments: (0)
Great NIST paper on calculating password strength
Written by Bill Burr of NIST, it's a PDF of a PowerPoint slide deck. Quick read.
http://csrc.nist.gov/pki/twg/y2003/presentations/twg-03-05.pdf
Thanks to Chris Calabrese for the heads up.
Posted by Roger Grimes on July 19, 2006 05:57 PM
July 18, 2006 | Comments: (0)
Microsoft buys Sysinternals.
One of my most beloved companies and Web sites.
It will be interesting to see what happens to the great, free programs, but my guess would be that Microsoft will continue the same great licensing scheme for existing programs. New programs, we'll have to see. Microsoft has a long history of giving away free, useful programs.
Posted by Roger Grimes on July 18, 2006 11:45 AM
July 17, 2006 | Comments: (0)
Win money and books for cracking my Windows password hashes!
$100 plus several of my books if you can crack my Windows password hashes.
I've been participating in an online thread discussing password complexity versus length. I say forget complexity and go for length. Many others feel complexity is the way to go. So to put my money where my mouth is, I'm sponsoring a contest:
CHALLENGES:
Let's do a test, with three challenges:
Challenge #1 (Complexity at 10 characters) for the first person to email me the plaintext equivalent to the following NT hashes:
Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04
Clues Normal Password Cracker Would Not Have:
1. It's 10 characters long exactly
2. Contains no words contained in the English dictionary, but is based upon two words that have been "license-plated" (i.e. hybrid attack is needed)
3. Moderate complexity, but nothing beyond alpha letters and numbers.
Prize for Challenge #1:
1. Your name in my InfoWorld column
2. A free copy of my book, Honeypots for Windows (Apress, 2005)
---
Challenge #2 (15 characters long, no complexity) for the first person to email me the plaintext equivalent to:
Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F
Clues Normal Password Cracker Would Not Have:
1. It's exactly fifteen characters long
2. Contains one or more words contained in the English dictionary
3. Absolutely no complexity.
Prize for Challenge #2 for the first person to email me the plaintext equivalent
1. Your name in my InfoWorld column
2. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006)
---
Challenge #3 (15 characters or longer, some complexity) for the first person to email me the plaintext equivalent to:
Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81
Clues Normal Password Cracker Would Not Have:
1. It's fifteen characters or longer
2. Contains one or more words contained in the English dictionary
3. Some minor complexity.
Prize for Challenge #3 for the first person to email me the plaintext equivalent
1. Your name in my InfoWorld column
2. $100 out of my pocket (my wife is going to love me)
3. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006)
4. A free copy of my next sole author book, Windows Vista Security: Preventing Malicious Attacks (Wiley, 2007), when it comes out.
(Or you can substitute any of these books for my latest co-authored book, MCSE Core Electives in a Nutshell (O'Reilly, late 2006), when it comes out.)
------
Rules:
1. I solely determine winners and all rules
2. You can only claim one challenge prize. Send me the passwords if you break them, but if you win both challenges #1 and #2, I'll give you all the prizes listed in #2, but I'll give prizes in #1 to the next closest winner.
All password hashes can easily be cracked with the right tool and dictionary. I expect the first challenge to be cracked first. I suspect all three can be cracked. In the real world, the attacker would not be given the clues I have given. But I want readers to understand how hard this would be to do even if you had all the clues a real cracker would need to begin the attack.
This is proof of concept of password length over complexity. If someone breaks Challenges #2 or #3 before #1, I'll know I'm wrong.
Have fun and enjoy.
Posted by Roger Grimes on July 17, 2006 05:54 PM
July 14, 2006 | Comments: (0)
Excellent intro to Honeyclients
PDF Intro to Honeyclients
Robert Danford recently presented this excellent introduction on honeyclients to SANS.
http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf
Posted by Roger Grimes on July 14, 2006 06:54 AM
July 03, 2006 | Comments: (0)
One new browser bug a day to be released in July
Metasploit will release one new browser bug a day in July.
HD Moore of Metasploit wants to spotlight browser-based bugs. He claims, whether tongue-in-cheek I do not know, that he has enough bugs to release one a day for the next two and a half years.
http://metasploit.blogspot.com/2006/07/month-of-browser-bugs.html
Normally, I like Metasploit, but I strongly disagree with anyone who releases exploit code to the public before patches are available.
Either way, this is not good news for system admins and security folks.
There is no safe Internet browser. I frequently tell my students that once you have decided to let a workstation run an HTML browser and connect to the Internet, you have accepted a much higher risk of attack and exploitation. IE, Firefox, Safari, Netscape, Opera, Mozilla... they are all very hackable. Even Lynx (a bare-bones, command-line browser) has been exploited several times.
(Thanks to my MVP friend, Susan Bradley, for the heads-up.)
Posted by Roger Grimes on July 3, 2006 06:54 AM
July 02, 2006 | Comments: (0)
Stolen data was actually encrypted
I'm on the ground: The stolen data was actually encrypted!
Kudos to the Red Cross. A laptop containing confidential donor information was stolen out of a file cabinet, and surprise, surprise, the data was encrypted.
http://www.msnbc.msn.com/id/13657607/
Way to go Red Cross.
I'm not sure how it was encrypted or any of the other relevant facts of this case, but this is the first time I've read that the data stolen was encrypted. Other than being glad to read that some company or entity actually did what they are supposed to in protecting our confidential data, I'm sorry the Red Cross even reported it.
Posted by Roger Grimes on July 2, 2006 05:56 AM
July 01, 2006 | Comments: (0)
New host-based firewall is giving ZoneAlarm a run for its money.
Several readers are saying the Comodo Personal Firewall 2.0 is as good as the ZoneAlarm firewall, and it's free. I haven't tested it myself, but you may want to.
http://www.personalfirewall.trustix.com/
Posted by Roger Grimes on July 1, 2006 01:35 PM