EPC’s Computer Recyling Blog

Microsoft asks users to abandon IE6, kinda

Much has been written about the recent hack targeting Google, but somewhat lost in the shuffle is that the attack specifically targets Internet Explorer 6 on Windows 2000 and Windows XP. Based on their analysis of the attack, Microsoft’s Security Research and Defense blog urges users to upgrade to a newer platform or enable DEP (only available on Windows XP Service Pack 2 or later).

In their blog post, Assessing risk of IE 0day vulnerability, Microsoft outlines the potential impact on the main OS and browser combinations.

	Windows 2000	Windows XP	Windows Vista	Windows 7
Internet Explorer 6	Exploitable	Exploitable (current exploit effective for code execution)	N/A (Vista ships with IE7)	N/A (Windows 7 ships with IE
Internet Explorer 7	N/A (IE 7 will not install on Windows 2000)	Potentially exploitable (current exploit does not currently work due to memory layout differences in IE 7)	IE Protected Mode prevents current exploit from working.	N/A (Windows 7 ships with IE
Internet Explorer 8	N/A (IE 8 will not install on Windows 2000)	DEP enabled by default on XP SP3 prevents exploit from working.	IE Protected Mode + DEP enabled by default prevent exploit from working.	IE Protected Mode + DEP enabled by default prevent exploit from working.

In spite of this, Microsoft still has no plans to drop support for IE6, leaving it up to the individual to upgrade if they desire. Because of this, there are still many major corporations that have not yet upgraded from this now ancient browser – IE 7 was released over 3 years ago.

Even though this event is likely to not change their behavior, if upgrading the operating system is not an option, they should at least consider deploying Firefox and the awesome extension IE Tab for those times when they just have to use Internet Explorer.

Also – Google doesn’t get a free pass here. How is it that the maker of the most secure browser still has workstations running IE6?

Tags: chrome, dep, google, internet explorer, microsoft, security

Dealing with password fatigue

How many passwords do you have? According to a study done by the NTA Monitor in 2002 the average computer user has 21 different passworded accounts. Twenty One! And that was before Facebook, Twitter, or any other social networking tool. I personally have well over 100 distinct account credentials on various websites and servers.

It’s no wonder that many users resort to picking easily guessed words, put passwords on sticky notes, or use the same password for every service out there. A recent study even indicates that IT security professionals are suffering from password fatigue.

Password Managers

One solution to password fatigue is using a password manager. Many operating systems, like OSX and Windows 7 even include password management tools within. My personal favorite is KeePass, an Open-Source manager that was developed for Windows, but has been ported to OSX and Linux.

The main drawback with password managers is that they require extra effort to maintain. Every time you create a new account or change a password on an existing account you have to keep your password manager in sync. Over time it is easy to have the wrong password on file, or worse, not have the password you need on file.

Password Schemes

An alternative to password management tools is coming up with a consistant scheme for generating new passwords. The idea is that if you use the same rule for generating passwords, you can figure out what the password would be.  One scheme is to use a base password, then append something related to the service. So for example, your base might be ‘asdf’. So if you were creating an account on Yahoo you might use the password ‘asdfyahoo’ or ‘yahooasdf’.

The drawback with this approach is that each site has its own password guidelines. Some require alpha and numeric characters, some require a combination of upper case and lower case, and others require extended characters like ‘$’ or ‘&’. Coming up with a scheme that supports all the requirements is a challenge. And what about services that require your password to change regularly. Either you have to create multiple base passwords or multiple service keywords – and once you do that you are back to keeping track of individual passwords.

Choosing Memorable Passwords

A third option is picking passwords that are easy to remember. The challenge is in picking a password that is both easy to remember and secure. For example, while everyone can remember ‘password,’ it is not a very secure choice.

One trick is to pick a phrase that can be remembered such as ‘The fox jumped over the tall hedge’ and use the first or last characters from each word. So in our example phrase you might use the passwords ‘tfjotth’ or ‘exdrele.’

While this approach makes passwords easier to remember, you still should not use the same password for every service, so it makes sense to pick a few phrases that can be remembered and cycle through them.

How do you deal with the many passwords in your life?

Tags: computer security, Data Security, passwords, security

Quick Hits

Here are a few quick computer and security news articles from this week:

• Mother sues Apple over exploding iPod Touch Supposedly the iPod was in her child’s pocket in the off position. The kid felt a hotness from his pocket, looked down and was on fire. The mother is suing Apple and 10 Apple store employees for damages.
• Army database compromised The US Army discovered a possible security breach on a web application containing personal information of about 1600 soldiers
• Cyber crime goes SaaS Want to buy a toolkit for attacking computers? No problem? Don’t have the expertise to run it yourself? No Problem, they’ll host it for you! Seems like this would make it easier to shut the attackers down since they have a common source.
• Rigged podcasts can leak your iTunes username/password Hackers can create malicious podcasts to hijack usernames and passwords from Apple’s iTunes software. iTunes 8.1 fixes “feature”

Tags: apple, cybercrime, ipod, podcasts, quicklinks, SaaS, security