Dan Goodin at Ars Technica has a helpful article about keeping your passwords safe:
“I recently checked in with five security experts to learn about their approach to choosing and storing crack-resistant passwords. They include renowned cryptographer Bruce Schneier, who is a “security futurologist” at BT and recently joined the Electronic Frontier Foundation’s board of directors; Adriel T. Desautels, CEO of Netragard, a firm that gets paid to hack large companies and then tell them how it was done; Jeremiah Grossman, founder and CTO of WhiteHat Security; Jeffrey Goldberg, “defender against the dark arts” at AgileBits, a company that develops the popular 1Password password manager; and Jeremi Gosney, a password security expert at Stricture Consulting.”
These are extra steps everyone should take at least once a year, or during situations where an account may be compromised:
Bruce Schneier has posted some interesting thoughts (well, everything he posts is interesting, but this is especially so to me) about passwords and their role.
“[...]As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second.[...]”
“[...]My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence – something personal.[...]”
“After a week of extensive testing, the CRN Test Center found that users of Windows Vista and Windows XP are equally at risk to viruses and exploits and that overall Vista brings only marginal security advantages over XP.”
“What do you do if you forget the password to your OpenOffice.org files? The simplest solution is to download OOo Password Cracker, a macro for opening protected documents in any OpenOffice.org application. Using a brute force dictionary attack, OOo Password Cracker provides a slow but reliable method of document recovery. However, the macro requires some preparation if you want to use it effectively.”
Read the full article at Linux.com
From The Register:
“Just after vbootkit takes control, it hijacks the interrupt 13, then searches for Signature for Vista OS. After detecting Vista, it starts patching Vista, meanwhile hiding itself (in smaller chunks at different memory locations). The patches includes bypassing several protections such as checksum, digital signature verification etc, and takes steps to keep itself in control, while boot process continues to phase 2.
Phase 2 includes patching vista kernel, so as vbootkit maintains control over the system till the system reboots. Several protection schemes of Vista were analyzed such as the famous PE header checksum (every Windows EXE contains it), the Digital Signature of files.”
From The Register:
Developers have discovered that the name given to a Vista executable affects whether or not it will require admin rights to run.
From Zero Day:
“Despite all the anti-malware roadblocks built into Windows Vista, a senior Microsoft official is lowering the security expectations, warning that viruses, password-stealing Trojans and rootkits will continue to thrive as malware authors adapt to the new operating system.”
From PC World:
Hackers can trick Windows Vista’s User Account Control to hide malware, researcher found.
The process to spoof a UAC dialog is roundabout, but doable, said Whitehouse. It would start with a user falling for any one of the current hacker tricks. “The most likely scenario is that a user gets compromised by malicious code, from a Trojan [horse] or a vulnerability in a third-party application like Office or a browser,” he said in an interview.
From The Register:
So, what have we got here? An adequately secure version of Windows, finally? I think not. We have got, instead, a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they’ve been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on. But MS has, in a sense, shifted the responsibility onto users: it has addressed numerous issues where too much was going on automatically and with too many privileges. But this simply means that the owner will be the one making a mess of their Windows box.