If you are still running these at your business or at home, an upgrade is called for as soon as possible.

I applaud this move toward security and productivity. I don’t think it will be a easy task for Google, but I believe it will be worth the effort in the long run.

Does your company need to consider switching away from Windows?

First off, what if I had a very simple security fix, requiring no new software to be purchased or installed, and with minimal configuration changes, that could block 64% of all Microsoft vulnerabilities reported in 2009? Would you be interested? What if I told you we had a fix that could also prevent 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009? How about blocking 100% of Microsoft Office vulnerabilities reported in 2009? Still not enough? How about blocking 90% of critical Windows 7 vulnerabilities reported to date?

As you should have guessed by now, the fix for all of these is the same: removing administrative rights from end users over their PCs.

While there are still some (poorly written) desktop applications which require administrative rights to run, I have found these to be relatively few in number these days, and once the initial configuration has been done, most programs run just fine as an ordinary user. Despite the additional configuration required by some programs, including hardware drivers, that needs to be done by an admin, the cost of setting these up the right way is generally far less than recovering from the damage caused by a serious malware outbreak.

The press release and the complete report are available from BeyondTrust’s website.

While these sites had no intention (or maybe even knowledge) of this, it goes to underscore a point that, while you may trust Google, Yahoo!, Fox, Facebook, eBay, etc., as trustworthy sites, the bulk of the content that these sites serve up is not coming from them – it’s coming from third parties, such as ad networks, which you don’t necessarily trust, or even know.

To protect yourself from this sort of attack, I recommend the following:

• Limit unnecessary web surfing, especially at work and doubly so for machines and networks which handle sensitive information. If you don’t go to the site in the first place, you can’t get infected.
• Make sure you are using a recent “alternative” browser, such as Firefox or Chrome. While this is no guarantee of safety, Internet Explorer is still the main target for browser-based attacks. Using an alternative platform may lower this risk by lowering your profile.
• Run extensions such as Adblock Plus and NoScript. These disable active programming on websites by default. Note: This does mean more work for you, as the bulk of websites you hit will not work until you enable the scripting components on the pages. However, you are much, much safer from this type of attack.
• Keep your operating system and all other software on your computer patched and up to date. Many of these sorts of attacks rely on flaws in software installed on your computer. If the flaws are patched, then you are less vulnerable to the attack.
• Know what your anti-malware program and operating system alerts look like. Many of these “drive by downloads” rely on tricking the user into installing malware by popping up fake notices telling them that their system is infected, and needs to be scanned. What they are really doing is tricking the user into running the malware in the first place! Don’t be fooled! Learn what your software really is likely to say in the event of malware detection, and how to respond appropriately. If you have any questions, contact your IT staff before taking any action, including clicking on links or closing windows.
• As always, drop those admin rights.

4. What characters should you use in a password to make it strong?
a) Letters only
b) Numbers only
c) Letters and punctuation
d) All of the above
Answer:  (d) – The more complex a password is, the harder it is for a
person to guess it.  Some systems and websites may not allow you to use
all of the punctuation symbols, but most allow some of them.

5. How long should a strong password be?
a) Five characters
b) Eight characters
c) As long as possible
d) Size doesn’t matter
Answer: It depends! For technical reasons, a minimum length of 8
characters is recommended. But not all eight-character passwords are
equally strong. For example, “football” wouldn’t be hard to guess, but
guessing the 8 characters of 7xkM*vh$ presents a real challenge.

6.  Now that you are an expert, choose the strongest password from this list:
a) Mickey.Mouse
b) M1ck3y.m0u53
c) 3.1416**
d) Ad@46-Hiz
e) Aristotle
Answer: (d) – (a) is obviously easy to guess, even though it’s long
enough; (b) is “hacker-speak” for Mickey Mouse – a bad idea; (c)
contains no letters – and it’s the approximate value of Pi; and (e) is
a proper name.

Strong password checklist

• at least 8 characters
• at least one number
• at least one uppercase and one lowercase letter
• at least one symbol (examples: &, !, @, #, $, ^, *)
• no proper names or words (English or otherwise)
• no personal information, like your SSN, phone number, or date of birth
• no repeating characters
• no easy-to-guess patterns like 123qwerty
• no well-known mathematical values (like Pi) or equations (E=mc2)

Tips

• Treat passwords like your toothbrush: Choose a good one and replace it regularly.
• Change your passwords at least every 30 days.
• Use a passphrase. Choose an easily remembered phrase like “Liberty and Justice Forever” and use the first one or two letters of each word with some punctuation and numbers in between. Example: Li.an1Ju*Fo.
• Use a password pattern. Pick a starting point on the keyboard, trace out an easily remembered pattern, and add some twists. Example: The eight-character pattern 1qscvhU* describes a “V” on your keyboard starting with the number 1 key, with the added twists of an uppercase U and an asterisk.
• Use a password manager.  If you use Firefox, for example, you can have your browser remember your passwords. Then be sure to set a strong master password in Firefox to protect your “remembered” passwords.
• Other versatile, no-cost or low-cost password managers include Roboform and KeePass.

This material is reprinted, with permission, from the February edition of the SANS Ouch! newsletter.

I’m reprinting the questions (with permission) in this post, and will post the answers in a subsequent post to let you rate your own password knowledge.

What’s your Password IQ?

1. How often should you change your password?
a) Every 30 days
b) Every 60 days
c) Every 90 days
d) When IT tells you to

2.  One of your co-workers is working on a critical report this weekend
and needs access to some of your files.  How should you give her your
password?
a) Send it in an email message
b) Call her on the phone and tell her the password
c) Don’t give it to her or anybody else
d) Write it on a piece of paper, seal it in an envelope, and mail it to
her

3.  What is the most common (and so the weakest) password used in 2009?
a) password
b) 123456
c) qwerty
d) abc123

4. What characters should you use in a password to make it strong?
a) Letters only
b) Numbers only
c) Letters and punctuation
d) All of the above

5. How long should a strong password be?
a) Five characters
b) Eight characters
c) As long as possible
d) Size doesn’t matter

6.  Now that you are an expert, choose the strongest password from this list:
a) Mickey.Mouse
b) M1ck3y.m0u53
c) 3.1416**
d) Ad@46-Hiz
e) Aristotle

The full SANS Ouch! newsletter, and others, are available at the SANS website.

In order to continue to improve our products and deliver more sophisticated features and performance… we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers.

It’s about time, and not just for those reasons.

Internet Explorer is arguably the most insecure web browser in current use today. It’s very old, in Internet terms, and really needs to be replaced. If you are still using Internet Explorer, you need to upgrade to IE 7 or IE 8, or switch to another browser like Mozilla Firefox (currently at version 3.6), Google Chrome, Opera, or Safari.

If you are one of those unfortunate folks who are required to use Internet Explorer 6 for a legacy web application, contact your vendor immediately and tell them that they need to change their application to support newer browsers. There is no excuse for continuing to use Internet Explorer when Microsoft itself has recommended that people discontinue its use.

The advice is to have a PC dedicated to online banking. If you weigh the convenience and cost savings of having access to online banking, versus time spent on the phone or traveling to and from a bank to conduct your business, the expense of a PC dedicated to this task, to continue to enable online banking, will likely be recouped within a matter of weeks, if not days.

The three arguments I’ve heard against this are:

• We don’t have enough money in the bank for anyone to want to hack it. (Or, “no one is interested in us because we’re too small.“)
  Then it sounds like you have everything to lose! Isn’t it more important to protect what assets you have, regardless of size?
• We’re protected by our bank’s security.
  No, you’re not. Bank websites get hacked frequently. Don’t believe me? Just do a Google search on the subject. Furthermore, the banks are not required to refund your money! You do not have the same protections as you do with credit cards on bank accounts. Finally, it’s not usually the bank that gets hacked – it’s your computer.
• We can’t afford the expense.
  The cost of a lightweight PC dedicated to this task is most likely lower than most of my clients’ electric bill, heating bill, or liability insurance for one month. You can afford the cost. But can you afford getting hacked and having your assets drained?

This is the same advice we gave on this blog last year. It’s sound. It’s simple. It’s cheap. Get a new netbook for a couple hundred dollars and use that for online banking. Is this not worth the risk of your business losing tens of thousands of dollars from its bank account? Please, if you do online banking at home or at work, at the very least, practice it from a non-Windows computer not running Internet Explorer. Better yet, prove me wrong and get a cheap PC and dedicate it to your online banking needs. Never go to any website other than your bank’s with it. Another alternative would be to boot from a live CD of your favorite Linux distribution, such as my favorite, Ubuntu.

References:

• http://lastwatchdog.com/american-bankers-associations-small-business-warning/
• http://itknowledgeexchange.techtarget.com/security-corner/aba-recommends-using-dedicated-pc-for-online-banking/
• http://news.softpedia.com/news/Small-Businesses-Should-Conduct-Online-Banking-from-Dedicated-Computers-131086.shtml
• http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=1#sID200
• http://content.usatoday.com/communities/technologylive/post/2010/01/online-banki
  ng-precaution-for-small-and-mid-sized-businesses-draws-attention-/1
• http://www.upi.com/Top_News/US/2010/01/01/Businesses-warned-about-online-banking
  /UPI-81761262329630/

Let’s assume, for argument’s sake, that Google does abide by its own code of conduct and isn’t evil. They’re still amassing a staggering amount of data about nearly every Internet user. Now, with more and more companies “Going Google,” Google has access to data that it wouldn’t in the past. Now, they aren’t just indexing your website, blogs, or even chats and emails. Now they’re indexing your corporate documents – you know, the sensitive things you’re “not supposed to send via email?”

While I am quite confident in Google’s security capabilities, no one is perfect. And like my aikido instructor used to say, there’s always someone stronger, or quicker than you. Last week, Google met its security match when their servers were hacked.

While I won’t delve into the economic and political issues which revolve around this hack (see footnotes for plenty of reference links), there are plenty of lessons we can take away from this:

• By most accounts, Google’s servers were hacked by good, old-fashioned social engineering:
  

  “Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees…”

  This means that the attackers were not hammering through firewalls or reprogramming routers – they had people click links on what they thought were legitimate emails and exploited security flaws in common desktop software to gain access.

• Users accounts which were hacked were most likely running with administrative privileges over their desktop systems.
• If Google can be hacked, anyone can. By extension, if your data is with Google, you can be hacked as well.
• Trusting Google does not just mean “trusting that Google won’t do anything evil with my data.” It also means “trusting Google will never make a mistake which accidentally opens my data up to anyone else.”
• Substitute the word “Google” with any popular online service or enterprise firm that has a lot of (your) data (e.g. Facebook, Salesforce, Amazon). This is not a problem just with Google.

References:

• Researchers identify command servers behind Google attack
• Adobe Reader vuln hit with unusually advanced attack • The Register
• IE zero-day used in Chinese cyber assault on 34 firms • The Register
• Google may exit China after ‘highly targeted’ attack • The Register
• Google May Pull Out of China After Cyber Attack
• NY Times Article on Google/China Hack
• Official Google Blog: A new approach to China
• China Defends Internet Censorship
• Ballmer doesn’t get why Google is upset about attacks | Googling Google | ZDNet.com
• US will complain to China about Google hacking • The Register
• SANS Internet Storm Center Diary