Web services and network managers nearly always require a minimum degree of password difficulty to prevent standard password-cracking techniques from guessing them quickly. We’re also cautioned not to reuse the same passphrases on different sites and are routinely blocked from recycling the passwords we’ve used previously.

Considering the number of times PC users sign into a service or network each day, we may need to remember a half-dozen hard-to-guess passwords, not to mention the various sign-in IDs we use along with the passwords (full name or first initial-last name? Case sensitive? An e-mail address?). Many computer professionals need access to dozens of secure systems, which stretches the limits of anyone’s memory.

Your three options are to use a password-management program, to write your passwords down on paper (or record them in an encrypted text file), or to devise a method for memorizing hard-to-guess passphrases. While no single technique is right for everyone, here’s why I suggest the memorization approach.

The pros and cons of password managers
For many people, the best way to protect their data and identity is to use a password manager, which either stores your passwords in the cloud or on a local drive–often a USB thumb drive or other portable storage device. The obvious risk is that the vendor’s server is hacked or you lose the drive that stores your passwords.

Last May, the LastPass password-management service reported a breach that may have exposed users’ passwords, although LastPass CEO Joe Siegrist stated that people who used strong master passwords were not threatened.

Other password managers work without storing your passwords on a Web server. The Tech Support Alert site recently compared several free password-management programs, including LastPass, RoboForm, and KeePass.

The hard-copy approach to password management
If you forgo the password-manager route, your options are to write your passphrases down or to memorize them. Whenever you record your passwords on paper–even if you record only a mnemonic that reminds you of the actual characters–you’ve made your accounts a little more susceptible to unauthorized access.

That hasn’t stopped computer experts from recommending that users jot down their passwords and keep the paper in a secure location. Gunter Ollman, a researcher for security firm Damballa, concludes that recording your passwords on paper is the lesser of several password evils; more risky is using the same password at multiple sites, setting your software to remember passwords, failing to change passwords frequently, using an easy-to-guess password, and reusing past passwords.

Likewise, computer expert Bruce Schneier reiterated on his Schneier on Security blog the advice of Microsoft executive Jesper Johansson to record your passwords on paper to encourage use of strong passwords.

The obvious downside of the paper approach is that someone will find the paper taped to the bottom of your keyboard or tucked into your wallet and access your private data before you’re able to take preventive measures. Or you may simply lose the paper and have to do the recover-password-by-e-mail two-step for each network and service you need to access.

The wetware approach to password storage is still the safest
As you might have guessed, Mr. Schneier’s 2005 post recommending that you write down your passwords generated quite a few comments to the contrary. Most of the commenters suggested their own technique for remembering strong passwords.

Of course, the bad guys pay close attention to this information and will attempt to incorporate the approaches in their password-cracking efforts. The key is to get creative in altering something you’ve already memorized, such as song lyrics, family members’ first names, or place names from your past.

An alternative method leverages something nearby. For example, there may be a product near your workstation that has a prominent model or serial number, or a book within view of your seat has an ISBN number on the back cover. Rather than using the exact number, add or subtract two or three numbers or letters, so “1158748562″ becomes “3370960784,” or “BCGA1339″ becomes “DEIC3551.”

The only problem I’ve encountered with my own password-mnemonic creation is that some vendors require a mix of upper and lower case letters and numbers. I have become resigned to having to go through Apple’s “Forgot your password?” e-mail routine about every other week.

This is doubly upsetting because my system uses from 12 to 16 random alphabetic characters (found in no dictionary and following no discernible pattern). As the How Secure Is My Passwordsite indicates, the all-text, all-lower-case password I devised would take much more effort to crack than an eight-character password that meets Apple’s requirements.

Check the strength of your passwords at the How Secure Is My Password site, which indicates how difficult your password is to crack, and whether it’s on the site’s common-password list.(Credit: screenshot by Dennis O’Reilly)

Only time will tell whether PC users will ever be able to securely store their sign-in credentials in their systems’ software or on a service’s Web server. For most people, the safest approach to passwords is to rely only on their own personal gray matter. Let’s hope a secure alternative to passwords arrives before our memories give out.

 Dennis O’Reilly @ CNET

If unethical journalists can do it chances are anyone can, right?

To test my theory I called up Kevin Mitnick, who wrote about the hacking and social engineering that landed him in jail in a fascinating book coming out this summer, “Ghost in the Wires,” and who serves as a security consultant, helping clients protect against privacy breaches such as this.

Phone hacking, also known as “phreaking,” is easy to do, Mitnick said, adding that he could demonstrate it on my phone if I wanted proof. So I gave him permission to access my voice mail and told him my mobile phone number.

He called me right back on a conference call so I could hear what was going on. First he dialed a number to a system he uses for such demonstration purposes and entered a PIN. Then he was prompted to enter the area code and phone number that he wanted to call (mine) and the number he wanted to be identified as calling from (again mine). Next thing I know I’m listening to a voice message a friend of mine left me last night that I hadn’t erased.

“See how easy it is?!” Mitnick says as my jaw drops.

He was able to get into my voice mail by tricking my mobile operator’s equipment into registering the call as coming from the handset–basically pretending to be me. To do this, he wrote a script using open-source telecom software and used a voice-over-IP provider that allows him to set caller ID, but there also are online services that provide similar capability that non-hackers could subscribe to. It might be easier or harder to accomplish depending on the mobile operator, he said. (I’m keeping some of the details sketchy to avoid providing a how-to for phreaking.)

“Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes,” Mitnick said. “If you’re not adept at programming, you could use a spoofing service and pay for it.”

This technique, called Caller ID Spoofing, has been used and abused for years. In 2006, a caller ID spoofing account in the name of Paris Hilton was suspended for voicemail hacking, with other celebrities, including Lindsay Lohan, allegedly being victims, according to IDG News Service.

The method is more sophisticated than that allegedly used by the British journalists who are accused of using default PINs to access victims’ voicemail accounts, assuming correctly that many people wouldn’t bother to change the PINs. Since the phone hacking scandal first erupted about five years ago, mobile operators in the U.K. have changed their practices and most now require people to set their own PINs for remotely checking voice mail.

If I want to avoid having anyone use Caller ID Spoofing to access my voice mail again, I need to change my phone settings to require a PIN even when checking voice mail from my mobile device. But that doesn’t address the fact that mobile operators don’t authenticate caller ID. “The magic is that my VoIP provider allows me to set any caller ID and the other operators trust it,” Mitnick said. “Caller ID is automatically trusted.”

Mobile phone industry specialist David Rogers suggests on his blog that operators should consider preventing people from accessing mobile voicemails remotely at all.

Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or display misleading or inaccurate caller ID information. This could send the caller spoofing services off shore but likely won’t put an end to the practice.

by Elinor Mills @ cnet.com

That’s the message from the “November Threat Landscape Report” released yesterday by security vendor Fortinet.

Global spam levels ultimately fell 12 percent in November after Dutch authorities took down a large Bredolab network made up of 140 different servers. The Bredolab botnet was typically used by cybercriminals to send out spam selling fake drugs, according to Fortinet. Spam had actually fallen as much as 26 percent the week after the network was dismantled but was able to stage a bit of a recovery afterward.

(Credit: Fortinet)

The ever-present Koobface botnet, known for affecting Facebook users, also suffered a hit on November 14 when U.K. Internet service provider Coreix took down three of its central “MotherShip” servers. The perpetrators of Koobface use these MotherShip servers as their main command-and-control systems to direct the spread of the botnet and control infected PCs. The bad guys communicate with the MotherShip machines through intermediary servers.

Though the takedown of the MotherShip servers dealt Koobface a severe blow, the success was short-lived as the botnet operators were able to use stolen FTP accounts to hijack other servers, according to Fortinet.

“We confirmed that on November 14, when the primary servers were taken offline, the intermediary servers failed to proxy content, which effectively crippled the botnet,” Derek Manky, project manager for cyber security and threat research at Fortinet, said in a statement. “Unfortunately, we saw communication restored five days later on November 19th. This is likely due to the fact that Koobface contains an FTP harvesting module.”

Looking at other botnets, Fortinet found another prominent threat in November in the form of Sasfis, a botnet that infects PCs by using the standard port 80 reserved for HTTP traffic. Increasingly, botnets are using common ports to spread in an effect to blend in with normal traffic. Detections of Sasfis command-and-control servers were third on the top 10 attack list maintained by Fortinet.

Fortinet also discovered in November that the Hiloti botnet was using legitimate DNS queries to report back to its command-and-control servers, another example of a botnet trying to use standard protocols to avoid being detected.

Finally, zero-day vulnerabilities were found last month in Adobe Shockwave, Adobe Flash, Microsoft PowerPoint, Apple QuickTime, and Microsoft’s Internet Explorer. All of these weaknesses were cited by Fortinet as critical as they leave the applications open to attacks that are able to run code remotely.

In terms of sheer malware attacks among the top countries hit in November, the U.S. accounted for 35 percent, up from 32 percent in October. Japan took 22 percent of the total attacks, up from 16 percent the prior month. And Korea took the brunt of 12.5 percent of the world’s total malware attacks, up from less than 9 percent in October.

(Credit: Fortinet)

Read more: http://news.cnet.com/8301-1009_3-20024432-83.html#ixzz186DmrR3M

Lance Whitney, CNET

“The final version of Microsoft Security Essentials will be released to the public in the coming weeks,” Microsoft said in the note.

Microsoft first announced its plans for the product, then code-named Morro, last November, at the same time the company said it was scrapping its paid Windows Live OneCare product.

Public beta testing of Security Essentials started in June, with Microsoft reaching its goal of 75,000 testers just one day after it issued a call for them.

Ina Fried, CNet

The Intel “Clarksfield” Core i7 processor boasts four cores and is the chipmaker’s first mobile chip based on its new Nehalem microarchitecture. Most Intel processors will move to this design in 2010.

Dell is trying to take an early lead in embracing the new technology. Dell’s flagship product for the mobile Core i7 will be the 15-inch Alienware M15x gaming laptop. Dell is also offering the chip as an option on other laptop models worldwide, including the Studio 15 and Studio 17.

At the Intel Developer Forum today, David Perlmutter, executive vice president and co-general manager of Intel Corporation’s Intel Architecture Group, is discussing Intel’s mobile Nehalem platform that also includes a future chip codenamed “Arrandale,” which will integrate graphics into the CPU, or central processing unit.

The Core i7 is packaged with the Intel PM55 Express chipset–companion silicon that assists the processor in communicating with the rest of the system. Two features that differentiate Core i7 from Core 2 Duo processors (the most-widely-used chips in laptops today) is Turbo Boost and Hyper-Threading. Turbo Boost speeds up and slows down individual cores to meet processing and power-efficiency needs, respectively. Hyper-Threading can double the number of tasks–or threads–a processor can execute.

The Alienware M15x configurations include the Intel Core 920XM CPU and 1GB NVIDIA GeForce GTX 260M graphics chip.

The Dell Studio 17 will feature the Intel Core i7 720QM 1.6GHz processor, a 1GB ATI Mobility Radeon HD 4650 graphics chip, 17.3-inch HD+ (1600×900) display, and 9-cell battery.

The Studio 17 starts at $1,099.

Dell will also offer the Studio 15 with Core i7. Configurations include Core i7 720QM 1.6GHz, 512MB ATI Mobility Radeon HD 4570 graphics chip, and 4GB of memory. Pricing start at $999.

And the Dell Studio XPS 16 will come with a Core i7 option, with a starting price of $1,249, Dell said.

Brooke Crothers, CNet

And even if there is malware involved, it’s almost certainly not a virus.

The word virus refers to a very specific way that malware spreads from one PC to another. A computer virus infects an executable file, like a program, the way a biological virus infects a cell. When it gets the chance, it infects another file, and thus spreads.

Or perhaps I should say used to spread. Over the last few years, rogue programmers have found better ways to infect your computer, more suited for the Internet and email age. For instance, Trojans–programs that trick you into opening them, and infect your computer when you do–are quite popular among the tech-savvy criminal set.

Yet the word virus stays around. Why?

Because viruses were the most prominent form of malware when large numbers of people finally figured out that this was something to worry about. Everyone was talking about viruses in the 1990′s. One of them destroyed an evil corporation in seconds, and another saved the world from alien invasion. (And no, I’m not going to tell you what movies I’m talking about; that would be spoiling.)

Thus, to the uninformed, the word virus came to mean any malicious computer program. It’s like using the name Frankenstein to refer to the monster rather than the monster maker.

So check yourself before you tell someone your computer has a virus. You’re probably admitting your own ignorance.

Lincoln Spector, PCWorld

(Why did I just put the word viruses in quotation marks? Anything that infects your PC today is almost certainly not, technically, a virus. But the word has become a common term for any malicious software, whether it spreads like a virus or not. See Is It a Virus? for details.)

What are some of the signs that you may have an infection?

* Your home page keeps changing, or web searches keep taking you to the wrong page.

* Software that should protect you, like your anti-virus program, can’t update or no longer works properly.

* Common programs you can use to configure your system, such as msconfig or System Restore, stop working.

* Your computer accesses the Internet a lot when you’re not using the Internet.

* Your security software tells you that you have an infection, but can’t get rid of it.

If you think you have an infection, try the following four fixes, in this order. And use them all, even if the second one solves the problem.

1) Accept that your anti-virus program has failed. Don’t be too hard on it; you just had the misfortune to get the malware before the update that would have protected you from it. But until everything else is fixed, your current software probably isn’t working.

2) Restore the system. Select Start, All Programs, Accessories, System Tools, System Restore. Follow the prompts to restore from a time before you starting having the problem. If you don’t have a restore point that old, go on to step 2. If System Restore fails to work, reboot into Safe Mode (reboot, then press F8 before Windows starts loading (it may take a few tries to get the timing right) and try System Restore there.

3) Get a second opinion from another security program. I recommend the free version of either SUPERAntiSpyware or Malwarebytes’ Anti-Malware. Download the program, install it, and have it scan your hard drive and eliminate what it finds.

4) Get a third opinion. Repeat with the other of those two programs.

If you’re not satisfied that you’re now clean, download and install another free program: Trend Micro’s HijackThis. This one doesn’t actually fix anything, but it gives you a very thorough, and for most people, thoroughly unreadable report. But someone who knows what they’re doing can study this report and figure out what your problem is and what you can do about it.

Lincoln Spector, PCWorld

Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.

Trading tracking for services

That does not mean all software that provides ads or tracks your online activities is bad. For example, you might sign up for a free music service, but you “pay” for the service by agreeing to receive targeted ads. If you understand the terms and agree to them, you may have decided that it is a fair tradeoff. You might also agree to let the company track your online activities to determine which ads to show you.

What spyware does

Other kinds of spyware make changes to your computer that can be annoying and can cause your computer slow down or crash.

These programs can change your Web browser’s home page or search page, or add additional components to your browser you don’t need or want. They also make it very difficult for you to change your settings back to the way you had them.

Know what you’re installing

The key in all cases is whether or not you (or someone who uses your computer) understand what the software will do and have agreed to install the software on your computer.

A common trick is to covertly install the software during the installation of other software you want such as a music or video file sharing program.

Whenever you install something on your computer, make sure you carefully read all disclosures, including the license agreement and privacy statement. Sometimes the inclusion of unwanted software in a given software installation is documented, but it might appear at the end of a license agreement or privacy statement.

There are a number of ways spyware or other unwanted software can get on your computer. To learn more about spyware, read How to help prevent spyware.

Microsoft