Passwords are a way of life for nearly everybody who uses any kind of software. No viable alternative is imminent: fingerprint readers, retina scanners, voice identification, and USB tokens all have limitations. Nothing is as simple and inexpensive as an old-fashioned string of keystrokes.
Web services and network managers nearly always require a minimum degree of password difficulty to prevent standard password-cracking techniques from guessing them quickly. We’re also cautioned not to reuse the same passphrases on different sites and are routinely blocked from recycling the passwords we’ve used previously.
Considering the number of times PC users sign into a service or network each day, we may need to remember a half-dozen hard-to-guess passwords, not to mention the various sign-in IDs we use along with the passwords (full name or first initial-last name? Case sensitive? An e-mail address?). Many computer professionals need access to dozens of secure systems, which stretches the limits of anyone’s memory.
Your three options are to use a password-management program, to write your passwords down on paper (or record them in an encrypted text file), or to devise a method for memorizing hard-to-guess passphrases. While no single technique is right for everyone, here’s why I suggest the memorization approach.
The pros and cons of password managers
For many people, the best way to protect their data and identity is to use a password manager, which either stores your passwords in the cloud or on a local drive–often a USB thumb drive or other portable storage device. The obvious risk is that the vendor’s server is hacked or you lose the drive that stores your passwords.
Other password managers work without storing your passwords on a Web server. The Tech Support Alert site recently compared several free password-management programs, including LastPass, RoboForm, and KeePass.
The hard-copy approach to password management
If you forgo the password-manager route, your options are to write your passphrases down or to memorize them. Whenever you record your passwords on paper–even if you record only a mnemonic that reminds you of the actual characters–you’ve made your accounts a little more susceptible to unauthorized access.
That hasn’t stopped computer experts from recommending that users jot down their passwords and keep the paper in a secure location. Gunter Ollman, a researcher for security firm Damballa, concludes that recording your passwords on paper is the lesser of several password evils; more risky is using the same password at multiple sites, setting your software to remember passwords, failing to change passwords frequently, using an easy-to-guess password, and reusing past passwords.
The obvious downside of the paper approach is that someone will find the paper taped to the bottom of your keyboard or tucked into your wallet and access your private data before you’re able to take preventive measures. Or you may simply lose the paper and have to do the recover-password-by-e-mail two-step for each network and service you need to access.
Of course, the bad guys pay close attention to this information and will attempt to incorporate the approaches in their password-cracking efforts. The key is to get creative in altering something you’ve already memorized, such as song lyrics, family members’ first names, or place names from your past.
An alternative method leverages something nearby. For example, there may be a product near your workstation that has a prominent model or serial number, or a book within view of your seat has an ISBN number on the back cover. Rather than using the exact number, add or subtract two or three numbers or letters, so “1158748562” becomes “3370960784,” or “BCGA1339” becomes “DEIC3551.”
The only problem I’ve encountered with my own password-mnemonic creation is that some vendors require a mix of upper and lower case letters and numbers. I have become resigned to having to go through Apple’s “Forgot your password?” e-mail routine about every other week.
This is doubly upsetting because my system uses from 12 to 16 random alphabetic characters (found in no dictionary and following no discernible pattern). As the How Secure Is My Password site indicates, the all-text, all-lower-case password I devised would take much more effort to crack than an eight-character password that meets Apple’s requirements.
Check the strength of your passwords at the How Secure Is My Password site, which indicates how difficult your password is to crack, and whether it’s on the site’s common-password list. (Credit: screenshot by Dennis O’Reilly)
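The comparison above (12 to 16 random lower-case letters versus an eight-character mixed password) and the “shift a nearby number” scheme can both be checked with a little arithmetic. The following is an added example, not code from the article or from the How Secure Is My Password site: it reproduces the article’s shift transformation so the two quoted examples can be verified, and it computes the keyspace size of each password policy. The guess rate of one billion guesses per second is an assumption chosen for illustration; real rates depend on the hash function and hardware, and these figures only hold for passwords whose characters are genuinely random. A password derived from a visible serial number by a small shift has a far smaller keyspace to anyone who knows the scheme, which is the risk the article itself raises.

```python
import math

# Character-class sizes assumed for a standard US keyboard.
LOWER = 26         # a-z
ALNUM_MIXED = 62   # a-z, A-Z, 0-9
PRINTABLE = 95     # all printable ASCII


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a password chosen uniformly at random from
    `alphabet_size` symbols; only valid for genuinely random characters."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace at an assumed guess rate."""
    return alphabet_size ** length / guesses_per_second


def shift_string(base: str, k: int) -> str:
    """The article's transformation: shift each digit by k (wrapping mod 10)
    and each upper-case letter by k (wrapping mod 26); other characters unchanged."""
    out = []
    for ch in base:
        if ch.isdigit():
            out.append(str((int(ch) + k) % 10))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + k) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def shift_scheme_bits(max_shift: int) -> float:
    """Entropy of the shift scheme for someone who already knows the base
    string: the only secret is the shift, one of 2 * max_shift non-zero values."""
    return math.log2(2 * max_shift)


if __name__ == "__main__":
    # Verify the two examples the article gives (both use a shift of +2).
    print(shift_string("1158748562", 2), shift_string("BCGA1339", 2))
    rate = 1e9  # assumed guesses per second
    for name, size, length in (("12 lower-case", LOWER, 12),
                               ("8 printable", PRINTABLE, 8),
                               ("8 alphanumeric", ALNUM_MIXED, 8)):
        print(f"{name:>15}: {keyspace_bits(size, length):5.1f} bits, "
              f"{brute_force_seconds(size, length, rate) / 86400:10.1f} days worst case")
    print(f"shift scheme (+/-3): {shift_scheme_bits(3):.1f} bits")
```

The output confirms the article’s point for random strings: 26^12 is roughly 9.5 × 10^16 possibilities (about 56 bits), more than 95^8 (about 52.6 bits) and far more than 62^8 (about 47.6 bits). The shift scheme, by contrast, contributes under three bits once the base string is known, so its security rests entirely on nobody connecting the password to the object on your desk.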
Only time will tell whether PC users will ever be able to securely store their sign-in credentials in their systems’ software or on a service’s Web server. For most people, the safest approach to passwords is to rely only on their own personal gray matter. Let’s hope a secure alternative to passwords arrives before our memories give out.
Global spam levels ultimately fell 12 percent in November after Dutch authorities took down a large Bredolab network made up of 140 different servers. The Bredolab botnet was typically used by cybercriminals to send out spam selling fake drugs, according to Fortinet. Spam had actually fallen as much as 26 percent the week after the network was dismantled but was able to stage a bit of a recovery afterward.
The ever-present Koobface botnet, known for affecting Facebook users, also suffered a hit on November 14 when U.K. Internet service provider Coreix took down three of its central “MotherShip” servers. The perpetrators of Koobface use these MotherShip servers as their main command-and-control systems to direct the spread of the botnet and control infected PCs. The bad guys communicate with the MotherShip machines through intermediary servers.
Though the takedown of the MotherShip servers dealt Koobface a severe blow, the success was short-lived as the botnet operators were able to use stolen FTP accounts to hijack other servers, according to Fortinet.
“We confirmed that on November 14, when the primary servers were taken offline, the intermediary servers failed to proxy content, which effectively crippled the botnet,” Derek Manky, project manager for cyber security and threat research at Fortinet, said in a statement. “Unfortunately, we saw communication restored five days later on November 19th. This is likely due to the fact that Koobface contains an FTP harvesting module.”
Looking at other botnets, Fortinet found another prominent threat in November in the form of Sasfis, a botnet that infects PCs by using the standard port 80 reserved for HTTP traffic. Increasingly, botnets are using common ports to spread in an effort to blend in with normal traffic. Detections of Sasfis command-and-control servers were third on the top 10 attack list maintained by Fortinet.
Fortinet also discovered in November that the Hiloti botnet was using legitimate DNS queries to report back to its command-and-control servers, another example of a botnet trying to use standard protocols to avoid being detected.
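Because traffic on port 80 and ordinary DNS lookups cannot simply be blocked, defenders look for the statistical fingerprints that command-and-control hidden in such protocols tends to leave. The following is an added example, not code from Fortinet or from the article: a small detector that scans resolver log lines for hostnames whose left-hand labels are long and high-entropy (the shape of encoded data smuggled into a query name) and then counts how many such queries each client made. The log format, the sample lines, the hostnames and the thresholds are all constructed for the example; real deployments tune them against their own baseline, and labels such as CDN content hashes are a known source of false positives, so this is a triage signal to combine with domain reputation, not a verdict on its own.

```python
import math
import re
from collections import Counter

# Constructed resolver log lines for the example (not real traffic).
# Assumed format: "<timestamp> client=<ip> qtype=<type> qname=<name>"
SAMPLE_DNS_LOG = [
    "2010-11-20T10:01:02 client=10.0.0.5 qtype=A qname=www.example.com",
    "2010-11-20T10:01:03 client=10.0.0.5 qtype=A qname=mail.example.org",
    "2010-11-20T10:01:09 client=10.0.0.7 qtype=TXT qname=a9f3k2q8zz71mbv.cdn-update.example.net",
    "2010-11-20T10:01:10 client=10.0.0.7 qtype=A qname=q4w8e1r2t9y3u.u5i7o0p3a.cdn-update.example.net",
    "2010-11-20T10:01:12 client=10.0.0.9 qtype=A qname=static.images.example.com",
]

LINE_RE = re.compile(r"client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def hostname_labels(qname: str) -> list:
    """Labels to the left of the registrable domain. Simplifying assumption:
    the registrable domain is the last two labels (a real tool would use the
    public suffix list)."""
    return qname.rstrip(".").split(".")[:-2]


def is_suspicious_label(label: str, min_len: int = 12, min_entropy: float = 3.2) -> bool:
    """Long and high-entropy labels look like encoded payload rather than a name.
    Thresholds are illustrative and should be tuned against a local baseline."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def flag_queries(lines) -> list:
    """Return (client, qname) pairs whose hostname carries a suspicious label."""
    flagged = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        qname = m.group("qname")
        if any(is_suspicious_label(label) for label in hostname_labels(qname)):
            flagged.append((m.group("client"), qname))
    return flagged


def suspicious_clients(lines, min_hits: int = 2) -> dict:
    """Clients with at least min_hits flagged queries; a beaconing host repeats,
    a one-off CDN lookup usually does not."""
    counts = Counter(client for client, _ in flag_queries(lines))
    return {client: n for client, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_DNS_LOG):
        print(f"suspicious query from {client}: {qname}")
    print("clients to triage:", suspicious_clients(SAMPLE_DNS_LOG))
```

Run against the constructed sample, the two random-looking names from 10.0.0.7 are flagged and that client is the only one that crosses the repeat threshold; the ordinary www, mail and static names pass. The same per-label statistics can be applied to the Host header or URL path of port 80 traffic, which is the other blending technique the article describes.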
Finally, zero-day vulnerabilities were found last month in Adobe Shockwave, Adobe Flash, Microsoft PowerPoint, Apple QuickTime, and Microsoft’s Internet Explorer. All of these weaknesses were cited by Fortinet as critical as they leave the applications open to attacks that are able to run code remotely.
In terms of sheer malware attacks among the top countries hit in November, the U.S. accounted for 35 percent, up from 32 percent in October. Japan took 22 percent of the total attacks, up from 16 percent the prior month. And Korea took the brunt of 12.5 percent of the world’s total malware attacks, up from less than 9 percent in October.
Here are two key words for Microsoft Windows shops to remember come this Patch Tuesday: “six” and “restart.” Six is the number of a critical bulletin Microsoft will release on February 9 that affects all the currently supported versions of Windows on both the desktop and server. And a system restart will be required for these Windows patches, which will mean downtime for servers. In fact, 10 of the record-tying 13 bulletins require a restart. In all, five are listed as critical, seven important and one moderate.
The last time Microsoft had so many bulletins was in October 2009. In the preliminary patch information issued Thursday, Microsoft does not say how many total vulnerabilities are in those 13 bulletins. In October, the number was 34. Experts say on average there are two vulnerabilities per bulletin.
“Bulletin six is definitely key, we can see that both server teams and desktop teams are going to be impacted,” says Don Leatham, senior director of solutions and strategy for Lumension. Leatham says IT teams should look at their maintenance windows and see how and when they can get these critical patches out. “With bulletin six it might be worthwhile to move up the maintenance window if need be,” he says. Many organizations with patching policies time server maintenance with patch releases.
Leatham says users should not wait to scramble on Tuesday but instead should start prepping as soon as possible. “Usually when there have been bulletins like this in the past that cover every single Windows platform it means it could be fairly low level in the OS,” he says.
This month, the other trend is that there are fewer patches on the applications side. Only two patches address applications and both are for Microsoft Office. Microsoft had a single patch last month, which was in the font engine of Windows.
Follow John on Twitter: twitter.com/johnfontana
I get a lot of email from people who believe their computer is infected by a virus. In most cases, it’s not infected at all–evil software designers are still outnumbered by incompetent ones.
And even if there is malware involved, it’s almost certainly not a virus.
The word virus refers to a very specific way that malware spreads from one PC to another. A computer virus infects an executable file, like a program, the way a biological virus infects a cell. When it gets the chance, it infects another file, and thus spreads.
Or perhaps I should say used to spread. Over the last few years, rogue programmers have found better ways to infect your computer, more suited for the Internet and email age. For instance, Trojans–programs that trick you into opening them, and infect your computer when you do–are quite popular among the tech-savvy criminal set.
Yet the word virus stays around. Why?
Because viruses were the most prominent form of malware when large numbers of people finally figured out that this was something to worry about. Everyone was talking about viruses in the 1990s. One of them destroyed an evil corporation in seconds, and another saved the world from alien invasion. (And no, I’m not going to tell you what movies I’m talking about; that would be spoiling.)
Thus, to the uninformed, the word virus came to mean any malicious computer program. It’s like using the name Frankenstein to refer to the monster rather than the monster maker.
So check yourself before you tell someone your computer has a virus. You’re probably admitting your own ignorance.
Ineptitude and arrogance cause most PC problems, but vicious software designed to trick you, steal from you, and use your computer to hurt other people do the worst damage. After all, bugs aren’t designed to protect themselves, but “viruses” are.
(Why did I just put the word viruses in quotation marks? Anything that infects your PC today is almost certainly not, technically, a virus. But the word has become a common term for any malicious software, whether it spreads like a virus or not. See Is It a Virus? for details.)
What are some of the signs that you may have an infection?
* Your home page keeps changing, or web searches keep taking you to the wrong page.
* Software that should protect you, like your anti-virus program, can’t update or no longer works properly.
* Common programs you can use to configure your system, such as msconfig or System Restore, stop working.
* Your computer accesses the Internet a lot when you’re not using the Internet.
* Your security software tells you that you have an infection, but can’t get rid of it.
If you think you have an infection, try the following four fixes, in this order. And use them all, even if the second one solves the problem.
1) Accept that your anti-virus program has failed. Don’t be too hard on it; you just had the misfortune to get the malware before the update that would have protected you from it. But until everything else is fixed, your current software probably isn’t working.
2) Restore the system. Select Start, All Programs, Accessories, System Tools, System Restore. Follow the prompts to restore from a time before you started having the problem. If you don’t have a restore point that old, go on to step 3. If System Restore fails to work, reboot into Safe Mode (reboot, then press F8 before Windows starts loading; it may take a few tries to get the timing right) and try System Restore there.
3) Get a second opinion from another security program. I recommend the free version of either SUPERAntiSpyware or Malwarebytes’ Anti-Malware. Download the program, install it, and have it scan your hard drive and eliminate what it finds.
4) Get a third opinion. Repeat with the other of those two programs.
If you’re not satisfied that you’re now clean, download and install another free program: Trend Micro’s HijackThis. This one doesn’t actually fix anything, but it gives you a very thorough, and for most people, thoroughly unreadable report. But someone who knows what they’re doing can study this report and figure out what your problem is and what you can do about it.
Spyware is a general term used to describe software that performs certain behaviors, generally without appropriately obtaining your consent first, such as:
* Collecting personal information
* Changing the configuration of your computer
Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.
Trading tracking for services
That does not mean all software that provides ads or tracks your online activities is bad. For example, you might sign up for a free music service, but you “pay” for the service by agreeing to receive targeted ads. If you understand the terms and agree to them, you may have decided that it is a fair tradeoff. You might also agree to let the company track your online activities to determine which ads to show you.
What spyware does
Other kinds of spyware make changes to your computer that can be annoying and can cause your computer to slow down or crash.
These programs can change your Web browser’s home page or search page, or add additional components to your browser you don’t need or want. They also make it very difficult for you to change your settings back to the way you had them.
Know what you’re installing
The key in all cases is whether or not you (or someone who uses your computer) understand what the software will do and have agreed to install the software on your computer.
A common trick is to covertly install the software during the installation of other software you want such as a music or video file sharing program.
Whenever you install something on your computer, make sure you carefully read all disclosures, including the license agreement and privacy statement. Sometimes the inclusion of unwanted software in a given software installation is documented, but it might appear at the end of a license agreement or privacy statement.
There are a number of ways spyware or other unwanted software can get on your computer. To learn more about spyware, read How to help prevent spyware.
Oh, the deck is stacked. Don’t think for a minute it’s not. As a technology professional responsible for securing office networks, workstations, and servers from viruses, spyware, adware, Trojans, and other malware infections, I can tell you that the situation is only getting worse.
A Computer Economics report showed that annual worldwide malware expenses increased by $10 billion (to $13 billion) over a recent 10-year span. Google Research suggests that one in every 10 Web sites is infected with “drive-by” malware. In June 2009, the Windows Secrets e-newsletter reported that such seemingly safe Web sites as Coldwell Banker.com, Variety.com, and even Tennis.com were exposing Internet Explorer visitors to the Gumblar exploit, which threatens to compromise visitors’ systems in order to propagate.
IT professionals must encourage their users to follow several security practices to minimize virus, spyware, and malware exposure. But many computer techs are too busy to spread the word, or they don’t have the time to build an appropriate memo or handout.
With that in mind, here’s a handy reference list of 10 steps end users can adopt to avoid infection (including when using home systems to read and send work e-mail, create, edit, and distribute documents and spreadsheets, access the corporate VPN, and perform other office tasks). Post this list on your Intranet, distribute it in an e-mail, or download the PDF version and pass it along to end users. Just be sure the word gets out. Otherwise, you’re likely to find yourself losing precious time cleaning and repairing infected systems or entire networks.
1: Install quality antivirus
Many computer users believe free antivirus applications, such as those included with an Internet service provider’s bundled service offering, are sufficient to protect a computer from virus or spyware infection. However, such free anti-malware programs typically don’t provide adequate protection from the ever-growing list of threats.
Instead, all Windows users should install professional, business-grade antivirus software on their PCs. Pro-grade antivirus programs update more frequently throughout the day (thereby providing timely protection against fast-emerging vulnerabilities), protect against a wider range of threats (such as rootkits), and enable additional protective features (such as custom scans).
2: Install real-time anti-spyware protection
Many computer users mistakenly believe that a single antivirus program with integrated spyware protection provides sufficient safeguards from adware and spyware. Others think free anti-spyware applications, combined with an antivirus utility, deliver capable protection from the skyrocketing number of spyware threats.
Unfortunately, that’s just not the case. Most free anti-spyware programs do not provide real-time, or active, protection from adware, Trojan, and other spyware infections. While many free programs can detect spyware threats once they’ve infected a system, typically professional (or fully paid and licensed) anti-spyware programs are required to prevent infections and fully remove those infections already present.
3: Keep anti-malware applications current
Antivirus and anti-spyware programs require regular signature and database updates. Without these critical updates, anti-malware programs are unable to protect PCs from the latest threats.
In early 2009, antivirus provider AVG released statistics revealing that a lot of serious computer threats are secretive and fast-moving. Many of these infections are short-lived, but they’re estimated to infect as many as 100,000 to 300,000 new Web sites a day.
Computer users must keep their antivirus and anti-spyware applications up to date. All Windows users must take measures to prevent license expiration, thereby ensuring that their anti-malware programs stay current and continue providing protection against the most recent threats. Those threats now spread with alarming speed, thanks to the popularity of such social media sites as Twitter, Facebook, and MySpace.
4: Perform daily scans
Occasionally, virus and spyware threats escape a system’s active protective engines and infect a system. The sheer number and volume of potential and new threats make it inevitable that particularly inventive infections will outsmart security software. In other cases, users may inadvertently instruct anti-malware software to allow a virus or spyware program to run.
Regardless of the infection source, enabling complete, daily scans of a system’s entire hard drive adds another layer of protection. These daily scans can be invaluable in detecting, isolating, and removing infections that initially escape security software’s attention.
5: Disable autorun
Many viruses work by attaching themselves to a drive and automatically installing themselves on any other media connected to the system. As a result, connecting any network drives, external hard disks, or even thumb drives to a system can result in the automatic propagation of such threats.
Computer users can disable the Windows autorun feature by following Microsoft’s recommendations, which differ by operating system. Microsoft Knowledge Base articles 967715 and 967940 are frequently referenced for this purpose.
6: Disable image previews in Outlook
Simply receiving an infected Outlook e-mail message, one in which graphics code is used to enable the virus’ execution, can result in a virus infection. Protect against automatic infection by disabling image previews in Outlook.
By default, newer versions of Microsoft Outlook do not automatically display images. But if you or another user has changed the default security settings, you can switch them back (using Outlook 2007) by going to Tools | Trust Center, highlighting the Automatic Download option, and selecting Don’t Download Pictures Automatically In HTML E-Mail Messages Or RSS.
7: Don’t click on email links or attachments
It’s a mantra most every Windows user has heard repeatedly: Don’t click on email links or attachments. Yet users frequently fail to heed the warning.
Whether distracted, trustful of friends or colleagues they know, or simply fooled by a crafty email message, many users forget to be wary of links and attachments included within email messages, regardless of the source. Simply clicking on an email link or attachment can, within minutes, corrupt Windows, infect other machines, and destroy critical data.
Users should never click on email attachments without at least first scanning them for viruses using a business-class anti-malware application. As for clicking on links, users should access Web sites by opening a browser and manually navigating to the sites in question.
8: Surf smart
Many business-class anti-malware applications include browser plug-ins that help protect against drive-by infections, phishing attacks (in which pages purport to serve one function when in fact they try to steal personal, financial, or other sensitive information), and similar exploits. Still others provide “link protection,” in which Web links are checked against databases of known-bad pages.
Whenever possible, these preventive features should be deployed and enabled. Unless the plug-ins interfere with normal Web browsing, users should leave them enabled. The same is true for automatic pop-up blockers, such as are included in Internet Explorer 8, Google’s toolbar, and other popular browser toolbars.
Regardless, users should never enter user account, personal, financial, or other sensitive information on any Web page at which they haven’t manually arrived. They should instead open a Web browser, enter the address of the page they need to reach, and enter their information that way, instead of clicking on a hyperlink and assuming the link has directed them to the proper URL. Hyperlinks contained within an e-mail message often redirect users to fraudulent, fake, or unauthorized Web sites. By entering Web addresses manually, users can help ensure that they arrive at the actual page they intend.
But even manual entry isn’t foolproof. Hence the justification for step 10: Deploy DNS protection. More on that in a moment.
9: Use a hardware-based firewall
Technology professionals and others argue the benefits of software- versus hardware-based firewalls. Often, users encounter trouble trying to share printers, access network resources, and perform other tasks when deploying third-party software-based firewalls. As a result, I’ve seen many cases where firewalls have simply been disabled altogether.
But a reliable firewall is indispensable, as it protects computers from a wide variety of exploits, malicious network traffic, viruses, worms, and other vulnerabilities. Unfortunately, by itself, the software-based firewall included with Windows isn’t sufficient to protect systems from the myriad robotic attacks affecting all Internet-connected systems. For this reason, all PCs connected to the Internet should be secured behind a capable hardware-based firewall.
10: Deploy DNS protection
Internet access introduces a wide variety of security risks. Among the most disconcerting may be drive-by infections, in which users only need to visit a compromised Web page to infect their own PCs (and potentially begin infecting those of customers, colleagues, and other staff).
Another worry is Web sites that distribute infected programs, applications, and Trojan files. Still another threat exists in the form of poisoned DNS attacks, whereby a compromised DNS server directs you to an unauthorized Web server. These compromised DNS servers are typically your ISP’s systems, which usually translate friendly URLs such as yahoo.com to numeric IP addresses like 184.108.40.206.
Users can protect themselves from all these threats by changing the way their computers process DNS services. While a computer professional may be required to implement the switch, OpenDNS offers free DNS services to protect users against common phishing, spyware, and other Web-based hazards.
There’s no question that vocabulary is a problem in the antispyware business. The word spyware, which strictly speaking refers to programs that monitor user activity by logging keystrokes, sites visited, or other personal data, has come to encompass threats that don’t fall within those parameters. Adware, a class of software that delivers ads to users, is often subsumed into the spyware category, and the programs developed to fight spyware took on adware as well—in large part because the antivirus companies initially tended to ignore both. Further confusing the issue, antispyware programs also often tackle cookies, dialers, Trojan horses, and downloaders.
Each antispyware company has put forth definitions and standards indicating the types of programs it identifies and the actions it takes to deal with them. But such “proprietary” definitions have gotten companies in trouble, as in July when Microsoft reclassified several notorious adware programs to a less severe designation, asserting that its definitions required it. Under the new “low” threat rating for Claria’s GAIN, the recommended action would be to ignore the software rather than remove it. Microsoft’s published definitions aren’t detailed enough for third parties to verify or refute its claims, but users derided the reclassification.
This isn’t the first attempt to define spyware. An earlier industry consortium effort called COAST fell apart after it admitted an adware vendor. Almost all the same antispyware companies are part of ASC, but no adware companies are included yet.
So far, it’s hard to see what the ASC documents accomplish. Sunbelt Software stayed away from ASC because it argues that adware vendors have the most to gain from consistent definitions. The authors of adware and spyware are innovative and fast-moving, and they spend as much time trying to fool antispyware programs as they do trying to fool users. Giving them consistent definitions would help them work within the loopholes in those definitions.
Moreover, there’s a lot more to writing antispyware than just defining terms. Which threats, for example, should merit a default action of Remove? What language in end-user license agreements is proper? What information needs to be disclosed during installation? These are some of the important and difficult decisions in the antispyware business, and the ASC documents don’t address them at all.
The other potentially important ASC document describes a dispute resolution process for vendors who don’t like the way they’ve been classified. This process, however, also seems likely to be more useful to spyware vendors. And potential legal liability may dilute the way software is classified. For instance, faced with vendors who objected to having their products described as spyware or adware, the Internet security company McAfee created the term PUP (potentially unwanted program) to describe programs that aren’t exactly malware, but which users may download inadvertently and would probably avoid if they realized what was happening. Symantec entered the antispyware arena using a definition process that sounds more like a 12-step program.
So what do the ASC documents do for the poor end-user? Not a whole lot, it seems to us. Formalized definitions are more likely to constrain legitimate software than to limit the activities of spyware and adware vendors. In addition to relying on an antispyware vendor’s software and its judgments about the threat landscape, you should continue to cast a wary eye and be alert for signs that may indicate programs you’d prefer to avoid.
Windows XP/Vista store the DNS information of Web sites you’ve visited, to reach those sites faster each time you access them. The cache sometimes gets corrupted or stores a lot of unusable data, and that leads to slower Internet response times. To clear the cache, go to the command prompt and type ipconfig /flushdns. The command purges the DNS cache and restores your Internet access speed.