Archive for July, 2012

So you thought you had locked down your Windows laptop, desktop or server by choosing a strong password that only you would know, right? Nice try, but not quite…

What you might not have realized is that if an attacker can get physical access to your PC (either through theft or just using it while you’re away), they can reset that password to one of their own choosing, log on and have their way with your system. In fact, it’s quite easy to do if you have the right tools and said tools are readily available in both free and fee formats.

There are a number of variations on this theme, but a common scenario involves booting from a Linux CD, mounting the Windows system drive and running a tool that rewrites the local account’s entry in the SAM registry hive, either blanking the password or replacing its hash with one for a password of the attacker’s choosing. The next time Windows boots, the new password is in effect. The whole process can be done with scary efficiency in about 2 minutes (give or take).

This technique works for local accounts with administrator rights just as well as for non-admin accounts, which means that the attacker can take complete control of the system at that point.

There are legitimate reasons to do all of this if you’re in Tech Support and a user has forgotten their Windows password (or you just happen to be the unpaid tech support for a friend or relative who has found themselves in the same predicament), and there are commercial tools that simplify the process described previously (if you don’t enjoy fiddling with other OSs). So, in other words, like many things in IT Security, it can be used for good or bad.

How should you protect yourself from having this happen without your permission? One option would be to never stray more than about 18 inches from your laptop and guard it unceasingly.

That might work if you have no life, no friends and no significant other, but a better option would be to opt for whole disk encryption. That way the hard drive can only be read (or booted) by someone who can supply the proper password or key at boot. The techniques for overwriting the Windows Registry won’t work, since the registry hives, including the one holding the password hashes, are ciphertext on disk without the drive encryption password, and nothing can be mounted, let alone edited.

Of course, if you do this, then you’d better make sure you don’t lose the encryption password (or have a secure means of recovering it) or you could end up with an expensive paperweight…

Actually the conference is in Scottsdale but Glen Campbell probably wouldn’t think that has quite the same ring to it, hence the poetic license.

Anyway, I’ll be presenting on the topic of “Creating an End-to-End Identity Management Architecture” at the IT Audit & Controls Conference on Oct 31, 2012. You can click on the graphic below to view logistics and the detailed agenda. Hope to see you there…

Here’s a link to a Raleigh News & Observer Stump the Geeks column where I was asked to comment on a user’s recurring nightmare with pop-up ads.

For the most part, pop-ups of the sort described by the unlucky soul submitting this question are the result of downloading stuff you shouldn’t. A search bar, a freeware tool, an email attachment of dubious origins — any of these could result in a surreptitious placement of parasites on your computer that will nag you incessantly to visit some web site whose claims are best categorized with the 2:00 am infomercial ilk.

Ironically, many of these ads promise to speed up a lagging computer that is infested with spyware — the very stuff that likely caused the barrage of pop-ups in the first place. Best not to go down that rabbit hole …

What do LinkedIn, eHarmony and Yahoo all have in common? Other than the fact that all three are popular web sites with millions of users, they also share the ignominious distinction of having recent security breaches where massive numbers of passwords have been compromised.

As I wrote here recently, LinkedIn, a professional networking site, had an exposure of about 6 million passwords. The good news was that the passwords were hashed, which means they were run through a one-way function that, if done correctly, can’t be reversed to recover the password (the only way back is to hash candidate passwords and compare). The problem is that the hashes weren’t salted, which makes them less delicious — I mean, less secure.

Salting involves appending a random value (the salt) to each password before it is hashed and storing the salt alongside the hash. Because every user gets a different salt, two users with the same password no longer produce the same hash, and a cracker (no, not the edible kind, but the ones who break these schemes) can’t precompute a table of hashes for common passwords and look every account up in it. Each account has to be attacked separately, so cracking a whole dump costs one full pass over the wordlist per user instead of one pass in total.

So, all that stuff you’ve been hearing about cutting back on salt may or may not be great advice from a medical standpoint (that’s a debate for another blog) but scrimping on the salt when it comes to password hashing is definitely bad for your online identity’s health.

Then along comes eHarmony who not only skipped the salt, they also chose a relatively weak hashing algorithm (MD5, which is fast and therefore cheap to brute force) and, if that weren’t enough, they converted all passwords to upper case before hashing them. That throws away a factor of two for every letter in the password, so a single guess of PASSWORD also covers Password, pAsSwOrD and every other capitalization, and the brute force attack finishes dramatically sooner.
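To make the salting and upper-casing points concrete, here is an added example (my own code, not from the original post or from any of the companies named). It assumes a bare, unsalted SHA-1 for the LinkedIn-style store, which the post does not specify, and runs a small dictionary attack over a constructed user table and wordlist; none of the data is from a real breach.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration: four fictitious users and a
# tiny "wordlist" of common passwords. Nothing here is real breach data.
USER_PASSWORDS = {
    "alice": "letmein",
    "bob": "letmein",        # same password as alice
    "carol": "Tr0ub4dor&3",  # not in the wordlist
    "dave": "password",
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "abc123"]


def unsalted_sha1(password):
    """Unsalted storage (assumed LinkedIn-style): a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def upper_md5(password):
    """eHarmony-style storage as the post describes: upper-cased, then MD5, no salt."""
    return hashlib.md5(password.upper().encode()).hexdigest()


def salted_sha1(password, salt=None):
    """Salted storage: a fresh random salt per user, stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password, salt_hex, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_sha1(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(stored, wordlist, hash_fn):
    """Attack an unsalted store: hash the wordlist once, then look every user up.
    Returns (cracked_passwords, number_of_hash_computations)."""
    table = {hash_fn(word): word for word in wordlist}  # one hash per word, reused for all users
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stored, wordlist):
    """Attack a salted store: each user needs their own pass over the wordlist,
    because a table built for one salt is useless against every other salt."""
    cracked, work = {}, 0
    for user, (salt_hex, digest) in stored.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, salt_hex, digest):
                cracked[user] = word
                break
    return cracked, work


def case_variants(word):
    """How many distinct passwords collapse into one guess once case is thrown away."""
    return 2 ** sum(c.isalpha() for c in word)


def pbkdf2_store(password, salt=None, iterations=600_000):
    """What a password store should actually do: salted and deliberately slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in USER_PASSWORDS.items()}
    salted = {u: salted_sha1(p) for u, p in USER_PASSWORDS.items()}
    print("alice and bob share an unsalted hash:", unsalted["alice"] == unsalted["bob"])
    print("alice and bob share a salted hash:  ", salted["alice"][1] == salted["bob"][1])
    print("unsalted attack (cracked, hash computations):", crack_unsalted(unsalted, WORDLIST, unsalted_sha1))
    print("salted attack   (cracked, hash computations):", crack_salted(salted, WORDLIST))
    print("'Password' and 'PASSWORD' collide under upper-MD5:", upper_md5("Password") == upper_md5("PASSWORD"))
    print("capitalizations of 'password' covered by one guess:", case_variants("password"))
```

Against the unsalted store the attacker hashes the five words once and cracks three accounts with five hash computations, and alice and bob are visibly the same password before any cracking happens. Against the salted store the same three accounts fall, but only after thirteen computations, and the cost grows linearly with the number of users; that per-user cost is what a salt buys. The upper-casing turns the 256 capitalizations of an eight-letter word into a single guess. The last function shows the actual remedy: a salted and deliberately slow password hash (here PBKDF2 from the standard library) rather than a bare fast digest.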

Not to be outdone, Yahoo Voices, which currently holds the lead in this race to the bottom, not only did away with the salt, they didn’t bother with hashing either. That’s right — the passwords were actually stored in the clear and, ultimately revealed to all.

Yahoo’s position that this really isn’t that big of a deal since most of the accounts were dormant misses the larger issue and that is that, human nature being what it is, people tend to opt for the path of least resistance and use the same password for many (if not all) of their online accounts. This means that if I know what your Yahoo, eHarmony or LinkedIn password is, I’ve got a pretty good idea what the password is to your Gmail account, your bank account and so on.

The lesson here is that everyone should be using some sort of single sign-on or password manager so that they can maintain a unique, randomly chosen, hard to guess password for every site they visit, and if you are on the IT side of things maintaining a store of user passwords, by all means, don’t skip the salt, and use a hashing algorithm designed for passwords (salted and deliberately slow) rather than a bare, fast one like MD5…

For those of you in the London area (or those who would like to be), I’ll be presenting on the topic of social media security threats with a focus on identity management aspects at Data Management and Information Quality Conference Europe 2012 on 7 November. Please look me up if you are planning to attend.


Water is still wet

Posted: July 2, 2012 in Uncategorized

Here’s a good CNET article on the adjustment Apple made recently to their public statement regarding OS X and malware…

http://news.cnet.com/8301-13579_3-57460041-37/apple-adjusts-its-tune-on-security-in-os-x/


As I mentioned in a previous post, Apple has previously indicated that Mac users didn’t have to worry about viruses and implied that this was due to some basic invulnerability within the operating system. They have wisely started to back off of that position but may not have really gone far enough just yet.

Where they once used to say that:

“A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers”

a statement which is misleading since Macs are, in fact, vulnerable to other malware (albeit in far fewer instances). Now the wording is:

“Built-in defenses in OS X keep you safe from unknowingly downloading malicious software.”

This is better but still leaves the impression that Macs are inherently safe, which they aren’t. In fact, no computer is.

As long as software contains bugs, a certain percentage of those bugs will be security-related and someone is bound to eventually discover these vulnerabilities and try to exploit them.

That was true then and it’s true now and it always will be regardless of which OS you choose to use.

And in other news, water is still wet …