Security

For about the 4,000th time in the last five years, I tried to sign up for a new Web service, but it wouldn't accept my proposed password. Apparently, the site operators decided that passwords should contain only letters and numbers. Aarrrrgh! This isn't the first time I've seen this idiocy, and it won't be the last. But it should be.

Guidelines on how to construct a strong password almost uniformly recommend using a mixture of upper and lower case letters, numbers, and symbols. Tools for generating passwords (for example, strongpasswordgenerator.com) encourage the use of symbols. There's even a mathematical formula that precisely calibrates how much more unguessable symbols make a password. So why don't sites support symbols in passwords? It makes no sense.

The strongest case against limited-character passwords isn't technical. It's not about "information entropy." It's about human factors and behaviors. Human factors dominate the success (or failure) of all information systems, including password systems. Humans are lousy at choosing random or quasi-random sequences--exactly the kind of high-entropy, hard-to-guess passwords that information security professionals think ideal. People are even worse at remembering said passwords.

So the pragmatic balance is a middle ground--passwords that are strong enough to thwart hackers' brute-force attacks and guessing algorithms, but easy enough that when someone is presented with a sign-in prompt, they're not stumped, frustrated, and ready to reset all their pass codes back to something like goofydog that easily lets hackers break into their account.

One good solution is using a password generator, such as PasswordMaker. Give it a Web site's URL, as well as a master password; it hands back a strong password such as Ga9i)t|Z that's unique to that site. A hundred different Web sites? No problem! A hundred different passwords, each of them very strong, yet the user has to remember just one (or for the very paranoid, a few) master passwords. For those using Firefox, there's even a plug-in; give it your master password once (per browsing session), and a single keypress automatically fills in the correct strong password whenever it's needed. It's not quite smart card or SecurID strong, but it's plenty strong for most uses, yet easy.

Sites that restrict the characters that can be used in passwords--they are the monkey wrench in this machine, the fly in this ointment. They don't accept the strongest of passwords, thus thwarting users' attempts to pragmatically balance password strength and ease by using password generators. This just encourages users to fall back to easy-to-remember, easy-to-hack passwords. Sigh. Sites that restrict password characters? You are doing it wrong.

While we're waiting for the laggard site operators to get passwords right, there is a good fallback: mnemonic abbreviations. Take a phrase you can easily remember, and turn it into an acronym. For example, "Coffee is my favorite beverage on Planet Earth" might become CimfboPE. You can spruce this up a little further, if you like, by doing letter-number substitution (e.g. 0 for o, 1 for i, 3 for e, and so on,). Hackers probably aren't going to guess C1mfb0PE any time soon, yet it's surprisingly easy to recall when it's needed. Farhad Manjoo's article "Fix your terrible, insecure passwords in five minutes" explains this technique well. For some, mnemonic abbreviations are a fallback; for others, they may be strong enough to use for all passwords. After all, anything's better than goofydog.

Red means danger. And orange offers plenty of risk, too. (Click for a larger view of the map.)

(Credit: McAfee)

You may want to think twice if you hit a site with a .cm extension. That belongs to Cameroon, pegged by McAfee as the world's riskiest domain.

McAfee's third annual "Mapping the Mal Web" report, released Wednesday, looks at riskiest and safest domains across the globe. The small nation on the west coast of Africa reached the top spot this year with 36.7 percent of its sites posing a security risk. Because .cm is often a typo for .com, McAfee said, cybercrooks like to use that domain to set up typo-squatted sites to hit you with malware.

The generic and widely used .com domain itself isn't much safer, according to McAfee, jumping from ninth last year to second this year in riskiness, with 32.2 percent of its sites potentially hazardous to your PC's health.

(Credit: McAfee)

Romania (.ro) is tagged as the riskiest domain for malicious downloads, with 21 percent of its sites delivering payloads of viruses, spyware, and adware. The information (.info) domain is seen by McAfee as the most "spammy," with 17.2 percent of its sites generating junk mail.

On the positive side, the government (.gov) is the safest generic domain with essentially 0 percent risk, while Japan (.jp) proved the safest country domain with a rating of only 0.1 percent. Last year's riskiest domain, Hong Kong (.hk) dropped to 34th place with a risk rating of only 1.1 percent, which McAfee attributed to the country's aggressive steps to stop scam-related domain registrations.

(Credit: McAfee)

"This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer," Mike Gallagher, chief technology officer for McAfee Labs, said in a statement. "Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught."

Overall, looking at 27 million Web sites and 104 top-level domains, McAfee found that 1.5 million sites, or 5.8 percent, were risky. That's up from 4.1 percent from the past two years, although the comparison is not direct since McAfee said it changed its rating methodology since then.

McAfee noted that cybercriminals who create domains to scam people prefer registrars with cheap prices, volume discounts, and hefty refund policies. Crooks also like registrars with a "no questions asked" policy and that act slowly or not at all when informed of malicious domains.

The Electronic Frontier Foundation sued the CIA, the U.S. Department of Defense, Department of Justice, and three other government agencies on Tuesday for allegedly refusing to release information about how they are using social networks in surveillance and investigations.

The nonprofit Internet rights watchdog group formally asked more than a dozen agencies or departments in early October to provide records about federal guidelines on the use of sites like Facebook, Twitter, and Flickr for investigative or data gathering purposes, according to the lawsuit.

The requests were prompted by published news reports about how authorities are using social networks to monitor citizen activities and aid in investigations. For example, according to the lawsuit, government officials have: used Facebook to hunt for fugitives and search for evidence of underage drinking; researched the activities of an activist on Facebook and LinkedIn; watched YouTube to identify riot suspects; searched the home of a social worker because of Twitter messages regarding police actions he sent during the G-20 summit; and used fake identities to trick Facebook users into accepting friend requests.

The EFF needs access to the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections," the lawsuit said.

None of the agencies contacted had complied with the EFF's Freedom of Information Act (FOIA) requests and only one, the IRS, had asked for an extension, according to the suit.

The suit, filed in federal court in San Francisco, names the defendants as the CIA, the office of the Director of National Intelligence, and the departments of Defense, Justice, Homeland Security, and Treasury.

The FOIA requests and the lawsuit were filed on behalf of the EFF by the Samuelson Law, Technology, and Public Policy Clinic at the University of California at Berkeley School of Law.

Government surveillance of citizens, particularly in areas they consider private, should have oversight, said Shane Witnov, a law student who worked on the case for the Samuelson Clinic.

"Social-networking sites are becoming a part of the way we communicate every day and everyone thinks they are sharing information [on the sites] with just their friends," he said. "Governments are using the sites but not in the way [citizens] expect when they sign up."

The government agencies could not be reached for comment Tuesday afternoon.

Updated 4:55 p.m. PST with comment from Samuelson Clinic law student.

Updated 5:10 p.m. PST with information about later versions of the e-mail campaign directing to a landing page with hidden code that uses an Adobe exploit to try to download malware onto the system.

The e-mail appears to be from the CDC but directs people to a fake CDC site that serves up a Trojan.

(Credit: AppRiver)

You can ignore that e-mail that looks like it comes from the U.S. Centers for Disease Control and Prevention about creating a profile for an H1N1 vaccination program. It's a malware scam, according to security provider AppRiver.

The fake alert informs recipients that as part of a "State Vaccination H1N1 Program" they need to create a profile on the CDC Web site. The link in the e-mail goes to a fake CDC page where the visitor is assigned a temporary ID and a link to a vaccination profile that is actually an an executable file containing a copy of the Kryptik Trojan targeting Windows, according to an AppRiver blog post on Tuesday.

Once installed, "this Trojan will create a security-free gateway on your system and will proceed to download and install additional malware without your authorization," the post warns. "It also enables a remote hacker to take complete control of your computer. This malware can log your typed keystrokes and send confidential personal and financial data (including banking information, credit card numbers, and website passwords) to a remote hacker."

AppRiver said it was seeing the fake CDC e-mails at a rate of nearly 18,000 messages per minute, reaching more than 1 million in the first hour alone.

The malware campaign apparently got more dangerous as the day wore on. In later iterations of the fake CDC e-mail, the landing page that the link led to contained a hidden iFrame that pointed to a site hosted in Ukraine, according to Symantec. In the background, the iFrame checks to see if the system is running an unpatched version of Adobe Reader, Acrobat or Flash Player and if so it uses an exploit to download a file to the system, the company said.

"During testing, our detections picked up the Adobe exploitation attempts using generic IPS and AV signatures," a Symantec spokesperson said.

This screen shot shows the fake CDC Web page that is distributing the Trojan.

(Credit: AppRiver)

IBM said Monday that it has acquired database security firm Guardium.

Guardium is a leading vendor in monitoring and protecting databases for large enterprises. In addition to securing the data and watching database activity, Guardium's technology can automate certain tasks to assist businesses with regulatory compliance, said IBM. Big Blue expects the acquisition to help its customers better shield their critical databases against both external and internal threats.

Guardium can check for specific patterns and anomalies when information is accessed, said IBM, allowing enterprises to maintain the integrity of their data. Guardium's technology can also detect fraud and unauthorized access to a database by way of an enterprise application, such as a company's ERP or CRM software.

"Organizations are grappling with government mandates, industry standards and business demands to ensure that their critical data is protected against internal and external threats," said Arvind Krishna, general manager of IBM Information Management, in a statement. "This acquisition is another significant step in our abilities to help clients govern and monitor their data, and ultimately make their information more secure throughout its lifecycle."

Guardium, a privately held company based in Waltham, Mass., will be integrated into IBM's Information Management Software portfolio.

Big Blue hasn't been shy about buying companies this year to increase the scope of its business services. In July, the company picked up analytics and information forecaster SPSS for $1.2 billion. With security a vital need for its customers, IBM also acquired security provider Ounce Labs around the same time.

Financial terms of the Guardium deal were not disclosed.

Microsoft has begun a campaign to actively urge users of its 8-year-old Internet Explorer 6 browser to upgrade.

After launching IE 8 in March, Micosoft has concurred with critics that IE 6 is outdated. Many people have dropped the older browser, but the remaining users are often the tough cases--those who don't have a choice because of corporate computing policy or who aren't tech-savvy enough to realize there's a reason to move on.

This eBay 'Web slice'--basically a live bookmark in Internet Explorer 8--is part of Microsoft's effort to get people to upgrade from IE 6.

(Credit: Screenshot by Stephen Shankland/CNET)

It's this latter population Microsoft is targeting with a campaign that runs through June 2010 that touts its own IE 8 as a better alternative. The campaign's first visible elements are a video aimed at online holiday shoppers and a Web slice to promote daily deals at eBay. Web slices are basically live bookmarks that can show miniature Web pages in the browser.

"What we're doing with the outreach is help users understand how to protect themselves against social engineering threats that exist and to help people understand how Internet Explorer 8 puts people in control of their own privacy online," said Ryan Servatius, senior product manager for Internet Explorer. Security was one of the big problems with IE 6, and Microsoft now boasts that security features in IE 8 block 2 million malware sites a day.

According to Net Applications' statistics, Internet Explorer 6 is still the most widely used browser, with 23.3 percent share of usage in October, followed by IE 7 at 18.2 percent and IE 8 at 18.1 percent. The newer browsers are gaining on IE 6, but so are rivals including Mozilla's Firefox, Apple's Safari, and Google's Chrome.

Web developers often gripe about having to support IE 6, which doesn't support many modern features for more sophisticated Web sites and even applications. Microsoft acknowledges that it's holding back development of the Internet, too.

"The best thing a user can do to advance the Web is to help move people off IE 6," Servatius said.

Of course, many will upgrade to IE 8 by buying Windows 7. IE 6 was the browser that shipped with Windows XP, which remains entrenched, but there are signs Windows 7 is a more compelling successor than Windows Vista. That could help the corporate customers move away from IE 6, Servatius said.

"As enterprises migrate from whatever operating system they're using today to Windows 7, that's going to help deprecate IE 6," he said. "What we're doing is working both with consumers worldwide and IT professionals to help them understand what the benefits of a modern browser are."

Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pick pockets at the mall, or getting the flu from all those fellow shoppers.

But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.

Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.

Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.

Know the merchant: : If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Eopinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping . Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.

Look for trust seals, but verify they're legitimate

(Credit: BBBOnline)

It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.

When you're about to enter your credit card, make sure you're on a "secure "site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.

If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.

Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.

Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.

It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.

Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.

Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.

Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."

Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low --another good reason to be cheerful during the holiday season.

As the World Trade Center and Pentagon were ablaze on September 11, 2001, the U.S. Secret Service's presidential protective detail was informed that a "Korean airliner has been hijacked" en route to San Francisco, prompting already-skittish agents to worry about another wave of terrorist attacks.

That morning and afternoon, Secret Service agents assigned to protect the president and his family found their pagers constantly buzzing with alerts both true and false. There was a false alarm about a car bomb in downtown Washington, D.C., a report of "two Arab males detained" after asking for directions to the presidential retreat at Camp David, and reassurances that "Twinkle and Turq"--code names for the Bush daughters--were safe and accounted for.

This unusual glimpse into the events of 9/11 comes from messages sent to alphanumeric pagers that were anonymously published on the Internet on Wednesday, via WikiLeaks.org....

Read the full story of "Egads! Confidential 9/11 Pager Messages Disclosed at CBSNews.com.

With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.

In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and easier to re-install the operating system.

(Credit: Google)

Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.

"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.

Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.

Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.

For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.

Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.

With Chrome, "applications can't just download any binary and run it," Sengupta said.

Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)

"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."

If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.

Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.

All user data stored by the operating system, browser, and any plug-ins are encrypted and users cannot access each others' data on a shared device, according to the Chrome OS security page.

Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.

In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.

Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.

There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.

Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.

Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.

Updated November 24to clarify that Bluetooth is not being considered for authentication.