Showing posts with label Administrator. Show all posts

Sunday, September 5, 2010

A Strong Password Isn't The Strongest Security

Make your password strong, with a unique jumble of letters, numbers and punctuation marks. But memorize it, never write it down. And, oh yes, change it every few months. These instructions are supposed to protect us. But they don’t!

Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.


Here’s one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes — including the strongest passwords you can concoct — and then sends them surreptitiously to a remote location.

“Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords,” says Cormac Herley, a principal researcher at Microsoft Research who specializes in security-related topics. He said antivirus software could detect and block many kinds of keyloggers, but “there’s no guarantee that it gets everything.”

After investigating password requirements in a variety of settings, Mr. Herley is critical not of users but of system administrators who aren’t paying enough attention to the inconvenience of making people comply with arcane rules. “It is not users who need to be better educated on the risks of various attacks, but the security community,” he said at a meeting of security professionals, the New Security Paradigms Workshop, at Queen’s College in Oxford, England. “Security advice simply offers a bad cost-benefit tradeoff to users.”

One might guess that heavily trafficked Web sites — especially those that provide access to users’ financial information — would have requirements for strong passwords. But it turns out that password policies of many such sites are among the most relaxed. These sites don’t publicly discuss security breaches, but Mr. Herley said it “isn’t plausible” that these sites would use such policies if their users weren’t adequately protected from attacks by those who do not know the password.

Mr. Herley, working with Dinei Florêncio, also at Microsoft Research, looked at the password policies of 75 Web sites. At the Symposium on Usable Privacy and Security, held in July in Redmond, Wash., they reported that the sites that allowed relatively weak passwords were busy commercial destinations, including PayPal, Amazon.com and Fidelity Investments. The sites that insisted on very complex passwords were mostly government and university sites. What accounts for the difference? They suggest that “when the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.”

Donald A. Norman, a co-founder of the Nielsen Norman Group, a design consulting firm in Fremont, Calif., makes a similar case. In “When Security Gets in the Way,” an essay published last year, he noted the password rules of Northwestern University, where he then taught. It was a daunting list of 15 requirements. He said unreasonable rules can end up rendering a system less secure: users end up writing down passwords and storing them in places that can be readily discovered.

“These requirements keep out the good guys without deterring the bad guys,” he said.

Northwestern has reduced its password requirements to eight, but they still constitute a challenging maze. For example, the password can’t have more than four sequential characters from the previous seven passwords, and a new password is required every 120 days.

By contrast, Amazon has only one requirement: that the password be at least six characters. That’s it. And hold on to it as long as you like.

A short password wouldn’t work well if an attacker could try every possible combination in quick succession. But as Mr. Herley and Mr. Florêncio note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.”

Roger A. Safian, a senior data security analyst at Northwestern, says that unlike Amazon, the university is unfortunately vulnerable to brute-force attacks in that it doesn’t lock out accounts after failed log-ins. The reason, he says, is that anyone could use a lockout policy to try logging in to a victim’s account, “knowing that you won’t succeed, but also knowing that the victim won’t be able to use the account, either.” (Such thoughts may occur to a student facing an unwelcome exam, who could block a professor from preparations.)

Very short passwords, taken directly from the dictionary, would be permitted in a password system that Mr. Herley and Stuart Schechter at Microsoft Research developed with Michael Mitzenmacher at Harvard.

At the Usenix Workshop on Hot Topics in Security conference, held last month in Washington, the three suggested that Web sites with tens or hundreds of millions of users could let users choose any password they liked — as long as only a tiny percentage selected the same one. That would render a list of most often used passwords useless: by limiting a single password to, say, 100 users among 10 million, the odds of an attacker getting lucky on one attempt per account are astronomically long, Mr. Herley explained in a conversation last month.

Mr. Herley said the proposed system hadn’t been tested and that users might become frustrated in trying to select a password that was no longer available. But he said he believed an anything-is-permitted password system would be welcomed by users sick of being told, “Eat your broccoli; a strong password is good for security.”
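
One way to enforce the popularity cap described above, as an added example that is not from the article or from the researchers' own code: a count-min sketch keyed with a server secret, so that no list of chosen passwords is stored. The class name, the parameters and the sample passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import os


class PopularityLimiter:
    """Count-min sketch that caps how many accounts may share one password."""

    def __init__(self, cap, width=1 << 16, depth=4, key=None):
        assert 1 <= depth <= 8              # SHA-256 yields eight 4-byte slices
        self.cap = cap                      # max accounts allowed per password
        self.width = width                  # counters per row
        self.depth = depth                  # number of hash rows
        # Server-side secret: the counters cannot be queried without it.
        self.key = key or os.urandom(32)
        self.rows = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One keyed digest, sliced into `depth` column indices.
        digest = hmac.new(self.key, password.encode("utf-8"),
                          hashlib.sha256).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.width
                for i in range(self.depth)]

    def estimate(self, password):
        # Minimum over rows: collisions can inflate the count, never deflate
        # it, so the real number of users never exceeds the cap.
        return min(self.rows[r][c] for r, c in enumerate(self._cells(password)))

    def try_choose(self, password):
        """Record the choice and return True, or False if the cap is reached."""
        if self.estimate(password) >= self.cap:
            return False
        for r, c in enumerate(self._cells(password)):
            self.rows[r][c] += 1
        return True


def simulate(cap=100, copies=250):
    """Constructed workload: many users pick the same few passwords."""
    limiter = PopularityLimiter(cap=cap, key=b"\x01" * 32)  # fixed demo key
    accepted = {}
    for pw in ("123456", "password", "letmein"):
        accepted[pw] = sum(limiter.try_choose(pw) for _ in range(copies))
    # Passwords chosen by one user each are unaffected by the cap.
    accepted["unique"] = sum(limiter.try_choose(f"user-{i}-phrase")
                             for i in range(1000))
    return accepted


if __name__ == "__main__":
    print(simulate())
```

Because the sketch can only overestimate, a rare password is occasionally refused early, but a popular one is never admitted past the cap.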

Tuesday, August 10, 2010

Facebook Bug: Decreases the Fan Counts!

Over the past few days many Facebook Page administrators have noticed their fan counts decreasing. If you’ve seen this happen, you are not alone. Facebook has not responded on the issue, which means there is probably a bug which needs to be fixed. Unfortunately there hasn’t been any clarification from Facebook, but don’t worry as many other people have noticed similar issues.

We watched our Facebook Page increasing in popularity earlier this week; however, starting three days ago, the number of fans we have has decreased by over 400. Initially I thought that there had been a temporary surge in fans which was followed by a random mass “unfanning”, something that has never happened before. Even the top Facebook Pages, like Michael Jackson, have seen their fans decreasing.
So what on earth is going on? We have no idea to be honest but rather than not posting about the issue, we’ve decided to make it known that this issue appears to be happening to the vast majority of Facebook Pages. Don’t worry though, your fans should all be intact. We’ll definitely be sure to update this Page once we receive any information from Facebook, who has so far been quiet about the problem.

Facebook addresses this issue with the following statement: “There was a bug that caused an accounting error for the number of people who like a Page. We are working hard to fix this bug and restore the counts as quickly as possible. No fans or data was lost, and news feed distribution has not been affected.”

Wednesday, August 4, 2010

Five Reasons Why Android Will Beat iPhone and BlackBerry

While many iPhone users are reporting high satisfaction, it doesn't matter for the long term. The Android platform will crush all other smartphones in both its sheer number of users and vendors.

Neither Apple nor RIM will give up without a fight, but the writing is on the wall for business owners who don't want to be saddled with the 2013 version of the Sony Betamax. RIM is already facing big challenges from countries like India and Saudi Arabia.

1. Android Rules the Market by Numbers

Sure, Google CEO Eric Schmidt self-servingly told Reuters that 200,000 Android handsets were selling every day--but third-party surveys also routinely show that the platform's momentum is steadily increasing. Thirty-three percent of smartphones sold from April to June were Android handsets, and the system is outstripping RIM (at 28 percent) and iPhone (22 percent), according to the NPD Group. In other words, the American people are voting with their wallets and choosing Android handsets.

2. More Selection and Promotions

The top five Android phones--Motorola Droid, HTC Droid Incredible, HTC EVO 4G, HTC Hero, and HTC Droid Eris--have numerous carriers, including Verizon Wireless, AT&T, Sprint and T-Mobile, according to NPD. Because of the competition among carriers, promotions like Verizon's buy-one, get-one-free, and cut-rate prices will continue to play a significant role in the Android market. For a company having to buy a dozen or more smartphones, this means some serious savings.

3. More Room for Variety and Ideas

While iPhone applications are well-touted, many of Android's apps come straight from Google's gifted engineers, such as Google Goggles, which has image recognition software that can retrieve walking tours or menus. But its apps aren't limited to engineers. Google also developed the open-source App Inventor that allows anyone to create an application for Android. Scary? Perhaps, but the system is definitely open to new ideas--perhaps even one your business can create.

4. Android Is the Innovator

Since Android was developed by Google, many believe that it has a little more tech credibility than other operating systems, but that shouldn't be the only reason to buy an Android smartphone. The idea should be that Android is still relatively new and has some maturing and growing to do before it reaches its apex. Android is still not like the iPhone's walled garden, but it's becoming more functional and user-friendly.

5. Android 2.2 Froyo: A Gift to Your IT Department

No more worries about syncing with Microsoft Exchange, because it's all been ironed out with Android 2.2. The system's new security features, such as remote wipe for administrators, lock-screen timeouts, and minimum password settings, will put critics of previous Android handsets at ease.

While not everyone will love the Android platform, it will soon become the country's mobile OS of choice. You can either choose to embrace it or be prepared to defend why you're holding onto its less popular rival.

Sunday, July 12, 2009

Microsoft confirmed another zero-day vulnerability!!!

Microsoft confirmed another zero-day vulnerability on Monday in a set of software components that ship in a wide variety of the company's products.

The vulnerability resides in Microsoft's Office Web Components, which are used for publishing spreadsheets, charts and databases to the Web, among other functions. The company is working on a patch but did not indicate when it would be released, according to an advisory.
"Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we've only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user," wrote Dave Forstrom, a group manager who is part of Microsoft's Security Response Center, in a blog post.

An ActiveX control is a small add-on program that works in a Web browser to facilitate functions such as downloading programs or security updates. Over the years, however, the controls have been prone to vulnerabilities.
The new flaw comes just a day before the company is set to release its monthly patches, including one for another zero-day vulnerability revealed earlier this month. That problem lies with the Video ActiveX control within Internet Explorer and is currently being used by hackers in drive-by download attempts.

In cases of especially dangerous vulnerabilities, Microsoft has deviated from its patching schedule and issued one out of cycle.

Microsoft said that the flaw could allow an attacker to execute code remotely on a machine if someone using Internet Explorer visits a malicious Web site, a hacking technique known as a drive-by download. Web sites that host user-provided content or advertisements could be rigged to take advantage of the vulnerability.

"In all cases, however, an attacker would have no way to force users to visit these Web sites," the advisory said. "Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site."

Microsoft issued a list of affected software, which includes Office XP Service Pack 3, 2003 Service Pack 3, several versions of Internet Security and Acceleration Server and Office Small Business Accounting 2006, among others.

Until a patch is ready, Microsoft said one option for administrators is to disable Office Web Components from running in Internet Explorer and has provided instructions.

Friday, April 10, 2009

Accessing the Computer without an Administrative Password

We all eventually forget one password or the other and such a problem can be so irritating and unpredictable that it can make quite a huge impact. The problem is even more serious when we forget the administrative password to anything, especially our operating system. In most cases the regular user will choose to format the hard disk and then re-install the operating system in order to solve this problem and unfortunately, such an action usually means that some data will be lost along the way. Although it can be impossible at times to access the personal computer if the administrative password was lost, there are some actions you can take in some cases. You will basically need the computer (which really needs to have the possibility to support a bootable CD-ROM) and the Windows CD-ROM.

The first step you will need to take is to modify your personal computer’s BIOS in order to allow booting from the Windows CD-ROM. Next you have to insert the CD in the drive and boot up the PC. Just wait and when the "Press any key to boot from CD" message appears just press any key. Now go through the entire step by step process until you get to the setup screen. This is where you will have the option to repair or install the operating system. You will need to choose repair and Windows Setup will then start a check on your system and start copying files. After this you will notice that the PC will re-boot automatically.

The next step will depend on your operating system. You basically need to open a command prompt after the reboot and resume the setup process. If you have Windows 2000 you have to wait until the part where you see that the OS is registering components and press "Shift + F10". If you have Windows XP you will need to press the same key combination when "Installing devices" appears in the left hand side of your screen. Now we will have a command console open and you can gain access to the Control Panel. In Windows 2000 you will need to type "control.exe" and in Windows XP "nusrmgr.cpl". Press the "Enter" key and we now have access to the control panel.

Now just use the tools that are provided in order to reset the password and if you are done just close the control panel by typing "Exit" and then pressing "Enter". Now we will need to allow the repair function to complete as usual. When the operating system starts again you can use the new password in order to log in. There are some circumstances in which you will not be able to access your personal computer but these are rare. If this happens we recommend that you take your hard drive and install it on another computer as slave so that you can save every piece of information you need and then format the entire hard drive. Then you will need to re-install the operating system.
By: Adrian Alexa

Monday, March 2, 2009

How do I get rid of viruses, adware, or spyware?

If you suspect that your computer is infected with a virus or other malicious software, remove it as soon as possible.

Unlike other software, malware can't be completely removed using your operating system's Add/Remove Programs feature. Some bits of malware may still be hiding on your hard drive, doing its damage behind the scenes. To get rid of malware, use software specifically designed to find and delete it.

Many solutions are available for ridding your computer of malicious software. You can find these programs by searching the Web for virus protection. I would advise Symantec Endpoint Protection as a good antivirus. Whatever software you choose, be sure to keep it up-to-date.

In some extreme cases, anti-virus programs may not be able to remove all malware. It may be necessary to reformat your hard drive and reinstall its operating system. If you're using a laptop computer, installing the operating system from the partition backup may not completely remove malware. Instead, be sure to get installation disks for your operating system from your hardware vendor and use those to reinstall your operating system.
