Microsoft Blogger: Replace Windows Passwords With Passphrases

Posted on by admini

In a blog post titled “Why you shouldn’t be using passwords of any kind on your Windows networks”, Robert Hensing argues that the inclusion of password-cracking tools in recent worms and trojans illustrates the need for sturdier authentication schemes.

Hensing notes that Windows 2000 and Windows Server 2003 support passphrases of up to 127 characters, including spaces and unicode characters.

Some older Unix versions using the Data Encryption Standard (DES) only support passwords up to eight characters, or ignore any characters after the first eight.

Epps suggests an alternative method: select a passphrase, type out the first letter of each word, and any numbers and punctuation that come out of it.

Even longer passphrases are not immune to crackers who are persistent with dictionary attacks, powerful processors and social engineering, as noted in the passphrase FAQ, which emphasizes that good passphrases should be obscure. “The short version on common phrases is don’t use them ever,” it advises.

Microsoft will have more to say on passphrases, according to Hensing, whose blog post has been widely discussed on mailing lists in recent days.

http://news.netcraft.com/archives/2004/10/21/microsoft_blogger_replace_windows_passwords_with_passphrases.html

Read more

Ex-staff pose threat to data

Posted on by admini

The survey of 1,400 IT professionals shows that email access is the business tool most at risk when it came to ex-employees trying to access information remotely.

But confidential company documents, contact databases and administration systems were also at high-risk. ‘Firms need to build in rules saying what people can and can not access from the corporate network,’ said Thomas Raschke, IDC’s programme manager for European security products and strategies.

‘Access management is often an overlooked part of the business.’

http://www.vnunet.com/news/1158871

Read more

ATMs in peril from computer worms?

Posted on by admini

Trend Micro and Computer Associates have both identified this niche, but some rivals question the immediate need for content filtering on cash points.

The new generation of Automatic Teller Machines (ATMs) are migrating from the IBM OS/2 operating system to Microsoft Windows and IP networks. This saves costs and enhances customer services. But it also means that ATMs are now at risk from computer worms, according to Trend Micro. “Previously isolated cash machines can now be infected by self-launching network viruses via the banks’ IP networks. Infections have the potential to bring down ATM machines, incurring downtime, customer dissatisfaction and increased costs fixing infected machines,” it warns.

Last August, the Nachi (Welchia) worm contaminated the cash machines at two financial institutions. When the Slammer virus hit the back end systems of the Bank of America in January 2003, 13,000 US ATMs became unavailable.

But never fear, Trend Micro is on hand to offer assistance. The Japanese-based firm is launching hardware-based network worm filtering technology specially designed for ATMs at a conference later this month. As well as launching its Network VirusWall 300 hardware, Trend will also be exhibiting at the annual ATM security conference (ATM Sec 4) in London on 25 and 26 October. Raimund Genes, European president of Trend Micro, said that 70 per cent of ATMs are based on either XP or embedded XP. “That’s the way manufacturers are taking the ATM and ticketing machine market,” he said.

Computer Associates offers a software development kit that can be applied to systems based on embedded XP.

Genes argued that producing AV systems for embedded XP terminals is far from straightforward: using existing enterprise content filtering gateways to protect ATMs would be “overkill”. Hardware-based network worm filtering, such as Trend intends to launch offers a better approach, he argued.

But other security vendors question the need for the technology.

Nigel Hawthorn, of security appliance firm Blue Coat Systems, said that ATMs commonly operate on a separate physical network, which is closed. “Sasser hit the back-end systems of banks, not ATM machines,” he said. David Emm, senior technology consultant at anti-virus supplier Kaspersky, agrees. “The threat to ATMs is related to how closely they are integrated with the outside world. Normally ATMS are kept on separate systems. Online financial (ebanking) systems are far more at risk,” he said.

Trend’s Genes said the barriers between the network used by ATMs and the wider Internet are been lowered as banks switch from older telecoms technologies to IP-based networks. He acknowledged that widely deployed AV technology alone is failing to protect enterprises from fast-spreading worms. But Trend’s worm filtering tech would prove far more successful in keeping cashpoints up and running in the face of viral onslaught, he says.

http://www.theregister.co.uk/2004/10/20/atm_viral_peril/

Read more

Microsoft delivers SP1 for Windows server

Posted on by admini

Amidst the typical collection of bug and security fixes, a new feature in SP1 is the Security Configuration Wizard, designed to help administrators define or redefine a specific role for a server, or a collection of servers that all do the same thing. “This utility can allow you to go in on a policy basis and turn off protocols, services, and features at a much more granular level than you can today,” a manager of Microsoft’s Windows Server products, said. “The cool thing about the wizard is once you have configured a very specific role for a server, you can take that XML-based configuration and use policy or another distribution method to do it to hundreds of servers that fit that same role.”

The other bug and security fixes in SP1 addressed many of the same problems that were addressed in the mammoth Windows XP Service Pack 2, although some of the security fixes in SP1 were tailored to address server-specific functions, DiStasio said.

In the preliminary testing Microsoft has done on SP1, DiStasio and other company officials said there had been marked performance gains including a 50 per cent performance improvement in SSL workloads and a 17 per cent gain in running 32-bit data base applications.

As part of the announcement Microsoft also said it remained on track to deliver Windows Update Services by the end of the first half of 2005, the first beta for which is expected in November, along with a version of Windows Server 2003 with 64-bit support. And still on track for delivery by the end of 2005 was the High Performance Computing edition of Windows Server 2003, Release 2 of the Windows Storage Server, and the first solid beta of the server version of Longhorn.

Taking out its marketing drum, Microsoft said that sales of Windows Server 2003 had now surpassed those of its Windows NT4 server base, and that new deployments of the server had grown by 375 per cent.

Company officials quoted market researcher IDC as predicting that Windows Server 2003 would overtake all other versions of Windows by the end of 2005.

http://www.arnnet.com.au/index.php/id;1773627278;fp;2;fpid;1

Read more

Traditional Anti-Virus Can’t Meet New Threats

Posted on by admini

“The need for security is expanding beyond the PC,” wrote Jonathan Singer, an analyst with the Yankee Group, in an e-mail to TechWeb. “Mobile devices such as smart phones and PDAs, which are often used for business purposes without security integration, are opening new avenues for malicious code,” he added.

Early efforts by hacker to engage these devices were relegated to using them as entry points for viruses and worms delivered via e-mail, but as networked handhelds proliferate, tactics have changed. As other devices become networked–such as printers and copiers–and as voice over IP (VoIP) hardware grows in popularity, they’ll be targeted too, or used to launch additional attacks.

“Look for these types of attacks to become pervasive in the next 12 to 24 months,” Singer said.

Behavioral-based anti-virus protection doesn’t rely on one-to-one signatures to match against known malicious code, but examines possible malware for characteristics common to viruses and worms. Among their advantages are a theoretical ability to recognize unknown viruses–thus providing a defense against so-called “zero-day” attacks–less frequent updating, and smaller size.

“In the next two to four years, anti-virus software will migrate from signature recognition to a hybrid of signatures and behavioral recognition,” predicted Singer.

Enterprises should set policies on PDA and smartphone use, said Singer, to protect the network first, make handhelds productive second.

http://story.news.yahoo.com/news?tmpl=story&ncid=1211&e=10&u=/cmp/20041020/tc_cmp/50500906&sid=95609566

Read more

New ways of measuring security

Posted on by admini

Officials at Addamark Technologies Inc. are delving deeper into the security information management arena with a revamped product and a new name, SenSage Inc.

Before refocusing, SenSage served as a repository for forensic analysis instead of gathering data in real-time like most security information management products, said Jim Pflaging, the company’s chief executive officer. For instance, someone within an agency who has valid access might be performing suspicious activities, or the systems administrator with privileges to many systems might create bogus accounts.

Meanwhile, officials at netForensics Inc. have released the nFX Open Security Platform, which supports the nFX framework, to help agency officials quickly identify and prioritize security issues to reduce threats and risks. Enhancements to the platform include greater fault-tolerance capability, custom agent software development and policy compliance integration.

New advanced threat visualization and analytics capabilities combine the visual tools with reporting and analytics so a security team can identify threats faster.

http://www.fcw.com/fcw/articles/2004/1018/web-secure-10-19-04.asp

Read more