<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TechVirtuoso &#187; security</title>
	<atom:link href="http://techvirtuoso.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://techvirtuoso.com</link>
	<description>Powered by a passion for IT</description>
	<lastBuildDate>Thu, 15 Dec 2011 15:54:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Can you have too much security?</title>
		<link>http://techvirtuoso.com/2011/08/29/can-you-have-too-much-security/</link>
		<comments>http://techvirtuoso.com/2011/08/29/can-you-have-too-much-security/#comments</comments>
		<pubDate>Mon, 29 Aug 2011 13:35:41 +0000</pubDate>
		<dc:creator>Frank Owen</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Morto]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://techvirtuoso.com/?p=2456</guid>
		<description><![CDATA[I started a new position this year and have many challenges to overcome.  There are a lot of things that have been neglected and many changes to be made.  One of the changes I was looking at implementing is enabling Windows Firewall locally.  I started on a few new servers that I was rolling out and the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="margin: 10px;" title="Hacker" src="http://www.summarynewspaper.com/wp-content/uploads/2011/08/hacker.jpg" alt="" width="227" height="194" />I started a new position this year and have many challenges to overcome.  There are a lot of things that have been neglected and many changes to be made.  One of the changes I was looking at implementing is enabling Windows Firewall locally.  I started on a few new servers that I was rolling out and the regional IT staff that support some of our internal systems started to disable these firewalls.  When I brought this up they thought I was nuts.  Just wait until I start restricting services by IP.</p>
<p>Fast forward to today and the <a href="http://www.theregister.co.uk/2011/08/28/morto_worm_spreading/">&#8220;Morto&#8221; internet worm is spreading via RDP</a>.  We don&#8217;t have any local RDP hosts that are open to the dangerous world we know as the internet, but I can&#8217;t vouch for the other dozen sites that are connected at the other end of our MPLS.  Now, most of our PCs don&#8217;t have RDP enabled, but PCs used by management and, more importantly, the majority of our servers may be susceptible if one PC out of thousands is infected.</p>
<p>I realize more security means more administrative overhead and makes admin jobs harder, but what happens when something like this hits and all of these machines are infected?  How much work is that going to take to remedy?</p>
<p>So, what are your thoughts?  How far do you go to keep your infrastructure safe?</p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2011/08/29/can-you-have-too-much-security/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Is there such a thing as security in the cloud?</title>
		<link>http://techvirtuoso.com/2011/05/06/is-there-such-a-thing-as-security-in-the-cloud/</link>
		<comments>http://techvirtuoso.com/2011/05/06/is-there-such-a-thing-as-security-in-the-cloud/#comments</comments>
		<pubDate>Fri, 06 May 2011 22:22:56 +0000</pubDate>
		<dc:creator>Frank Owen</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[lastpass]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sony]]></category>

		<guid isPermaLink="false">http://techvirtuoso.com/?p=2392</guid>
		<description><![CDATA[Unless you have been hiding under a rock you have heard about Sony&#8217;s PSN getting hacked.  Apparently I was hiding under a rock yesterday as LastPass, a cloud password storage company, also had a possible security breach and I didn&#8217;t hear about it until late yesterday evening. I am not going to act tough, although at first [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-2395" href="http://techvirtuoso.com/2011/05/06/is-there-such-a-thing-as-security-in-the-cloud/3891893383_c9dc443d57_z/"><img class="aligncenter size-full wp-image-2395" title="3891893383_c9dc443d57_z" src="http://techvirtuoso.com/wp-content/uploads/2011/05/3891893383_c9dc443d57_z.jpg" alt="" width="630" height="151" /></a></p>
<p>Unless you have been hiding under a rock you have heard about Sony&#8217;s PSN getting <a href="http://www.neowin.net/news/sony-blames-psn-qriocity-outage-on-external-intrusion">hacked</a>.  Apparently I was hiding under a rock yesterday as <a href="http://techvirtuoso.com/2010/12/29/using-lastpass-and-yubikey-to-secure-your-online-life/" target="_blank">LastPass</a>, a cloud password storage company, also had a possible <a href="http://blog.lastpass.com/2011/05/lastpass-security-notification.html" target="_blank">security breach</a> and I didn&#8217;t hear about it until late yesterday evening.</p>
<p>I am not going to act tough, although at first I freaked out a little bit.  I immediately rushed to conclusions, imagining all the passwords I would need to manually go through and change. Fortunately, after reading <a href="http://blog.lastpass.com/2011/05/lastpass-security-notification.html" target="_blank">their blog post</a> and <a href="http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html" target="_blank">the LastPass CEO&#8217;s interview with PC World</a>, I felt a little more at ease.  I used a strong master password so I should be OK.  I am very impressed at how they handled the situation and how open they were from the beginning.  I think I will be keeping the majority of my passwords with them.</p>
<p>It seems like every other day there is another company sending out emails notifying their customers that their personal information may have been compromised.  All of this has gotten me to think: with the growing number of companies learning everything they possibly can (looking at you, Facebook and Google), is any information we give out on the computer really safe?  Do these cyber crimes continue to rise because the consumer is more at ease posting their private lives and information on the net?</p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2011/05/06/is-there-such-a-thing-as-security-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Two factor authentication now available for your Google accounts</title>
		<link>http://techvirtuoso.com/2011/02/10/two-factor-authentication-now-available-for-google-accounts/</link>
		<comments>http://techvirtuoso.com/2011/02/10/two-factor-authentication-now-available-for-google-accounts/#comments</comments>
		<pubDate>Thu, 10 Feb 2011 19:35:51 +0000</pubDate>
		<dc:creator>Michael Stanclift</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[two factor]]></category>

		<guid isPermaLink="false">http://techvirtuoso.com/?p=2207</guid>
		<description><![CDATA[Google has now set the bar a little higher for Internet account security. Now the super-paranoid (like yours truly) can further secure their Gmail through the use of Google&#8217;s new two factor authentication system. While not as cool as using YubiKey for LastPass you can now use your phone to generate a one time password to gain access [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-2208" href="http://techvirtuoso.com/2011/02/10/two-factor-authentication-now-available-for-google-accounts/step-1-2/"><img class="aligncenter size-full wp-image-2208" title="step 1-2" src="http://techvirtuoso.com/wp-content/uploads/2011/02/step-1-2.png" alt="" width="630" height="182" /></a></p>
<p>Google has now set the bar a little higher for Internet account security. Now the super-paranoid (like yours truly) can further secure their Gmail through the use of Google&#8217;s new two factor authentication system.</p>
<p>While not as cool as using <a href="http://techvirtuoso.com/2010/12/29/using-lastpass-and-yubikey-to-secure-your-online-life/">YubiKey for LastPass</a>, you can now use your phone to generate a one-time password to gain access to your Google account. As I&#8217;ve covered before, you shouldn&#8217;t be using the same password for multiple online accounts, but you really shouldn&#8217;t be using your main email password for anything else, as it is the go-to place for account recovery. But even if you are, this additional layer of security will make compromising your account nearly impossible.<span id="more-2207"></span></p>
<p style="text-align: center;"><a rel="attachment wp-att-2209" href="http://techvirtuoso.com/2011/02/10/two-factor-authentication-now-available-for-google-accounts/account-settings-page/"><img class="size-full wp-image-2209 aligncenter" title="account settings page" src="http://techvirtuoso.com/wp-content/uploads/2011/02/account-settings-page.png" alt="" width="383" height="207" /></a></p>
<p style="text-align: left;">Over the next couple days, all Google account users should see the <a href="https://www.google.com/accounts/ManageAccount" target="_blank">Account Settings</a> page get updated with a &#8220;Using 2-step verification&#8221; link. <a href="http://gmailblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html" target="_blank">Google Blog explains the process</a>:</p>
<blockquote><p>Take your time to carefully set up 2-step verification—we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you&#8217;ll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we&#8217;ll have a pretty good idea that the person signing in is actually you.</p></blockquote>
<p>If you&#8217;re using something that isn&#8217;t web based and so can&#8217;t prompt for the second one-time password, such as a chat client or ActiveSync on an iPhone, you can also set up one-time application-specific passwords to sign in to your account. This means each device will have a specific access code, further decreasing the ability to compromise your account if that password is stolen.</p>
<p>While I do not currently have access to 2-step on my account, Frank activated it on his and said the process can be a bit daunting for the &#8220;average&#8221; user&#8230; but none of our visitors are average, so knock yourself out!</p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2011/02/10/two-factor-authentication-now-available-for-google-accounts/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Using LastPass and YubiKey to secure your online life</title>
		<link>http://techvirtuoso.com/2010/12/29/using-lastpass-and-yubikey-to-secure-your-online-life/</link>
		<comments>http://techvirtuoso.com/2010/12/29/using-lastpass-and-yubikey-to-secure-your-online-life/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 03:43:04 +0000</pubDate>
		<dc:creator>Michael Stanclift</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[accounts]]></category>
		<category><![CDATA[aes]]></category>
		<category><![CDATA[cipher]]></category>
		<category><![CDATA[comments]]></category>
		<category><![CDATA[database]]></category>
		<category><![CDATA[des]]></category>
		<category><![CDATA[encyrption]]></category>
		<category><![CDATA[gawker]]></category>
		<category><![CDATA[lastpass]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[yubico]]></category>
		<category><![CDATA[yubikey]]></category>

		<guid isPermaLink="false">http://techvirtuoso.com/?p=1995</guid>
		<description><![CDATA[If the recent Gawker password breach (re)taught us anything, it&#8217;s the old and valued lesson of &#8220;don&#8217;t use the same password everywhere&#8221; &#8212; but as often as I repeat that phrase and cringe a little bit when I find out someone else did it, I&#8217;ve been just as guilty of this cardinal sin of network [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-2011" href="http://techvirtuoso.com/2010/12/29/using-lastpass-and-yubikey-to-secure-your-online-life/barney-fife-andy-taylor/"><img class="aligncenter size-full wp-image-2011" title="barney-fife-andy-taylor" src="http://techvirtuoso.com/wp-content/uploads/2010/12/barney-fife-andy-taylor.png" alt="" width="350" height="263" /></a></p>
<p>If the recent Gawker password breach (re)taught us anything, it&#8217;s the old and valued lesson of &#8220;don&#8217;t use the same password everywhere&#8221; &#8212; but as often as I repeat that phrase and cringe a little bit when I find out someone else did it, I&#8217;ve been just as guilty of this cardinal sin of network security myself&#8230; from time to time. It&#8217;s hard not to.</p>
<p>When you&#8217;re as active on the Internet as I am, it&#8217;s impossible to resist the urge to duplicate passwords, especially if you&#8217;re against writing them down. So you&#8217;re left to memorize them all, hope you don&#8217;t forget, and hope that you can rely on the splendid password reset via email later on.</p>
<p>All of the Gawker fun also taught (or should have taught) website administrators like myself to take better care of their users. Gawker fouled up in a huge way (beyond simply exposing user data) by not taking proper steps to secure the information in their database once it was exposed. Gawker used an easily crackable cipher system (DES) which was deprecated in favor of a new industry standard (AES) long ago.</p>
<p><span id="more-1995"></span>Since the launch of this site, we&#8217;ve relied on third parties to act as the gatekeepers for user interaction. (First using JS-Kit/Echo and now Disqus) For you it has the benefit of not having to remember yet another password or create another account just to comment here. On the back end it allows us to focus on delivering content and less on keeping a database of user information secured. We&#8217;re relying on people with bigger and better security resources (Disqus, Open ID, Twitter or Facebook) to secure your presence on our site.</p>
<p>But what about every other site (or even the four mentioned above) &#8230; where you have to register a username, create a password, and keep it safe and secure. Remembering unique passwords for every site is impossible, using the same one is a no-no, writing them down and keeping them in your desk drawer isn&#8217;t practical or secure. What do you do with those passwords?</p>
<p><strong>Password Management</strong></p>
<p><a rel="attachment wp-att-2008" href="http://techvirtuoso.com/2010/12/29/using-lastpass-and-yubikey-to-secure-your-online-life/autocompletepassword/"><img class="aligncenter size-full wp-image-2008" title="AutoCompletePassword" src="http://techvirtuoso.com/wp-content/uploads/2010/12/AutoCompletePassword.png" alt="" width="410" height="229" /></a></p>
<p>Who hasn&#8217;t seen the Internet Explorer password prompt at least 10,000 times in their lives? Or the similar prompts from Firefox, Safari, Chrome, Opera, etc. Almost every browser created in this decade has included some sort of password manager, and almost anyone who has used them will tell you they&#8217;re all crap.</p>
<p>For one thing, they only work with one browser. For another, they&#8217;re almost as secure as the previously mentioned notebook of passwords. Last, they&#8217;re not really designed to keep you secure, they&#8217;re designed to be a convenient way to re-access commonly used websites.</p>
<p>Most of the time, I turned the feature off. The idea of using a password manager, until recently, seemed less secure than trying to just remember them all myself. That all changed recently.</p>
<p><strong>LastPass</strong></p>
<p>After previously being quite inefficient about password management for the past&#8230; well, ever&#8230; I decided it was time to get serious about securing my online life and in turn taking the burden of remembering all of the passwords myself. I started using LastPass a few months ago (before the Gawker breakdown) and had slowly begun the process of migrating my passwords into it. Originally I wanted to give it a chance to earn my trust before jumping feet first into the pool of letting someone else get all my passwords.</p>
<p>I selected LastPass after evaluating many alternatives. KeePass, 1Password, Roboform were among some of the ones I looked at. All great options, but not the one I went with in the end. Here&#8217;s why:</p>
<ol>
<li>LastPass runs on anything, everything, and it syncs all of the resources together. Windows, Mac, Linux, Internet Explorer, Firefox, Safari, Chrome, iPhone, Android, Blackberry, Windows Mobile, Windows Phone (just announced), even Symbian. Basically anything I could touch, had to give me the ability to access my passwords. LastPass has their competition beat there. Noticeably absent is Opera from the supported list. I don&#8217;t use Opera myself, but my guess is now that they have true plugin support the LastPass crew will probably add them to the list shortly.</li>
<li>No password manager is perfect, but LastPass is close. It&#8217;s excellent about knowing what to fill in, what to save, what not to save, and when to step in and help.</li>
<li>It&#8217;s free, for 95% of the service. However, as I usually do, I suggest shelling out the <em>ridiculous </em>$12 a year to get the premium version. Why? Because you get my next two important points&#8230;</li>
<li>Mobile access. LastPass will work in any browser for free, but if you want to run it on your iPhone, Android, etc, you&#8217;re going to need the premium account. The app itself though, is free.</li>
<li>Multifactor authentication through YubiKey. The free version will allow you to build your own key for multifactor, but if you really want to get serious about security you&#8217;re going to want to do it through a YubiKey. (Of course that key will also set you back $25)</li>
</ol>
<p><strong>Browser Integration</strong></p>
<p>Having tested LastPass in both Google Chrome (10) and Mozilla Firefox (4), I can say that the Firefox version is superior, but not by much. When I initially tested LastPass, I did so through Google Chrome. The installer rounded up all of the passwords stored in the default password managers of Internet Explorer, Firefox and Google Chrome that were installed on my system and put them into LastPass. This made the initial learning curve very easy as I didn&#8217;t have to go through and train it for every single one I was already allowing the browsers to remember.</p>
<p>After my desktop, when I set up LastPass on my laptop it also sucked up the local cache and avoided duplicates of already integrated passwords.</p>
<p>There are a few key things LastPass does to save you time that none of the integrated password managers will do.</p>
<ol>
<li>When I create new accounts, LastPass will automatically detect it and offer to generate a random password for me based on my complexity requirements. It automatically fills in the data and saves it for future use. This works 99% of the time and normally requires little input or assistance from me.</li>
<li>Whenever I change my password on a website, LastPass will not only know my old password and offer a new one, it also automatically saves the change in its cache.</li>
<li>It syncs all the data across multiple browsers. It&#8217;s no longer a massive headache to test new browsers. Moving from Chrome to Firefox to IE and back again is painless (well, except for using Internet Explorer itself) &#8212; changes made in one browser migrate to all the other browsers.</li>
</ol>
<p><strong>Security</strong></p>
<p>But putting all this data into the cloud must be insecure! And it may be&#8230; if you were using another provider.</p>
<p>LastPass, despite syncing all this information into the cloud, actually stores the password database itself on your local system. What LastPass has on its servers are one-way salted hashes, with all your real data stored locally in an AES-256 encrypted database. Your passwords are encrypted and decrypted on your local machine, not on their servers. What all this means is if someone were to hack LastPass and get your salted hashes, they&#8217;d be about as useful as a pile of salted meat. Without computing horsepower beyond what the top government security agencies of the world have, and a limitless amount of free time, it&#8217;s all worthless without your <em>master password.</em></p>
<p>Which by the way, LastPass doesn&#8217;t have any idea what your master password is because they never have it. If you change it on your account, LastPass has to re-encrypt all the data and resend the hashes to their servers.</p>
<p>They also use SSL to further encrypt all of the already AES encrypted traffic between your system and their servers. However, the amount of data being sent back and forth is so small that there is little if any performance loss in your browser and your system hardly notices what&#8217;s going on.</p>
<p>Once the salted hashes of your password reach their servers, they back the data up (which they do daily to Amazon&#8217;s S3 service) and store it offsite, further encrypting it using GPG.</p>
<p>So make your master password strong, but something you can remember. A great website for coming up with new passwords is <a href="http://howsecureismypassword.net/" target="_blank">howsecureismypassword.net </a>&#8211; it will literally tell you how long it would take someone with a desktop computer to brute force your master password. This is all assuming they gain access to your local database, etc. Want to know my master password? Too bad. I will tell you though, it would take you 564 billion years to crack it.</p>
<p>But, computing horsepower gets more powerful all the time. Brilliant programmers, hackers, and engineers come up with new ways to make them faster, string them together and take that 564 billion year number down a notch. Even with all this advanced encryption an enterprising hacker could still manage to get a key logger on your system and record your master password.</p>
<p>So what is a paranoid person like myself going to do to even the odds? Multifactor authentication.</p>
<p><strong>YubiKey</strong></p>
<p><em>Something you know, and something you have.</em></p>
<p>There are a lot of multifactor authentication methods out there. I won&#8217;t get into all of them, because in this case, LastPass really works best with only one. The YubiKey by Yubico.</p>
<p>The YubiKey is a small USB token about the size of a door key. It comes in any color you want as long as it&#8217;s black, or white, and there is just a one time cost of $25 for Yubico to send you the token. It&#8217;s tough, and easy to use. It&#8217;s crush proof and water proof, has no battery or moving parts. Just plug it into any USB slot on your computer and it&#8217;ll be recognized as a USB Input Device. Because of this there are no drivers required and it works on Windows, Mac or Linux automatically.</p>
<p>Once you receive your YubiKey the process of associating it with your LastPass account is straightforward and simple. When you load your browser, after entering your master password you get the prompt for your YubiKey. Touch the green button and away you go. It only adds a second to the authentication process and infinitely decreases your chances of having your account compromised.</p>
<p>But what about key loggers? Since this is just a fancy keyboard with only one key, can&#8217;t they log that? Sure. Here&#8217;s the problem.</p>
<p>YubiKey generates a random 44 character one time passcode that changes every time you generate it.</p>
<p>Each generated passcode is actually an AES-128 encrypted block containing an obfuscated unique secret ID for your YubiKey, a session counter, time stamp, session token, random values and a CRC-16 checksum. To sum it all up, a bunch of random stuff further encrypted into more random stuff.</p>
<p>What it amounts to, is that without both your master password and your YubiKey, no one is getting access to your accounts.</p>
<p><strong>Strong Passwords per Site</strong></p>
<p>But all this work is futile if you continue to use the same passwords as before, or allow the same passwords to be used on multiple websites or systems. Thankfully, LastPass provides an interesting tool called the Security Challenge that will locally decrypt and analyze your passwords, look for weak passwords and let you know what duplicates exist. I was shocked the first time I ran the analyzer, but now I work to squeak out every last bit to raise my score each week.</p>
<p><a rel="attachment wp-att-2016" href="http://techvirtuoso.com/2010/12/29/using-lastpass-and-yubikey-to-secure-your-online-life/secan/"><img class="aligncenter size-full wp-image-2016" title="SecAn" src="http://techvirtuoso.com/wp-content/uploads/2010/12/SecAn..png" alt="" width="453" height="394" /></a></p>
<p>At this point I&#8217;m regularly generating 12-16 character random and complex passwords for every site I have accounts on. According to the latest score I&#8217;m among the top 1000 users of the tool ranking 942nd overall. Look out 941, I&#8217;m R*HaVn87V@aefzw@-ing for you.</p>
<p>The point is that I don&#8217;t know what any of my site passwords are, but each is unique and almost impossible to brute force in a reasonable amount of time (3 quadrillion years for the one mentioned above) &#8212; while it doesn&#8217;t make it impossible for my Facebook account to be compromised, it significantly reduces the risk of such an event taking place. After only a few tries, Facebook would (should) lock them out, and the chance they&#8217;ll guess correctly on the first try, even knowing all the exact complexity requirements used, is almost infinitesimal.</p>
<p><strong>Conclusion</strong></p>
<p>Is your LastPass master password truly the last password you&#8217;ll ever need? No. Your system password is still important to have and keep strong, I encourage people to encrypt their local disks (especially laptops) and use a unique and long passcode/PIN for decryption along with a TPM or USB key using something like BitLocker (which I&#8217;ll be covering in a future article) &#8212; this way to even get to your database the number of steps required are so many and complex I&#8217;d venture to say it&#8217;s bulletproof.</p>
<p>But if I can use LastPass to narrow down the number of passwords I&#8217;m required to recall on a daily basis down from the hundreds to around 5, and make the ones I don&#8217;t even want to remember anymore so complex that I couldn&#8217;t even if I tried, then I think it&#8217;s more than worth it.</p>
<p><strong>Further Reading &amp; Downloading<br />
</strong></p>
<ul>
<li><a href="http://" target="_blank">LastPass</a></li>
<li><a href="http://www.yubico.com/yubikey" target="_blank">YubiKey</a></li>
<li><a href="http://howsecureismypassword.net/" target="_blank">How Secure Is My Password</a></li>
<li><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" target="_blank">AES &#8211; Advanced Encryption Standard</a><strong> </strong>(Wikipedia)</li>
<li><a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" target="_blank">DES &#8211; Data Encryption Standard</a><strong> </strong>(Wikipedia)</li>
<li><a href="http://en.wikipedia.org/wiki/GNU_Privacy_Guard" target="_blank">GNU Privacy Guard</a> (Wikipedia)</li>
<li><a href="http://en.wikipedia.org/wiki/Salt_%28cryptography%29" target="_blank">Salted Hashes</a> (Wikipedia)</li>
<li><a href="http://en.wikipedia.org/wiki/One-time_password" target="_blank">One Time Passwords</a> (Wikipedia)</li>
</ul>
<p><strong>After Thought<br />
</strong></p>
<p>Last night I stumbled <a href="https://store.yubico.com/store/catalog/index.php?cPath=6" target="_blank">on a deal where you can get a YubiKey and one year of LastPass for only $30</a>; this normally would be $37. Nice little chunk of change. The <a href="https://store.yubico.com/store/catalog/index.php?cPath=6" target="_blank">even better deal is you can get two YubiKeys and one year of LastPass for only $45</a>. This is a $62 value. You can associate multiple YubiKeys with your account, and then in the event your primary one is lost or stolen, you can dig your reserve key out of a safe location and remove the lost key, and then later replace the key.</p>
<p>Frank also pointed out to me last night something I neglected to mention. You can also deactivate the YubiKey requirement from a trusted computer such as your primary system that is in a secure location. A trusted system would obviously be one you&#8217;ve configured to bypass all of the security checks for your account. Right now I don&#8217;t have any systems where I bypass all of the checks, so I forgot to talk about it.</p>
<p>Something else I forgot to say was that you can also disable the YubiKey through an email verification, but if your email password is protected by LastPass that may be harder to do. My LastPass account is on my iPhone as well so I could go that route to gain access to my passwords in the event of a failure. Again I forgot to mention it in the article but since you obviously can&#8217;t hook a LastPass USB token into an iPhone, you can set up pre-authenticated mobile devices to only require a passcode to unlock. Combined with a security lock on the phone, the phone itself becomes a sort of &#8220;token&#8221; you have to have to get in.</p>
<p>There are also other ways to perform multifactor against LastPass that don&#8217;t involve a YubiKey, including your own preconfigured key like what I mentioned, as well as a paper card you create that is unique to your account. I just think the YubiKey is the easiest and most secure way to go.</p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2010/12/29/using-lastpass-and-yubikey-to-secure-your-online-life/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Companies react to offering up Security Essentials through Microsoft Update</title>
		<link>http://techvirtuoso.com/2010/11/06/companies-react-to-offering-up-security-essentials-through-microsoft-updat/</link>
		<comments>http://techvirtuoso.com/2010/11/06/companies-react-to-offering-up-security-essentials-through-microsoft-updat/#comments</comments>
		<pubDate>Sat, 06 Nov 2010 17:12:01 +0000</pubDate>
		<dc:creator>Michael Stanclift</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[mcafee]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[mse]]></category>
		<category><![CDATA[norton]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[symantec]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://techvirtuoso.com/?p=1795</guid>
		<description><![CDATA[You know you&#8217;re probably doing something right when three of your biggest competitors start acting like the world has come to an end. In this case, it&#8217;s Microsoft versus the anti-virus world. While we like to stress the importance of anti-virus products on all platforms, they&#8217;re sort of like insurance companies. Their products are usually [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-1797" href="http://techvirtuoso.com/2010/11/06/companies-react-to-offering-up-security-essentials-through-microsoft-updat/msealert-2/"><img class="aligncenter size-full wp-image-1797" title="MSEAlert" src="http://techvirtuoso.com/wp-content/uploads/2010/11/MSEAlert1.png" alt="" width="550" height="295" /></a></p>
<p>You know you&#8217;re probably doing something right when three of your biggest competitors start acting like the world has come to an end. In this case, it&#8217;s Microsoft versus the anti-virus world.</p>
<p>While we like to stress the importance of anti-virus products on all platforms, they&#8217;re sort of like insurance companies. Their products are usually expensive and bloated, and when you really need them most of the time they&#8217;re not that effective. Microsoft&#8217;s Security Essentials product is arguably one of the best anti-virus products on the market, and it&#8217;s free, and it&#8217;s got traditional vendors like Symantec, McAfee and Trend Micro scared. Even more so now that Microsoft has begun distributing the software to users directly through its Microsoft Update service.</p>
<p><span id="more-1795"></span></p>
<p>But Trend, McAfee and Symantec (and others who have yet to chime in) should really talk less and instead focus on their own products. Instead of getting their panties in a bunch prematurely, they should take a step back and look at the facts.</p>
<ol>
<li>The product is delivered through Microsoft&#8217;s optional Microsoft Update service, which, while tied into Windows Update, requires users to opt in to receiving it.</li>
<li>The product is only available to users who don&#8217;t already have an anti-virus program reporting in Windows. There are people who aren&#8217;t using other products as it is.</li>
</ol>
<p>But instead of trying to make their own products better, or more attractive, they&#8217;re using hyperbole and crying &#8220;antitrust&#8221; to get people angry. In most cases, it&#8217;s only making people angry at them.</p>
<p>Trend Micro:</p>
<blockquote><p>&#8220;Commercializing Windows Update to distribute other software applications raises significant questions about unfair competition,&#8221; said Carol Carpenter, the general manager of the consumer and small business group at Trend Micro, on Thursday.</p>
<p>&#8220;Windows Update is a de facto extension of Windows, so to begin delivering software tied to updates has us concerned,&#8221; she added. &#8220;Windows Update is not a choice for users, and we believe it should not be used this way.&#8221;</p></blockquote>
<p>Symantec:</p>
<blockquote><p>&#8220;It&#8217;s clear that today&#8217;s threat landscape requires more comprehensive protection than what Microsoft Security Essentials offers,&#8221; said Symantec in a statement. &#8220;From a security perspective, this Microsoft tool offers reduced defenses at a critical point in the battle against cybercrime.&#8221;</p></blockquote>
<p>McAfee:</p>
<blockquote><p>&#8220;Options that provide an elementary level of security, including Microsoft Security Essentials, mostly rely on traditional protection mechanisms,&#8221; McAfee said. &#8220;McAfee products offer not only more features but most importantly, McAfee products offer real-time protection using cloud-based intelligence to combat even the most sophisticated threats.&#8221;</p></blockquote>
<p>Again, these vendors talk a good game, but a lot of it is just that. Talk. The truth is Security Essentials has been sufficient for most everyone I&#8217;ve ever given it to. These other companies would be wise to learn a thing or two from Microsoft instead of trying to just look superior.</p>
<p>I run Security Essentials on anything I have a choice to. You couldn&#8217;t force me to install anything from Symantec, McAfee or Trend Micro&#8230; nor would I recommend it.</p>
<p><em>via <a href="http://www.infoworld.com/d/security-central/trend-micro-calls-foul-over-microsoft-offering-free-antivirus-software-windows-update-336?page=0,1" target="_blank">InfoWorld</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2010/11/06/companies-react-to-offering-up-security-essentials-through-microsoft-updat/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Google sues the federal government for wanting to use Exchange</title>
		<link>http://techvirtuoso.com/2010/11/01/google-sues-the-federal-government-for-wanting-to-use-exchange/</link>
		<comments>http://techvirtuoso.com/2010/11/01/google-sues-the-federal-government-for-wanting-to-use-exchange/#comments</comments>
		<pubDate>Mon, 01 Nov 2010 23:35:28 +0000</pubDate>
		<dc:creator>Michael Stanclift</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://techvirtuoso.com/?p=1715</guid>
		<description><![CDATA[So the US Department of the Interior decides that it wants a new email system, and after consideration decides it wants to use Microsoft&#8217;s hosted Exchange platform. Pretty straightforward, right? Well, until Google decides that the DOI should have used Google Apps instead, and goes to sue the government for wanting to use Microsoft&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-1716" href="http://techvirtuoso.com/2010/11/01/google-sues-the-federal-government-for-wanting-to-use-exchange/googlefounders/"><img class="aligncenter size-full wp-image-1716" title="googlefounders" src="http://techvirtuoso.com/wp-content/uploads/2010/11/googlefounders.jpg" alt="" width="420" height="267" /></a></p>
<p>So the US Department of the Interior decides that it wants a new email system, and after consideration decides it wants to use Microsoft&#8217;s hosted Exchange platform.</p>
<p>Pretty straightforward, right?</p>
<p>Well, until Google decides that the DOI should have used Google Apps instead, and goes to sue the government for wanting to use Microsoft&#8217;s products. Never mind the fact that Google doesn&#8217;t even have a GSA contract and cannot actually sell products to the federal government without one.</p>
<p>Google&#8217;s case makes it sound like they&#8217;re trying to protect the government from disaster by going with Microsoft&#8217;s product, providing a filing full of reasons why their platform is superior and Microsoft&#8217;s is run by idiots. Never mind the fact that Google Apps has had its fair share of issues in the last few months (even in the last week) and that they&#8217;re constantly adding/changing/removing features that would probably not be welcome in a government setting.</p>
<p><em>via <a href="http://www.techdirt.com/articles/20101030/23442911657/google-sues-the-us-government-for-only-considering-microsoft-solutions.shtml">TechDirt</a></em></p>
<p><span id="more-1715"></span><br />
<a style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: block; text-decoration: underline;" title="View Google v US Complaint on Scribd" href="http://www.scribd.com/doc/40513712/Google-v-US-Complaint">Google v US Complaint</a></p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2010/11/01/google-sues-the-federal-government-for-wanting-to-use-exchange/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Is imitation always a form of flattery?</title>
		<link>http://techvirtuoso.com/2010/10/25/is-imitation-always-a-form-of-flattery/</link>
		<comments>http://techvirtuoso.com/2010/10/25/is-imitation-always-a-form-of-flattery/#comments</comments>
		<pubDate>Tue, 26 Oct 2010 02:52:32 +0000</pubDate>
		<dc:creator>Frank Owen</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[av]]></category>
		<category><![CDATA[essentials]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[mse]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://techvirtuoso.com/?p=1432</guid>
		<description><![CDATA[I have seen many different viruses pose as a security suite on a user&#8217;s machine, requesting them to put in their credit card info and preventing them from surfing the Internet until they do.  This practice is not new, but I think this is the first time I have seen a virus mimic a current security [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter" title="Microsoft Security Essentials" src="http://blog.karachicorner.com/blog-images/07/Microsoft-Security-Essentials.jpg" alt="" width="400" height="242" />I have seen many different viruses pose as a security suite on a user&#8217;s machine, requesting them to put in their credit card info and preventing them from surfing the Internet until they do.  This practice is not new, but I think this is the first time I have seen a virus mimic a current security software to lend some credibility to their scam.</p>
<p>At the <a href="http://windowsteamblog.com/windows/b/windowssecurity/archive/2010/10/25/fake-microsoft-security-essentials-software-on-the-loose-don-t-be-fooled-by-it.aspx">Windows Team Blog</a> Eric Foster is reporting about a trojan that takes a page from these other well-known scams and puts its own twist on it.  It actually mimics Microsoft&#8217;s free AV solution, Microsoft Security Essentials, except it prompts the user to install other security software and requests a credit card number.</p>
<p>Has Microsoft reached general acceptance of their security suite, enough for malware writers to start exploiting the name and the design?  Should companies like <a href="http://techvirtuoso.com/2010/08/19/intel-buys-mcafee-way-overpays-for-an-ineffective-engine/">McAfee</a> be worried?  I think so.</p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2010/10/25/is-imitation-always-a-form-of-flattery/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Intel buys McAfee, way overpays for an ineffective engine</title>
		<link>http://techvirtuoso.com/2010/08/19/intel-buys-mcafee-way-overpays-for-an-ineffective-engine/</link>
		<comments>http://techvirtuoso.com/2010/08/19/intel-buys-mcafee-way-overpays-for-an-ineffective-engine/#comments</comments>
		<pubDate>Thu, 19 Aug 2010 15:18:11 +0000</pubDate>
		<dc:creator>Michael Stanclift</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[acquisition]]></category>
		<category><![CDATA[intel]]></category>
		<category><![CDATA[mcafee]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://techvirtuoso.com/2010/08/19/intel-buys-mcafee-way-overpays-for-an-ineffective-engine/</guid>
		<description><![CDATA[I’m not sure I would have paid $29 for a copy of McAfee, but Intel decided it was wise to go all in and spend almost $8 billion to acquire them. Of all the security companies out there Intel had their choice of, they picked one of the most bloated and ineffective scanning engines, and [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-1328" href="http://techvirtuoso.com/2010/08/19/intel-buys-mcafee-way-overpays-for-an-ineffective-engine/mcafee-doom/"><img class="aligncenter size-large wp-image-1328" title="mcafee-doom" src="http://techvirtuoso.com/wp-content/uploads/2010/08/mcafee-doom-473x246.png" alt="" width="473" height="246" /></a></p>
<p>I’m not sure I would have paid $29 for a copy of McAfee, but Intel decided it was wise to go all in and spend almost $8 billion to acquire them.</p>
<p>Of all the security companies out there Intel had their choice of, they picked one of the most bloated and ineffective scanning engines, and the one that has one of the worst track records when it comes to false positives that eat your computer alive.</p>
<p>I can say that having spent almost 4 years managing their corporate suite, and having their software updates crash my systems (I eventually dumped their software for Microsoft Forefront) and rebuild my configuration multiple times, I’m not looking forward to them integrating their technologies on Intel chips.</p>
<p>(<a href="http://newsroom.mcafee.com/article_display.cfm?article_id=3678" target="_blank">McAfee Press Release</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2010/08/19/intel-buys-mcafee-way-overpays-for-an-ineffective-engine/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Why lazy sysadmins and IE 6 make the net unsafe</title>
		<link>http://techvirtuoso.com/2010/01/16/why-lazy-sysadmins-and-internet-explorer-6-make-the-net-unsafe/</link>
		<comments>http://techvirtuoso.com/2010/01/16/why-lazy-sysadmins-and-internet-explorer-6-make-the-net-unsafe/#comments</comments>
		<pubDate>Sat, 16 Jan 2010 16:14:32 +0000</pubDate>
		<dc:creator>Michael Stanclift</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[dep]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[ie6]]></category>
		<category><![CDATA[ie7]]></category>
		<category><![CDATA[ie8]]></category>
		<category><![CDATA[lazy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sysadmin]]></category>
		<category><![CDATA[vista]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[Windows 7]]></category>
		<category><![CDATA[xp]]></category>

		<guid isPermaLink="false">http://www.ntexec.com/?p=922</guid>
		<description><![CDATA[The number of businesses still using Internet Explorer 6 is painful to see. Coupled with the fact that all of them are on Windows XP or Windows 2000, it turns from pain into terror, especially when it comes to security. For a lot of system administrators, the reasons to stay outweigh the reasons to upgrade. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techvirtuoso.com/wp-content/uploads/2010/01/mw_ie6_03.gif"><img class="alignright size-thumbnail wp-image-925" style="margin-left: 10px; margin-right: 10px;" title="mw_ie6_03" src="http://www.ntexec.com/wp-content/uploads/2010/01/mw_ie6_03-150x150.gif" alt="" width="150" height="150" /></a>The number of businesses still using Internet Explorer 6 is painful to see. Coupled with the fact that all of them are on Windows XP or Windows 2000, it turns from pain into terror, especially when it comes to security.</p>
<p>For a lot of system administrators, the reasons to stay outweigh the reasons to upgrade. Websites that break, plugins that won&#8217;t load, old software that isn&#8217;t updated anymore. Trust me, I&#8217;ve been there. However, a lot of it boils down to lazy and poor practices of system administration.</p>
<p>Yes, you&#8217;re lazy and you&#8217;re bad at your job. Internet Explorer 6 was released in 2001. Yes, 2001, most of us don&#8217;t even drive cars that old, let alone unleash people on the &#8220;information superhighway&#8221; with a browser that old. It was designed at a time when security was not the issue it is today. It was designed to work on operating systems like <strong>Windows 98 and Windows ME. </strong>Would you let people use Windows ME on your network? No! So why are you letting them use a browser that was built for it?!<span id="more-922"></span></p>
<p>&#8220;But it&#8217;s not our fault, we don&#8217;t write the bad software, or the non-compliant websites.&#8221;</p>
<p>You&#8217;re right, you don&#8217;t. But you have the responsibility and the power to keep your network, and the rest of the Internet safe.</p>
<p>The replacement for IE6 has been out now for just under 4 years. Actually, the replacement for its replacement has been out almost a year. Meaning all you lazy administrators had <strong>two chances</strong> to migrate your systems over to an updated browser. Yes, you&#8217;re lazy. If you have applications that &#8220;require&#8221; Internet Explorer 6, the decision should have been made to dump them or upgrade them long ago. A line in the sand should have been drawn that said you were not willing to support such an old and insecure piece of software.</p>
<p>Why is this such a big deal? Because security threats targeting users of Internet Explorer 6 continue to threaten the security of the Internet, and of your own network. Just this week, Microsoft admitted that IE6 was one of the vectors used to attack companies like Google. Why is Google still using Internet Explorer 6? Or I guess a better question is, why is Google even using Internet Explorer at all, when they develop Chrome? Either way, it&#8217;s disappointing to see that a company like Google, who tends to be on the bleeding edge of updates, is doing something stupid like running an almost decade-old browser.</p>
<p>The most recent threat has no effect on users of Internet Explorer 7 or 8, even on Windows XP. Actually, Jonathan Ness over at <a href="http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx">MSRC Engineering</a> put together a nice little chart explaining what browsers and operating systems are at risk with the latest attack vector.</p>
<p><a href="http://techvirtuoso.com/wp-content/uploads/2010/01/table.png"><img class="size-full wp-image-924 alignnone" title="table" src="http://techvirtuoso.com/wp-content/uploads/2010/01/table.png" alt="" width="588" height="277" /></a></p>
<p>The short of it, if you&#8217;re still running Windows 2000 on workstations, you should be fired. If you&#8217;re running Windows XP and Internet Explorer 6, you should march into your CIO&#8217;s office on Monday and demand that you <em>at least </em>figure out how to migrate to Internet Explorer 7 ASAP, meanwhile worry that your network isn&#8217;t the next one to be attacked by these unpatched exploits. If you&#8217;re running Internet Explorer 7, you should turn DEP on to prevent future threats, or see if migrating to Internet Explorer 8 is possible.</p>
<p>But really, for the small group who has already migrated to Windows Vista or Windows 7, enjoy your weekend.</p>
<p>To all my fellow sysadmins out there: <strong>Stop being lazy, and start securing your networks.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2010/01/16/why-lazy-sysadmins-and-internet-explorer-6-make-the-net-unsafe/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>January &#039;Patch Tuesday&#039; to be very light on security</title>
		<link>http://techvirtuoso.com/2010/01/07/january-patch-tuesday-to-be-very-light-on-security/</link>
		<comments>http://techvirtuoso.com/2010/01/07/january-patch-tuesday-to-be-very-light-on-security/#comments</comments>
		<pubDate>Fri, 08 Jan 2010 01:21:31 +0000</pubDate>
		<dc:creator>Michael Stanclift</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[critical]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[vista]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[wsus]]></category>

		<guid isPermaLink="false">http://www.ntexec.com/?p=888</guid>
		<description><![CDATA[This patch Tuesday will be one of the lightest ones for security in recent memory. According to the Security Bulletin Advance Notification for this month, Microsoft will only be releasing one patch for Windows, and none for Internet Explorer or Office. The patch will be issued on Tuesday, January 12, and will be followed on [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techvirtuoso.com/wp-content/uploads/2010/01/security-computer2.jpg"><img class="alignright size-medium wp-image-889" title="security-computer2" src="http://www.ntexec.com/wp-content/uploads/2010/01/security-computer2-300x254.jpg" alt="" width="300" height="254" /></a>This patch Tuesday will be one of the lightest ones for security in recent memory. According to the <a href="http://www.microsoft.com/technet/security/bulletin/MS10-jan.mspx">Security Bulletin Advance Notification</a> for this month, Microsoft will only be releasing one patch for Windows, and none for Internet Explorer or Office. The patch will be issued on Tuesday, January 12, and will be followed on January 13 <a href="http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427677">by a 90 minute webcast</a> at 11:00 AM Pacific. In addition to the one patch for Windows, Microsoft will also release an updated version of the Malicious Software Removal Tool.</p>
<p>The patch is considered <strong>critical</strong> for Windows 2000 users, and <strong>low </strong>for all other versions, and relates to a remote code execution vulnerability. Affected operating system versions include every currently supported edition both on the client and server side:</p>
<ul>
<li>Windows 2000 Service Pack 4 [<em><span style="color: #ff0000;">Critical<span style="font-style: normal;"><span style="color: #000000;">]</span></span></span></em></li>
<li>Windows XP Service Pack 2 &amp; Service Pack 3</li>
<li>Windows XP x64 Edition Service Pack 2</li>
<li>Windows Server 2003 Service Pack 2 (32-bit, 64-bit &amp; Itanium)</li>
<li>Windows Vista Service Pack 1 &amp; Service Pack 2 (32-bit &amp; 64-bit)</li>
<li>Windows Server 2008 Service Pack 2 (32-bit, 64-bit &amp; Itanium &#8211; except Server Core installs)</li>
<li>Windows 7 (32-bit &amp; 64-bit)</li>
<li>Windows Server 2008 R2 (64-bit &amp; Itanium &#8211; except Server Core installs)</li>
</ul>
<p>Microsoft will still be releasing one or more non-security but high-priority updates through Windows Update and Windows Server Update Services, but has not yet disclosed details.</p>
]]></content:encoded>
			<wfw:commentRss>http://techvirtuoso.com/2010/01/07/january-patch-tuesday-to-be-very-light-on-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

