
Vol. 16, #46 - November 21, 2011 - Issue #855

Nightmare: Remembering 50 Or 60 Userid And Password Combos

  1. Editor's Corner    
    • Nightmare: Remembering 50 Or 60 Userid And Password Combos
    • The US Stop Online Piracy Act: A Primer
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. Webinars & Seminars
    • VIPRE Antivirus Business Product Demonstration - 12/6, 12/13
    • Free Desktop Virtualization Seminar
  4. Tech Briefing
    • Microsoft: We Won't Update Others' Windows Apps 
    • Top-Secret Google X Lab Rethinks The Future 
    • Warn Your Users: 4 Spear-Phishing Hooks For The Holidays
    • 11 Cool Robots You May Not Have Heard Of
  5. Windows Server News
    • Five Quick Links: Understanding Cloud Security Risks 
    • Overcoming Hyper-V Live Migration Limitations 
    • How Server Manager Will Impact Workflow In Windows Server 8
  6. Third Party News
    • For Small And Medium-Sized Firms, Ignorance Is Not Bliss
  7. WServerNews FAVE Links
    • This Week's Links We Like. Tips, Hints And Fun Stuff.
  8. WServerNews - Product of the Week
    • Centrify DirectAudit - Finally. A Better Way to Audit Activity on Any Server.

Finally. A Better Way to Audit Activity on Any Server.

Centrify DirectAudit records and replays privileged user sessions on UNIX, Linux and Windows. There's never been a better way to know if your IT contractors and outsourcer staff are solving problems or creating them.

Download Free Trial!
Editor's Corner

Nightmare: Remembering 50 Or 60 Userid And Password Combos

Hi All, I got this detailed feedback from a WServerNews subscriber and decided to print it in its entirety, because I thought you might find it interesting. I'd like your feedback on this idea, so please let me know what you think. Here goes:

"Hi Stu, regarding your recent password article. Many users use lots and lots of different computers on a daily basis, with many different login systems, passwords etc. Now I am fairly intelligent and have a good memory, but remembering 50 or 60 userid and password combinations is a nightmare.

Single user login is a good idea but it only works to a point. A better idea for IT security folk to consider is making the login process more standard. If the rules for secure passwords were standard then users could create a smaller password set that they could more easily remember. That way passwords could be remembered rather than committed to paper and security would be improved.

Why do some systems demand passwords less than 8 characters while others want more than 8? Some want an initial alpha and others want numeric. Some will not allow multiple uses of the same character and others will not allow dictionary words (how that helps is beyond me since words can be more easily memorized than random character sequences). It is crazy.

The most secure login systems I have come across use challenge devices based on the mag stripe, or chip-based, corporate ID card and a small device like a calculator. You put the card in the device and it demands a PIN (just like using a debit card). The device then generates an 8-digit number, which is your password for the session. The technology is complex but the use is simple and just requires the user to remember a 4-digit PIN and have their ID card to hand. They login with their name and the 8-digit response code. You cannot software hack the encryption system used in the process any more than you can hack SSL encryption, so security relies on the user having the physical ID card (which they likely have to use regularly to get into secure areas of the site) and knowing the associated PIN (which is the same level of secondary security that is good enough for bank transactions). If a user loses their ID card then a single adjustment to the challenge directory cancels it and issues a new one, without the need for IT to manually adjust every system.

It seems to me that IT needs to address the issues behind the complexity of multiple logins, different password standards, different expiry dates etc. We would not secure a house by putting password locks on every door and demanding different passwords for each, changed on different days of the month etc. Why do we do it for computer systems?

Question to ponder: is it more secure to have a single complex password that can be remembered, or several dozen more basic passwords that get written down (because of information overload)?

I don't personally have a problem remembering lots of information. Where I do have a problem is where that information changes every few weeks and is not easy to word-associate or use other memory tricks to help.

Some security "experts" consider that having "standards" defeats the security gained by having a unique login. Hence, when companies access IT systems of other companies as part of their daily work they encounter different security regimes. This shows how the problem is much more widespread than just working out a domain-based security system for a company. Perhaps it is time someone considered how to offer access security as an external service, like PayPal. Each computer system could have a list of valid ID numbers (like credit card numbers, unique around the world) and the login process could be a 2-part activity. First the ID number would be entered as the "user name" equivalent. If the number was valid for access to this system then the user would be passed to the external authentication service (just like PayPal) where a challenge/response process would be run using the ID number provided and the hardware I mentioned earlier. If the challenge / response succeeded then the authentication service would return an approval code to complete the login.

If we can do it for worldwide banking, why can we not do it for a worldwide IT login? Of course if you want to start a cloud venture as a login service provider then I would appreciate a cut of the profits.

It seemed to me to be a logical step to try to get a common login process across different computer systems; after all, the payment-by-proxy model works securely enough for PayPal so why not the same for login-by-proxy? Have a great day". -- Peter Aggus
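What Peter describes is a textbook challenge/response token login, and it is easier to weigh his "login-by-proxy" idea with the moving parts written out. The following is an added example in Python; it is not code from the letter, from this newsletter or from any vendor's product. It assumes details the letter does not give: the 8-digit response is an HMAC-SHA256 over a random challenge from the service, truncated to digits the way HOTP (RFC 4226) does it; the PIN is checked on the token itself and never transmitted; the "challenge directory" is an in-memory table from a globally unique ID number to that card's secret key; and the ID numbers and PINs are constructed for the demo. The login function is the two-part login from the letter: the relying system checks only that the ID number is valid for it, then hands off to the service.

```python
"""Challenge/response login with a PIN-unlocked token, modelled in software.
Added example, not the newsletter's or any vendor's code.  Assumed, not in the letter:
the 8-digit response is HMAC-SHA256(key, challenge) truncated HOTP-style (RFC 4226);
the PIN is checked on the token only; the ID numbers and PINs below are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

PIN_TRIES = 3          # assumed token lockout policy

def compute_response(key: bytes, challenge: bytes) -> str:
    """HMAC-SHA256, then HOTP dynamic truncation (31 bits at the offset in the last nibble)."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** 8:08d}"

class Token:
    """The calculator-like device: answers only for the right PIN and locks after PIN_TRIES."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._salt = key, secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)     # PIN stored hashed, never sent anywhere
        self._failures, self._locked = 0, False

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def respond(self, pin: str, challenge: bytes) -> Optional[str]:
        if self._locked:
            return None
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._failures += 1
            self._locked = self._failures >= PIN_TRIES
            return None
        self._failures = 0
        return compute_response(self._key, challenge)

class AuthService:
    """The external login-by-proxy service that owns the challenge directory."""
    def __init__(self):
        self._directory = {}   # id_number -> key, shared with that card's token alone
        self._pending = {}     # id_number -> the single outstanding challenge

    def enroll(self, id_number: str, pin: str) -> Token:
        self._directory[id_number] = secrets.token_bytes(32)
        return Token(self._directory[id_number], pin)

    def revoke(self, id_number: str) -> None:
        """Lost card: one change here and every relying system refuses it."""
        self._directory.pop(id_number, None)
        self._pending.pop(id_number, None)

    def challenge(self, id_number: str) -> Optional[bytes]:
        if id_number not in self._directory:
            return None
        self._pending[id_number] = secrets.token_bytes(16)
        return self._pending[id_number]

    def verify(self, id_number: str, response: Optional[str]) -> Optional[str]:
        """Approval code or None.  The challenge is consumed either way, so a captured
        response cannot be replayed.  (A real service would return a signed assertion.)"""
        key, chal = self._directory.get(id_number), self._pending.pop(id_number, None)
        if key is None or chal is None or response is None:
            return None
        if not hmac.compare_digest(compute_response(key, chal), response):
            return None
        return hashlib.sha256(b"approved|" + id_number.encode() + chal).hexdigest()[:16]

def login(system_ids: set, auth: AuthService, id_number: str, token: Token, pin: str) -> bool:
    """The letter's two-part login: local check of the ID number, then hand-off to the service."""
    if id_number not in system_ids:
        return False
    chal = auth.challenge(id_number)
    return chal is not None and auth.verify(id_number, token.respond(pin, chal)) is not None

def demo() -> dict:
    """The normal login plus the failure modes that matter in practice."""
    card = "4000123456789010"                      # constructed ID number
    auth = AuthService()
    token = auth.enroll(card, pin="4321")
    payroll_ids = {card}                           # IDs valid on this one system
    out = {"good_login": login(payroll_ids, auth, card, token, "4321"),
           "wrong_pin": login(payroll_ids, auth, card, token, "0000"),
           "unknown_id": login(payroll_ids, auth, "9999", token, "4321")}
    resp = token.respond("4321", auth.challenge(card))   # capture one valid response...
    out["replay_rejected"] = (auth.verify(card, resp) is not None
                              and auth.verify(card, resp) is None)
    auth.revoke(card)                              # ...then report the card lost
    out["after_revoke"] = login(payroll_ids, auth, card, token, "4321")
    spare = Token(secrets.token_bytes(32), "1234")
    for _ in range(PIN_TRIES): spare.respond("0000", b"c")   # three wrong PINs lock it for good
    out["locked_out"] = spare.respond("1234", b"c") is None
    return out

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {ok}")
```

Run it and demo() walks through the six checks. The points a practitioner would want to see are all in the failure paths: the service consumes each challenge whether or not the response matches, so a response captured off the wire fails on replay; the token, not the server, enforces the PIN and its lockout, so the PIN never crosses the network; and revoking a lost card is one deletion in the directory that every relying system sees on its next hand-off. Note what the scheme's strength actually rests on. It is not the cipher but the per-card key staying inside the token and the directory, a challenge that is random and single-use, and a lockout that stops a 4-digit PIN being guessed on a stolen card.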

Email me what you think about this idea at [email protected]

The US Stop Online Piracy Act: A Primer

You should be aware of this. People will start asking what you think about it.

"IDG News Service - The Stop Online Piracy Act, the subject of a hearing before the U.S. House of Representatives Judiciary Committee Wednesday, has generated heated debate since lawmakers introduced it on Oct. 26.

The bill, called SOPA, would allow the U.S. Department of Justice and copyright holders to seek court orders requiring online advertising networks, payment processors and other organizations to stop payments to websites and Web-based services accused of copyright infringement.

Supporters of SOPA argue that U.S. law enforcement officials need new tools to fight websites, particularly foreign sites, that sell infringing products, including music, movies, clothing and medicine. Some infringing products are dangerous; others cost U.S. companies billions of dollars a year, supporters say: 
http://www.wservernews.com/go/1321784789343 

Warm regards,
Stu Sjouwerman

Quote of the Week

"It is a wise man who said that there is no greater inequality than the equal treatment of unequals." - Felix Frankfurter

Warm regards, and thank you for being a WServerNews subscriber. No trees were killed in the sending of this message, but a large number of electrons were terribly inconvenienced. Please tell your friends about us. They can subscribe here:
http://www.wservernews.com/go/1307096257843

Stu Sjouwerman
email me: [email protected]

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

With Centrify's detailed recordings of privileged user sessions, you've got a better way to see if outsourced IT staff are acting like insiders or outsiders. View Demo:
http://www.wservernews.com/go/1321881031728

mPowerTools - an AD Admin essential!  200+ reports, bulk import/export, scheduling, GPO/File Share Reports. Eliminate scripting! ONLY $1,299 for limited time!
http://www.wservernews.com/go/1321881203737

Tired of your Active Directory management tools? Centralize and simplify all Windows and AD management without scripting.
http://www.wservernews.com/go/1321881271625

Orion IP Address Manager - Get detailed visibility into IP address space usage and prevent IP address conflicts from taking down network devices.           
http://www.wservernews.com/go/1321881343794

Did you know there is a very handy website that warns you when Redmond puts a new entry in their Knowledge Base, separated by the products you use?
http://www.wservernews.com/go/1321784890203

Free Service: Email Exposure Check. Find out which addresses of your organization are exposed on the Internet and are a phish-attack target:
http://www.wservernews.com/go/1321784906046

 

Webinars & Seminars

VIPRE Antivirus Business Product Demonstration - 12/6, 12/13

Looking for a security solution that doesn't slow you down? VIPRE Antivirus Business combines antivirus and anti-spyware technologies into one powerful security solution for total protection with low resource usage. New VIPRE features include scalable multisite tiering and role-based access control. Join us as we demonstrate the many features of VIPRE Antivirus Business.

Register today!

Dec 6 at 2pm ET:
http://www.wservernews.com/go/1321784999515

Dec 13 at 11am ET:
http://www.wservernews.com/go/1321785015062


Free Desktop Virtualization Seminar

Coming to a city near you, independent expert and desktop virtualization guru Brian Madden will update you on where the desktop virtualization market is in 2011, focusing on what's real and what's not. Spend just a few hours out of the office to take advantage of a live Q&A, peer networking opportunities and tons of valuable information.

Register today!
http://www.wservernews.com/go/1321785070734

 

Tech Briefing

Microsoft: We Won't Update Others' Windows Apps

Microsoft on Tuesday slammed the door on updating third-party software via Windows Update in the upcoming Windows 8. One security expert said the company was missing a big opportunity to improve the overall security of Windows PCs. The new operating system will not update non-Microsoft software, said Farzana Rahman, the group program manager for Windows Update, in a blog post:
http://www.wservernews.com/go/1321785146046

Top-Secret Google X Lab Rethinks The Future

Google is running a secret research lab in the San Francisco area where they're building robots and re-imagining the future, the New York Times reported yesterday. Read More:
http://www.wservernews.com/go/1321785184515

Warn Your Users: 4 Spear-Phishing Hooks For The Holidays

Expect some of the typical phishing lures to be cast this year, but more targeted 'spear-phishing' twists raise the potential for damage. The CSO website warned about this: "Cybercriminals are increasingly abandoning the technique of casting a wide net by blasting thousands of email accounts with a phishing scam. That's not nearly as lucrative as a spear-phishing attack, which might take more work, but has the potential for a much bigger payoff, according to Rohyt Belani, CEO of phishing-awareness-training company PhishMe.

"The kind of phishing attacks that are working now involve targeting specific employees at an organization," said Belani. "Every major breach we have heard about this year has been initiated by a targeted phishing attack, be it RSA, Epsilon, numerous defense contractors, Oak Ridge National Laboratory and on and on."

Here are the headlines, the details are in their story:

  1. "Kick off your holiday shopping with this 10% off coupon for any store at [your local mall]"
  2. "[Your company] thanks for your hard work this year and invites you to enter our holiday raffle"
  3. "A year-end inspection has turned up mold in offices in our building at [your work address]"
  4. "[Your company] is migrating its payroll system before the end of the year. Please enter your updated information to avoid interruption of your direct deposit."

More:
http://www.wservernews.com/go/1321785285421

11 Cool Robots You May Not Have Heard Of

What do Mars, the Terminator, an ostrich and hair-washing have to do with each other? Ask the robots: some of them, running artificial intelligence and complex software, are handling some pretty cool and in some cases dangerous missions for their human overlords. Here we have a mix of robots that have flown under the radar and some that you'll likely be hearing more about in the very near future:
http://www.wservernews.com/go/1321785325937

 

Windows Server News

Five Quick Links: Understanding Cloud Security Risks

Do the challenges of public or private cloud security outweigh the benefits? It's important to stay informed about existing security concerns, how your enterprise can avoid them and what security practices you should have in place. These five quick links will help you navigate the concerns surrounding cloud security and the basics of protecting your cloud. (RR)
http://www.wservernews.com/go/1321785426078

Overcoming Hyper-V Live Migration Limitations

With Windows Server 2008 R2, Microsoft lessened the feature gap between Hyper-V's Live Migration and competitors', but it still has some limitations. Thankfully, you can work around the shortcomings in Hyper-V Live Migration using Windows PowerShell cmdlets. Learn how in this expert tip: (RR)
http://www.wservernews.com/go/1321785470671

How Server Manager Will Impact Workflow In Windows Server 8

The Server Manager console has been completely redesigned in Windows Server 8. While this will have positive effects on productivity, it could also cause some headaches. Gain insight into the impact this console will have on your Windows Server 8 workflow in this popular tip: (RR)
http://www.wservernews.com/go/1321785512296

 

Third Party News

For Small And Medium-Sized Firms, Ignorance Is Not Bliss

Symantec Security Response recently did a survey with some very interesting results. They confirm what I have been saying here for a while now.

"Small and medium-sized businesses (SMBs) do not consider themselves targets of cyberattacks, and thus are not implementing safeguards to protect their information, a Symantec survey concludes. The survey of 1,900 firms found that half of SMBs think that because they are a small company, they are not in danger from cyberattacks.

"Most SMBs don't believe they would be targets of attacks, that it is something that would happen to large enterprises", said Kevin Haley with Symantec Security Response.

However, according to data from Symantec.cloud, since the beginning of 2010, 40% of all targeted attacks have been directed at companies with fewer than 500 employees, compared to only 28% directed at large enterprises.

Because SMBs do not see themselves as targets, many of them are failing to take basic precautions to protect their information, the survey found. While two-thirds restrict who has login information, 63% do not secure machines used for online banking and 9% do not take any additional precautions for online banking."

The only thing I can do here is quote a golden expression from our beloved Benjamin Franklin: "By failing to prepare, you are preparing to fail."
http://www.wservernews.com/go/1321785601531

 

WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

 

WServerNews - Product of the Week

Finally. A Better Way to Audit Activity on Any Server.