Archive for March, 2012

Critical Security Update for Adobe Flash Player

March 28, 2012

Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.

If it seems like you just updated Flash to fix security holes, it’s not your imagination. This is the third security update for Flash in the last six weeks. Flash Player v. 11.2 addresses a couple of flaws in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player and earlier versions for Android 3.x and 2.x. Adobe warns that these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

My previous posts on Flash updates have been accompanied by lengthy instructions about how to update the program. That’s in part because Adobe has traditionally deployed two separate installers for Windows based systems: One for Flash on Internet Explorer, and another for non-IE browsers. With the release of Flash Player 11.2, Adobe is introducing a new background update mechanism for Windows users that promises to take some of the pain out of updating.

Here’s how Adobe describes the updates to its updater:

The new Adobe Flash Player background updater updates all instances of a release version of Adobe Flash Player for all Web browsers on a computer. Previously, users had to perform separate updates for each Web browser running on their system.

With the introduction of the new background updater, Windows users have the option to download and install updates for Adobe Flash Player automatically (when available), without user interaction. After a successful installation of Adobe Flash Player 11.2, users are presented with a dialog box to choose an update method. The following three update options are available to users:

  • Install updates automatically when available (recommended)
  • Notify me when updates are available
  • Never check for updates (not recommended)

Additionally, the user can change his update preferences at any time via the Flash Player Settings Manager, which for Windows users can be accessed via the Control Panel > Flash Player. In the Flash Player Settings Manager, the update preferences can be found and selected in the “Advanced” tab under “Updates.”

Want to learn which version of Flash you have on your system? Visit this link. Updates are available via the Adobe Flash Player Download Center. Google’s Chrome browser usually auto-installs Flash updates, often before Adobe even publicizes them. But this is the second time Chrome has fallen behind on that front: My installation of Chrome still shows version 11,1,102,63.

Sadly, Adobe’s fancy new updater doesn’t go beyond Flash itself. If you have Adobe Air installed (that means you, Tweetdeck users), Air will need to be updated as well to accommodate these Flash fixes. For more on how to do that, see these instructions.


Set Up an Automated, Bulletproof File Back Up Solution

March 27, 2012

More and more, the fragments of your life exist as particles on a disk mounted inside your computer—disks susceptible to temperature changes, power surges, fire, theft, static, and just plain wear and tear. Hard drives fail. It’s a fact of computing life. It’s not a matter of whether your computer’s disk will stop working; it’s a matter of when. The question is how much it will disrupt your life—and it won’t, if you have a backup copy.
Backing up your data is the dullest but most indispensable thing you do on your computer. Here’s how to automate regular backups for your computer, both on-site (to an external hard drive or another computer), and off-site (to the internet). This system can even email you if something goes wrong, so it’s the ultimate set-it-and-forget-it situation. After you get this up and running, you’ll never have to worry about losing data again.

Local Backup vs. Online Backup, and Why You Should Have Both

Local external drive backups are great for quick recovery when you’ve accidentally deleted a file, or if your computer’s internal hard drive crashes. But what if your house burns down or gets burglarized, including your backup drive? Hurricane Katrina victims can tell you that no matter how diligently you back up your computer to a local hard drive, you will still lose your photos, documents, and other important files if you don’t keep a copy off-site, preferably out of state. Some users keep an extra hard drive with a copy of their important files at the office or at their mother’s house in case of theft or fire. But that requires manually transporting your hard drive back and forth on a regular basis, and you want to set it and forget it.

What You Need

  • A Windows, Mac, or Linux PC
  • CrashPlan: Available as a free download for all three platforms.
  • An external hard drive or second computer for local backup. You can either purchase an external hard drive to back up to or use CrashPlan to back up your files to another computer on your local network. When deciding capacity, go for 10 times the amount of data you want to back up. For example, if the size of your My Documents folder is 10GB, then look to purchase a 100GB hard drive. (If a drive the size you need isn’t available, calculate the size of your home directory without space-hogging subdirectories, such as My Music, My Videos, and My Pictures. You have the option to reduce the number of copies you keep of those large files to save space.)
  • A CrashPlan+ account for off-site backups. In addition to local backups, CrashPlan can also back up your files off-site to their servers (which they call CrashPlan Central). As of this writing, unlimited backup at CrashPlan costs $5 per month per computer, or $10 per month for a household of two to ten computers (if you pay for a year in advance). You can compare your CrashPlan options here. You don’t strictly have to pay for CrashPlan+ (you can still back up off-site to a friend’s computer), but I’d strongly recommend doing so for your off-site backups.

Note: As we’ve pointed out before, there is no shortage of tools available offering unlimited off-site backups. Having examined the options myself, CrashPlan’s my favorite tool for the job. $10/month will give you unlimited backup for a whopping 10 computers, which is a better price than a lot of services offer for one computer. I actually went ahead and bought four years, which brings the price down to an extremely reasonable $6/month.

Configure Your Backup System

The first time you install the CrashPlan software, you also need to register for an account. (You have to register whether or not you’re going to pay for off-site backup with CrashPlan+.)

Choose the Files and Folders You Want to Back Up

After you register, the software scans your system, suggests which directories it should back up, and lets you know how much space those files will use in the Files section of CrashPlan’s Backup window. If you don’t want to go with CrashPlan’s suggestions, you can manually choose which files and folders it backs up. To do so, click the Change button.

Choose Your Backup Destinations

You have four Destination options to which you can back up your files, all of which are accessible through the Destinations tab in the CrashPlan desktop application. You can back up your files to any combination of those destinations. You can choose simply to use CrashPlan to back up files to an external hard drive (choose the Folders option), to another computer on your home network (choose Computers), to a friend’s computer over the Internet (choose Friends), or to CrashPlan’s servers (choose Online). CrashPlan is completely free to use with every destination but Online, which requires a paid CrashPlan+ account. To achieve both on-site and off-site backups, you should strongly consider backing up to a local drive and to CrashPlan’s servers with a paid CrashPlan+ account.

Tip: If you don’t want to pay for your off-site backups, CrashPlan has a clever trick up its sleeve: It enables you to back up to a friend’s computer across the internet. Your friend needs CrashPlan installed and hard drive space to accommodate you, but it’s a handy option if you’re not backing up a lot of files.
Choosing your backup destinations is simple: Click the Destinations tab, click the type of destination you want to set up, and point CrashPlan to the appropriate hard drive, folder, computer, or CrashPlan+ account you’re setting up.

Set Your Preferences

CrashPlan’s Settings also contain preferences for your automatic backup schedule. By default, CrashPlan backs up files every 15 minutes, so you’re always backed up (you can change it to as often as every 1 minute). You may prefer to schedule your backups less often, for example only when you’re away from your computer or not using the Internet. You can adjust the settings by following these steps:

  1. Click the Backup tab.
  2. Select Between Specified Times from the Backup Will Run drop-down menu.
  3. Set your preferred backup times. From the Settings panel, you can also adjust how it should notify you and how much bandwidth and computer power it should use to get its job done.
  4. After you configure CrashPlan’s Settings the way you want, click the Save button.

Start Your Backup

After you configure CrashPlan to your liking, click the Backup tab, and click the Start Backup button; then click the Start button to the left of the progress bar. (It looks like a Play button.) Your first backup can take a long time depending on how much data you back up and, if you back up off-site, how fast your Internet connection is. On a laptop, CrashPlan estimates it will take days to complete a backup to CrashPlan’s servers. For a local backup, it’ll take just a few hours.

CrashPlan does differential—or incremental—backups; that is, it backs up only portions of your files that have changed since the last time they were backed up, so while your initial backup may take a long time, subsequent backups will take significantly less time, so don’t let the first backup discourage you.

What a CrashPlan+ Account Adds to Your Backup Plan

The main benefit of a paid CrashPlan account is that it’s a reliable, off-site storage option. If someone stole both your laptop and your external drive, for example, you could still recover all your backed up files from CrashPlan’s servers. As mentioned above, CrashPlan does allow you to back up to a friend’s computer (provided that friend is also running CrashPlan on her computer); while that’s better than no off-site backup, it’s not as solid as using CrashPlan’s servers.

CrashPlan’s backup process encrypts the files on your computer using either an encryption key it chooses or your own private key. CrashPlan uses stronger encryption algorithms with its paid accounts than with its free account (though both are encrypted), so you don’t have to worry about anyone intercepting your files when they’re transferred over the Internet.

If you delete a file on your computer, CrashPlan marks it as deleted on their servers but holds onto a copy on its side forever—unless you tell it not to. That way, you can recover a deleted file no matter how much time has passed.
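To make the two behaviours just described concrete, here is an added example, written for this post and not CrashPlan’s own code: a minimal incremental backup that copies only files whose contents changed since the last run, and that keeps a file in the backup after it disappears from the source, merely flagging it as deleted so it can still be restored. It assumes a JSON manifest of SHA-256 digests kept in the destination folder, and it keeps only the latest copy of each file rather than a version history; all paths, file names and contents in the demo are constructed.

```python
"""Added example (not CrashPlan's code): incremental backup with deletion retention.
Assumed layout: <dest>/manifest.json records one entry per backed-up file with its
SHA-256 and a 'deleted' flag; the copies live under <dest>/files/."""

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(dest: Path) -> dict:
    mpath = Path(dest) / MANIFEST
    return json.loads(mpath.read_text()) if mpath.exists() else {}


def incremental_backup(src: Path, dest: Path) -> dict:
    """Copy new or changed files from src into dest and flag files that vanished.
    Returns a summary of what happened on this run."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = load_manifest(dest)
    seen = set()
    summary = {"copied": [], "unchanged": [], "deleted": []}

    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        seen.add(rel)
        digest = sha256_of(path)
        entry = manifest.get(rel)
        if entry and entry["sha256"] == digest and not entry["deleted"]:
            summary["unchanged"].append(rel)      # same content as last time: skip
            continue
        target = dest / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = {"sha256": digest, "deleted": False}
        summary["copied"].append(rel)

    # Files gone from the source stay on disk in dest; only the flag changes.
    for rel, entry in manifest.items():
        if rel not in seen and not entry["deleted"]:
            entry["deleted"] = True
            summary["deleted"].append(rel)

    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return summary


def restore_file(dest: Path, rel: str, to: Path) -> Path:
    """Copy one backed-up file (deleted ones included) back out to <to>/<rel>."""
    if rel not in load_manifest(dest):
        raise FileNotFoundError(f"{rel} was never backed up")
    target = Path(to) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(Path(dest) / "files" / rel, target)
    return target


def demo() -> dict:
    """Run a three-pass scenario on constructed files in a temp dir and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "docs"), Path(tmp, "backup")
        (src / "photos").mkdir(parents=True)
        (src / "notes.txt").write_text("first draft")              # constructed
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8constructed")
        first = incremental_backup(src, dest)
        (src / "notes.txt").write_text("second draft")             # changed file
        (src / "photos" / "cat.jpg").unlink()                      # deleted file
        second = incremental_backup(src, dest)
        third = incremental_backup(src, dest)                      # nothing to do
        restored = restore_file(dest, "photos/cat.jpg", Path(tmp, "restore"))
        return {"first": first, "second": second, "third": third,
                "deleted_copy_kept": (dest / "files" / "photos" / "cat.jpg").exists(),
                "restored_ok": restored.read_bytes() == b"\xff\xd8constructed"}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the three summaries: the first pass copies both files, the second copies only the edited document and flags the removed photo, the third copies nothing, and the flagged photo can still be restored afterwards.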

Restore Files Backed Up with CrashPlan

After you complete at least one backup with CrashPlan, you can restore files copied to its servers or to your other backup destinations in one of three ways:

  1. Open the CrashPlan software on your computer, click the Restore tab, select the backup destination you want to restore from, and pick and choose the files you want to copy back to your system from your backups. Click the Restore button.
  2. On the CrashPlan website, from the My Account page, click on Computers, and then click the Restore button next to the computer you want to restore files on. You can browse your backup, tick the check box next to files you want to restore, and then click Restore.
  3. If you’re not using the computer with the CrashPlan software installed, you can download the restored files as a ZIP archive. This feature is only available for paid CrashPlan accounts.

For a detailed guide to all the ins and outs of CrashPlan, see the official CrashPlan documentation.

My CrashPlan Setup

As mentioned at the start of this guide, CrashPlan is far from your only option for backing up your files. Aside from some of the other unlimited backup tools, many people are perfectly happy backing up only their most important files using the popular sync-and-then-some tool Dropbox. It’s really a matter of preference.

With my laptop, for example, I use Dropbox for important documents in addition to CrashPlan (maybe I’m a bit of a redundancy nut). Using CrashPlan, I back up to a Windows desktop on my network as well as to CrashPlan’s servers with a CrashPlan+ unlimited account. The local backup (to my Windows computer) happens very regularly while I’m on my home network—something like every couple of minutes, which is reassuring. I’ve set my off-site backups to CrashPlan’s servers to run whenever my laptop is idle for 15 minutes. If you wanted, however, you could set CrashPlan to send backups as often as once per minute. I don’t do this because I’ve got Dropbox there for more instantaneous backups.

The upshot: I have very few worries about losing an important (or, frankly, not that important) file. It takes a little time, effort, and yes, occasionally some money to set up, but for me, the peace of mind is very worth it.

How to Speed Up, Clean Up, and Revive Your Mac

March 27, 2012

The weather’s turning warmer in our neck of the woods, which means it’s time to start thinking about spring cleaning. While you’re emptying your closets, decluttering, and getting rid of the bloat in your life, why not do the same for your Mac? Here are some simple, easy to follow tips to give your trusted Mac a little spring cleaning of its own.

Clean It Out

Let’s start with the outside of your system. Turn it off, unplug everything, and move it out from where you normally have it set up. Give the area around your Mac, whether it’s an iMac on your desk or a Mac Pro under your desk, a good cleaning—there’s probably dust and grime built up around it. Apple has specific guidelines for cleaning your gear, and while each system is a little different, it’s always a safe bet to take a microfiber cloth to the surface of your device to wipe away the dust and any smudges or oils that may be lingering on your screen or case. Apple suggests a damp, lint-free cloth to do the job, but even a dry microfiber cloth will get the job done—especially on displays and screens where you absolutely don’t want to use harsh chemicals of any kind.

Even though it’s not officially recommended by Apple, a little compressed air will go a long way towards getting the dust out of the cracks, crevices, and exhaust vents. If you have a Mac Pro, you can crack the case open and attack the inside with the same cloth and compressed air, but be careful—if you have an AppleCare Protection Plan, opening the case will void your warranty.

If your case or keyboard is seriously gunky, we highly recommend attacking the filth with a Mr Clean Magic Eraser, but keep in mind that they—and other melamine sponges—are slightly abrasive: they will rub away grease and dirt, but if you keep scrubbing you can wear away the top layer of the finish as well.

Tame Your Cable Clutter

Before you set your Mac back up, go ahead and take some time to tame the cable clutter that may have accumulated under your desk over months of use. Now is a good time to learn how to organize those cables so they don’t take up so much space, or order some velcro cable ties, twist ties, or zip ties to help you keep everything coming out of the back of your computer neat and tidy, and maybe even label them with milk jug labels or bread tags. If it’s really bad, you can always repurpose a rain gutter, use a flower pot, or find another container to keep the cables and their slack out of sight.

Get Up to Date

If you’re setting some time aside to tidy up your Mac for the spring, the first thing you’ll want to do is make sure you have all of the latest patches, security updates, and application updates available via Software Update. If you’re running a really old version of Mac OS and you’ve been thinking about upgrading, there’s no time like the present to get on board with OS 10.7 “Lion.” OS X 10.8 “Mountain Lion” is coming this summer, but you’ll probably have to have Lion in order to upgrade, so unless you don’t plan on upgrading past Snow Leopard, it’s worth considering. Even if you stick to Snow Leopard, or newer versions of Mac OS aren’t supported on your hardware, it’s worth using Software Update to make sure your system is as up to date as it can be.

Uninstall Unnecessary Apps

After you’ve made sure your system is all up to date, it’s time to dig into your Applications folder and start uninstalling programs that you know you no longer need. In most cases, uninstalling a Mac app is as simple as dragging the app to the trash, but doing just that can leave orphaned preference files from those uninstalled apps on your computer. We’d suggest using an actual uninstaller, like our current favorite, AppCleaner, which is completely free. If you’re willing to spend some coin ($13, to be exact), AppZapper has a prettier UI and a few more options, but in the end they both do the same thing. If you use one of these apps to remove those unwanted programs from your system, you can be sure you’re getting rid of all of their associated files as well. Finally, head into System Preferences, click on Accounts, and clean out the Login Items tab of any applications that you don’t want to run on startup. Sometimes even uninstalled apps leave entries behind, and it’s a good idea to tidy up your startup items anyway.

Reclaim Hard Drive Space

If you’ve been following along, you’ve cleaned up your Mac on the outside, your Mac is up to date, and you’ve uninstalled the programs you no longer use or need on your system. Now it’s time to finish cleaning your Mac up on the inside and get back the hard drive space that’s probably being wasted by old VirtualBox images, video game screenshots, or other assorted files you didn’t know were lurking on your system.

The venerable Disk Inventory X is a great tool that will scan your drives and show you what’s eating up all of your space in an easy to understand view, and it’s completely free. Alternatively, $10, if you have it to spend, will buy you a copy of Daisy Disk, an app that many of you preferred because it allows you to not just see the contents of your drive in multiple views, but go ahead and delete, compress, and organize your drive quickly—and automatically, without you having to lift a finger. Just make sure you empty your trash when you’re through with everything to really get the space back.

Do Some Maintenance and Optimize Your System

Now that you’ve cleaned out the mess from your Mac, it’s time to give OS X a little TLC. Head into Disk Utility and click “Verify Disk.” It shouldn’t take too long, and if you see any errors, wait for it to finish and click “Repair Disk.” It’s always a good idea to verify your disk every few months, just to make sure you’re not missing some creeping issue with your hard drive or your OS X installation. You may also notice that you can verify or repair disk permissions. It doesn’t hurt if you do it, but whether or not it’s actually useful as a troubleshooting step is hotly debated. All-things-Mac writer John Gruber says it’s voodoo, and honestly, he’s right—it’s not very useful for regular troubleshooting. However, Dwight Silverman says it’s saved his bacon, although he had to dig deeper to fix his issue. Apple still recommends repairing permissions for specific issues and references it in its knowledge base. Your mileage may vary.

Beyond Disk Utility, you may also want to look into a system optimization utility like Onyx, our favorite system cleaner for Mac. Alternatively, previously mentioned cleaning utility iBoostUp does a great job of tidying up your system, as does the newly released CCleaner for Mac.

Back Up Your Refreshed Mac

These steps are all well and good to keep your Mac running smoothly, and even for periodic cleanups like these to get everything back in top shape. That said, they’re all but wasted if you’re not backing up your system. If you need help getting started, here’s how to set up a bulletproof backup system using our favorite tool, CrashPlan. I use it personally to keep both my Mac and Windows systems backed up, and once it’s set up, it really is fire and forget—and you get to sleep at night knowing all of your data is safely backed up to another computer, external drives, or—if you have the money to spend—an offsite location.

You may also consider taking a disk image of your freshly tidied Mac in case you need to restore later after a hard drive upgrade or replacement. You can do this in Disk Utility, but our favorite Disk Cloning tool for Mac is Carbon Copy Cloner, which is a bit more robust and reliable.

That’s all there is to it. Macs usually don’t need much in the way of maintenance, but they can definitely use some cleanup from time to time, especially after heavy use. Apple doesn’t ship too much in the way of tweaking or optimization tools for your Mac, but there are plenty out there for all versions of Mac OS, so don’t be shy when it comes to giving your ailing Mac a tune-up. After all, it’s spring, and now’s the perfect time to declutter and clean up your Mac as well as the rest of your life.
Do you have any spring cleaning tips that we left out? Share your tips—and suggestions—in the comments below.

New Java Attack Rolled into Exploit Packs

March 27, 2012

If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.

The exploit targets a bug in Java (CVE-2012-0507) that effectively allows an attacker to bypass Java’s sandbox, a mechanism built into the ubiquitous software that is designed partly to blunt attacks from malicious code. Microsoft’s Malware Protection Center warned last week that new malware samples were surfacing which proved highly effective at exploiting the flaw. Microsoft says the samples it saw loaded the ZeuS Trojan, but thieves can use such attacks to install malware of their choosing.

According to posts on several underground carding forums, the exploit has now been automatically rolled out to miscreants armed with BlackHole, by far the most widely used exploit pack. An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed, and Java is almost universally the most successful method of compromise across all exploit kits.

According to software giant Oracle, Java is deployed across more than 3 billion systems worldwide. But the truth is that many people who have this powerful program installed simply do not need it, or only need it for very specific uses. I’ve repeatedly encouraged readers to uninstall this program, not only because of the constant updating it requires, but also because there seems to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.

Case in point: On at least two Underweb forums, there are discussions among several core members about the sale and availability of an exploit for an as-yet unpatched critical flaw in Java. I have not seen firsthand evidence that proves this 0day exploit exists, but it appears that money is changing hands for said code.

If you do not need Java, junk it; you can always re-install it later if you need to. If you need Java for a specific Web site, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

The latest Java versions (which patch the CVE-2012-0507 hole) are Java Version 6 Update 31 and Java 7 Update 3, released on Feb. 15, 2012. Please note that if you disable the Java plugin from a browser, the next time you update the program, you may need to disable it again, as Java tends to re-enable itself with every security update.

Rogue anti-spyware programs

March 22, 2012

First seen in December 2010, Security Shield has since continued to have strong distribution through 2011 and into 2012. Recently rebranded as Security Shield 2012, the Security Shield computer infection is one of the longest running rogue campaigns that use the same name and belong to the same family. The only other rogue that has had a longer distribution was Security Tool, which lasted for about 18 months.

Security Shield 2012 Screen Shot

It is important to note that when we call a program a rogue, we are referring to one that is an actual computer infection and not one that is just misleading or does a bad job cleaning. These infections display the typical fake alert and scan results, but also take your computer hostage, change system settings, terminate processes, create fake files, or are installed by malware. Security Shield is one of these types of infections, as it is bundled with other malware, displays false alerts and false scan results, terminates processes, and hijacks Internet Explorer.

Rogue anti-spyware programs are normally broken up into families, with each rogue in the family essentially being the same program but with a different user interface and name. Security Shield is part of the Rogue.WinWebSec family of rogues that includes other heavy hitters such as Security Tool, System Tool, and MS Removal Tool. With over 760 rogues cataloged in our virus removal section, we have learned that you can determine how strongly a particular rogue is being distributed by the amount of views that the particular rogue’s removal guide receives. In terms of total views, the Rogue.WinWebSec family is by far the most prolific with a total of 5,795,128 views for this family. The second largest are the rogues that are part of the Rogue.FakeXPA, which includes XP Antivirus, that have 4,429,320 combined guide views.

Though Security Shield is not the largest campaign from this family by any means, it still has had a strong distribution with over 600 thousand views of its removal guide. As you can see from the list below, this rogue family typically releases one heavy hitter every 6 months to a year, which gets large distribution. The family then releases a couple more variants throughout the same year, which do not get nearly the same amount of play.
Security Shield’s largest distribution was when it was first released in December 2010. Then from March 2011 through December 2011 there was a lull in distribution. In January of this year, though, we are seeing a large increase in search queries related to this rogue, which has now been rebranded as Security Shield 2012. The amount of page views for the Security Shield removal guide has also increased dramatically here at BleepingComputer, which corroborates what we are seeing in the Google Trends chart for the search phrase “Security Shield”.

Google Trends Chart for the Security Shield Search Phrase

Even though Smart Fortress 2012, the latest Rogue.WinWebSec variant, is still being promoted, it appears that the developers behind this family are continuing to strongly push Security Shield. Whether they will continue to distribute Security Shield is unknown at this point. What we do know is that rogue anti-spyware programs are making a comeback and are unfortunately here to stay. They are just much too profitable for the criminals to abandon this type of cybercrime.

To protect yourself, make sure you never click on pop-ups stating that you are infected, have all your Windows updates installed, and make sure all your computer programs are up-to-date by using a program like Secunia PSI. Just these three steps will dramatically reduce your exposure to these types of infections.

Mozilla will start Firefox silent updates in June

March 16, 2012

Mozilla yesterday reiterated that it’s still working on silent updates for Firefox, and said it should have the Chrome-like service in place by early June. In a sweeping summary of 2011’s accomplishments and an outline of plans for 2012, Robert Nyman, a Mozilla technical evangelist, listed silent updates as one the projects the company will finish this year. “Updates will now be downloaded and installed silently in the background,” wrote Nyman in a Wednesday post to the Hacks Mozilla blog. “Silent updates are currently planned to land in Firefox 13.”

Mozilla unloads a Firefox upgrade every six weeks — it launched Firefox 11 just two days ago — and has Firefox 13’s release on the calendar for June 5, 2012.

Full story at Computerworld here:


New study: Passwords are still the weakest link

March 15, 2012

The latest review of security issues and trends is out, and we’re sorry to say, folks: The rampant use of weak passwords still presents a serious security problem to end users and companies alike.

The recently-published Trustwave 2012 Global Security Report details the current threats to user data and identifies the vulnerabilities that persist within organizations. The statistics were generated from their investigation of about 300 breaches across 18 countries. They also analyzed the usage and weakness trends of more than 2 million real-world passwords used within corporate information systems. The verdict? After an initial foothold in a system (via malware and other threat vectors), 80% of security incidents were due to the use of weak administrative passwords.

Yes, that’s correct: 80 percent. From weak passwords.

“The use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation,” the report comments. “This is true for both large and small organizations, and largely due to poor administration.”

They found that writing down passwords is still prevalent in the workplace, particularly in organizations that implement complexity requirements, password expiration cycles, and password histories to prevent recycling of old passwords. While these policies are often implemented to improve password management, the reality is that increasing password complexity directly corresponds with a decrease in memorability, hence the insecure practice of writing down passwords. The report found that in 15% of the security tests performed, written passwords were found on or around user work stations.

What’s even more astonishing is that rather than find a tool that can help with the password problem, users are getting creative in overriding the policies meant to enforce the use of strong passwords. They exploit loopholes such as:

  • Setting usernames as the password when complexity requirements aren’t forced
  • Adding simple variations to fit complexity requirements, such as capitalizing a letter and adding an exclamation point to the end
  • Using dictionary words or applying simple modifications

Default and shared passwords are also a massive point of failure. Companies assign poor default passwords such as “changeme” and “welcome” but don’t later enforce an update of those defaults. Applications and devices that are shipped or installed by default on company systems also utilize default passwords that are rarely modified, a particularly dangerous situation for applications accessible from the Internet. The result: they found a proliferation of simple combinations such as “administrator:password”, “guest:guest”, and “admin:admin”.

In another alarming example, the report highlights Active Directory’s policy of password complexity, which states that a password is required to have a minimum of eight characters and three of the five character types (Lower Case, Upper Case, Numbers, Special, Unicode). Guess what meets those requirements? “Password1”, “Password2”, and “Password3”, the first being the most widely used across the pool of two million passwords studied in the report.

The top 10 passwords identified by the study were:

  1. Password1
  2. welcome
  3. password
  4. Welcome1
  5. welcome1
  6. Password2
  7. 123456
  8. Password01
  9. Password3
  10. P@ssw0rd

Variations of “password” made up about 5% of passwords and 1.3% used “welcome” in some form.
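To make the complexity-versus-strength gap concrete, here is an added example (not from the Trustwave report or the LastPass post) that implements the Active Directory rule quoted above (at least eight characters, at least three of the five character classes) and then applies the checks a password filter actually needs to catch the loopholes the post lists: the username used as the password, a dictionary word with a capital letter or a trailing digit or punctuation mark, and leetspeak substitutions. The top-10 list is the one printed above; the base-word list, the leet substitution table and the sample username are constructed for the example.

```python
"""AD-style complexity check versus a denylist/normalization check.

Added example. The complexity rule follows the description in the post;
it is an approximation of Active Directory's filter, not AD's own code.
"""
import re
from typing import List, Set

# Top 10 passwords from the Trustwave 2012 report, as listed in the post.
TOP10 = ["Password1", "welcome", "password", "Welcome1", "welcome1",
         "Password2", "123456", "Password01", "Password3", "P@ssw0rd"]

# Constructed base-word list. A real filter would load a large
# breach-derived denylist here instead of a handful of words.
BASE_WORDS = {"password", "welcome", "changeme", "admin", "guest"}

# Leetspeak substitutions undone before comparing against BASE_WORDS
# (constructed table; "P@ssw0rd" becomes "password").
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "$": "s", "!": "i"})


def ad_complexity_ok(pw: str) -> bool:
    """Minimum of eight characters and three of five classes
    (lower, upper, digit, special, non-ASCII), as the post describes."""
    if len(pw) < 8:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(ord(c) < 128 and not c.isalnum() for c in pw),  # ASCII punctuation
        any(ord(c) > 127 for c in pw),                       # "Unicode" class
    ]
    return sum(classes) >= 3


def stems(pw: str) -> Set[str]:
    """Strip the trivial variations the post lists: case, leetspeak,
    and digits/punctuation tacked onto either end."""
    low = pw.lower()
    return {re.sub(r"^[^a-z]+|[^a-z]+$", "", cand)
            for cand in (low, low.translate(LEET))}


def weak_reasons(pw: str, username: str = "") -> List[str]:
    """Every reason the password should be rejected; empty means it passed."""
    reasons = []
    if pw in TOP10:
        reasons.append("in top-10 list")
    if username and username.lower() in pw.lower():
        reasons.append("contains username")
    hits = stems(pw) & BASE_WORDS
    if hits:
        reasons.append(f"dictionary word '{sorted(hits)[0]}' with simple variation")
    if not ad_complexity_ok(pw):
        reasons.append("fails AD complexity")
    return reasons


def top10_passing_complexity() -> int:
    """How many of the report's top 10 satisfy the complexity rule alone."""
    return sum(ad_complexity_ok(p) for p in TOP10)


if __name__ == "__main__":
    print(f"{top10_passing_complexity()} of {len(TOP10)} top-10 passwords pass AD complexity")
    for p in TOP10:
        print(f"{p:12} complexity={'ok ' if ad_complexity_ok(p) else 'NO '} "
              f"rejected for: {', '.join(weak_reasons(p))}")
    print("jsmith2012! for user jsmith:", weak_reasons("jsmith2012!", "jsmith"))
```

Run as written, the script shows that six of the ten most common passwords in the study satisfy the complexity rule, while the normalization and denylist checks reject all ten. The takeaway for policy design is the one the post makes: character-class rules shape how people mangle a dictionary word, not whether they use one, so a filter that normalizes and compares against known-bad words does far more than raising the class count.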

Other keywords included:

In some ways, we’re impressed by the creative effort people put into avoiding strong passwords while still operating within the “complexity requirements” imposed on them.

However, moving forward into 2012 and beyond, it’s clear there are steps both end users and businesses should be taking to change their password habits, prioritizing:

  • Education of employees on basic security practices
  • Tracking of company data and pinning it to an individual every time
  • Standardizing implementation across all platforms and devices

and, most importantly:

  • The implementation of a password management tool that makes it easy to maintain high security standards.

For as long as we force people to create their passwords and remember them, we’ll be stuck with bad passwords. Recognizing the prolific use of poor passwords is one thing – empowering people to act on these recommendations, in a way that doesn’t inconvenience them or tax their memory, is the true source of change. Only with password management solutions like LastPass and LastPass Enterprise will we enable people to follow best security practices.


The LastPass Team

Posted in Uncategorized | Leave a Comment »

If you use Avast’s Antivirus software you should be aware!!!

March 15, 2012

by BrianKrebs

The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast’s customer support.

A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support contracts.

Adam Riley, Avast’s third party support manager, wrote in a post on the company’s blog that “during the past week or so, we have received some complaints and it appears that some of our customers are being targeted by a new scam. Luckily only a handful of customers have contacted us regarding this so far, but they report receiving phone calls from ‘Avast customer service’ reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege.”

I’d first heard about the issue when a reader wrote in to say he’d received complaints from his clients about calls from someone claiming to represent Microsoft and requesting remote access to user computers to help troubleshoot computer problems.

I decided to investigate iYogi myself, and created a fresh installation of Windows XP on my Mac, using the free virtual machine from Virtualbox. I wanted to see whether I, too, would receive follow-up sales pitches. I also wanted to see for myself if there was anything to the claims on Avast’s user forum that iYogi was using support requests to push expensive “maintenance and support” packages.

A call to the support number listed on Avast’s site put me through to a technician named Kishore Chinni; I told Mr. Chinni that I had just installed a copy of Avast, but that I couldn’t be certain it was updating correctly. He asked for a phone number and an email address, and then said the first thing he needed to do was take remote control over my system. He directed me to use Internet Explorer to visit a Web site that requested permission to install two ActiveX add-ons. Those add-ons installed a remote control client called Bomgar Support.

Chinni asked if I had previously installed any antivirus software, and I said I wasn’t sure (I hadn’t). He then fired up the Windows Registry Editor (regedit), poked around some entries, and then opened up the Windows System Configuration Utility (msconfig) and the Windows Event Viewer. Chinni somberly read aloud a few of the entries in the event viewer marked with yellow exclamation points, saying they were signs that my computer could have a problem. He then switched over to the “services” panel of the system configuration tool and noted that the “manufacturer” listing next to avast! antivirus read “unknown.”

“When it says unknown like that, these are warnings that there could be an infection running on the computer,” Chinni explained. He proceeded to install an iYogi “tune up” tool called PCDiagnostics, which took about 60 seconds to complete a scan of my system. The results showed that my brand new installation of Windows had earned a 73% score, and that it had detected 17 registry errors and a problem with Windows Update (this was unlikely, as I had already enabled Windows Update and Automatic Updates before I made the support call, and had installed all available security patches). Chinni explained that the “antispyware” warning generated by the PCDiagnostics scan was an indication that a previously installed security software program had not been cleanly removed and was probably causing problems with my computer.

He said another technician could help me with these problems if I wanted. When I inquired whether it would be free, Chinni told me that the company sells support packages for one- to three-year durations, and that the starting price for a support package was $169.99.

I politely declined the offer, but said he still hadn’t helped me resolve the question that prompted my support call: Was Avast updating correctly? Here’s what he told me:

“Avast is going to take time. It’s going to take one week’s time to update. There is a problem on the Avast itself. The reason is there is a problem on the Avast free. If you [garbled] the free, you wait a week for the updates. If you pay for it, it can be done.”

I’ve frequently recommended AVAST! antivirus software to those seeking a free alternative. But I can’t understand why a company like this would risk its reputation by partnering with a support organization whose sales tactics are practically indistinguishable from those employed by peddlers of fake antivirus software or “scareware.” What’s more, iYogi’s implied response to my initial support request was to inform me that Avast’s free software wasn’t working, and that in order to be fully protected against the latest malware threats, I needed to upgrade to the paid version of the software.

Update March 15, 8:36 a.m. ET: A previous version of this story incorrectly stated that iYogi also provides official third party support for AVG.

Update, March 15, 10:34 a.m. ET: Citing my investigation, Avast CEO Vincent Steckler just posted a blog entry saying Avast will suspend its support relationship with iYogi.


Adobe Patches Critical Flash Flaws

March 5, 2012

For the second time in less than a month, Adobe has issued an update to fix dangerous flaws in its Flash Player software. The patch addresses two vulnerabilities rated “critical,” but Adobe says it is not aware of active attacks against either flaw.

The fixes being released today address a pair of critical bugs that are present in Adobe Flash Player and earlier versions for Windows, Mac, Linux and Solaris, Flash Player v earlier versions for Android 4.x, and Flash Player and earlier versions for Android 3.x and 2.x. Adobe says both flaws in today’s release were reported by Google security researchers.

For Windows, Mac, Linux and Solaris users, the newest version is, and is available through the Player Download Center. To find out which version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center, although if you’re not careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus) you could end up with more than you wanted.

Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome normally auto-updates Flash – often hours or days before the fixes are publicly released for download — although for some reason I still had the vulnerable version installed when Adobe’s security advisory was released today. According to the Chrome Releases blog, Google began pushing out an update last night that includes the new Flash version.

Today’s update comes close on the heels of a critical Flash patch that closed at least seven security holes, including one that was at the time already being exploited to break into vulnerable systems (that one, also, was reported by Google).
