Microsoft password research has fatal flaw

Tony Bradley, PCWorld

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.

I wrote yesterday about a report from Microsoft researchers, which goes against established password security best practices. The new guidance from the Microsoft researchers makes sense to me, because it fits how I handle password management already. However, at least one security expert feels that there is a fatal flaw that makes the new password advice impractical: You.

Almost every aspect of computer security and privacy seems to come back to that one fundamental issue. You—the user—are the weakest link in the security chain. No matter how effective a security process or tool has the potential to be, user error can undermine the whole thing and render the security useless.

In a nutshell, the Microsoft researchers assert that the default advice to use unique, complex passwords for every site and service you use doesn’t work. Users can’t remember that many complex passwords, so instead they opt to ignore the advice entirely and use the same, often ridiculously simple, password everywhere, increasing their exposure to risk and compromise. What the Microsoft researchers propose is that people group credentials based on their importance or access to sensitive data and feel free to re-use simple passwords for accounts that don’t really matter.

Microsoft researchers: Use simple passwords for most of your accounts

Stop me if you’ve heard this one before: You should use unique, complex passwords for every login you have to manage, and you should employ a password management utility to keep track of it all. That is the prevailing advice, but a couple of Microsoft researchers have come to the conclusion that it might be the wrong approach.

Two Microsoft researchers, Dinei Florencio and Cormac Herley, in partnership with Paul C. van Oorschot from Carleton University in Ottawa, Canada, have published a paper titled “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts.” The team set out to determine why it is that so many users ignore the established best practices for passwords and whether or not those best practices really make the most sense.

At face value, the guidance makes sense. If you use strong, complex passwords composed of random strings of characters for your logins, and you use a unique password for each site or service, the odds of a password getting cracked or compromised are greatly diminished, and the potential fallout of a password compromise would be limited to that one site or service. It is difficult to remember 10 or 20 or more random strings of complex characters, so using a password vault or password management utility lets you keep track of them all. Simple enough.

The game isn’t over yet for Gameover malware

In early June the U.S. Department of Justice revealed that the Gameover Zeus (GOZ) botnet had been disabled thanks to the success of a joint effort dubbed “Operation Tovar.” The celebration appears to have been premature, though, as security researchers have already discovered a resurgence of Gameover malware infections.

While the Gameover botnet has lain dormant since the takedown, a new massive spam campaign has Sophos Labs researcher James Wyke concerned the threat has returned. A blog post reveals details of why it seems to be part of the same malware family.

According to Sophos Labs, Gameover malware is back to play again.

Internet Explorer is still the star of Patch Tuesday

It’s déjà vu all over again. After a mind-blowing 59 separate vulnerabilities were patched in Internet Explorer last month, the Microsoft Web browser is hogging the spotlight again in July.

As predicted last week, Microsoft published six new security bulletins for the July Patch Tuesday, and only two of them are rated as Critical. There are also three Important and one Moderate security bulletin this month. The two Critical security bulletins are a cumulative update for Internet Explorer and a patch for an issue with Windows Journal that could allow an attacker to execute malicious code remotely on the vulnerable system. The Important security bulletins address flaws in the on-screen keyboard, the ancillary function driver (AFD), and DirectShow, and the Moderate security bulletin deals with a potential denial-of-service vulnerability in Microsoft Service Bus.

Microsoft released six new security bulletins for the July 2014 Patch Tuesday.

Microsoft plans six security bulletins for July Patch Tuesday

As much of the workforce in the United States coasts through the rest of the day looking forward to an extended weekend to grill hot dogs and drink beer—I mean, celebrate the nation’s independence—Microsoft released its advance notification for next week’s Patch Tuesday. The six security bulletins include two ranked Critical, three Important, and one listed merely as Moderate.

Six security bulletins is fewer than usual—with 106 security bulletins in 2013, the average has been just under nine security bulletins per month. But it’s still enough to keep IT admins busy.

One of the two Critical security bulletins is related to Internet Explorer. It is most likely a new cumulative update patch. Ross Barrett, senior manager of security engineering at Rapid7, said, “It will be interesting to see just how many CVEs are in this round after the 59 patched in MS14-035. Rather than 59 being the new normal, I expect this round will return to the 8-12 CVEs addressed per IE patch standard.”

CosmicDuke will steal your login data and own your network

All malware is bad, but some malware is more insidious than others. That seems to be the case with CosmicDuke. According to a new white paper from F-Secure, CosmicDuke meshes elements of two notorious malware threats—MiniDuke and Cosmu—to form a potent new attack.

MiniDuke is an APT (advanced persistent threat) Trojan that was uncovered in early 2013. It was used in targeted attacks against NATO and various European government agencies.

According to a blog post from F-Secure, researchers found a variant in April of this year that used some of the same code as Cosmu—a malware known for stealing sensitive information. The resulting threat is a combination of the loader from MiniDuke and the payload from Cosmu, creating an APT Trojan designed to steal sensitive login information that F-Secure dubbed CosmicDuke.

OneDrive or Drive for Work: Choosing the best cloud storage option

If you want to store your photos, music, videos, or other personal data online, there is certainly no shortage of available cloud storage choices to pick from. As Microsoft and Google battle for cloud storage supremacy, the customers win, but you have to do a little homework to determine which service is the right one for you.

Microsoft recently raised the bar again for its OneDrive cloud storage. It bumped the free OneDrive capacity from 7GB to 15GB, and announced that all Office 365 consumer accounts will receive 1TB of OneDrive storage, just as it announced in April for Office 365 business accounts. The move basically catches Microsoft up with where Google already was. Google provides 15GB of free Google Drive storage, and users can buy up to 1TB of storage for $10 per month.

Microsoft is providing 1TB of OneDrive storage for all Office 365 accounts.
