Two factor authentication now available for your Google accounts

Google has now set the bar a little higher for Internet account security. Now the super-paranoid (like yours truly) can further secure their Gmail through the use of Google's new two-factor authentication system. While not as cool as using YubiKey for LastPass, you can now use your phone to generate a one-time password to gain access to your Google account. As I've covered before, you shouldn't be using the same password for multiple online accounts, but you really shouldn't be using your main email password for anything else, as it is the go-to place for account recovery. But even if you are, this additional layer of security will make compromising your account nearly impossible.


Using LastPass and YubiKey to secure your online life

If the recent Gawker password breach (re)taught us anything, it's the old and valued lesson of "don't use the same password everywhere" -- but as often as I repeat that phrase and cringe a little bit when I find out someone else did it, I've been just as guilty of this cardinal sin of network security myself... from time to time. It's hard not to. When you're as active on the Internet as I am, it's impossible to resist the urge to duplicate passwords, especially if you're against writing them down. So you're left to memorize them all, hope you don't forget, and hope that you can later rely on the splendid password reset via email. All of the Gawker fun also taught (or should have taught) website administrators like myself to take better care of their users. Gawker fouled up in a huge way (beyond simply exposing user data) by not taking proper steps to secure the information in their database once it was exposed. Gawker used an easily crackable cipher system (DES) which was superseded by a newer industry standard (AES) long ago.


Companies react to offering up Security Essentials through Microsoft Update

You know you're probably doing something right when three of your biggest competitors start acting like the world has come to an end. In this case, it's Microsoft versus the anti-virus world. While we like to stress the importance of anti-virus products on all platforms, they're sort of like insurance companies. Their products are usually expensive and bloated, and when you really need them most of the time they're not that effective. Microsoft's Security Essentials product is arguably one of the best anti-virus products on the market, and it's free, and it's got traditional vendors like Symantec, McAfee and Trend Micro scared. Even more so now that Microsoft has begun distributing the software to users directly through its Microsoft Update service.


Google sues the federal government for wanting to use Exchange

So the US Department of the Interior decides that it wants a new email system, and after consideration decides it wants to use Microsoft's hosted Exchange platform. Pretty straightforward, right? Well, until Google decides that the DOI should have used Google Apps instead, and goes to sue the government for wanting to use Microsoft's products. Never mind the fact that Google doesn't even have a GSA contract and cannot actually sell products to the federal government without one. Google's case makes it sound like they're trying to protect the government from disaster by going with Microsoft's product, providing a filing full of reasons why their platform is superior and Microsoft's is run by idiots. Never mind the fact that Google Apps has had its fair share of issues in the last few months (even in the last week) and that they're constantly adding/changing/removing features that would probably not be welcome in a government setting. via TechDirt


Intel buys McAfee, way overpays for an ineffective engine

I’m not sure I would have paid $29 for a copy of McAfee, but Intel decided it was wise to go all in and spend almost $8 billion to acquire them. Of all the security companies out there Intel had their choice of, they picked one of the most bloated and ineffective scanning engines, and the one that has one of the worst track records when it comes to false positives that eat your computer alive. I can say that having spent almost 4 years managing their corporate suite, and having their software updates crash my systems (I eventually dumped their software for Microsoft Forefront) and rebuild my configuration multiple times, I’m not looking forward to them integrating their technologies on Intel chips. (McAfee Press Release)

Why lazy sysadmins and IE 6 make the net unsafe

The number of businesses still using Internet Explorer 6 is painful to see. Coupled with the fact that all of them are on Windows XP or Windows 2000, it turns from pain into terror, especially when it comes to security. For a lot of system administrators, the reasons to stay outweigh the reasons to upgrade. Websites that break, plugins that won't load, old software that isn't updated anymore. Trust me, I've been there.

However, a lot of it boils down to lazy and poor practices of system administration. Yes, you're lazy and you're bad at your job. Internet Explorer 6 was released in 2001. Yes, 2001. Most of us don't even drive cars that old, let alone unleash people on the "information superhighway" with a browser that old. It was designed at a time when security was not the issue it is today. It was designed to work on operating systems like Windows 98 and Windows ME. Would you let people use Windows ME on your network? No! So why are you letting them use a browser that was built for it?!

"But it's not our fault, we don't write the bad software, or the non-compliant websites."

You're right, you don't. But you have the responsibility and the power to keep your network, and the rest of the Internet, safe. The replacement for IE6 has been out now for just under 4 years. Actually, the replacement for its replacement has been out almost a year. Meaning all you lazy administrators had two chances to migrate your systems over to an updated browser. Yes, you're lazy. If you have applications that "require" Internet Explorer 6, the decision should have been made to dump them or upgrade them long ago.

A line in the sand should have been drawn that said you were not willing to support such an old and insecure piece of software. Why is this such a big deal? Because security threats targeting users of Internet Explorer 6 continue to threaten the security of the Internet, and of your own network. Just this week, Microsoft admitted that IE6 was one of the vectors used to attack companies like Google. Why is Google still using Internet Explorer 6? Or I guess a better question is, why is Google even using Internet Explorer at all, when they develop Chrome?

Either way, it's disappointing to see that a company like Google, who tends to be on the bleeding edge of updates, is doing something stupid like running an almost decade-old browser. The most recent threat has no effect on users of Internet Explorer 7 or 8, even on Windows XP. Actually, Jonathan Ness over at MSRC Engineering put together a nice little chart explaining what browsers and operating systems are at risk with the latest attack vector.

The short of it: if you're still running Windows 2000 on workstations, you should be fired. If you're running Windows XP and Internet Explorer 6, you should march into your CIO's office on Monday and demand that you at least figure out how to migrate to Internet Explorer 7 ASAP, meanwhile worry that your network isn't the next one to be attacked by these unpatched exploits. If you're running Internet Explorer 7, you should turn DEP on to prevent future threats, or see if migrating to Internet Explorer 8 is possible. But really, for the small group who has already migrated to Windows Vista or Windows 7, enjoy your weekend. To all my fellow sysadmins out there: Stop being lazy, and start securing your networks.