Time to Flee Windows XP

Microsoft and the IT community have been talking about it for months (if not years), but the time is almost here when Windows XP will no longer be supported by Microsoft.  This means no new security updates or patches will ever be created – the final set of updates will be coming out on April 8, 2014.  At that time, no official support will be provided for problems with Windows XP, and any vulnerabilities discovered will remain unfixed until the end of time.  This is bad news, as any remaining XP systems could be easily exploited by attackers intent on stealing your data or controlling your computer.

If you have a computer that is still running Windows XP, please finalize any plans to upgrade or replace it during the next month.  Information regarding some of your options can be found here:

http://windows.microsoft.com/en-us/windows/end-support-help

Official publications regarding this situation can be found here:

https://www.us-cert.gov/ncas/alerts/TA14-069A-0

Trouble sending email from Wayne Connect to Hotmail?

If you have sent an email from your Wayne Connect account to a Hotmail, MSN, or Live.com email address within the past week, you probably had it bounce back as “undeliverable.” That’s because these email providers have flagged Wayne Connect as a source of spam.

How did this happen? It’s the result of a long chain of events:

  1. Spammers send phishing messages to Wayne Connect accounts. Some users, even just a handful, take the bait and send in their AccessID and password.
  2. Or, the spammers used passwords from LinkedIn accounts to break into a Wayne Connect account, because the Wayne Connect user’s passwords were identical on both systems.
  3. Spammers use the compromised AccessIDs to send millions of spam messages.
  4. Spam recipients report spam to Real-Time Blackhole List (RBL) services such as SpamCop.
  5. Multiple reports to the RBL service “confirm” that Wayne Connect is a spam source, and it is placed on the RBL.
  6. Email providers check the RBL to make a quick decision about an incoming message that originated from Wayne Connect. If Wayne Connect is on the RBL, they bounce the message and send some cryptic info mentioning SMTP Error 550.
  7. Wayne Connect support staff are alerted about the RBL status, locate the compromised Wayne Connect accounts and close them down, and then contact the RBL services to remove Wayne Connect’s entry.
  8. The RBL services wait several days to process the request, to make sure that the spam has truly stopped.
  9. Email resumes flowing again after Wayne Connect is removed from the RBL services.
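The check in step 6 is a DNS lookup, sketched here as an added example (not code from Wayne Connect or any email provider). The zone rbl.example, the address 192.0.2.25 and the stub resolver are constructed so the example runs offline; a real list publishes its own zone name.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone (RFC 5782 convention)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """Listed if the name resolves into 127.0.0.0/8; a failed lookup means not listed."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")

def smtp_decision(ip, zones, resolve=socket.gethostbyname):
    """Return the SMTP reply a receiving server would give the connecting IP."""
    hits = [z for z in zones if is_listed(ip, z, resolve)]
    if hits:
        return "550 5.7.1 Rejected: %s is listed on %s" % (ip, ", ".join(hits))
    return "250 OK"

# Constructed data: one sending IP (documentation range) listed on a made-up zone.
CONSTRUCTED_LISTINGS = {"25.2.0.192.rbl.example": "127.0.0.2"}

def stub_resolver(name):
    """Offline stand-in for DNS: answers only for the constructed listing."""
    if name in CONSTRUCTED_LISTINGS:
        return CONSTRUCTED_LISTINGS[name]
    raise socket.gaierror("NXDOMAIN (constructed)")

if __name__ == "__main__":
    for sender in ("192.0.2.25", "192.0.2.26"):
        print(sender, "->", smtp_decision(sender, ["rbl.example"], stub_resolver))
```

Because the decision is keyed on the sending server's IP address, every user behind that server gets the 550 bounce until the listing is removed, which is why steps 7 to 9 take days.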

As you can see, even if just a few people are victimized by spammers, it can spell trouble for many other Wayne Connect users.  You can help by being vigilant when handling your email. Here are some good tips to remember (adapted from Microsoft’s Safety & Security Center):

  • Before you click, preview a link’s web address. Move your mouse pointer over a link without clicking it. The address should appear on the bottom bar of your web browser. Official Wayne State web addresses always end in wayne.edu
  • Check the spelling. Spammers often use deliberate, easily overlooked misspellings to deceive users. Examples that we have seen include wanye.edu and waney.edu
  • Carefully evaluate contact information in email messages. Watch out for spelling errors or a missing phone number. One recent phish used the non-existent email address customerservice@wayne.edu — which looks legitimate, but no phone number was provided.

If you have found a phish — report it! Just follow these simple instructions on WSU’s IT Knowledgebase.

If you’re in doubt, just leave the email message alone and contact the C&IT Help Desk 313-577-4778.

If you want to learn more ways to identify phish, check out our Is an email legitimate? guide.

Got questions? Post them below!

Building Better Passwords

Making good passwords can sometimes be a challenge.  On the one hand,  you want something that will be relatively easy for you to recall so that you can access your account. On the other hand, you need a password that is strong enough to withstand guessing or “cracking” attempts that often occur on the Internet.  I freely admit that it’s a balancing act, and not an entirely pleasant one.

For me, probably the *single* most frustrating aspect of creating a strong password is that each system uses different rules for what is required and prohibited in passwords.  The rules enforced for your AccessID password are different from your accounts that you use for your online banking, Amazon, iTunes, your household utilities, credit cards, etc.

When creating or changing a password, look out for the following “gotchas”:

  • What is the maximum number of characters it can use?
  • Can I use special characters or punctuation?
  • Am I required to use numbers or uppercase letters?  How many?

While using the same password for all of your online accounts is bad, creating some sort of pattern or schema for how you create your passwords is actually one of the recommended ways to keep your online identities secure.  In the end, you need to create a password that is meaningful to you, while meaningless to everybody else.

  • Avoid using a single common word.  Attackers frequently use lists of words from the dictionary when trying to brute-force their way in.
  • The longer the password, the better!  Even adding 3 characters to your password can make it over 140,000 times harder to guess if you are using uppercase and lowercase letters.
  • Stay a little abstract.  For example, say you enjoy birdwatching, and want to incorporate that meaning into your passwords.  Don’t use “birdwatch” or anything similar to that.  Instead, think of a place or a time in which you had a really good time birdwatching.  Then, recall an object or a thing that stuck out in your mind at that time.  Use that final idea as part of your password pattern.
  • Use more than just lowercase characters, if the system allows it.  You do not need to go overboard, but simply having a single instance of a number, an uppercase character, and a special character increases your security by several orders of magnitude.  Doing this also helps protect your password from dictionary attacks.
  • DON’T simply add a number to the end of your current password.  All the bad guys know you do this, and alter their attacks slightly to compensate.

Knowing all of this, let’s break out a little math to show how much more important it is to add complexity into your passwords.  In the case of a 10 Character Password:

Character Sets Used in Password: Possible Combinations:
All Lowercase: 141,167,095,653,376
Lowercase & Uppercase: 144,555,105,949,057,024
Lower/Upper & Numbers: 839,299,365,868,340,224
Lower/Upper/Numbers & Special Characters: 59,873,693,923,837,890,625

Over 59 quintillion ways to create a 10-character password if you follow all of the rules above…wow!  Knowing all of this, what are some examples of good passwords?  Well, keeping in mind any possible restrictions that the password system may have, using the above principles you can generate passwords similar to these:

Steeple Gardens @August
Amaz!ngMonk3yAtTheZoo
R0tten Tree Stump Beneath The Wind0w

Lastly, never give up hope!  Many times I have sat on a password screen, desperately trying to come up with a good password that meets all of the inane requirements of their system. In the end, it IS worth it!  Having the peace of mind that your online identity is secure and is less likely to be hijacked by unscrupulous people is a good thing indeed.


Adobe Reader/Acrobat Security Update

Adobe has released a critical security update for the Adobe Reader and Acrobat products.  If you can view PDF files, chances are high you may be vulnerable.

To update your computer, check to see if there is a red Adobe icon down in the system tray by your clock.  It may already be trying to tell you to update! Double-click on the icon if it is there, and the following screen will appear:

Simply click “Download” or “Update”  and follow the prompts to keep your computer up-to-date.

If there is no red Adobe icon in your system tray, simply launch Adobe Reader or Acrobat, click on the “Help” menu, and select “Check for Updates…”.

When you are done with the update, you will be required to restart your computer.  Timing this with a lunch break (or any kind of break for that matter) is a good way to apply this update with the minimum amount of inconvenience.

A bug was identified where opening a specially crafted PDF file could crash your computer, or run programs without your knowledge.  Technical details regarding the vulnerability can be found at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611

Averting a Disaster

I have been wrestling with an issue with our Internet firewall recently, and the culmination of troubleshooting efforts boiled down to a simple fact: a module inside the firewall would have to be rebooted.  This ends up being a big deal because while our firewall is rebooting, network traffic cannot pass thru it, effectively isolating WSU until the firewall properly initializes again.

While this is a minor annoyance when we have to do this at home with our Cable/DSL Modems, it has the potential of being something very nasty at an institution as large as Wayne State University.  That is all time that off-site students cannot access their Blackboard sessions, faculty cannot collaborate with other Universities, and prospective students cannot browse our webpages looking for that perfect program to enroll in.

Thankfully, in working with the Network Engineering group, the Information Security Office has multiple redundant systems set up for exactly this purpose.  With a few keystrokes, the Internet traffic was instantly rerouted thru our secondary Internet firewall, picking up the 161,000 network connections with ease.  Now that our troublesome firewall was “out of the loop”, we were able to run the diagnostic commands to restart certain modules without causing a moment of downtime.  This, in turn, helped resolve several production issues that have been growing over the past few weeks.

Exercises like this should be a reminder of how important it is to build redundancy into the systems that we create.  While the above was a controlled event, it is just as important to be ready in the case of an unexpected failure, such as a power supply failing or a backhoe digging up your fiber connection.  When dealing with large enterprise systems (including our Internet backbone), effective redundancy, Disaster Recovery, and Business Continuity Planning must be built into your methods and practices.  Without these things, it will be impossible to deliver the quality of services that our consumers have come to expect!


Undergarments and Passwords

Passwords are like underwear:

  • Change them often;
  • Don’t share them with others;
  • Leaving them out in the open is something kids do;
  • It can be really hard to part ways with one you are used to.

Trust me, I feel the same pain and frustration when it comes to keeping track of all the passwords that I use for my work and personal lives.  Everyone has accounts for their desktop computers, for the servers they connect to, for the departmental applications they run, for the banks they do business with, for the utility companies for online billpay, and for the plethora of other online resources.  Keeping a handle on all of these electronic identities takes more time than it should, but it beats the alternative of having your identity stolen.

Changing your passwords once or twice a year is an excellent practice to get into.  Consider doing it at the beginning and middle of each year – changing all your passwords is a New Year’s Resolution you can keep, and you can consider it your patriotic duty around the Fourth of July.  Why change your passwords with such frequency?  Two good reasons:

  1. It keeps reminding you about all of your electronic accounts so nothing slips thru the cracks, and
  2. In the event one of your accounts is compromised, it limits the amount of time bad things can happen.

When creating new passwords, an easy way to keep a handle on all of them is to create a simple password scheme that only you know.  A password scheme can consist of a base password combined with a little bit of information about the system or site you are logging in to.  For example:

Base Password: SkydivingMakesMe$ick

System | Append | Final Password
Desktop Login | Windows | SkydivingMakesMe$ickWindows
Work Login | WSU | SkydivingMakesMe$ickWSU
Banking Website | money | SkydivingMakesMe$ickmoney
Electric Utility Website | Power | SkydivingMakesMe$ickPower
Facebook Login | FB | SkydivingMakesMe$ickFB


By using this method, you create a simple phrase that you can easily remember.  This phrase is just a few words, and should contain a capital letter, a special character, or a number in it somewhere for added security.  Then you can just prepend or append a tiny word in relation to what you are accessing.  Congratulations!  In five minutes you have just created one of the most secure passwords and schemes known to man. Also, by doing this, you can abolish the need for writing down your passwords – another common way to get yourself into trouble.  It really is that simple!

Not sharing your passwords or account names would be a really good idea at this point.  You worked hard enough to create this amazing, easy way to remember all of this information – the last thing you want to do is make it all obsolete!  Do not disclose your username to any non-affiliated party, and NEVER disclose your password for ANY reason.  The moment you tell someone your password, your electronic life is now in their hands.  If an organization says that they need to know what your password is, discontinue using them immediately.  There are plenty of reputable organizations who will be more than willing to deal with you without violating your security.