I’m on pretty much every major IM program, and have been since introduced to ICQ way back in the 90s. I have multiple accounts on most of them, too, some of which are rarely used and then only for spam. I get the usual dating and pr0n spam, but every once in a while, I get something new.
One of the things that I do as a penetration tester is crack passwords. It’s usually not difficult, but this post isn’t about that anyway. What this post is about concerns the contents of the passwords and what it might suggest about the users.
What if I told you that my shortest important passwords are in the neighborhood of 20-25 characters? Would you think to yourself, “You’re insane!”? Some of you would, because some have said it out loud to me when they see me typing in my passwords. My secret for many of them is to use a pass phrase. This is easy for me to remember and so complex that it’s almost impossible for a computer, or even a lot of computers, to get through it.
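To put numbers on the “almost impossible for a computer” claim, here is a small keyspace calculator. It is an added example, not code from the original post: it compares an 8-character “complex” password with a multi-word pass phrase under two attacker models, character-level brute force and whole-word guessing from a dictionary. The guess rate (1e11/s) and the 7776-word dictionary size are assumptions chosen for illustration, and the sample secrets are constructed.

```python
"""Rough keyspace estimates for a short complex password vs. a pass phrase.

Added example, not from the original post. The attacker speed and the
7776-word dictionary size are assumptions chosen for illustration.
"""
import math
from typing import Optional

# Standard printable-ASCII character classes.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 = punctuation plus space

# Assumed offline attacker: 1e11 guesses/second against a fast hash (constructed figure).
GUESSES_PER_SECOND = 1e11


def charset_size(secret: str) -> int:
    """Size of the smallest union of standard classes that covers every character."""
    size = 0
    if any(c.islower() for c in secret):
        size += LOWER
    if any(c.isupper() for c in secret):
        size += UPPER
    if any(c.isdigit() for c in secret):
        size += DIGITS
    if any(not c.isalnum() for c in secret):
        size += SYMBOLS
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the keyspace for character-by-character brute force over the inferred classes."""
    return len(secret) * math.log2(charset_size(secret))


def word_attack_bits(secret: str, dictionary_size: int) -> Optional[float]:
    """log2 of the keyspace if the attacker guesses whole words from a dictionary of
    `dictionary_size` entries. Returns None when the secret is not a multi-word phrase."""
    words = secret.split()
    if len(words) < 2:
        return None
    return len(words) * math.log2(dictionary_size)


def effective_bits(secret: str, dictionary_size: int = 7776) -> float:
    """The weaker of the two models; this is the figure a defender should plan around."""
    char_bits = brute_force_bits(secret)
    word_bits = word_attack_bits(secret, dictionary_size)
    return char_bits if word_bits is None else min(char_bits, word_bits)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample secrets: one "complex" 8-character password, two pass phrases.
    for secret in ("P@ssw0rd", "correct horse battery staple", "my dog ate the red sofa again"):
        bits = effective_bits(secret)
        print(f"{secret!r}: {len(secret)} chars, ~{bits:.1f} effective bits, "
              f"{years_to_exhaust(bits):.3g} years to exhaust")
```

The point the numbers make: a 28-character phrase of four common words looks like 160+ bits to a character-level brute forcer, but only about 52 bits to an attacker who guesses words from a 7776-word list, which is roughly the same as an 8-character password drawn from all 95 printable characters. Length alone is not the protection; it is the number of words (or the use of less predictable words) that keeps the phrase out of reach, and a phrase that has already appeared in a published breach is weak regardless of what these formulas say.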
These are based in part on my experiences watching Microsoft software and reflect my own opinion where it deviates from Microsoft’s advice. There may be some people interested in an alternate, practical view from someone who will look to target these kinds of things in the future. I try not to get too technical, but for something like this, there’s only so much techno-jargon that can be removed before it gets distilled down to “Just patch!” But if none of the following makes sense to you, that’s probably a good path to follow just in case.
Notes and Observations
- Twelve bulletins were released covering 57 vulnerabilities.
- This isn’t quite as bad as it sounds (but you should still patch them all). One of the bulletins, MS13-009, addresses more than a dozen vulnerabilities in Internet Explorer and should be patched pretty much immediately. Another, MS13-016, addresses 30 in the kernel-mode driver, but these are tricky race conditions that allow privilege escalation and don’t worry me all that much.
- However, MS13-010 is being used to some extent in the wild. There is a component of the vulnerability that can be used for information disclosure. This may be why Microsoft issued two patches for IE instead of one. If you can’t install -009, at least install -010.
- The apparent focus du jour for vulnerability researchers is the Use After Free vulnerability. I’ll admit that I’m not up to date on this particular one, but I’ll see what I can come up with in the near future.
- There’s a patch for an Exchange Server vulnerability that involves viewing Paradox database files in Outlook Web Access. I haven’t seen mention of Paradox in years. But I mention this not just for the historical oddity. There really is the ability to view such files, and Microsoft admits that it’s not documented. Be aware of this not just with Microsoft, but with other companies that can read many file formats. They have to have parsers, and they’re often not as good as the original vendor’s (and some of them aren’t that good, either).
- Nevertheless, I grouped it as one of two items to patch sometime in the next 90 days. I’m really not that concerned that someone is going to try to craft a Paradox DB file for this when there are better ways to attack the user. The other one I’m not worried about is a Network File System (NFS) issue since almost no one uses it in this context.
Over the last year, we’ve seen news stories of sites getting hacked and passwords getting stolen and we’ll doubtless see more in the future. These range from the relatively irritating to the level of possible identity theft. In every case, especially when the passwords have been published, we see the usual advice from the experts: use complex passwords, don’t share your passwords, don’t use the same password on multiple sites… It’s basically the same list trotted out all the time, but I see few explanations of why people should do these things. It’s not bad advice at one level, but doing something out of blind obedience has actually made security worse on occasion, and passwords are part of that mess.