Keep Your Passwords Private--and Handy--With LastPass

This fall, more than 20,000 stolen usernames and passwords for such Webmail providers as AOL, Gmail, Hotmail, and Yahoo appeared on Pastebin.com, a programmer's Website. The Webmaster, Paul Dixon, wrote that "for reasons unknown," some "miscreants" posted the data on his site. Dixon removed the stolen info, which Microsoft and some security researchers theorize was gathered through phishing attacks. A researcher at ScanSafe argues that the data may have come from password-stealing malware, not phishing.

Either way, crooks clearly aren't after only bank accounts and other financial log-ins. They also want access to your Webmail. But why? A friend of mine was recently hit by a scam, and her experience helps answer that question. After her Hotmail account was hacked, every message she sent included an unwelcome advertisement.

Crooks have also begun using stolen Webmail and Facebook accounts to send pleas supposedly from a victim to friends or contacts. Some bogus messages claim the sender is stranded overseas and needs an urgent wire transfer of funds.

Don't Pass the Password

To guard against password thieves, I use LastPass. The tool offers a free password-managing add-on for Firefox on Windows, Linux, or Mac OS X; Internet Explorer on Windows; and Safari on Mac OS X. An add-on for Google Chrome is under development. LastPass fills in your username and password only for verified sites that match a real URL, so phishing scams that use similar but fake Web addresses won't deceive it. And because you don't type your password, keylogger malware can't capture your keystrokes and nab your password.

Other apps, like Password Hash, offer similarly worthwhile protection, but LastPass stores all of your data on its servers (using 256-bit AES encryption) as well as on your PC. Since the company never has the decryption key or your password, nobody at LastPass can get to your info. Because your data is stored centrally, you can use the add-on with any browser, log in with your LastPass master account info, and access all of your passwords. Even without the add-on, you can log in to LastPass's site to get to your information. That means you should create a fairly complex master password for the LastPass site, but it also means you have a de facto backup if your PC goes kaput.

Instant Entry

The handy add-on can automatically log you in to sites and can fill in forms, but for better security you should change some of its default settings. For instance, it normally keeps you logged in to your LastPass account for two weeks, even if you close and re-open the browser; to prevent someone from sitting at your desk and accessing your accounts, click Preferences and check Automatically logoff after idle. I set mine to log off my LastPass account after an hour. It's also smart to require a password reprompt for sensitive accounts; the app will then ask for your master password before filling in the username and password, even if you're already logged in. You can enable this when the add-on automatically asks whether you want to save a newly entered password. LastPass offers applications for the iPhone, BlackBerry and other mobile devices, too, but those will cost you $12 per year.

Check Point tackles Web 2.0 apps and social-site widget control

Soon businesses that run Check Point security tools will be able to understand how thousands of Web applications and Web 2.0 widgets are used, giving executives better control over what employees do with their computers at work. The company is developing a software blade that customers can buy to address use of social Web sites and Web applications. Check Point has licensed extensive libraries from FaceTime that identify 4,500 Web applications and more than 50,000 Web 2.0 widgets. With the blade, due out next year, businesses could see not only that employees use Facebook, but also whether they are participating in Facebook groups or playing games available through the site, for example.

Or they could keep an eye on applications that do file transfers, Check Point says. Business use of Web 2.0 sites brings its own security concerns and can run afoul of regulations from governmental agencies and business consortiums. Initially, Check Point plans to incorporate the libraries in a blade that is just a monitoring tool, but later it will incorporate them in a firewall to create an access-control blade that can enforce restrictions on the use of applications and widgets. Later still, the company says it will incorporate the libraries into IPS and QoS blades.

Under Check Point's software blade architecture, announced earlier this year, customers can buy individual security tools to create packages of custom security features. For instance, customers might buy firewall, intrusion-detection system and antispam software blades and run them on a single hardware chassis. Before, Check Point sold monolithic multi-function unified threat management platforms that might include more functions than customers wanted. The libraries also support FaceTime's own Unified Security Gateway product.

Gmail, Yahoo Mail join Hotmail; passwords exposed

Google's Gmail and Yahoo's Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft's Windows Live Hotmail, according to a report by the BBC. Microsoft, for its part, said late yesterday that it had blocked all hijacked Hotmail accounts, and offered tools to help users who had lost control of their e-mail. The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. The latter two are major U.S. Internet service providers. Gmail was the target of what Google called a large-scale phishing campaign, the company told the BBC. "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google spokesperson told the news network. "As soon as we learned of the attack, we forced password resets on the affected accounts," the Google spokesperson also told the BBC. "We will continue to force password resets on additional accounts when we become aware of them." Neither Google's nor Yahoo's U.S. representatives responded to e-mails from Computerworld seeking confirmation that their Gmail and Yahoo Mail services were targeted by phishers, or answers to questions about how many accounts had been compromised and what the firms are doing to help users.

Late Monday, Microsoft said it was blocking access to all the accounts whose details had been posted on the Web last week. "We are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts," the company said on its Windows Live blog. Microsoft posted an online form where users who have been locked out of their accounts can verify their identity and reclaim control, and also pointed users to a support page from October 2008 that spells out steps users can take if they think their accounts have been hijacked. Neowin.net, the site that first reported the Hotmail account hijacking early Monday, today added that it had seen the same list of compromised accounts as the BBC. "Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised," said the Windows enthusiast site. "[The] new list contains e-mail accounts for Gmail, Yahoo, Comcast, EarthLink and other third-party popular Web mail services." Microsoft has acknowledged that log-on credentials for "several thousand" Hotmail accounts had been obtained by criminals, probably through a phishing attack that had duped users into divulging their usernames and passwords. After a slump earlier this year, phishing attacks are on the upswing, according to the Anti-Phishing Working Group (APWG). Its most recent data, for the first half of 2009, noted that the number of unique phishing-oriented Web sites had surged to nearly 50,000 in June, the largest number since April 2007 and the second-highest total since the industry association started keeping records. Yesterday, Dave Jevans, the chairman of APWG, called the Hotmail phishing attack one of the largest ever, but cautioned that the usernames and passwords may have been harvested over several months, and not by a single, defined attack.

Users nervous about Oracle's acquisition of MySQL

The European Union is not the only one antsy about Oracle taking possession of the open source MySQL database should the commercial database giant's merger with Sun Microsystems get final approval. So are MySQL users. (The E.U.'s executive arm has held up approval of the merger, fearing that Oracle's acquisition of MySQL could reduce competition in the database market, as well as harm the open source nature of MySQL. Sun's stockholders and the U.S. Justice Department have approved Oracle's $7.4 billion acquisition of Sun.) Thus far, Oracle has said little about its intentions for MySQL and declined to discuss the issue with InfoWorld. On its Web site, Oracle merely notes that "MySQL will be an addition to Oracle's existing suite of database products." "I wish that Oracle would broadcast its intentions a little bit more" on the Sun acquisition, says Duane Kimble, a Linux technologist who works in the banking industry. "We've got a fair number of databases and Web applications that use those databases in MySQL. If Oracle does something that sort of makes it look like MySQL's days are numbered or something is going to change that we don't like, we'll probably look at alternatives," says Ernest Joynt, a contractor for the National Oceanic and Atmospheric Administration. For him, Oracle's ownership of MySQL is a specific cause for caution. Anand Babu Periasamy, CTO of clustered storage technology company Gluster, expresses doubts that Oracle would add enterprise capabilities to MySQL. "I hope that they will retain MySQL. [But] I am doubtful [that] they will ever improve MySQL to take it mid-enterprise level, but at least it will help them compete with Microsoft SQL Server on the low end," he says. (Gluster uses MySQL for its Web site operations.)

MySQL users start looking at alternatives

A key issue is that Oracle is a main competitor to MySQL, notes Timothy Dion, CTO of mobile and Web apps builder Sensei. "I'm very concerned about what that means," he says. His firm has begun looking at other enterprise-scale open source databases such as EnterpriseDB's Postgres database in case it has to replace MySQL. Standing to reap a harvest from unease about the Oracle-MySQL pairing are open source database vendors EnterpriseDB and Ingres. EnterpriseDB, which builds its products on the PostgreSQL open source database, has been hearing from concerned MySQL users, says Larry Alston, EnterpriseDB's vice president of product management and marketing. "They're telling us that they're nervous" about the future of MySQL, he says. Ingres also sees opportunities. "The phones ring a lot," says Ingres CEO Roger Burkhardt.

Doubts remain over the fate of other Sun technologies

Users remain concerned over the fate of other Sun technologies such as Java and Solaris, not just of MySQL. "We are rethinking our Solaris deployments," says Linux technologist Kimble. "We are moving swiftly toward more of an AIX and Linux environment, depending on the size or the scale of the project." Although Kimble notes it is "too early to say whether we'll move off [Solaris] or not," he does say his employer is rethinking its Solaris commitment: "Certainly, we're not going full-bore with Solaris as we were before the merger." Kimble does see a positive side to the Sun acquisition: "I think it kind of simplifies the platform offering somewhat. Oracle is a strong company and if they keep Sun Java, which I'm sure is what they bought [Sun] for, I think it will make Java a better product."

But Bryce Pier is not so sure. The senior systems engineer at Target sees no benefits of the buyout - at least not yet. "I'm not really certain that it's going to be good for anybody. Another large company buying another large company reduces competition," he says. One reason is the uncertainty: "We're just not sure what Oracle's commitment is going to be to the Java stack and to maintaining it as an open source project." Another is Oracle's reputation for extracting revenues from customers: "We certainly fear that all of the subscription fees are going to change for everything from Sun." Pier expects the acquisition to cause Target to move away from Solaris to Red Hat's Linux over time. At its recent conference, Red Hat sought to reassure customers about the continued openness of Java-based JBoss technology, which Red Hat owns, now that Oracle is buying Java founder Sun. Oracle, said Craig Muzilla, Red Hat's vice president for middleware, was very active in the Java Community Process for updating Java and has strived for openness in Java. "We don't see anything from Oracle that [would indicate that] they would do anything" that would differ with the past, he said.

Microsoft Internet Explorer SSL security hole lingers

Microsoft still does not acknowledge a weakness in its Internet Explorer browser that was pointed out seven weeks ago and enables attackers to hijack what are supposed to be secure Web sessions. The company says it is still evaluating whether the weakness exists, but Apple, which bases its Safari for Windows browser on Microsoft code, says Safari for Windows has the weakness and the Microsoft code is the reason. If Microsoft doesn't fix the problem, Apple can't fix it on its own, Apple says.

Apple has fixed the problem for Safari for Macs. "Microsoft is currently investigating a possible vulnerability in Microsoft Windows. Once our investigation is complete, we will take appropriate action to help protect customers," a Microsoft spokesperson said via e-mail. "We will not have any more to share at this time." The weakness can be exploited by man-in-the-middle attackers who trick the browser into making SSL sessions with malicious servers rather than the legitimate servers users intend to connect to. Current versions of Safari for Mac, Firefox and Opera address the problem, which is linked to how browsers read the X.509 certificates that are used to authenticate machines involved in setting up SSL/TLS sessions. In July two separate talks presented by researchers Dan Kaminsky and Moxie Marlinspike at the Black Hat Conference warned about how the vulnerability could be exploited by using what they call null-prefix attacks. The attacks involve getting certificate authorities to sign certificates for domain names assigned to legitimate domain-name holders and making vulnerable browsers interpret the certificates as being authorized for different domain-name holders.

In many X.509 implementations the certificate authority will sign certificates for any request from the hacker.com root domain, regardless of any sub-domain prefixes that might be appended. For instance, someone might register www.hacker.com. In that case, the authority would sign a certificate for bestbank.hacker.com, ignoring the sub-domain bestbank and signing based on the root domain hacker.com, Marlinspike says. At the same time, browsers with the flaw he describes read the name in an X.509 certificate only until they reach a null character (\0). If such a browser reads bestbank.com\0hacker.com, it would stop reading at the null and interpret the certificate as authenticating the root domain bestbank.com, the researcher says. Browsers without the flaw correctly identify the root domain and accept or reject the certificate based on it. An attacker could exploit the weakness by setting up a man-in-the-middle attack and intercepting requests from vulnerable browsers to set up SSL connections.

If the attacking server picks off a request to bestbank.com, it could respond with a CA-signed X.509 certificate for bestbank.com\0hacker.com. The vulnerable browser would interpret the certificate as being authorized for bestbank.com and set up a secure session with the attacking server. The user who has requested a session with bestbank would naturally assume the connection established was to bestbank. Once the link is made, the malicious server can ask for passwords and user identifications that the attackers can exploit to break into users' bestbank accounts and manipulate funds, for example, Marlinspike says.

In some cases attackers can create what Marlinspike calls wildcard certificates that will authenticate any domain name. These certificates use an asterisk as the sub-domain, followed by a null character, followed by a registered root domain. Such a wildcard will match any domain, he says. A vulnerable browser that initiated an SSL session with bestbank.com would interpret a certificate marked *\0hacker.com as coming from bestbank.com because it would automatically accept the * as legitimate for any root domain. This is due to "an idiosyncrasy in the way Network Security Services (NSS) matches wildcards," Marlinspike says in a paper detailing the attack. The differences between what users see on their screens when they hit the site they are aiming for and when they hit an attacker's mock site can be subtle.
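The two behaviours the article contrasts, a name check that treats the certificate's subject name as a C string and one that compares the full byte length, can be shown side by side. The following is an added example in C; it is not code from the article, from Marlinspike's paper, or from any browser or NSS. The `cert_name` type, the `NAME_LIT` macro and both `match_*` functions are assumptions introduced for illustration, and the bare-`*` acceptance in the flawed version models the wildcard behaviour the article attributes to NSS rather than reproducing its code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article, from Marlinspike's paper, or from
 * any browser: it models the two hostname checks the article contrasts. The
 * subject name comes out of the certificate as a length-prefixed byte string,
 * which may legally contain a 0x00 byte. */
typedef struct {
    const unsigned char *bytes;
    size_t len;
} cert_name;

/* Build a cert_name from a string literal, keeping any embedded NUL. */
#define NAME_LIT(s) ((cert_name){ (const unsigned char *)(s), sizeof(s) - 1 })

/* Flawed check (the behaviour the article describes): the name is copied into
 * a C string, so everything after the first NUL is invisible to the comparison,
 * and a bare "*" is accepted for any host (modelled on the wildcard handling
 * the article attributes to NSS). */
bool match_flawed(cert_name cn, const char *host)
{
    char buf[256];
    if (cn.len >= sizeof buf)
        return false;
    memcpy(buf, cn.bytes, cn.len);
    buf[cn.len] = '\0';                 /* "bestbank.com\0hacker.com" reads as "bestbank.com" */

    if (strcmp(buf, "*") == 0)          /* "*\0hacker.com" reads as "*" */
        return true;
    if (buf[0] == '*' && buf[1] == '.') {
        const char *dot = strchr(host, '.');
        return dot != NULL && strcmp(dot, buf + 1) == 0;
    }
    return strcmp(buf, host) == 0;
}

/* Corrected check: rejects any embedded NUL, compares the full length, and
 * honours a wildcard only as the complete leftmost label of a name that has at
 * least two further labels ("*.example.com", never "*" or "*.com").
 * Comparison is case-sensitive here for brevity; DNS names are case-insensitive,
 * so a production matcher would fold ASCII case first. */
bool match_safe(cert_name cn, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(cn.bytes, 0, cn.len) != NULL)
        return false;                   /* an embedded NUL is never legitimate */

    if (cn.len >= 2 && cn.bytes[0] == '*' && cn.bytes[1] == '.') {
        const unsigned char *suffix = cn.bytes + 1;   /* ".example.com" */
        size_t slen = cn.len - 1;
        if (memchr(suffix + 1, '.', slen - 1) == NULL)
            return false;               /* "*.com" would match every .com host */
        const char *dot = strchr(host, '.');
        if (dot == NULL)
            return false;
        size_t dlen = hlen - (size_t)(dot - host);
        return dlen == slen && memcmp(dot, suffix, slen) == 0;
    }
    return cn.len == hlen && memcmp(cn.bytes, host, hlen) == 0;
}

/* Stand-alone demo over the names used in the article, checked against a
 * user who asked for bestbank.com. */
int main(void)
{
    struct { const char *label; cert_name cn; } cases[] = {
        { "bestbank.com",              NAME_LIT("bestbank.com") },
        { "bestbank.com\\0hacker.com", NAME_LIT("bestbank.com\0hacker.com") },
        { "*\\0hacker.com",            NAME_LIT("*\0hacker.com") },
        { "*.hacker.com",              NAME_LIT("*.hacker.com") },
    };
    const char *host = "bestbank.com";

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s flawed=%d safe=%d\n", cases[i].label,
               match_flawed(cases[i].cn, host), match_safe(cases[i].cn, host));
    return 0;
}
```

Only the first name should be accepted for bestbank.com; the flawed matcher also accepts the two NUL-bearing names, while the corrected one rejects anything containing a NUL before it ever looks at the wildcard.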

The URLs in the browser would reveal that the wrong site has been reached, but many users don't check for that, Marlinspike says. A Microsoft spokesperson says Internet Explorer 8 highlights domains to make them more visually obvious, printing them in black while the rest of the URL is gray. "Internet Explorer 8's improved address bar helps users more easily ensure that they provide personal information only to sites they trust," the spokesperson said in an e-mail. Marlinspike says the null character vulnerability is not limited to browsers. "[P]lenty of non-Web browsers are also vulnerable. Outlook, for example, uses SSL to protect your login/password when communicating over SMTP and POP3/IMAP. There are probably countless other Windows-based SSL VPNs, chat clients, etc. that are all vulnerable as well," he said in an e-mail.

Ncomputing kit talks to virtual desktops over USB

Ncomputing is launching a device that can be used to add a virtual client to a host PC via a USB connection. The U170 can run full multimedia applications when it is connected to a host machine's USB port. Multiple U170 boxes can add extra users to a host machine, which can be cheaper than buying separate machines, said Carsten Puls, vice president of strategic marketing at Ncomputing. The device has a video port, audio port and two USB ports for the keyboard and mouse. "The only thing you have to connect back to the PC is a single USB connection," Puls said.

Users must still buy a monitor and peripherals to complete a workstation. Virtual desktop software from Ncomputing called Vspace, running on the host machine, sets up individual desktops as new U170 boxes are connected. One host PC can support up to four boxes. In this case, the USB cable takes the place of the Ethernet cable for a client to communicate with a host machine. Beyond reducing the need for a PC, the device also helps reduce energy costs, Puls said. It draws about 2 watts of power, Puls said, far less than a full client PC. The device is priced at US$99 and will be available by the end of the year, Puls said.

The typical USB cable extends up to five feet, but USB extenders can lengthen that. The company has set up configurations where the device connects to PCs from up to 50 feet. The company has other products that let users access host PCs over Ethernet. USB has advantages as the ports are included on most PCs, but over longer distances it may be better to use Ethernet, Puls said. Vspace is compatible with multiple versions of Windows, including Microsoft's upcoming Windows 7 OS. The company is targeting small-and-medium businesses with the device.