Passwords...again

Last year I commented on the analysis of leaked passwords from Hotmail, Gmail and Yahoo. The results were rather depressing.

The social networking site Rockyou.com was hacked late last year, resulting in the exposure of some 32 million passwords from its own site and from partner social networking sites such as MySpace and Facebook. Rockyou's policies of not requiring complex passwords and then storing those passwords in the clear were a ticking time bomb, and should be a lesson to other sites and to end users who may not understand the danger of sharing passwords between sites.

Well, an analysis of the passwords revealed in the hack has been completed, and the results are, unsurprisingly, not dissimilar to the Hotmail passwords revealed last year.

The top passwords revealed were:
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

Compared to the previous analysis of hotmail passwords:
1. 123456
2. 123456789
3. alejandra
4. 111111
5. alberto
6. tequiero
7. alejandro
8. 12345678
9. 1234567
10. estrella

And the results of an analysis of other recent password breaches showed a similar pattern, with '123456' being incredibly popular...

The complete report is available here (pdf) and is worth a look.
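To make the two lessons of the Rockyou breach concrete, here is a small added example (my own code, not from the report or from Rockyou): it counts the most frequent entries in a constructed password dump, rejects the kind of password that dominates both top-ten lists, and stores a salted PBKDF2 digest instead of the cleartext. The sample dump, the denylist contents beyond the two lists quoted above, and the iteration count are assumptions made for the example.

```python
"""Added example (not from the original post): frequency analysis of a
constructed password dump, a denylist check that would have rejected the
top entries, and salted PBKDF2 hashing instead of cleartext storage.
"""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample dump for illustration only; the real RockYou dump is
# not reproduced here. Counts mimic the "123456 on top" pattern.
SAMPLE_DUMP = (
    ["123456"] * 5
    + ["12345"] * 3
    + ["Password"] * 2
    + ["iloveyou"] * 2
    + ["abc123", "princess", "rockyou", "Tr0ub4dor&3",
       "correct horse battery staple"]
)

# Denylist seeded with the two top-ten lists quoted in the post.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "111111",
    "alejandra", "alberto", "tequiero", "alejandro", "estrella",
}


def top_passwords(dump, n=10):
    """Return the n most frequent passwords as (password, count) pairs."""
    return Counter(dump).most_common(n)


def is_weak(password, min_length=8):
    """True if the password is on the denylist, too short, or pure digits.

    The comparison is case-insensitive so 'Password' is caught as well.
    min_length is an assumed policy value for this example.
    """
    if password.lower() in COMMON_PASSWORDS:
        return True
    if len(password) < min_length:
        return True
    if password.isdigit():
        return True
    return False


def hash_password(password, salt=None, iterations=200_000):
    """Store salt + PBKDF2-HMAC-SHA256 digest rather than the cleartext.

    The iteration count is an assumed value chosen for this example.
    Returns (salt_hex, digest_hex, iterations) for storage.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex(), iterations


def verify_password(password, salt_hex, digest_hex, iterations):
    """Recompute the digest from the stored salt and compare in constant time."""
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for pw, count in top_passwords(SAMPLE_DUMP, 5):
        print(f"{count:3d}  {pw:<30}  weak={is_weak(pw)}")
    salt, digest, iters = hash_password("correct horse battery staple")
    print("stored:", salt, digest[:16] + "...", iters)
    print("verify:", verify_password("correct horse battery staple",
                                     salt, digest, iters))
```

Run as a script it prints the frequency table with a weak/strong verdict per entry, then a stored record and a successful verification. Had Rockyou stored records of that shape, the 32 million entries leaked would have been salted digests rather than the plaintext list the report was built from.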

IE? Nein! Nein!

No, Microsoft hasn't released a successor to Internet Explorer 8 (yet!).

The Australian is reporting that the French and German governments have warned people against using Internet Explorer due to the (as yet unpatched) security vulnerabilities that were allegedly exploited by the Chinese Government in cyberattacks against Google.

While I applaud any government effort to help ensure their citizens are provided with information on how to stay safe online, how to detect and avoid phishing attacks etc, I'm not sure I can agree with a Government picking out (or picking on) a particular piece of software.

Microsoft certainly has had a number of long-running legal battles with the European Union, the most recent over their alleged browser monopoly, which was dropped after Microsoft agreed to include up to 12 other browser choices in European versions of Windows. Has this recent case and previous legal entanglements coloured the judgement of certain European government officials?

Microsoft are always the bad guys, the evil empire, the 800-pound gorilla, the easy target. It's something that comes with the territory of being so dominant in an industry. Windows and Internet Explorer have a less than stellar security record, but one that has been improving greatly since the start of their 'Trustworthy Computing' security initiative back in 2002.

Are they perfect? No. But no software vendor is (or is even close!), as every major vendor regularly releases security patches. Will these same governments recommend users stop using Acrobat next time Adobe faces a 0-day vulnerability? Or stop using Safari? Or Firefox?

The high-profile nature of the Google-China standoff (and I don't know what's worse: Google withdraws and the Chinese people are punished, or China backs down to Google...) has thrust browsers and vulnerabilities back into the limelight for 5 minutes, and I think some politicians want to have their soundbite heard. I think their time and effort would be better used in continuing education for their end users and letting them decide for themselves what software they want to use once they understand all of the risks involved.

The danger in pointing the finger at Microsoft and Internet Explorer is that it doesn't address the fact that these sorts of attacks are out there and all software has flaws. It may give those people who do switch to Firefox or Safari a false sense of security 'because they're not using IE' (in much the same way I am critical of Apple's attacks on Microsoft's security that paint OSX/Safari as being free of security problems). It seems to me to be a pretty shortsighted approach (but we are dealing with politicians, right?).

Or maybe it's an EU thing and they want everyone using Opera instead?

*EDIT*
While there seems to have been plenty of hysterical articles about dropping IE and changing over to (insert favourite browser) NOW!, this one is much more balanced and sensible.

The Circus is back in town for 2010!

I came across an article recently that had me doing a double-take when I saw the date it was published. It seems the jokes we Aussies like to tell about our neighbours 'over the ditch' being behind the times may be true, as in December the Waikato District Health Board over in Aotearoa was ground to a halt by... Conficker!

You read that right, December 2009. To refresh your memory, Conficker exploited a vulnerability that Microsoft released the MS08-067 patch for back in October 2008.

To put that in perspective, some other events from October 2008 were:
  • Sarah Palin and Joe Biden have their only scheduled debate for the vice presidency of the United States
  • U.S. President George W. Bush signs the US$ 700,000,000,000 bailout bill after it is passed by the House.
  • Head of International Monetary Fund says the US Financial Crisis threatens to send the world into a recession.

All jokes aside, a virus outbreak affecting the information systems of multiple hospitals is a very serious matter. So is the almost criminal incompetence in IT management/administration that allows 3000 desktops to lack up-to-date anti-virus and to be missing patches that were over a year old.

To make matters even worse (if that's possible), the NZ Ministry of Health was hit by Conficker 12 months earlier! Obviously there were no lessons learned from that earlier outbreak...

Good security is hard. It takes planning, organization and hard work. Unfortunately for the patients of the Waikato DHB, bad security is easy. It requires nothing more than apathy and ignorance. In this case it took not doing what even the most computer illiterate user knows are 'the basics' (patching and AV).
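'The basics' are also the easiest thing to measure. As an added example (my own code, not anything the Waikato DHB or the NZ Ministry of Health ran), here is a compliance sweep over a constructed desktop inventory that flags any host missing the MS08-067 patch Conficker exploited or running stale anti-virus signatures. The host names, dates and patch lists are invented; the seven-day signature-age threshold is an assumed policy value; MS08-067's release date of 23 October 2008 is the one real date used.

```python
"""Added example (not from the original post): a compliance sweep over a
constructed desktop inventory that flags hosts missing the MS08-067 patch
Conficker exploited, or whose anti-virus signatures are stale.
"""
from datetime import date

# Constructed inventory; host names, dates and patch sets are invented.
INVENTORY = [
    {"host": "ward-pc-01", "patches": {"MS08-067"}, "av_signatures": date(2009, 12, 10)},
    {"host": "ward-pc-02", "patches": set(),        "av_signatures": date(2009, 12, 10)},
    {"host": "ward-pc-03", "patches": {"MS08-067"}, "av_signatures": date(2008, 11, 2)},
    {"host": "ward-pc-04", "patches": set(),        "av_signatures": None},
]

REQUIRED_PATCHES = {"MS08-067"}        # the bulletin named in the post
MS08_067_RELEASED = date(2008, 10, 23)  # Microsoft's release date for MS08-067


def check_host(entry, as_of, max_av_age_days=7):
    """Return the reasons a host is non-compliant (empty list if it is fine).

    max_av_age_days is an assumed threshold chosen for this example.
    """
    reasons = []
    for bulletin in sorted(REQUIRED_PATCHES - entry["patches"]):
        reasons.append(f"missing {bulletin}")
    sig = entry["av_signatures"]
    if sig is None:
        reasons.append("no anti-virus signatures")
    else:
        age = (as_of - sig).days
        if age > max_av_age_days:
            reasons.append(f"anti-virus signatures {age} days old")
    return reasons


def sweep(inventory, as_of, max_av_age_days=7):
    """Map each non-compliant host name to its list of reasons."""
    findings = {}
    for entry in inventory:
        reasons = check_host(entry, as_of, max_av_age_days)
        if reasons:
            findings[entry["host"]] = reasons
    return findings


def patch_age_days(released, as_of):
    """Days a patch had been available on a given date; the number that makes
    the post's point about a year-old fix."""
    return (as_of - released).days


if __name__ == "__main__":
    as_of = date(2009, 12, 15)  # constructed 'as of' date for the December 2009 outbreak
    print(f"MS08-067 had been available for "
          f"{patch_age_days(MS08_067_RELEASED, as_of)} days on {as_of}")
    for host, reasons in sweep(INVENTORY, as_of).items():
        print(f"{host}: {'; '.join(reasons)}")
```

Run against a real inventory export, a report like this is the difference between finding two unpatched desktops in a weekly review and finding 3000 of them when the hospital network stops working.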

One can only hope that this is a wake-up call for organizations and Government departments, not only in NZ, but everywhere.