L0phtCrack Is Back!!

One of my favourite security tools, L0phtCrack, is back and available for download. L0phtCrack is an excellent password auditing tool which allows you to determine whether or not there are weak passwords on your network. L0phtCrack first came out in 1997 and it is a sad reflection on the information security industry that twelve years later we still depend on passwords to protect our key information assets.

I remember giving a presentation on information security in 1998. As delegates entered the room we had them enter a secure password into a Windows laptop. While I gave my presentation I had L0phtCrack audit the passwords on the laptop. At the end of the presentation, which lasted about 40 minutes, I then displayed the results from the audit. It was telling to see the shock and amazement on the delegates’ faces when they saw their “secure” passwords displayed on a screen within such a short period of time. I am willing to bet that if I ran that same test today there would still be a large number of people who would enter passwords into the test machine that would be quickly cracked.

I strongly recommend that you download L0phtCrack and have a look at how strong your own users’ passwords are. But be warned: make sure you get permission from your senior management before doing so.

List of the TOP 25 Most Dangerous Programming Errors Released

Earlier today the List of the Top 25 Most Dangerous Programming Errors was released. The list was compiled by a number of different organisations and coordinated by the SANS Institute.

Criminals are now moving away from attacking the infrastructure layer and towards finding ways into systems by means of bugs in the applications sitting on top of that infrastructure. In light of this change in tactics it is very important that, if you are responsible for developing applications, you ensure that your code does not contain any of these errors. If you are not responsible for developing applications then make sure this list gets to those who are and that they pay heed to it.

Has Your ISP Patched Their DNS Servers?

A number of people have contacted me looking for insight into what risks the recent DNS vulnerability announced by Dan Kaminsky poses to Irish Internet users, and in particular which ISPs have patched their systems and which ones have not. As pointed out to me by one person, this is exactly where an Irish CERT would be very useful in coordinating a response to this issue within the Irish Internet space.

I am not privy to the internal workings of the various ISPs and how effective their patching processes are; however, I would hope that each has a rigorous process with the appropriate change control mechanisms in place. This means that your ISP may not yet have been able to roll out the appropriate patch because they are still testing it. It may mean that your ISP has the patch scheduled for their next maintenance window. Or it may mean your ISP is not aware of the problem or does not have the technical ability to implement the patch.

I have tested my various business Internet providers and am happy to see that they have managed to patch their servers. You should test your ISP using the free tool available on Dan Kaminsky’s blog.

If the test shows your ISP’s DNS server is still vulnerable then contact their support people and ask them what the situation is, or alternatively get your account manager to give you that information. If the responses are not satisfactory then remember you can still use other DNS services such as those provided by OpenDNS.

Remember, if this vulnerability is serious enough for all the major vendors to work together in secret to coordinate their efforts to produce, test and release the patch all on the same date, then it is serious enough for you to apply the same patch and for your ISP to do likewise.

Also don’t forget to patch your own DNS servers and apply the Microsoft workstation OS patches as well. We all need to work together to keep the Irish Internet space that bit more secure.
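The online test mentioned above needs network access to your ISP; the following is an added example (not from this post and not Dan Kaminsky’s tool) of the same idea done offline as a defender’s check: given a constructed list of (source port, transaction ID) pairs recorded from a resolver’s outbound queries, it judges whether the resolver randomises its UDP source ports, which is the mitigation the coordinated DNS patches introduced. The heuristics and sample data are assumptions made for this example.

```python
# Added example, not from the original post and not Dan Kaminsky's online test:
# a defender's offline check that a recursive resolver randomises the UDP
# source port (and transaction ID) of its outbound queries, which is the
# mitigation the coordinated DNS patches introduced. Input is a constructed
# list of (source_port, txid) pairs as one would take from a packet capture
# of the resolver's queries to authoritative servers.
from typing import Dict, List, Sequence, Tuple

Observation = Tuple[int, int]  # (UDP source port, DNS transaction ID)


def _verdict(values: Sequence[int]) -> str:
    """Classify a sequence of ports or TXIDs (heuristic chosen for this example)."""
    distinct = len(set(values))
    deltas = {b - a for a, b in zip(values, values[1:])}
    if distinct == 1 or len(deltas) == 1:
        return "weak"          # fixed value, or constant step (e.g. incrementing)
    if distinct < len(values) // 2:
        return "poor"          # cycles through a small pool of values
    return "randomised"


def assess_resolver(obs: List[Observation], min_samples: int = 10) -> Dict[str, object]:
    """Return verdicts for port and TXID behaviour plus an overall flag.

    A resolver 'looks patched' only when its source ports are randomised:
    a 16-bit TXID on its own is too small a search space to rely on.
    """
    if len(obs) < min_samples:
        raise ValueError(f"need at least {min_samples} observations, got {len(obs)}")
    ports = [p for p, _ in obs]
    txids = [t for _, t in obs]
    port_verdict = _verdict(ports)
    return {
        "distinct_ports": len(set(ports)),
        "port_verdict": port_verdict,
        "txid_verdict": _verdict(txids),
        "looks_patched": port_verdict == "randomised",
    }


# Constructed samples (not real captures).
# Pre-patch behaviour: every query from port 53 with an incrementing TXID.
UNPATCHED_SAMPLE: List[Observation] = [(53, 0x3000 + i) for i in range(12)]
# Post-patch behaviour: both fields vary unpredictably from query to query.
PATCHED_SAMPLE: List[Observation] = [
    (41987, 0x9C1E), (2051, 0x1733), (60233, 0xE0A4), (33812, 0x5AD9),
    (12566, 0x2F8B), (58721, 0xC3F0), (7744, 0x8D12), (49930, 0x06E7),
    (25104, 0xB95C), (63350, 0x41AA), (18207, 0xF60D), (37025, 0x7B38),
]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, assess_resolver(sample))
```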

If you want more details on the vulnerability there will be a webinar hosted later today where Dan will discuss it in more detail.

Firefox 3.0 – Hackers 1

Mozilla released the latest version of Firefox on June 17th amidst much fanfare and hype. The major buzz about this release was the attempt by Firefox to break the Guinness Book of Records for the most downloads of a single program in a 24-hour period.

Well, the launch has not gone so well for Firefox. Firstly, due to the number of people attempting to download the latest version (over 8 million), the site’s availability has been patchy at best. But worse was to follow: within five hours of its release a security vulnerability affecting the latest version, and previous versions, was discovered. TippingPoint have verified that the vulnerability is real through their Zero Day Initiative. The SANS Internet Storm Center and the Security4all blog provide more coverage on the issue.

For the browser that promotes itself as being more secure than Internet Explorer this is not the best of starts.

Latest Information Security News Roundup

Below is a round-up of news stories relating to information security that we have collated from the past few days. For ease of use we have categorised the stories under the most appropriate headings. If there are other stories that may be of interest please let us know via the comments feature.