Alexander’s Blog

March 1, 2008

Windows Server 2008 Security Guide

by @ 1:12 pm. Filed under Security/Firewalls, Windows 2008

The Windows Server 2008 Security Guide is designed to further enhance the security of the servers in your organization by taking full advantage of the new and improved security technologies and features in Windows Server 2008. Use the guidance to create, test, and deploy your security baseline quickly and reliably, harden your server workloads, and evaluate security setting recommendations to meet the requirements of your environment.

If you are working with Windows Server 2008 you might also be interested in the Windows Server 2008 Step-by-Step Guides.

February 14, 2008

Is Microsoft’s “Password Checker” a reliable tool to test the strength of your password?

by @ 8:02 am. Filed under Security/Firewalls, Tools/Utils

Microsoft offers a tool called Password Checker. The purpose of the tool is to test the strength of your password as you type. Is Password Checker a reliable tool to test the strength of your password? The answer in my opinion is NO. Microsoft correctly states “It is for personal reference only. Password Checker does not guarantee the security of the password itself.” Microsoft also says about the password that “It should be 14 characters or longer, (eight characters or longer at a minimum). It should include a combination of uppercase and lowercase letters, numbers, and symbols.”

Password Checker tests the strength of your password as you type and rates it as one of the following:

  1. Weak
  2. Medium
  3. Strong
  4. Best

I performed several tests and discovered that the tool is programmed to look for a certain number of characters and certain combinations. It pretty much ignores the length of the password unless you add special characters or mixed case to the password. Your pass phrase can be over a hundred characters long and Microsoft’s Password Checker considers it a weak password unless you add at least one special character, which the tool considers Medium. You can use a password cracking tool and easily prove that the Password Checker tool is incorrect in determining the actual strength of your password and therefore should not be used.

In the document Strong passwords: How to create and use them Microsoft acknowledges that “Each character that you add to your password increases the protection that it provides many times over.” Yet, the Password Checker completely ignores this fact. You can keep adding characters by the dozen and the tool will report that your password is weak. In fact, even if you type a 127-character password (the maximum allowed in Windows) in all lowercase the tool will report it as a weak password because you didn’t include an uppercase character, which makes no sense. According to the tool, adding one uppercase character to a 126-character password makes the password’s strength Medium. So the built-in logic in the tool is questionable. There are lots of other tools available that are more reliable to test your password strength.

Microsoft suggests the password should be 14 characters or longer. I suggest you use a pass phrase that is 15 characters or longer, as I explain in my article How Secure Is Your Password?. According to Microsoft security experts that I have talked to, if your password is 15 characters or longer it is not necessary to have a combination of alphanumeric, uppercase, lowercase and special characters in your password. I explain why in the article I just mentioned, How Secure Is Your Password?. Of course, if you add any special characters or numbers you only strengthen your password.
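As an added illustration of the point above (this is not code from the post or from Microsoft), here is a toy class-counting rater modelled on the behaviour the post describes, placed next to a length-aware estimate of the brute-force search space; the rater, the bit thresholds and the sample passwords are assumptions chosen to show why a long all-lowercase pass phrase outranks a short four-class password.

```python
import math
import string

# Character classes the post says Password Checker looks for.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

def classes_used(password: str) -> list:
    """Names of the character classes that occur in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]

def class_based_rating(password: str) -> str:
    """Toy rater modelled on the behaviour described in the post (an assumption,
    not Microsoft's code): the verdict depends only on how many classes appear,
    so no amount of length moves a single-class password above Weak."""
    n = len(classes_used(password))
    return ["Weak", "Medium", "Strong", "Best"][max(n - 1, 0)]

def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size), with the
    alphabet taken as the union of the classes actually used."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def entropy_rating(password: str) -> str:
    """Length-aware verdict; the bit thresholds are assumed for illustration."""
    bits = entropy_bits(password)
    for limit, label in ((40, "Weak"), (64, "Medium"), (96, "Strong")):
        if bits < limit:
            return label
    return "Best"

def compare(password: str) -> dict:
    """Both verdicts side by side, so the divergence is easy to see."""
    return {"class_based": class_based_rating(password),
            "entropy_bits": round(entropy_bits(password), 1),
            "entropy_based": entropy_rating(password)}

if __name__ == "__main__":
    # Constructed samples: long lowercase pass phrases vs a short four-class password.
    for pw in ["a" * 127, "A" + "a" * 126, "correcthorsebatterystaple", "Passw0rd!"]:
        print(repr(pw[:20]), compare(pw))
```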

December 9, 2007

Free cryptography book from Alfred Menezes

by @ 9:55 am. Filed under Security/Firewalls, Training

If you are interested in cryptography, you might want to check out the Handbook of Applied Cryptography, by Menezes, van Oorschot, and Vanstone (CRC Press). This book is one of the recommended books for the modern cryptography course in the masters program at the University of Washington in Seattle. As of today, it is sold at Amazon.com for $83.95 but you can download it for free in PDF or Postscript format from Alfred Menezes’ Web site.

Alfred Menezes is a professor of mathematics in the Department of Combinatorics and Optimization at the University of Waterloo (Canada), where he teaches courses in cryptography, coding theory, finite fields, and discrete mathematics.

December 5, 2007

Encryption for Microsoft’s wireless keyboards hacked

by @ 2:51 pm. Filed under News, Security/Firewalls

Swiss IT security company Dreamlab Technologies AG has shown that it is possible to capture and decrypt keystrokes, meaning that user names, passwords, bank details or confidential correspondence can be very easily eavesdropped. Although the trend in wireless communication in peripheral devices such as keyboards and mice is moving towards Bluetooth, market leaders such as Logitech and Microsoft rely on cost-efficient, tried-and-tested 27 MHz radio technology. Using just a simple radio receiver, a soundcard and suitable software, Dreamlab Technologies has managed to tap and decode the radio frequencies transmitted between the keyboard and PC/notebook computer. Although manufacturers of wireless keyboards partially prevent data from being tapped by using cryptography, unfortunately the encryption is weak and thus does not offer real protection. Max Moser from Dreamlab Technologies states: “Wireless communication is only as secure as the encryption technology used. Due to its nature, it can be tapped with little effort.”

Dreamlab Technologies tested and successfully cracked the encryption key used within Microsoft Wireless Optical Desktop 1000/2000 keyboards. As most products in Microsoft’s Wireless Desktop range are based on the same technology, Dreamlab Technologies does not consider them to be secure either. During the test, Max Moser and Phillipp Schrödel of Dreamlab Technologies succeeded in eavesdropping traffic from a distance of up to ten meters using a simple radio receiver. With the appropriate technical equipment, larger distances are possible.

For more information, you can read Dreamlab’s whitepaper and watch their video demonstration.

November 17, 2007

Firefox Exploit can Hack Gmail

by @ 12:55 pm. Filed under Browsers, News, Security/Firewalls

Mozilla has taken another security blow with the discovery that Google user accounts can be accessed through a dangerous Firefox exploit.

The vulnerability, which is still in the wild some 10 days after its discovery on gnucitizen.org, allows hackers to access Google accounts, including Gmail, with cross-site scripting attacks.

A client or server-side exploit can be inserted into .zip files via open document formats from Microsoft Office 2007 and OpenOffice, and uploaded to a server where the Firefox JAR protocol extracts the compressed data.

While Mozilla has not issued a solution to the problem, application firewalls and proxy servers can be used to block Windows Uniform Resource Identifiers (URIs) that contain the JAR protocol, while Web administrators can use a reverse proxy to prevent malicious content from being uploaded.

Users can download a NoScript add-on for Firefox to block JavaScript and executable content from untrusted Web sites, and can secure their Google accounts by remaining signed out whenever possible.

Read this entire story as reported by PC World.


Copyright ©2008 Zubair Alexander. All rights reserved.
