Saturday, November 28, 2009

Passwords and User Names

Unfortunately, very little has changed in how computer users select passwords over the past several years. Compare the following list of the top 10 passwords used in automated attacks, reported by the Microsoft Malware Protection Center in "Do and don'ts for p@$w0rd$", with the PC Magazine list of the 10 most commonly used passwords online, published in 2007:

Microsoft List - November, 2009:
  1. password
  2. 123456
  3. #!comment:
  4. changeme
  5. F**kyou (edited)
  6. abc123
  7. peter
  8. Michael
  9. andrew
  10. matthew
PC Magazine list - April, 2007:
  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. (your first name)
Similarly, the MMPC provided this list of the top 10 most common user names used in automated attacks:
  1. Administrator
  2. Administrateur
  3. admin
  4. andrew
  5. dave
  6. steve
  7. tsinternetuser
  8. tsinternetusers
  9. paul
  10. adam

From the report, Francis Allan Tan Seng and Andrei Saygo provide this advice:

"We just want to make users aware of the fact that passwords of around 8-10 characters (the average length of passwords that are normally used for Internet accounts) are used in attacks. Even a long password (10 to 15, or even 20 characters) isn’t good enough if it’s dictionary-based. As seen in the table above, there are passwords in dictionaries that are even using special characters (for example #!comment: ), not only numbers and letters.

You should take good care of what user name and password you're choosing. If your account has no limit on the number of login attempts, then knowing the user name is like having half of the job done. Especially for the user names from the top 10 (and mainly for the Administrator/Administrateur accounts), the passwords shouldn’t be picked lightly.

Usually we choose easy to type and/or easy to remember passwords, but please don’t forget that those passwords (for the moment) are the most commonly used for authentication on the Internet so they need to be strong.

The three basic things to remember when creating a strong password are the following:

1. Use a combination of letters, numbers and special characters. Also, remember that some dictionaries used in attacks have a "l33t" mode, which allows common letter/number-to-special character substitutions (like changing a-@, i-1, o-0 and s=$, for example, password = p@$$w0rd). Therefore, mix them in different ways so that they are not predictable.

2. Use a combination of upper and lower case letters.

3. Make it lengthy. A longer password does not necessarily mean it is strong but it can help in some cases."

For additional assistance see Strong passwords: How to create and use them. After creating a new, strong password, use the Microsoft Password Checker.
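
The advice above can be turned into a defender-side check at password-set time. The following is an added example, not code from the MMPC report or this blog: it undoes the four "l33t" substitutions named in the quote and compares the result with the top-10 lists above. The names `candidates` and `screen` are hypothetical, and stripping trailing digits and symbols is an assumption that goes beyond the post.

```python
import re

# Entries from the two top-10 lists quoted in the post (lower-cased).
# The edited profanity and "(your first name)" are not literal strings;
# the latter is handled through the first_name argument below.
BLOCKLIST = {
    "password", "123456", "#!comment:", "changeme", "abc123", "peter",
    "michael", "andrew", "matthew", "qwerty", "letmein", "monkey",
    "myspace1", "password1", "blink182",
}
# The MMPC top-10 user names seen in automated attacks.
TARGETED_USERS = {
    "administrator", "administrateur", "admin", "andrew", "dave",
    "steve", "tsinternetuser", "tsinternetusers", "paul", "adam",
}
# Reverse of the substitutions named in the quoted advice: a-@, i-1, o-0, s-$.
UNLEET = str.maketrans({"@": "a", "1": "i", "0": "o", "$": "s"})


def candidates(password):
    """Forms of the password that a dictionary with l33t mode would cover."""
    lowered = password.lower()
    # Assumption (not from the post): trailing digits/symbols are a suffix.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    forms = {lowered, stripped}
    forms |= {form.translate(UNLEET) for form in forms}
    forms.discard("")
    return forms


def screen(username, password, first_name=""):
    """Return the reasons a credential pair is weak; an empty list means none."""
    reasons = []
    forms = candidates(password)
    names = {name.lower() for name in (username, first_name) if name}
    if forms & BLOCKLIST:
        reasons.append("password matches a top-10 dictionary entry")
    if forms & names:
        reasons.append("password is the user name or first name")
    if username.lower() in TARGETED_USERS:
        reasons.append("user name is on the top-10 attacked list")
    return reasons


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    for user, pw in [("Administrator", "Ch@ngeMe!"), ("corrine", "P@$$w0rd")]:
        print(user, pw, screen(user, pw))
```

An empty result only means the password is not a variant of these short lists; it says nothing about larger attack dictionaries.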

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Wednesday, November 25, 2009

Happy Thanksgiving

Warmest wishes to family and friends for a Happy Thanksgiving!

"Some people complain because God put thorns on roses,
while others praise Him for putting roses among thorns."
May your Thanksgiving day be a rose among thorns.


Woot! Happy Birthday, Aaron!

{{{Happy Birthday HUGS}}} Corrine


Monday, November 23, 2009

Holiday Shopping Story

With the biggest shopping season of the year starting, this year I have a true story to share with you about a shopping experience of a long-time friend.

As a bit of background, this friend is one of the most organized people I know. She doesn't merely make lists. She actually completes the items on her lists too! I have known her for over twenty years. She is smart, alert and cautious.

So what happened? Early last week, she used her debit card at a store that did not have a PIN machine. As a result, the card was swiped as a credit card, she signed the credit slip and the card was returned. From that store, she went on to make two additional transactions, signing her name to both credit slips.

Later in the week, an attempt to use the card as a debit card was denied. She tried again and once again the debit transaction was denied. Since she was recently married and this was a new card with her married name, she thought there was something wrong with the new card. In telling her husband about it, he asked her what was wrong with the card. She hadn't looked at it closely, so she pulled it out to see if it was obviously damaged.

That was when she discovered that the card was not hers. Rather, during one of the credit transactions when the card was swiped by the cashier, another person's card was returned to her! She called the bank immediately and reported the situation, placing a hold on her accounts. Fortunately, whoever received her card had not used it, as no transactions have been placed on her account.

Particularly during the holiday shopping season when cashiers are harried, if you have to give your credit card or debit card to a salesperson, make sure you get your card back.

If you are planning on doing any shopping online, review these Online Shopping Safety Tips from Microsoft Online Safety. Frequent online shoppers should consider Windows CardSpace, which helps control your digital identity, making online shopping safer.

Whether you shop in the brick and mortar stores, online or a combination of both, be careful, stay safe.


Saturday, November 14, 2009

Microsoft Security Advisory 977544 Released

Microsoft released Security Advisory 977544, "Vulnerabilities in SMB Could Allow Denial of Service", on November 13, 2009.

From the MSRC Blog:

"Today we released Security Advisory 977544 to provide information, including customer guidance, on a publicly reported Denial-of-Service (DoS) vulnerability affecting Server Messaging Block (SMB) Protocol. This vulnerability, in SMBv1 and SMBv2, affects Windows 7 and Windows Server 2008 R2. Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected.

I want to be clear that this is a DoS vulnerability that is unrelated to Microsoft Security Bulletin MS09-050 which addressed a remote code execution vulnerability in the SMBv2 protocol. This vulnerability would not allow an attacker to take control or install malware on a user’s system, but could cause the affected system to stop responding until manually restarted."

Mitigating factors are provided in Microsoft Security Advisory 977544:
"Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the SMB ports should be blocked from the Internet."

For complete information, see Microsoft Security Advisory 977544 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.



Wednesday, November 11, 2009

Lest We Forget

Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country. As in previous years, I am republishing my friend Canuk's last tribute. The comment he posted provides one example of why he was a special person:
"I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.

Despite anyone's thoughts of the current conflict in Iraq - opposition or agreement, we must always remember that these brave young men and women are fighting for a cause they also may or may not agree with. The huge difference between them and us is that they are putting their lives on the line 24/7 while we sit in our homes in comfort, using the freedom of speech previous warriors won for us, and for that they deserve our love, respect, and support."

We Shall Keep the Faith by Moina Michael, November 1918

Oh! you who sleep in Flanders Fields,
Sleep sweet - to rise anew!
We caught the torch you threw
And holding high, we keep the Faith
With All who died.

We cherish, too, the poppy red
That grows on fields where valor led;
It seems to signal to the skies
That blood of heroes never dies,
But lends a lustre to the red
Of the flower that blooms above the dead
In Flanders Fields.

And now the Torch and Poppy Red
We wear in honor of our dead.
Fear not that ye have died for naught;
We'll teach the lesson that ye wrought
In Flanders Fields.

Tuesday, November 10, 2009

Microsoft Security Bulletin: November 2009

Microsoft released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word).

In-depth technical detail on MS09-063, MS09-064 and MS09-065 is available at the Security Research & Defense team blog.

Microsoft also re-released MS09-045 to add detection for users who may be running JScript 5.7 on Windows 2000 Service Pack 4. MS09-051 was re-released to update Audio Compression Manager on Microsoft Windows 2000 Service Pack 4 to fix a detection issue.

  • MS09-063 - addresses a vulnerability in Windows (KB 973565)
  • MS09-064 - addresses a vulnerability in Windows (KB 974783)
  • MS09-065 - addresses a vulnerability in Windows (KB 969947)
  • MS09-066 - addresses a vulnerability in Windows (KB 973309)
  • MS09-067 - addresses a vulnerability in Microsoft Office (KB 972652)
  • MS09-068 - addresses a vulnerability in Microsoft Office (KB 976307)



Thursday, November 05, 2009

Advance Notice: November 2009 Microsoft Security Bulletin Release

On November 10, 2009, Microsoft is planning to release six bulletins (three critical and three important), addressing 15 vulnerabilities to Remote Code Execution. The affected products include Windows and Microsoft Office products. A restart will be needed in order to install the updates.

According to the Advance Notification, Bulletins 1-4 are planned for Windows (three Critical, one Important). The remaining two bulletins are updates for Microsoft Office and are designated Important.



Wednesday, November 04, 2009

Critical Security Update for Sun Java JRE 6

Sun Microsystems released update 17 for Java SE JDK 6 and Java SE JRE 6. The update addresses multiple vulnerabilities. These vulnerabilities include arbitrary code execution, privilege escalation, denial of service, and information disclosure.

For detailed information on the updates, see Sun Alerts 269868, 269869, 269870, 270474, 270475, and 270476.

For English-language operating systems, the download link is located at: Java SE Runtime Environment 6u17.

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Release Notes: Java SE 6 Update 17 Release Notes


Tuesday, November 03, 2009

Celebrating 12 Years of WinPatrol!

In celebration of Scotty's 12th birthday, WinPatrol PLUS subscribers who have helped a friend or family member by having them adopt Scotty are eligible to register to win the grand prize in the WinPatrol Birthday Celebration: Windows Ultimate, Signature Edition!

See the details and register at WinPatrol Birthday Celebration.

Congratulations, Scotty.


Monday, November 02, 2009

Fix it Solution for Windows 7 Upgrade Hanging at 62%

When upgrading from Windows Vista to Windows 7, a number of people have experienced the situation where the upgrade stops responding at 62% and does not resume. In addition, Windows creates a file that is named system_drive:\$WINDOWS.~BT\Sources\Panther\setupact.log

As explained in Microsoft Knowledge Base Article 975253, Upgrade stops responding (hangs) at 62% when you upgrade to Windows 7, this is because the Iphlpsvc service stops responding during the upgrade. According to KB 975253, it could also be other services causing a problem which results in the upgrade process hanging at 62%.

Today Microsoft released a Fix it to fix the problem automatically. Note the caveat below specifically indicating that this solution is only to be used if the upgrade stops at 62%.

The Fix it solution is ONLY if the upgrade stops responding at 62%. Do NOT use it if the upgrade stops responding at a different percentage than 62% or if the log entries are not logged.
From KB 975253:

Fix it for Me

To fix this problem automatically, restart the computer where the upgrade to Windows 7 fails at 62%. Your computer will roll back to Windows Vista. Either download the following fix to a flash drive or to a CD or return to this article on the machine where the upgrade fails. If you return to this article on the machine where you experience this problem, click the Fix this problem link. Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

Fix this problem
Microsoft Fix it 50319
