Multifactor Authentication for Office365

Users of Microsoft’s cloud-based Office 365 offering get a double dose of password security, with client apps to follow soon.

Given that Office 365 accounts are bound to contain sensitive corporate information, Microsoft is looking to avoid the high-profile security breaches that have plagued other cloud services. To that end, the software giant announced that it has extended multifactor authentication to the Office 365 user base at large.

The security measure is no longer the exclusive domain of administrators. Multifactor authentication has been available for Office 365 administrative roles since June 2013, and Microsoft is now extending this capability to any Office 365 user.

The Multi-Factor Authentication for Office 365 will be available for the Office 365 Midsize Business, Enterprise plans, Academic plans, Nonprofit plans, and standalone Office 365 plans, including Exchange Online and SharePoint Online.

This will allow organizations with these subscriptions to enable multifactor authentication for their Office 365 users without requiring any additional purchase or subscription. Users must authenticate once on each device they use to access their Office 365 account. Once authenticated, that device becomes a trusted computer/device for their account.

The move is part of a broader effort by the company to harden its cloud services slate. In June 2013, Microsoft announced that it was bringing multifactor authentication, based on technology from its PhoneFactor acquisition, to Windows Azure Active Directory (AD) services, enabling users to securely access their accounts with additional credentials supplied by an app or Short Message Service text.

In recent years, online service providers have been rocked by breaches that have caused security-conscious enterprises to regard the cloud suspiciously. Dropbox, a popular cloud storage company, rolled out two-step authentication in 2012 after a breach that made user data susceptible to snoops. Twitter followed suit in 2013 after major accounts had been hacked. The Yahoo Mail breach would have been a non-event for users had they switched on the service’s multifactor authentication options. I’m sure all online email providers will be adopting similar services – now it is up to the end user to turn it on and use it. It should be a required setup for all accounts.

Microsoft is also looking to extend multifactor authentication to Office 365 client apps. It notes that users currently have a workaround by configuring App Passwords to secure their desktop apps; soon Office 365 customers will be able to use multifactor authentication directly from Office 2013 client applications. Microsoft is planning to add native multifactor authentication for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell and OneDrive for Business, with a release planned for later in 2014. The update will supplement phone-based authentication with support for third-party solutions and smart cards that conform to the U.S. Department of Defense Common Access Card (CAC) and U.S. Federal Personal Identity Verification (PIV) card security standards.

New Symantec Endpoint Maintenance Release – Minor update series for version 12.1.4013.8083 SEPM

The potential to leverage the remote-access XXE vulnerability in an attempt to exploit the local-access SQL injection issues increases the overall severity of a successful exploit. Symantec customers need to apply the available updates (12.1.4023.4080) as soon as possible.

Over the course of the next week we will be upgrading our clients using Symantec Endpoint Protection to this newer version. For their benefit, we are listing the new and changed features in this release. We recommend all users of Symantec Endpoint Protection upgrade their installations as soon as possible to address these issues (listed below). In addition to this Management/Client release, Symantec has also released an urgent patch to the management program: apply this 12.1.4.4013 fix first, then the Management Security Fix.

  • Expanded operating system and browser support
    Supports Mac OS X 10.9 and Windows 8.1 / Server 2012 R2. Supports the latest versions of Internet Explorer, Firefox, and Chrome.
  • Expanded and improved features for Endpoint Protection for Mac
    Improved remote deployment features for the client, including a standardized deployment package for use with third-party client management systems that supports unattended, logged-out, and silent deployment.
    Intrusion prevention for Mac client computers.
    LiveUpdate 6 for Mac, which does not require Java and can run with no user logged in.
    Content for Mac from Symantec Endpoint Protection Manager (SEPM).
    Other improvements, including improved scheduled scan options, user interface improvements, and language support.
  • Faster alerting and notification for priority events
    SEP 12.1.4 Windows clients can quickly send priority events to SEPM without waiting for the next heartbeat. You can create notifications without a damper for critical events. Priority events include malware detections and IPS alerts.

New fixes in this release

  • A detected threat does not have a corresponding entry in the risk log. Symptom: You see the pop-up warning, “Threats were detected while you were logged out,” but the risk log does not display a corresponding entry.
  • System hangs after reboot on Windows XP Embedded SP3. Symptom: After you install the Symantec Endpoint Protection client on a Windows XP Embedded device on which PCAnywhere and specific video adapters are also installed, a crash in the video memory occurs.
  • Scan Logs do not display updated scan status. Symptom: Administrator-defined scheduled scans do not update the scan status of Symantec Endpoint Protection Manager scan logs if you suspend then complete the scan.
  • Microsoft Outlook 2010 freezes. Symptom: If you install the Symantec Endpoint Protection Microsoft Outlook plug-in along with McAfee DLP software, Microsoft Outlook 2010 appears to hang or become unresponsive when you open or add an attachment.
  • Cannot generate quick risk reports. Symptom: When you try to generate quick risk reports, PHP errors and warnings display. You also see many PHP-related errors in the reporting logs.
  • Some detection counts do not display correctly in reports. Symptom: The distribution bar under the “Risk Detection Counts and Detection by Computer” report shows one color, instead of the expected multiple colors for different infection types.
  • Application and Device Control exception is not working correctly. Symptom: An Application and Device Control folder control exception does not work correctly with an absolute path, such as “C:\TEST”.
  • Management Server Configuration Wizard encounters Unexpected Server Error. Symptom: An Unexpected Server Error occurs after you run the Management Server Configuration Wizard.
  • When both the Symantec Endpoint Protection client and management server are installed, Windows Server Backup utility cannot complete a volume shadow copy. Symptom: When you install both the Symantec Endpoint Protection client and Symantec Endpoint Protection Manager 12.1.x on the same computer, the \System Volume Information\EfaData\ folder grows large in size. This growth causes a lack of available free space for the Windows Server Backup Utility to create a volume shadow copy.
  • Scheduled scan report fails to abide by an OS filter. Symptom: When you schedule a Scan Report based on an OS filter, it instead returns every OS.
  • Symantec Endpoint Protection installation results in warning messages in logs. Symptom: Warning messages, such as Event ID 28, appear in the logs when you install Symantec Endpoint Protection on a physical Windows Server 2008 R2 with Hyper-V.
  • Unable to remove the “Delete from Quarantine” option. Symptom: After you uncheck the “Delete from Quarantine” command option for Limited Admins, this option still appears on the dropdown menu as a possible Action. The only way to remove “Delete from Quarantine” from the dropdown menu is to also remove other features, such as “Enable Download Insight.”
  • Download Protection Content reports as “Not Available” after a restart. Symptom: After a client restarts, the initial heartbeat reports that Download Protection is “Not available.” As a result, a notification for “Download Protection out of date” triggers from Symantec Endpoint Protection Manager. Subsequent heartbeats report correctly.
  • Too many active connections from the Group Update Provider (GUP) to Symantec Endpoint Protection Manager. Symptom: The Group Update Provider (GUP) computer keeps more than 200 connections open to Symantec Endpoint Protection Manager.
  • Client reports Firewall Status as “Disabled”. Symptom: If you disable or withdraw the firewall policy from a client group, the clients display as “Disabled” on the Symantec Endpoint Protection Manager Home tab, under Endpoint Status. Clicking on the Endpoint Status chart shows the Firewall Status as “Disabled.” The Firewall Status should only display as “Disabled” if the end user disables the firewall.
  • Lotus Notes 7.0.3 terminates unexpectedly. Symptom: Lotus Notes 7.0.3 terminates unexpectedly when you attempt to open an attachment.
  • Some clients do not honor the restart after using the Client Deployment Wizard. Symptom: When you use the Client Deployment Wizard to install a package that includes Application and Device Control, Symantec Endpoint Protection clients do not honor the reboot command provided in Client Install Settings.
  • Clients move to the wrong group if the group name has a space in it. Symptom: If you copy a group name containing a space from the details tab of one Symantec Endpoint Protection Manager and paste that group name into a new group on another Symantec Endpoint Protection Manager, then the clients end up in an incorrect group. If you copy the same group name containing a space from Windows Notepad, then the clients end up in the correct group.
  • Scan time is shown incorrectly. Symptom: If you click Home > View Details > Scan Failures, the last scan time displayed is incorrect.
  • Teefer does not see outbound traffic on Windows XP. Symptom: On Windows XP SP3, Teefer does not see the outbound traffic for QoS Packet Scheduler (PSched).
  • Lotus Notes terminates unexpectedly during start-up. Symptom: Lotus Notes terminates unexpectedly during start-up when it attempts to load the Notes Auto-Protect plugin (nlnhook.exe).
  • Windows Hypervisor stops responding. Symptom: Windows Server 2012 Hypervisor servers stop responding after you install Symantec Endpoint Protection 12.1.2 (12.1 RU2).
  • Juniper Network Agent Virtual Adapter missing from VPN classification. Symptom: Juniper Network Agent Virtual Adapter (Juniper Junos Pulse client) does not appear within the “Any VPN” classification in the firewall rules.
  • Windows Server 2008 R2 is not identified correctly in Symantec Endpoint Protection Manager. Symptom: Symantec Endpoint Protection Manager shows an incorrect operating system name for Windows Server 2008 R2 computers in the client inventory report and client properties dialog.
  • Cannot generate risk report. Symptom: When you create a risk report for “Action List” or “Infected and At Risk Computers”, the query fails.
  • Log file size grows to be very large. Symptom: Log messages continue to write to scm-ui.log, even after the user logs out of the console. As a result, the log file grows very large.
  • Windows XP 64-bit is listed incorrectly. Symptom: If you click Monitors > Logs > Computer Status > View Log, Windows Server 2003 clients incorrectly display as Windows XP 64-bit.
  • GFValidate.exe application error 1000. Symptom: When Symantec Endpoint Protection Management server is running, you see program errors or crashes when ThreatCon contains an invalid certificate.
  • Windows client incorrectly becomes a Group Update Provider (GUP) after an upgrade. Symptom: After you upgrade a Windows XP computer to Symantec Endpoint Protection 12.1.2, the computer becomes a GUP even though it was not designated as one.
  • Management Server Configuration Wizard displays an error when using a non-default path for the database data folder. Symptom: When you designate a new database using a non-default data folder, such as on drive D:, the Management Server Configuration Wizard displays an error about the database data folder, because it is incorrectly looking for the default path on C:.
  • Cannot add applications to Exception policy. Symptom: You try to add detected applications to existing Exception policies, but those policies do not display in the Monitors tab.
  • Discrepancy in the Endpoint Status report. Symptom: The information displayed on the Home tab under Endpoint Status is different from the information displayed when you click the chart for details.
  • An unexpected database error occurs. Symptom: An unexpected database error occurs when you log on the Web Services Application Registration page.
  • Client upgrade rolls back. Symptom: At the end of the upgrade to Symantec Endpoint Protection 12.1.2 on a computer with a custom Windows system root directory, the installation rolls back to the previous version.
  • BIOS serial number not stored. Symptom: The Symantec Endpoint Protection client sends the BIOS serial number when it connects to the Symantec Endpoint Protection Manager. You can see this information in the scm-server-*.log, but it is not stored within the Symantec Endpoint Protection Manager.
  • Symantec Endpoint Protection Internet email Auto-Protect prevents POP3 email from being sent or received. Symptom: When you check email with a client program that uses the service session (session 0), sending or receiving email experiences delays if you install Symantec Endpoint Protection Internet email Auto-Protect.
  • Unable to copy from USB. Symptom: After you upgrade Windows Vista to Symantec Endpoint Protection 12.1.2, you are unable to read files from a USB device, even though the Application and Device Control policy only prohibits writing to a USB device.
  • Server crashes with BugCheck 8E. Symptom: A Symantec Endpoint Protection client installed to a server operating system crashes with BugCheck 8E {c0000005, f723fac3, abb89930, 0}. The crash log contains a reference to SRTSP.sys.
  • LiveUpdate fails to process content on Symantec Endpoint Protection Manager. Symptom: The LiveUpdate client runs successfully and downloads the content on Symantec Endpoint Protection Manager 12.1.2 (RU2), but fails during the post-processing of the content.
  • EFS encrypted files are damaged. Symptom: After a content download triggers a Defwatch scan, EFS encrypted files become corrupted.
  • Weekly deadlocks occur on Symantec Endpoint Protection Manager database. Symptom: The server logs indicate weekly deadlocks on the Microsoft SQL Server database used by Symantec Endpoint Protection Manager. These deadlocks place an excessive load on the database server.
  • USB data stick removal results in BugCheck 7E error. Symptom: When you remove a USB memory stick, the computer crashes with error code 0X0000007E (BugCheck 7E).
  • Servers are slow or unresponsive. Symptom: After you install the Symantec Endpoint Protection client without Network Threat Protection, the file share server appears to be offline, or becomes extremely slow and unresponsive.
  • Connectivity issues with 3G connection. Symptom: When you try to connect to the internet with a 3G NIC, the Symantec Endpoint Protection firewall component detects a problem and blocks the connection.
  • Wired 802.1x connection attempt results in BugCheck 50 referencing Teefer. Symptom: When attempting to connect using wired 802.1x authentication, the computer crashes with BugCheck 50. The blue screen message references teefer.sys.
  • LiveUpdate does not update Symantec Endpoint Protection client. Symptom: The Symantec Endpoint Protection client downloads but cannot update definitions with LiveUpdate. Content updates from the Symantec Endpoint Protection Manager occur as expected.
  • Enabling Windows Driver Verifier on Teefer2 results in BugCheck 139. Symptom: You install Symantec Endpoint Protection, enable the Windows Driver Verifier for Teefer2, and reboot. An attempt at a network connection causes the computer to crash with BugCheck 139.
  • Cluster is unable to fail over with Auto-Protect enabled. Symptom: With Auto-Protect enabled, an active cluster node cannot fail over and hangs.
  • Some Intrusion Prevention exclusions do not work. Symptom: After you create an Intrusion Prevention (IPS) policy exclusion to keep an application from being blocked, Intrusion Prevention continues to block the application.
  • Download Protection reports as malfunctioning. Symptom: Client computers always report Download Protection as malfunctioning on the first heartbeat after the Symantec Management Client (SMC) service is started. This issue occurs because the heartbeat reports the status before this component fully initializes.
  • Persistent “unexpected server error” notification. Symptom: You receive System Event Notification emails multiple times a day reporting an unexpected server error. The Symantec Endpoint Protection server logs display the message, “This is not a valid IP address.”
  • “Unexpected server error” appears in server logs. Symptom: For the Symantec Endpoint Protection Manager, the server name is different than the host name. The Symantec Endpoint Protection Manager’s server logs display repeated errors by ScheduledReportingTask about an UnknownHostException. You do not receive email notifications or scheduled reports.
  • “Unexpected server error [0x10010000]” when deleting a Symantec Endpoint Protection Manager administrator. Symptom: When you try to delete an administrator account in Symantec Endpoint Protection Manager but opt to retain the existing reports, the message “Unexpected server error [0x10010000]” appears and the administrator account remains.
  • The policy serial number unexpectedly updates at midnight. Symptom: You notice that the policy serial number updated at midnight, but you did not update a policy at that time, only earlier in the day.
  • Some errors in reporting logs related to risk reporting. Symptom: There are PHP errors and warnings in the reporting log. The pie charts on the Monitors tab contain no information, and you encounter a fatal error when you click Reports > Quick Reports.
  • Auto-refresh value reverts for Command Status. Symptom: The Auto-refresh value you configure under Monitors > Command Status reverts to the previous value.
  • Scheduled or On-Demand scans fill backup cache disks. Symptom: You observe that on a computer using a third-party backup program, a scheduled or on-demand scan unexpectedly fills the backup cache disk.
  • SMC service crashes. Symptom: The Symantec Management Client (SMC) service crashes on client computers that are Group Update Providers (GUPs).
  • Accelerated heartbeat after a client fails to register with Symantec Endpoint Protection Manager. Symptom: When Symantec Endpoint Protection Manager returns a registration failure with code 412, the client triggers another registration in five seconds. This behavior results in performance degradation on Symantec Endpoint Protection Manager.
  • Installation of Symantec Endpoint Protection causes BugCheck 8e. Symptom: After the installation of Symantec Endpoint Protection, the computer crashes with BugCheck 8e. A triggered Auto-Protect scan appears to be the cause.

Storing passwords in uncrackable form – Information for Web Server Administrators

News about intrusions into the servers of online stores, games vendors and other internet services can now be read on an almost daily basis. Often, the intruders obtain customers’ login data including their passwords. As many people use the same password in multiple places, criminals can use the passwords to obtain unauthorized access to further services.

To prevent passwords from being extracted, web site operators usually protect their users’ passwords through such cryptographic techniques as one-way hashing. For this purpose, a character string that doesn’t allow any conclusions to be drawn about the actual password is derived from the password. The only way of finding out whether a password matches a hash is to rehash the password and compare the results. This method is used by the authentication systems of operating systems and web applications – and also by password crackers.

MD5 hashing was long considered sufficiently resilient for this purpose, because the time that is required to try out all possible combinations made it difficult for attackers to reconstruct a password from a hash. With a strong password, trying out all password combinations (brute force attack) using a cracker such as John the Ripper on conventional hardware used to take months, if not years. But times have changed.

Cloud, CUDA and multi-core computer technologies are both a blessing and a curse: they greatly accelerate the processing of data and make even complex simulations available to end users. Unfortunately, crackers use the same high-speed computing power to reconstruct plain-text passwords from stolen hashes, and then use those passwords to log into a system, often as administrators. In this context, password crackers benefit from the fact that the harvested hashes were probably created using the MD5 algorithm, which is optimized for fast processing.

Commercial password crackers such as those by vendor Elcomsoft, and free tools such as Hashcat and BarsWF, can compute several million hashes per second and compare each one with the stolen hash. At that rate, a password of eight characters can be cracked in four days. However, there are even faster ways. As hard disk storage gets cheaper and cheaper, attackers often use giant tables (rainbow tables) containing billions of pre-calculated hashes to find a password. These tables potentially allow them to determine a password within minutes. The word lists required for dictionary attacks are also growing longer and longer and, with very weak passwords, often enable cracking programs to succeed within hours.

Fortunately, progress has also been made in hashing technology that hampers high-speed password cracking attempts and makes it uneconomical for attackers to pre-calculate tables – even if the actual password to be cracked is weak. From a certain password length, calculating and storing rainbow tables is no longer viable in a reasonable amount of time. The trick is therefore to lengthen every password artificially: an additional, random character string – a “salt” – is added to the password a user has entered. The newly created character string is passed through a hashing algorithm, and the resulting hash is stored in a file such as /etc/shadow. However, the salt must be known if a system is to compare subsequent password entries with the hash. The salt is therefore added to the beginning of the stored hash in plain text. Storing the salt in plain text may sound contradictory at first glance, but the salt doesn’t need to be secret, it only needs to be random. Its only purpose is to inflate the potential number of combinations for each individual password in order to exponentially increase the effort required to create rainbow tables.

However, a salt has little impact when an individual password is attacked with brute force. Conventional hashing algorithms, such as those for generating digital signatures or fingerprinting files, are optimized for speed. This is counterproductive when checking passwords, as the intended aim is to thwart password crackers. Brute-force attacks can be rendered unattractive by intentionally slowing down the hashing algorithm or by hashing multiple times. For users, the required speed isn’t really an issue: they won’t notice if checking a password they enter when logging into a system takes a millisecond instead of a microsecond. A password cracker, on the other hand, will become a thousand times slower – instead of 100 million passwords per second, it will only be able to try out 100,000 passwords per second, and a brute-force attack on a password such as “P4ssW0r7” would take 48 years instead of 18 days.

The method of artificially slowing things down has its origins in the derivation of cryptographic keys from passwords. As users’ passwords tend to be too short and have too little entropy, they need to be stretched securely into a key of the required length, for example a 256-bit AES key. Cryptographers call this “key stretching”, and they achieve it by sending a password through a hashing algorithm multiple times. The method has been standardized as Password-Based Key Derivation Function 2 (PBKDF2) and is, for instance, used in wireless networks to derive WPA-PSK keys. Smartphones use PBKDF2 to encrypt backup files with a password before exporting them. The method also successfully thwarts cracking attempts in those situations.

In the simplest form, the hash value produced by one round is fed straight back into the hash function as the input of the next. More complex round functions may, for instance, add the password to each value before it gets hashed. An operating system or application only needs to perform this exercise once per password check. A cracking program, on the other hand, must perform it for every candidate password – and each round adds processing time, so that the overall procedure for each guess is slowed down immensely.
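The salting and key-stretching steps described above, as an added example in Python rather than the article’s PHP (this is not code from the article or from phpass): stretch() is the round function the text describes, with the hash fed back in and the password re-added each round, placed beside the standardised PBKDF2 form from Python’s hashlib. The “$demo$” record tag, the benchmark input and the round counts are inventions of this example, not a registered crypt(3) format.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

HASH_NAME = "sha256"


def stretch(password: str, salt: bytes, rounds: int) -> bytes:
    """Iterated, salted hash: h0 = H(salt || pw), then h_i = H(h_{i-1} || pw).

    Feeding each hash back in is the basic key-stretching loop; re-adding the
    password every round is the "more complex round function" the text
    mentions.  A cracker pays for all `rounds` hash calls on every guess.
    """
    pw = password.encode("utf-8")
    h = hashlib.new(HASH_NAME, salt + pw).digest()
    for _ in range(rounds):
        h = hashlib.new(HASH_NAME, h + pw).digest()
    return h


def make_record(password: str, rounds: int = 1 << 14,
                salt: Optional[bytes] = None) -> str:
    """Build a self-describing record: $demo$<rounds>$<salt hex>$<hash hex>.

    The salt is stored in the clear next to the hash, as /etc/shadow does: it
    has to be random, not secret.  "$demo$" is a tag invented for this example,
    not a registered crypt(3) identifier.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = stretch(password, salt, rounds)
    return "$demo$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "demo":
        raise ValueError("not a $demo$ record")
    rounds, salt_hex, digest_hex = int(parts[2]), parts[3], parts[4]
    expected = stretch(password, bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def pbkdf2_record(password: str, salt: bytes, iterations: int) -> str:
    """The standardised form of the same idea: PBKDF2-HMAC-SHA256 from hashlib."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def seconds_per_check(rounds: int) -> float:
    """Wall-clock cost of one password check at the given round count.

    Doubling `rounds` roughly doubles this figure; the server pays it once per
    login, a cracker pays it on every candidate it tries.
    """
    salt = os.urandom(16)
    t0 = time.perf_counter()
    stretch("benchmark-only", salt, rounds)  # constructed input; any string works
    return time.perf_counter() - t0


if __name__ == "__main__":
    rec_a = make_record("P4ssW0r7")
    rec_b = make_record("P4ssW0r7")
    print(rec_a)
    print("same password, different salt, different record:", rec_a != rec_b)
    print("verify correct password:", verify_record("P4ssW0r7", rec_a))
    print("verify wrong password:  ", verify_record("P4ssW0r8", rec_a))
    print(pbkdf2_record("P4ssW0r7", os.urandom(16), 100000))
    for r in (1, 1 << 10, 1 << 14, 1 << 17):
        print("rounds=%7d: %.3f ms per check" % (r, seconds_per_check(r) * 1e3))
```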

While many operating systems already use salts and key stretching techniques to securely store user passwords, password security is still a sore topic especially in popular web applications, even though such applications run the greatest risk of being attacked in an attempt to extract user or customer passwords. Sometimes, passwords are even still stored in plain text; and if they do get hashed, it might only be via MD5. Even such popular content management systems as Typo3 use MD5 without salt or rounds as their default method for hashing user passwords.

The “saltedpasswords” Typo3 extension promises to increase security. It offers added security via bcrypt or the phpass security framework; more about that in a moment. However, the extension must first be enabled and configured, which requires installing further extensions and making system adjustments – it’s hardly surprising that many operators simply use the default installation.

WordPress and phpBB use the phpass framework by developer Solar Designer – who, incidentally, also develops the John the Ripper password cracker. By default, phpass uses bcrypt. Bcrypt is based on the Blowfish algorithm which is, strictly speaking, an encryption algorithm rather than a hashing algorithm. Bcrypt uses a complex key initialization algorithm and further encrypts the resulting ciphertext by adding alternately the salt or the password. The number of rounds is a power of 2, and the exponent that is used is added to the beginning of the created string.

If the Blowfish algorithm isn’t implemented on a system, the phpass framework will automatically default to Extended DES and, if necessary, to MD5 with salt and iterations. To prevent the framework from falling back to weak algorithms, the developer recommends using PHP 5.3.2 or later. Blowfish, SHA-256 and SHA-512 are standard PHP components from this version, which means that no further operating system APIs or added libraries are required. Alternatively, the Suhosin PHP security framework will extend the PHP interpreter to include Blowfish.

However, WordPress and phpBB use the weakest of the three possible configurations. When tested on an Ubuntu system, WordPress used the MD5 variant; the CMS deliberately forces this variant to ensure the compatibility of various web applications. WordPress can reportedly use the phpBB user database, and vice versa. The Drupal developers, on the other hand, have adapted the framework for their purposes and started hashing with SHA-512 in Drupal 7. A “Secure Password Hashes” module provides added protection for older versions of Drupal.

The default security of the Joomla CMS isn’t as good as it could be, either. While the CMS is capable of using salted SHA-512 with multiple rounds (getCryptedPassword) via the crypt() PHP function, the default setting is a salt and MD5 with one round. Manually adjusting individual CMS installations to use a more secure variant is generally unproblematic. The only caveat is that add-on modules may be incompatible with the changes.

Self-test

How your own content management system stores passwords can be determined by analyzing its source code or by looking into its database. The latter is easiest and can be achieved by establishing a connection to the database server, for example like this: mysql -u <user> -p. The “user” parameter designates the registered database user the CMS uses to sign into the server. The command show databases; lists all available databases. For instance, to select the typo3 database, enter use typo3; (don’t forget the semicolon at the end). All tables of the selected database can subsequently be displayed using show tables;.

Under Typo3, the most interesting tables are be_users and fe_users. select * from be_users; displays the table contents. If the user passwords contain a simple sequence of characters such as 1ee9e0daf4a2b81fe4064aa5ae31aae4, the system is using a simple, unsalted MD5 string.

In current Drupal installations, a (user table) password hash that is stored in the database may look like $S$CbkCbEtqypgcggWPee9c6wpgwUYqKjMb0pUR9YTgdwdYkxztRmWj

The dollar signs at the beginning enclose the hash type and are followed by the salt and the actual hash. The hash type value of 2a designates bcrypt. WordPress (wp_users table) will produce entries like $P$Bz0ZwGCmWuvcurZbj4CaptBFir8gQv1 – the “P” hash type designates what is called a portable hash – in other words, the MD5 variant.
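As an added example that is not part of the article, the following Python script performs the self-test just described programmatically: it parses the prefixes the text explains ($2a bcrypt with its cost, Drupal’s $S$, the $P$/$H$ portable hashes with their iteration character, glibc-style $1$/$5$/$6$ crypt strings, and bare MD5/SHA hex) and flags rows stored without a salt or rounds. The usernames, the table layout, the “weak” rating rule and the bcrypt sample string are constructed for this example; the other three hashes are the article’s own.

```python
import re
from typing import Dict, List, Tuple

# phpass and Drupal 7 encode the iteration exponent as one character of this alphabet
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
# $P$ = phpass portable, $H$ = the same in phpBB, $S$ = Drupal 7's SHA-512 variant
PHPASS_RE = re.compile(r"^\$([PHS])\$([./0-9A-Za-z])([./0-9A-Za-z]{8})([./0-9A-Za-z]{22,43})$")
# glibc crypt(3) forms: $1$ md5-crypt, $5$ sha256-crypt, $6$ sha512-crypt
CRYPT_RE = re.compile(r"^\$([156])\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify(stored: str) -> Dict[str, object]:
    """Name the scheme behind a stored hash, whether it is salted, and its round count.

    "weak" is True for unsalted or single-round storage and None if unrecognised
    (this rating rule is the example's own, not the article's).
    """
    m = BCRYPT_RE.match(stored)
    if m:
        # the two-digit cost is the exponent: phpass' 8 gives 2**8 = 256 rounds
        return {"scheme": "bcrypt", "salted": True, "rounds": 2 ** int(m.group(1)), "weak": False}
    m = PHPASS_RE.match(stored)
    if m:
        kind, rounds = m.group(1), 2 ** ITOA64.index(m.group(2))
        scheme = "drupal7-sha512" if kind == "S" else "phpass-portable-md5"
        return {"scheme": scheme, "salted": True, "rounds": rounds, "weak": False}
    m = CRYPT_RE.match(stored)
    if m:
        scheme = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}[m.group(1)]
        if m.group(1) == "1":
            rounds = 1000                     # md5-crypt is fixed at 1000 rounds
        else:
            rounds = int(m.group(2) or 5000)  # sha-crypt default when rounds= is absent
        return {"scheme": scheme, "salted": True, "rounds": rounds, "weak": False}
    if HEX_RE.match(stored) and len(stored) in (32, 40, 64):
        scheme = {32: "unsalted-md5", 40: "unsalted-sha1", 64: "unsalted-sha256"}[len(stored)]
        return {"scheme": scheme, "salted": False, "rounds": 1, "weak": True}
    return {"scheme": "unknown", "salted": None, "rounds": None, "weak": None}


# Constructed user table: usernames are invented; the first three hashes are the
# article's own examples, the bcrypt string is a sample of the format only.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("typo3_admin", "1ee9e0daf4a2b81fe4064aa5ae31aae4"),
    ("drupal_admin", "$S$CbkCbEtqypgcggWPee9c6wpgwUYqKjMb0pUR9YTgdwdYkxztRmWj"),
    ("wp_admin", "$P$Bz0ZwGCmWuvcurZbj4CaptBFir8gQv1"),
    ("bcrypt_user", "$2a$08$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
]


def audit(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (user, scheme) for every row that is unsalted, single-round or unrecognised."""
    findings = []
    for user, stored in rows:
        info = classify(stored)
        if info["weak"] is not False:
            findings.append((user, str(info["scheme"])))
    return findings


if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS:
        info = classify(stored)
        print("%-13s %-22s salted=%-5s rounds=%s"
              % (user, info["scheme"], info["salted"], info["rounds"]))
    print("needs migration:", audit(SAMPLE_ROWS))
```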

Integration

Phpass is very easy to integrate into PHP applications. It consists of a single PHP file with one class and several methods. Although in modern versions of PHP all hash algorithms can also be called directly, the advantage of using phpass is that there is no need to worry about creating a random salt or assembling the character string. The returned hash string can be stored directly in the database.

On UNIX systems, phpass creates the salt by reading /dev/urandom, and under Windows it uses the microtime() PHP function. Two lines are sufficient to generate a secure password hash: $t_hasher = new PasswordHash(8, FALSE); $hash = $t_hasher->HashPassword($password);

The FALSE parameter in the constructor tells phpass to choose the most secure algorithm first – on modern systems, this will typically be bcrypt. Submitting TRUE forces the insecure, but more compatible, MD5 implementation to be used; this is, for instance, the approach chosen by WordPress. The constructor also generates the salt. In bcrypt, the 8 parameter determines the exponent for the required number of iterations, meaning that bcrypt uses 256 rounds. The maximum exponent is 31.

The HashPassword method then generates the hash from the password and the salt. Checking an entered password is equally simple: $check = $t_hasher->CheckPassword($password, $hash);

The $check variable contains the result of the comparison, where 1 is true.

Rather than relying on their system’s default settings, administrators should implement the most secure methods – and let their users know about it. However, when visiting a forum or online store, users have no influence on whether the operator uses a secure method. Even worse, it isn’t possible to ascertain which password hashing method is being used. Therefore, the best way for users to protect themselves is by always choosing different passwords. Using identical passwords for the Typo3 CMS and for a PayPal account should be avoided. The basic rule is: length trumps everything – as long as the word isn’t contained in a dictionary. Passwords for less important accounts may be a bit shorter than those used for premium services.


Microsoft Office 2013 Part 1

If there’s a new Windows, then surely a new Office can’t be far behind. With Windows 8 almost out the door, it’s about time for Office 2013 to show its face. We’ve seen snippets of it in conference presentations and at the Surface launch, and we’ve heard rumors of its features; now Microsoft has unveiled the first public beta of its new Office. This much you can be sure of: Microsoft is making another of its big bets on the cloud, with Office 365 users getting far more from Office 2013 than users who buy the boxed product.

Microsoft has stated that Office 2013 will only be available for Windows 7 and 8, so you won’t be able to upgrade if you’re using Windows XP or Vista.

Office and the cloud

Microsoft is offering four different preview releases of Office 2013, with the three business subscriptions all built around its Office 365 and SkyDrive services. They’re also all subscription services that use a new version of Microsoft’s Click-to-run tools to install applications from the cloud (and to keep them up to date). All the subscriptions allow users to install Office on five machines — and Microsoft has said that this will be across multiple platforms, including Mac OS. There’s also 20GB of additional SkyDrive storage for subscribers.

The Click-to-run-based Office On Demand streams the Office applications to PCs, so you can quickly get up and running with the core functions installed first, while the rest of the application installs in the background. For example, you can stream in a copy of PowerPoint and start a presentation, without having to wait for a full download. Installs are linked to user accounts, so you can also quickly deauthorize a PC from the Office 365 web portal and temporarily install on a friend’s or a co-worker’s machine just to do one thing and then move on. Once you close a streamed application, it’s gone — and because it runs in an application virtualization sandbox there’s no trace of it, or of your files.

The four preview plans are Office 365 Home Premium Preview, Office 365 Small Business Premium Preview, Office 365 ProPlus Preview, and Office 365 Enterprise Preview. Consumers with the Home Premium plan will get the core Office applications (Word, PowerPoint, Excel, Outlook, OneNote, Access and Publisher), while the Small Business Premium plan adds access to the Office 365 cloud services, including Exchange, SharePoint and Lync for up to 10 users. The ProPlus option adds support for up to 25 users, and also includes the InfoPath and Lync applications. Similarly, the Enterprise plan adds more complex Exchange support with archiving and compliance tools.

All of the plans get access to a new version of Microsoft’s Office Web Apps, so you can edit files anywhere. Files are also automatically synced to SkyDrive when you save them, giving you a cloud backup. Business subscriptions get access to Office 365 SharePoint.


Free Utility Flips And Rotates Video Files

Ever needed to mirror-reverse a video or rotate it 90 or 180 degrees? Then this free utility will do the job for you. It’s virus free, but like many freebies these days it offers to install a toolbar during program installation. Just say “no” and all will be sweet.

You can’t blame some software authors for trying to make a buck out of their labors, but frankly these optional toolbars are becoming far too common for my liking. That’s why these days you really need to be vigilant when installing new products, free, commercial or otherwise.

You’ll find it at http://www.dvdvideosoft.com/products/dvd/Free-Video-Flip-and-Rotate.htm

Ten Ways to Dodge CyberBullets, Part 2

This is the second part in a series updating the top 10 things people can do to protect themselves against malicious activity, which we provided to our clients two years ago.

2. Catch the patch batch

Keep applications and operating system components up to date with automated updates and patches, and by regularly reviewing the vendors’ product update sections on their web sites.

This point is particularly relevant right now, given the volumes of Conficker that we’re continuing to see. Win32/Conficker is a network worm that propagates by exploiting a vulnerability in the Windows operating system (MS08-067). The vulnerability is present in the RPC subsystem and can be exploited remotely by an attacker without valid user credentials. It’s therefore important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at: http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx.

It’s important to note that it’s possible to avoid most Conficker infection risks generically by practicing “safe hex”. Keep up to date with system patches, disable AutoRun and don’t use unsecured shared folders. In view of all the publicity Conficker has received, and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions, but clearly it isn’t happening. Sometimes it seems that the whole world assumes that the only vendor that suffers from vulnerabilities in its operating system and other software is Microsoft. To see how misleading claims like this can be, check out the weekly “Consensus Security Vulnerability Alert” published by SANS (see http://portal.sans.org), which summarizes some of the most important vulnerabilities and exploits identified in the preceding week. Even during a week that includes “Patch Tuesday,” you’ll typically find that problems are flagged with a frightening number of applications from other vendors. Certainly, any system administrator should consider making use of this resource.

At the moment, vulnerabilities in applications are a serious threat (arguably more so than operating system vulnerabilities). Third-party applications are expected to continue to bear the brunt of vulnerability attacks for a good while yet, as security improvements in operating systems will continue to drive vulnerability research to applications like Safari, iTunes, Adobe Flash, Adobe Reader, many IM clients and other applications.

Unfortunately, users are far less savvy about patching third-party applications than they are about patching the operating system. However, this vector will also decline in impact as application vendors learn to tighten their quality control and patching methodologies. Part of this will be driven by adoption of Windows 7. Computers originally sold with Windows XP, with a few exceptions (such as newer netbooks), are beginning to age and will be replaced with PCs that have Windows 7.

OneNote 2010 – Easy to use and worth the upgrade

The SkyDrive feature alone is worth the upgrade – now it is easier than ever to sync your notebooks. Here’s the tag line from Microsoft:

“Once you start using OneNote to create digital notebooks of your notes and ideas, you’ll wonder how you ever lived without it. Before you know it, you’ll be looking for reasons to create more notebooks – work or school reports, home projects, and who knows what else.”

Well it is pretty close to reality. I find I can’t do without it. While we have not migrated all our 2007 OneNote notebooks to 2010, we will have it done by the end of the month. It is simply too important to not have all the info in the 2010 format and available whenever I need it!

  •  OneNote helps bring together your digital info (notes, photos, videos, web links, etc.) into easy-to-organize notebooks.
  •  OneNote makes it easy to share your notebooks and collaborate in real time with other OneNote users.
  •  The OneNote Web App and OneNote Mobile allow you to access and add to your notebooks from virtually anywhere.