In association with heise online


Old program versions with known security holes are critical points of entry that should definitely be avoided. Browser vulnerabilities and holes in Java, Flash, Adobe Reader, MS Office, MP3 players and similar components have become a routine way for attackers to inject spyware or botnet software. And it's not only dubious and obscure sites that spread these attacks, but also hijacked servers at popular web sites and compromised advertising banners.

The Windows update features, which automatically install Windows security updates and are now also used for other Microsoft products such as MS Office, are a blessing that is not to be overlooked. However, unlike other operating systems such as Linux, Windows still lacks a usable infrastructure for systematically updating third-party programs. As a result, the third-party vendors each do their own thing, and many programs are not updated reliably, or aren't updated at all. A common problem with inexperienced users is that they ignore or cancel update notifications, or turn automatic updates off.

Regular visits to the Update-Check pages at The H Security can help Windows users to remedy this situation. On these pages, a browser-based Java applet checks Windows as well as 26 further programs including the popular browsers, Adobe Reader, Flash, QuickTime and Java for versions that are known to be insecure. If a version with known security issues is found, the service offers a link for installing the required update.

A more thorough solution is Secunia's locally installed Personal Software Inspector (PSI), which checks the programs it finds against Secunia's vulnerability database. While Mozilla's Plugin Check does function with Internet Explorer, this service only checks the browser plug-ins.
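
The kind of check these services perform can also be run locally against the versions Windows itself records for installed programs. The following PowerShell script is an added example, not code from the Update-Check pages or from Secunia PSI; the name patterns and minimum version numbers in `$Baseline` are constructed placeholders that have to be replaced with values from the vendors' security advisories, and `ConvertTo-ComparableVersion` is a helper introduced here.

```powershell
# Minimum acceptable versions per program. Patterns and numbers are CONSTRUCTED
# sample values; take the real ones from the vendors' security advisories.
$Baseline = @(
    @{ Pattern = 'Adobe Reader*';       MinVersion = '10.1.0' }
    @{ Pattern = 'Adobe Flash Player*'; MinVersion = '10.3.181' }
    @{ Pattern = 'Java*';               MinVersion = '6.0.260' }
    @{ Pattern = 'Mozilla Firefox*';    MinVersion = '5.0' }
)

# Installed programs register themselves under these Uninstall keys
# (64-bit view, 32-bit view on 64-bit Windows, and per-user installs).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-ComparableVersion([string]$Text) {
    # Keep the leading dotted number ("10.1.3 (x64)" -> "10.1.3") and pad it to
    # four fields, so that "5.0" and "5.0.0" compare as equal.
    if ($Text -notmatch '^\s*(\d+(\.\d+){0,3})') { return $null }
    $parts = @($Matches[1].Split('.')) + @('0', '0', '0')
    $v = $null
    [void][version]::TryParse(($parts[0..3] -join '.'), [ref]$v)
    return $v
}

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

$Report = foreach ($app in $Installed) {
    $rule = $Baseline | Where-Object { $app.DisplayName -like $_.Pattern } | Select-Object -First 1
    if (-not $rule) { continue }    # not a program this baseline tracks
    $have = ConvertTo-ComparableVersion $app.DisplayVersion
    $min  = ConvertTo-ComparableVersion $rule.MinVersion
    if (-not $have)         { $status = 'UNPARSEABLE' }
    elseif ($have -lt $min) { $status = 'OUTDATED' }
    else                    { $status = 'ok' }

    [pscustomobject]@{
        Name      = $app.DisplayName
        Installed = $app.DisplayVersion
        Minimum   = $rule.MinVersion
        Status    = $status
    }
}

# Unparseable and outdated entries are listed first.
$Report | Sort-Object Status -Descending | Format-Table -AutoSize
```

The script only reads the registry, so it runs in a normal, non-elevated PowerShell session. Programs that do not register a `DisplayVersion` are skipped and need a separate check.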


Passwords continue to be another problem area. This isn't because they are being hacked all over the place, which is what investigations into password complexity might suggest, but because users need more passwords than they can remember. Those who use the same password for many purposes are living dangerously. Should this password be stolen through a server hack, or should the wrong Wi-Fi connection be inadvertently used to log in via an unencrypted page, allowing the transmitted password to be read as plain text, a well-disposed hacker would have easy access to a whole range of services.

Probably the most important password is the one protecting your email client. In-boxes often contain further access data, and attackers can frequently also gain access to other services by resetting the password. Therefore, this password should, if possible, be kept separate.

Help is available for using individual, sufficiently secure passwords for other accounts; for instance, the popular browsers include a password safe. However, these features can easily be made to give away their secrets. As a minimal precaution, users should set a master password for accessing them. Otherwise, a few mouse clicks at an unsupervised computer are all that is required to extract an entire password list. Alternatively, one of the almost ubiquitous cross-site scripting holes on web sites across the internet might reveal the password.

Figure: The KeePass main screen.

The next level is an external password safe such as KeePass. This at least removes the sensitive information from the risky browser environment. However, a password safe will remain a very attractive and generally vulnerable target. After all, you'll have to key in the master password sooner or later – and then a spyware program potentially listening in the background can claim the jackpot.

If you are serious about your password security you should take your measures a step further, avoid storing any passwords on your vulnerable PC, and instead use a trick to memorise them. Memorise a character string that is as long and complex as possible and combine it with an easily guessable string for each individual site. The result could be something like heis%fgHao6CE4. %fgHao6CE4 will be retained in your memory once you've typed it a few dozen times, and something like "heis" for your heise account is easy to remember. This type of password is almost impossible to crack.

If this sounds too complicated, consider using an old-fashioned, analogue password safe. Although often ridiculed, writing down your passwords on a piece of paper which you keep in your wallet isn't such a bad idea. We do tend to look after our wallets, and a PC-based program that can spy out such a list has yet to be developed.

A pick-pocket who might get hold of your wallet will be more interested in your cash and credit cards than in a plain piece of paper containing cryptic character strings. Someone who really does target wallets to obtain these passwords won't shy away from using brute force if necessary. Of course, the paper slip safe shouldn't be used as a password policy for high-security areas. But when choosing between a few bad passwords and written-down passwords, the paper slip method is definitely the better choice.
