The forgotten password function on websites is not a feature. It is a security risk!
The worst of all are the ones that can send your current password to your email account. Let’s take a moment to consider what is required to accomplish this. The users’ passwords cannot have been hashed, because it would then be impossible to know what your password is. Therefore, the passwords must be stored in plain text on the server, and in the event that the server is compromised, your password is directly accessible to the attacker. Even if the passwords are stored encrypted rather than hashed, they aren’t much better off: the key needed to decrypt them has to sit on the same server. If you’re a software developer, always, always store password hashes and not the passwords themselves, unless you specifically need the password in its plain text form.
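To make the hashing point concrete, here is an added example (my own illustration, not code from this post) of how a site should store and check passwords: a per-user random salt plus PBKDF2-HMAC-SHA256, with an assumed iteration count. The stored record lets the server verify a login, but nothing in it can be turned back into the password to put in an email.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the post: store a salted password hash so the
# server can verify a login but can never send the password back by email.
ITERATIONS = 200_000  # assumed work factor; tune upward as hardware allows


def hash_password(password: str) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash (hex)."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                               # what the database holds
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("correct horse battery stapler", record))  # False
```

Two registrations with the same password produce different records because of the salt, so a leaked table does not even reveal which users share a password.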
Sites that allow users to reset their password by answering a security question are also bad. The problem with this approach is that the questions are often so simple that your neighbours could probably figure out the answers. Take, for example, “What is your pet’s name?” or “What is your mother’s maiden name?” Just think how many people actually know the answers to those questions and could potentially hijack your account. Think Paris Hilton. While some sites allow users to disable the function by leaving the security questions empty, most sites make it mandatory. In this case, you can still effectively disable the function by entering a long random text as the answer.
Security and usability don’t mix. Each additional way to recover or change your password is one additional way to hijack your account. Is it worth the risk just so it’s easier to resolve forgotten password situations? I admit I’ve had to use the forgotten password function a few times before, but it pays to be aware of the risk. Please check out my next blog post on password management tips. I wonder when that’ll be.
This isn’t the most timely security alert, but just in case you haven’t already heard: exploits for these vulnerabilities have been observed in the wild.
A flaw was discovered late last year in the way Windows handled animated cursor (.ANI) files. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
For more information, please see Microsoft Security Bulletin MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902).
If you have Windows automatic update enabled, then this patch should have already been applied. Otherwise, the patch for Windows XP SP2 is available from:
KB925902 – Updates for Windows XP
Now, chop chop! Go check that you do indeed have the update applied.
A wireless network is an ideal solution if you have a laptop that is constantly moving around the house, or if you simply wish to eliminate the miles of cabling that run all over the place. However, if not properly configured, wireless networks are very susceptible to attack. These networks are possibly the most popular source of free Internet for… ahem. You know who they are.
The following are a few simple steps that can be taken to vastly improve the security of your wireless networks:
- Change the default login on your network devices, especially the wireless access points, router, and modem. The remaining steps are a pointless exercise if anyone can simply log in, modify your settings, and hijack your network.
- Enable wireless authentication and encryption. Use the strongest authentication method and encryption algorithm supported by your wireless access point and all the wireless clients on the network. Wi-Fi Protected Access 2 (WPA2) should be used where possible. Wired Equivalent Privacy (WEP) is easily cracked. WPA, not WPA2, has also been demonstrated to be vulnerable when weak encryption keys are used. If your only option is WEP or WPA, it is strongly recommended that the encryption key be changed regularly.
- Choose a strong encryption key. Use the longest key length supported by your wireless access points and all the wireless clients on the network. It is best to generate a random hex key. Otherwise, make sure you choose a strong pass phrase. Weak keys can easily be cracked by brute force attacks.
- Disable SSID broadcast. The Service Set Identifier (SSID) is a name used to uniquely identify your wireless network, and it must be specified when a client wishes to join the network. Usually, by default, the SSID is broadcast at regular intervals to announce the presence of the wireless network. This may simplify the configuration of your wireless clients, but it is also an invitation to hackers. Disabling SSID broadcast makes it more difficult, though by no means impossible, for an attacker to obtain this information.
- Rename the SSID. Following from the previous point, you should choose a unique SSID. Lists of default SSIDs are widely available. Additionally, a network with a default SSID suggests that it is poorly configured and is an appealing target for hackers.
- Enable MAC address filtering. A MAC address is a unique identifier for a network card. MAC address filtering ensures that only the wireless devices you have listed can join your wireless network. However, this is not a fool-proof measure, as a MAC address can easily be spoofed.
- Disable remote administration, unless you absolutely know what you’re doing. I’m sure you wouldn’t want a hacker administering your network. ’Nuff said.
The steps detailed above are suggestions for improving your network security. Some of the features described may not be supported by your network devices, while others may be impractical for your network setup. If a feature is not supported, check whether the manufacturer has released a software or firmware upgrade that adds it. For those using the Windows wireless client, the following Windows update may be required, if not already installed, to support WPA2:
KB893357 – Wi-Fi Protected Access (WPA2) Update
In the end, you may find the network slightly more tedious to set up, but it will be much more secure.
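The “strong encryption key” and “rename the SSID” steps above are linked, and an added example (mine, not from this post) shows why. It assumes a WPA/WPA2-Personal network, where the 256-bit pre-shared key is either typed in directly as 64 hex digits or derived by the access point from an 8–63 character passphrase with the SSID as the salt (PBKDF2-HMAC-SHA1, 4096 rounds, as specified in IEEE 802.11i); the default-SSID list and the 20-character threshold are constructed values for illustration.

```python
import hashlib
import secrets

# Added example, not code from the post. Assumes a WPA/WPA2-Personal network:
# the 256-bit PSK is either 64 random hex digits entered directly, or derived
# from an 8-63 character passphrase with the SSID as salt (IEEE 802.11i).

# Constructed sample of well-known default SSIDs; a real check would use a fuller list.
DEFAULT_SSIDS = {"default", "linksys", "NETGEAR", "dlink", "wireless"}
MIN_PASSPHRASE_LEN = 20  # assumed house threshold, not a value from any standard


def random_hex_psk() -> str:
    """The 'random hex key' the post recommends: 32 random bytes as 64 hex digits."""
    return secrets.token_bytes(32).hex()


def psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Derive the PSK an access point computes from a passphrase and its SSID."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1-32 bytes")
    # PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, salted with the SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32).hex()


def audit_psk_setup(passphrase: str, ssid: str) -> list:
    """Flag the two weaknesses the post warns about: short passphrase, default SSID."""
    findings = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("passphrase shorter than %d characters is exposed to brute force"
                        % MIN_PASSPHRASE_LEN)
    if ssid in DEFAULT_SSIDS:
        # The SSID salts the key, so a default SSID lets precomputed tables be reused.
        findings.append("default SSID %r: rename it so the derived key is unique" % ssid)
    return findings


if __name__ == "__main__":
    print(psk_from_passphrase("password", "IEEE"))  # IEEE 802.11i published test vector
    print(audit_psk_setup("password", "linksys"))
    print(random_hex_psk())  # paste this into the access point as the raw key
```

Changing only the SSID changes the derived key, which is the quiet reason a unique SSID belongs on the checklist even when the passphrase is already long.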
A cross-site scripting (XSS) vulnerability has been found in the Google Desktop application. The flaw, first discovered in October 2006, enables an attacker to search for and steal data from a user’s system.
Earlier this month, Google released an updated version of the Google Desktop client that fixes the flaw. If you use Google Desktop, make sure that you are running the latest version, 5.0.701.30540. The latest version of Google Desktop can be downloaded from the Google Desktop site, http://desktop.google.com/.
For more details on the vulnerability, please see http://www.securityfocus.com/news/11443.
You have been warned.