Category Archives: security

Fear and Loathing…

Some of you may have noticed that there was recently an article on zdnet (not my favorite publication anyway) quoting James Gosling, Sun’s CTO, as calling “Microsoft’s decision to support C and C++ in the common language runtime in .Net one of the biggest and most offensive mistakes that they could have made”.


I figured that I would share what has to be the best response to this statement by pointing people to Don Box’s reply on his blog.


Now, don’t get me wrong, I am all for people raising the alarm when we have a security problem, but making generalized and unfounded comments like this when we have so much in the area of security to worry about is just a waste of our time.

Test your Browser, then Secure it

If you use Internet Explorer then you should pay close attention to this…


An exploit for security holes in Internet Explorer (even with XP SP2 installed) has been posted by a group called GreyHats.  They are not happy that MS has not fixed the holes since they were reported in October 2004 and figure they can speed up a patch, but in the process I expect they will only succeed in hurting a lot of innocent users.


If you run with least privilege then life is much better for you than if you run as an administrator on your web surfing box.  Either way, I suggest you visit the test page provided by Secunia and see the likely bad news.


If you are vulnerable, be careful where you go between now and when you install whatever patch comes out.

Google Search as a Virus Vector

It seems to hold true that any tool can have a good and a bad use.  In a recent attack, Google was used as a support mechanism for spreading a virus and defacing web sites.


While nobody can guarantee that a particular package or product won’t be vulnerable, it does pay to ensure that whoever you get your software from has a track record of providing patches quickly when this kind of thing occurs.  If not, then make sure you figure out how you will patch the stuff yourself.

Beta Beware!

A recent article about a security flaw in the new Google Desktop Beta should serve as another reminder that you should never use beta software on production machines.  My rule has always been that if I would be upset by a total rebuild of the box, then only tested and finished software gets installed on it.  I admit that I love the new stuff myself, but if you dance with the devil don’t be surprised if you get burned.

Member Management Component Prototype available

MS has made available a preview of the Member Management Component that you can use to build into .Net 1.1 sample applications.  It isn’t exactly what will be released with VS.Net 2005, but it gives you something to play with so you can get used to the new model.


Be advised that it does not appear to be licensed for production use.  If that interpretation is correct then this is just something to play with in advance of VS.Net 2005 and can’t be built into any real applications.



Password Ownership

Who owns the passwords that you or your users use to access your network or application?


If you don’t know, then you have a problem.  Your users hopefully memorize their passwords, but therein lies the rub.  If an accountant has gone to the trouble of memorizing a complex password then they are very likely to be tempted to reuse that password on other systems.  Maybe the corner hardware store’s web site requires registration.  If they register there with the same username and password that works on your systems, and top it off by entering the company email address, then your security now depends on the security of the corner hardware store’s web site (provided it isn’t actually run by a hacker)!


Tell your users in writing that the passwords they use at work are company property and must not be used on any other systems.  Put it in writing like any other company policy and ensure they know that failure to comply is a terminable offense (and mean it).  If you don’t, then forget about security; it won’t help you in the end.

SQL Injection still huge threat!

A recent article about how Petco was not only found to be vulnerable to a SQL injection attack, but was also fined because the flaw made the claims in its privacy policy false, just goes to show that no matter how much we talk about it, SQL injection remains a huge risk.


But the stakes have been raised in the last year.  Now messing up your company’s security has legal consequences that start out with fines and can go all the way up to criminal liability and jail time!
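The attack class the post is about, as an added example that is not from the original post or from the Petco case: a login query built by string concatenation next to the parameterized version, run against an in-memory SQLite database with constructed sample rows. Python and SQLite stand in for the .NET and SQL Server stack this blog usually discusses; the table name, the user rows and the two login functions are assumptions for illustration only, and the plaintext password column is kept solely so the injection is easy to see.

```python
"""Added example: SQL injection via string concatenation vs. a parameterized query."""
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample users (assumed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled text is pasted straight into the SQL statement.

    A username of  alice' --  closes the string literal and comments out the
    password check; a password of  ' OR '1'='1  makes the WHERE clause true
    for every row.  Either way the caller is 'logged in' without a password.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with placeholders: the statement text is fixed at write time
    and the inputs travel to the engine as values, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against the same injection payloads and report results."""
    conn = make_db()
    payloads = [("alice", "correct horse"), ("alice' --", "wrong"), ("nobody", "' OR '1'='1")]
    return {
        (u, p): (login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
        for u, p in payloads
    }


if __name__ == "__main__":
    for (u, p), (vuln, safe) in demo().items():
        print(f"user={u!r:14} pass={p!r:14} concatenated={vuln!r:8} parameterized={safe!r}")
```

Note that the parameterized version is not 'escaping': nothing is quoted or filtered, the SQL simply never changes shape. That is why it is the fix practitioners should reach for first, with input validation as a second layer rather than a substitute.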

Dell paying attention to Security…

Dell has launched a website designed to help small businesses deal with their security challenges.  The site seems good, but the performance was so bad at one point that I can’t decide whether that means it is a resounding success or a dismal failure.


It is very much aimed at selling more product.  When you click on the spyware link it doesn’t mention any of the free products that solve the problem, just the ones you can buy from Dell.


The site’s advice is a bit behind the times (it doesn’t mention pass phrases under the password section), but if you just want to point someone to a place where they can self-help on security using a name they will likely trust then this might be a useful link.

Clusters without LM Hash

A common bit of advice bandied about lately (by Jesper Johansson of MS, me, and others in and out of MS) is to turn off LM Hashes on your Windows systems and networks.  This is great advice, but there is a proviso.  Some things depend on LM Hashes to work.  Most of them are not an issue, like the fact that Windows 95 and Windows 98 shares stop working; I don’t recommend using Windows 95/98 as file servers anyway.  The problem is that Windows Clustering stops working.  This is a big one.  I realized recently that the knowledge base article that describes how to deal with this small wrinkle got “archived” by MS and was therefore unavailable.  I did some digging and as of today the article has been reinstated due to my prodding.


So, this post is to welcome KB article 828861 back to the land of the living and to make sure everyone knows how to find it for reference.  The advice in it is quite straightforward, but it always helps to point bosses or clients to words written by the platform vendor.


Happy LM Hash Free Clustering!

Situational Awareness


Often we don’t know we are in danger until we get clobbered.  We have all had that feeling in the pit of our stomachs after something heavy falls where we were standing a few minutes ago.  In the middle ages ignorance of disease killed many, and the same is true of most people in the modern world of computer security.


You can’t defend against these things:


- Attacks when you don’t know how they are done


- Attacks to which you don’t know you are vulnerable


- Attacks you don’t realize are possible


Make an effort to stay up to date with current exploits and the vulnerabilities behind them (preaching to the choir no doubt), so you don’t get nailed.