IT Security: Passwords and Patching

Provided some attention is paid to keeping your system up-to-date, the security of IT systems and Internet communications is good. This has changed a hacker's life compared with the early days. They must now be a confidence trickster if they wish to easily gain access to your valuable information. It is far easier to persuade you (often unknowingly) to give the information away than it is to do the complex coding and mathematics required to steal it without your permission. A good analogy is the modern motorcar: most are now stolen using the original keys, because their engine immobilisers make any other method very difficult.

As a general rule of thumb, if it seems too good to be true, it is! You won't inherit unexpected money, obtain tax refunds, get cheap drugs, find questionable pictures of your neighbour or grow any of your bodily appendages without there being some undesirable side-effect…

A password is the front-door key to your IT security. It should be treated like a real, physical key by keeping it safe and not letting other people obtain a copy of it. There is a difficult trade-off between a secure password and one that is easy to remember. Secure passwords should be long (ideally 12 to 14 characters), complex (contain mixed case, numbers and punctuation) and random (not contain names or real words, even several joined together or with characters substituted). Most people find these difficult to remember, so below is a recommendation for generating a strong password you can easily remember:

  1. Start by thinking of a memorable phrase: Life is too short to remember a really long, complex password!
  2. Take the initials of the words in the phrase: Litstrarlcp (note the mixed case)
  3. Convert some of the words to numbers: Li2s2rarlcp (too/to becomes 2)
  4. Add in the punctuation: Li2s2rarl,cp!

You now have a secure password, which is easily remembered through the original phrase. However, if you use the same password for every machine and/or web-site, you are trusting the owners of those systems to never disclose your password. If one system is compromised, your e-mail address (often used as a username) and the common password will enable the hacker to access any site with the same credentials.

To avoid this issue, use part of the machine name or web-site address to add to your password. So, for the site http://www.example.com/ you might prefix your secure password with ex to give a site specific password of exLi2s2rarl,cp!. For passwords that regularly expire and need changing, a similar technique can be used by appending part of the date. So, in January 2010 you could append Jan10 to give a site and date specific password of exLi2s2rarl,cp!Jan10.
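The four steps above, plus the site prefix and date suffix, carried out in code as an added example (this is not code from the original page). The word-to-digit substitutions beyond "too/to becomes 2", the rule of taking the first two letters of the site name, and the strength thresholds are assumptions made for this example; the strength checker reports which of the page's rules (length, mixed case, numbers, punctuation) a candidate password fails.

```python
import re
import string
from datetime import date
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumptions for this example: the page only states "too/to becomes 2";
# the other substitutions and the 12-character minimum are illustrative.
WORD_TO_DIGIT: Dict[str, str] = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4"}
MIN_LENGTH = 12
PUNCTUATION = set(string.punctuation)


def phrase_to_password(phrase: str) -> str:
    """Steps 1 to 4: initials (case kept), word-to-digit substitutions,
    and the phrase's own punctuation kept next to the word it follows."""
    pieces = []
    for token in phrase.split():
        match = re.fullmatch(r"([^\w]*)(\w+)([^\w]*)", token)
        if not match:  # a token with no letters (e.g. a lone dash) is dropped
            continue
        lead, word, trail = match.groups()
        core = WORD_TO_DIGIT.get(word.lower(), word[0])
        pieces.append(lead + core + trail)
    return "".join(pieces)


def strength_issues(password: str) -> List[str]:
    """Return the strength rules the password fails; an empty list passes."""
    checks = {
        f"shorter than {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
        "no lower-case letter": any(c.islower() for c in password),
        "no upper-case letter": any(c.isupper() for c in password),
        "no digit": any(c.isdigit() for c in password),
        "no punctuation": any(c in PUNCTUATION for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def site_specific(password: str, site_url: str, when: Optional[date] = None) -> str:
    """Prefix with the first two letters of the site's name (assumed rule) and,
    for expiring passwords, append month and two-digit year, e.g. Jan10."""
    host = urlparse(site_url).hostname or ""
    labels = [part for part in host.split(".") if part and part != "www"]
    prefix = labels[0][:2] if labels else ""
    suffix = when.strftime("%b%y") if when else ""
    return prefix + password + suffix


if __name__ == "__main__":
    base = phrase_to_password("Life is too short to remember a really long, complex password!")
    print(base, strength_issues(base) or "passes all checks")
    print(site_specific(base, "http://www.example.com/", date(2010, 1, 1)))
```

Running the block reproduces the page's worked password from its phrase, confirms it meets every rule, and derives the site-and-date-specific form for the example site.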

Programmers are humans and make mistakes too. Often due to the complexity of computer systems there are unexpected side-effects of features in software. Open source software tends to suffer these less due to the collaborative way it is written and the number of people reviewing it. Closed source (proprietary) software is reliant on the manufacturer alone to test and fix any security issues.

Large companies have patch strategies:

  • Microsoft choose to keep details of security vulnerabilities private until they release patches on the second Tuesday of each month (the following Wednesday morning in the UK and Europe due to time zones)
  • Apple periodically release roll-ups of updates
  • Canonical release security updates for Ubuntu as soon as a patch becomes publicly available

Many pieces of software now automatically check and notify you when there are updates you need to apply. It is important that you do this as soon as you are notified. Once the patch has been released the details of the vulnerability will be available to every hacker on the planet. If you have not updated, you are their best friend! Likewise, some patches need to restart your machine before they become effective. If you delay in doing this you will also be at risk.

Flash Player comes in a variety of different formats to support different web browsers and operating systems. Therefore, it is essential that you check both Internet Explorer (if running Windows) and any non-Microsoft browser you use separately. The exception to this rule is Google Chrome, which ships with its own integrated Flash Player and keeps itself updated automatically.

To check your current version, visit http://www.adobe.com/software/flash/about/ and then follow the update link on the page as appropriate.

To enable an automatic update check, use the Settings Manager at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html and set it to notify you as soon as possible (currently 7 days).

When Adobe release an update for Reader, an icon will appear in your notification area:

Adobe Reader Update Tray Icon

You can also carry out a manual update check by starting Reader and selecting the Help ⇒ Check for Updates… menu item.

To ensure the software on your Mac is up to date, click the Apple icon in the top left-hand corner and select Software Update…:

Mac OS X Updates

When updates are available to Microsoft software an icon will appear in the notification area, as shown below:

Microsoft Update Tray Icon

Hovering the mouse pointer over the icon will display a status message and clicking on the icon will allow you to apply the updates. It is possible to verify that you are updating all Microsoft products (rather than just Windows) and check for updates by visiting http://windowsupdate.microsoft.com/ from Internet Explorer on your Windows PC.

When Oracle issue a new Java release an icon will appear in the notification area, as shown below:

Oracle Java Update Windows XP Tray Icon

Oracle Java Update Windows 7 Notification Icon

Clicking on the icon will begin the update process. Apart from declining the bundled extras (currently the Ask search engine browser toolbar) the process is straightforward. A restart of your computer is not normally required but any open web browser windows may need closing.

You can also manually check you are running the latest Java version by visiting http://java.com/en/download/installed.jsp and clicking the Verify Java version button.

On Ubuntu, your system will automatically check for updates and display the Update Manager application if any are needed:

Ubuntu Update Manager

If you are using a portable machine the automatic check will be skipped when running on battery. You can always run Update Manager manually and click the Check button to check for any available updates.
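For the two points the patching advice turns on, applying security fixes promptly and restarting when a patch needs it, here is an added command-line check for Ubuntu (example code, not the page's Update Manager or any Canonical tool). It parses the output of apt's upgradable listing, separates packages coming from the "-security" pocket from ordinary updates, and looks for the flag file Ubuntu writes when a restart is pending. The sample listing is constructed for the example; the package names and versions in it are placeholders, and `apt list --upgradable` is assumed to be available (it is on current Ubuntu releases, not on the 2010-era systems the page describes).

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample of `apt list --upgradable` output, not captured from a
# real machine. The pocket after the slash (e.g. "jammy-security") tells
# us whether the pending package is a security fix or a routine update.
SAMPLE_APT_LIST = """\
Listing... Done
examplelib/jammy-security 1.2-0ubuntu0.2 amd64 [upgradable from: 1.2-0ubuntu0.1]
example-browser/jammy-updates 10.0-1 amd64 [upgradable from: 9.9-1]
example-kernel/jammy-security 5.0.1 amd64 [upgradable from: 5.0.0]
"""

LINE_RE = re.compile(
    r"^(?P<package>[^/\s]+)/(?P<pocket>\S+)\s+(?P<new>\S+)\s+\S+\s+"
    r"\[upgradable from: (?P<old>[^\]]+)\]$"
)


def parse_upgradable(text: str) -> List[Dict[str, str]]:
    """Turn each package line into a dict; header lines such as
    "Listing... Done" do not match the pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def pending_security_updates(text: str) -> List[str]:
    """Packages whose pending version comes from a *-security pocket."""
    return [row["package"] for row in parse_upgradable(text)
            if row["pocket"].endswith("-security")]


def reboot_required(flag_path: str = "/var/run/reboot-required") -> bool:
    """Ubuntu creates this file when an installed update needs a restart;
    until the machine is rebooted the fix is not fully effective."""
    return Path(flag_path).exists()


if __name__ == "__main__":
    import subprocess
    # On a real Ubuntu host, replace the sample with live output.
    try:
        listing = subprocess.run(["apt", "list", "--upgradable"],
                                 capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing = SAMPLE_APT_LIST
    print("security updates pending:", pending_security_updates(listing))
    print("restart needed:", reboot_required())
```

A non-empty security list or a pending restart is the condition the page warns about: the vulnerability details are public, and the machine is still exposed until both are dealt with.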