Staying safe online–my contribution to JustAskGemalto
Gemalto has launched a consumer education program called JustAskGemalto featuring advice and short videos by many folks in the information security industry. I was interviewed a few weeks ago about staying safe online. The video is now available on JustAskGemalto’s YouTube channel.
Links to my Windows Connections presentations
Several of you have asked for copies of my presentations from the autumn 2009 Windows Connections. Because I’m using the online tool Prezi, I don’t have traditional slides to give you. I have, though, shared the presentation files for everyone to see. The links are below.
Thanks again for coming to the talks. And be sure to look for my Windows-related guidance for using Amazon Web Services. I’ll announce here and on the AWS blog when each paper is published.
I’m presenting at CloudCamp Phoenix

This Saturday, 24 October, CloudCamp is coming to Phoenix. CloudCamp follows a unique format, and I’m pretty excited to participate. It starts with several five-minute “lightning talks”; the Phoenix event will have five, and I’ll deliver a rapid overview of cloud security in Amazon Web Services. After the lightning talks is a panel, followed by two breakout “unsessions.” The unsessions are attendee-driven; I’ll focus on general cloud security/compliance and AWS specifics, so come prepared with your toughest questions. Hope to see you there!
CloudCamp information
CloudCamp Phoenix details
Register for CloudCamp Phoenix
Puget Brass in concert

Last year I joined a British brass band here in Seattle, called Puget Brass. I’m a long-time French horn player; since British brass bands don’t have French horns, I learned to play the baritone horn. Our first concert of the 2009-2010 season is this weekend. We’re performing a mix of traditional and contemporary pieces. If you’re local to Seattle, or traveling here, and would enjoy some high quality cultural entertainment, I’d love to see you come.
Date — Sunday 25 October
Time — 2:00 PM
Location — Plymouth Congregational Church, 1217 6th Ave (at University St), 98101 (map)
Payroll attackers add themselves
As a follow-up to my earlier post recommending a procedure for discovering and removing payroll fraud, I’d like to point out an article in yesterday’s Threat Level:
A payroll-processing firm that was breached by hackers last month is warning customers about a new breach, after some clients noticed phantom employees popping up on their payrolls.
New Jersey-based PayChoice sent a message to customers Thursday indicating that thieves appeared to have stolen customer login IDs and passwords by exploiting a vulnerability in the website feature for changing a password, WashingtonPost.com reports. PayChoice said it disabled the change-password feature until it could fix the vulnerability.
The company discovered the problem after some of its payroll customers noticed bogus employee names being added to their payroll lists, in an attempt to get the companies to pay those “employees” through bank accounts controlled by the fraudsters.
Newly published: Amazon Virtual Private Cloud scenario paper

One of the coolest new features of AWS is Amazon Virtual Private Cloud. With Amazon VPC you can securely extend your corporate network into the cloud. You can maintain ownership and control of the information, you can provide the IP address range, you can control access and security using your existing tools and products. An IPsec tunnel-mode security association protects the data communications between your network and your Amazon VPC cloud. You can join your Amazon EC2 Windows instances to your domain and manage them with System Center.
I’ve written a paper that describes several scenarios that fit well with Amazon VPC. Please give it a read. And if you’ve not yet tried AWS, perhaps this will give you a few ideas of projects that fit with your IT plans.
Whitepaper: Extend your IT infrastructure with Amazon VPC
Oklahoma lawmakers violate privacy of women

Absolutely unconscionable. In a blatant play to shame women away from perfectly legal medical procedures, the Oklahoma legislature passed a law that will collect and publish personally identifiable information about each woman who receives an abortion in that state. What’s included:
- Date of abortion
- County in which abortion performed
- Age of mother
- Marital status of mother (married, divorced, separated, widowed, or never married)
- Race of mother
- Years of education of mother (specify highest year completed)
- State or foreign country of residence of mother
- Total number of previous pregnancies of the mother
Not included is the woman’s name, but given the number of small towns in Oklahoma, deducing her identity will be easy. Also not included is the name of the father. One could surmise this is to conceal the identity of randy state politicians, but that would be…um…correlation without causation, no? (Riiiiiiiiiight.)
I really don’t understand why people continue to vote for politicians who actually think laws like this are good ideas. This law is going to cost taxpayers a quarter of a million dollars every year. What public benefits will the state’s residents receive? Certainly not any increase in public safety. If anything, one potential outcome of the law might be an increase in lynchings — wingnuts might very well locate, harass, even kill anyone they can identify on the list.
Stupid.
There’s an effort to kill the law. Let’s hope it succeeds.
Your opinion: external out-of-office replies
Earlier this evening I sent an email to a list of acquaintances. Along with the expected NDR or two, I received several out-of-office replies. This surprised me: I assumed most people realize sending out-of-office replies beyond their organization creates vulnerabilities. Now I’m curious about how pervasive the practice might be. So, dear reader, please answer this poll about whether you or your organization uses external replies and what your opinion is of them:
I think they’re dangerous. They frequently offer plenty of information for a bad guy to cause a lot of mayhem. Here’s a sample:
Good day. During 26-31 December 2009 I’m on vacation with my extended family enjoying the sun and triple-bogeying my way to the 19th hole in Cayman Islands. I’ve left my mobile phone at home, too. If you need any assistance, please contact Alice. I’ll answer your emails and calls when I return. –Bob
So what have we learned about Bob?
- Bob is far away from home for six days.
- Bob and his family departed the day after Christmas, so his house is probably full of brand new loot.
- Some of Bob’s siblings’ families, and his parents, are also away from home. Their houses are probably full of new presents, too.
- Bob’s shiny new smartphone is sitting on his kitchen table, next to the keys for his wife’s attractive new BMW parked in the driveway.
- Bob must have a lot of money; why else would he go to the Caymans?
- Bob’s a major golf nut, but most likely he’s better at drinking than driving.
- Bob probably left his computer on. I’d bet his bank password is “golfgolf.” (Bob must work in sales.)
- Bob is a moron.
Now I certainly never let fear motivate decisions of mine, but I’ll admit that external out-of-office messages worry me. Internal replies don’t: it’s reasonable to trust one’s colleagues and internal replies help people understand why your emails are delayed. The risk created by external replies outweighs their usefulness, though. If Bob were smart, he would have individually informed business associates about his short absence so they’d know when to expect pending work to resume. Blasting details about your empty house to anyone who pings your mailbox is just stupid.
Cloud for the enterprise
Amazon Web Services is coming to Los Angeles and New York with half-day afternoon events especially for enterprises. I’ll be there, speaking about security and concluding with some remarks on how the cloud is changing delivery of IT services. Click on one of the links below to register. The events are free — hope to see you there!
Los Angeles – Thursday 15 October – Sofitel Hotel, 8555 Beverly Blvd, 90048
New York – Monday 19 October – Marriott Downtown, 85 West St at Albany St, 10006
Reasons to attend
- Gain a deeper understanding of Amazon Web Services, including best practices for architecting and securing applications in the cloud
- Learn how AWS can help you quickly and cost-efficiently scale IT infrastructure capacity to meet growing business needs without incurring resource costs when demand is low
- Hear enterprise customers talk about their experiences and successes with Amazon Web Services
Who should attend
- Technology and business stakeholders of enterprise companies, including CTOs, CIOs, VPs, directors, program and product managers, architects, administrators, lead engineers, and IT managers
Agenda
12:30pm – 1:30pm: Doors open; partner and solutions expo
1:30pm – 1:40pm: Opening statements
1:40pm – 2:20pm: AWS overview by Dr. Werner Vogels, Amazon CTO
2:20pm – 3:20pm: Customer presentations and Q&A
10-minute break
3:30pm – 4:00pm: Security in the AWS cloud
4:00pm – 4:40pm: Architecting enterprise applications in the cloud
4:40pm – 5:00pm: Getting started with the AWS cloud
5:00pm – 7:00pm: Networking and cocktail reception
Who’s on your payroll?
Do you know for certain that everyone on your organization’s payroll is actually employed by your company? Are you sure? Payrolls have long been tempting targets for attackers. It’s where the money is. Anyone with sufficient access to the payroll database could secretly add a buddy or two; probably no one would notice. The buddies kick a bit of their “paychecks” back to the sleazy employee. This could happen to organizations of all sizes — to avoid detection, people scamming small companies keep their payouts low, while those pilfering from large organizations can get away with greater amounts.
A few days ago we learned that payroll processing and software firm PayChoice got attacked:
In a Sept. 28 e-mail sent to customers, PayChoice indicated that the hackers had obtained e-mail addresses as well as login IDs and at least parts of passwords for account holders using the OnlineEmployer.com web site.
The hackers wasted no time in using the information to trick the customers into relinquishing the remainder of their passwords. Customers…received targeted phishing e-mails telling them they needed to download a plug-in to continue using the OnlineEmployer web site. The e-mails referenced the customer’s log-in username and part of their password.
The plug-in, however, was actually a password-stealing Trojan [TrojanDownloader:Win32/Bredolab.X]. When customers clicked on a link in the e-mail taking them to a site hosting the plug-in download, the site searched for vulnerabilities to exploit in the user’s browser and other applications that would allow it to install the malicious software onto their machine. The malware exploits the Internet Explorer browser as well as Adobe Flash and Adobe Reader applications.
While not the same as inserting fraudulent entries into the payroll database, it shows that attackers aren’t exactly stupid about picking their victims. Phishing attacks urging victims to download and run malware are nothing new. I’ve told the story many times about how attackers used a similar tactic in 2004 to siphon money out of the online accounts of e-Gold customers:
Win32.Grams was directly spammed to potential victims, in the form of an attachment containing an encoded Visual Basic script with a .vbe extension… When run, the VB script downloads a file from http://onestopgpt.com/media.exe (no longer available), saves it as svhost.exe and executes it.
Because the trojan automates the burden of siphoning money from the accounts and does it from the victim’s own computer, this method of account looting bypasses all authentication methods employed by the banking institutions, and is therefore expected to become very popular – however, due to tagging of certain browser fields, the automated sessions can still be detected by the financial institutions using backend analysis systems (for example, the Corillian Fraud Detection System).
Since the trojan uses the victim’s established SSL session and does not connect out on its own, it can bypass personal and corporate firewalls and evade IDS/IPS devices. Anti-virus engines may detect some trojans, but signature-based solutions will always have a lag time, and will never reach 100% detection. At the time of this writing, only 5 out of 9 virus scanners tested detected the trojan file.
Back to payroll attacks. If you think your organization isn’t vulnerable, think again. A few months ago I received an email from someone whose IT department hired a consultant to investigate potential insider attacks. The writer mentioned the consultant must have been to a seminar of mine, because the first thing he did was recommend a procedure I’ve long advocated: periodically run manual payrolls.
Announce the date in advance so everyone can be ready. On that date make no direct deposits of paychecks. Instead, employees must appear at a designated location in person, with valid employee ID, to claim paper checks. Give yourself a week to complete the process. Any checks remaining in the box have been going to people who no longer — or never did — work for you.
Jesper has frequently recommended this too; a few years ago he got a call from someone who followed the advice and was shocked to see what remained. How much? “Significant,” was all the customer would say. The customer I mentioned above wrote that the consultant discovered excess payments “in the six-figure range.” Multiply that by a few years and you’ve got a seriously expensive scam.
Contact your HR and payroll department this week and arrange for your organization’s manual payroll. I recommend you perform one annually.
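The manual payroll above catches phantom employees in person. The same patterns the post describes (names nobody in HR knows about, people paid after they left, several “employees” whose pay lands in one account) can also be checked against the data before the check-pickup day. The following is an added example, not code from the original post; the CSV column names and all sample rows are constructed.

```python
"""Payroll reconciliation checks (added example; not from the original post).

Assumptions: payroll and HR data are available as CSV exports with the
constructed column names used below. Three checks mirror the fraud patterns
the post describes: entries absent from the HR roster, people still being
paid after termination, and several "employees" sharing one bank account.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; ids, names and account numbers are fictitious.
HR_ROSTER = """\
emp_id,name,status,termination_date
1001,Alice Example,active,
1002,Bob Example,terminated,2009-06-30
1003,Carol Example,active,
"""

PAYROLL = """\
emp_id,name,bank_account,amount
1001,Alice Example,ACCT-111,4200.00
1002,Bob Example,ACCT-222,3900.00
1003,Carol Example,ACCT-333,4100.00
1004,Dan Phantom,ACCT-999,2500.00
1005,Eve Phantom,ACCT-999,2500.00
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_payroll(hr_text, payroll_text):
    """Return {finding_type: sorted list of emp_ids} for the three checks."""
    roster = {r["emp_id"]: r for r in load_rows(hr_text)}
    findings = {"not_in_hr": [], "terminated": [], "shared_account": []}
    by_account = defaultdict(set)

    for row in load_rows(payroll_text):
        emp_id = row["emp_id"]
        by_account[row["bank_account"]].add(emp_id)
        hr = roster.get(emp_id)
        if hr is None:
            findings["not_in_hr"].append(emp_id)      # phantom: HR never heard of them
        elif hr["status"] != "active":
            findings["terminated"].append(emp_id)     # still paid after leaving

    # One account receiving several paychecks is the classic kickback setup;
    # it is a heuristic, since a fraudster can use separate accounts.
    for ids in by_account.values():
        if len(ids) > 1:
            findings["shared_account"].extend(ids)

    return {k: sorted(set(v)) for k, v in findings.items()}


def flagged_total(payroll_text, findings):
    """Sum the pay going to every flagged emp_id (each counted once)."""
    flagged = set().union(*findings.values())
    return sum((Decimal(r["amount"]) for r in load_rows(payroll_text)
                if r["emp_id"] in flagged), Decimal("0.00"))


if __name__ == "__main__":
    result = audit_payroll(HR_ROSTER, PAYROLL)
    print(result)
    print("exposure per pay period:", flagged_total(PAYROLL, result))
```

Anyone flagged still has to be checked with HR; the script narrows the list, it does not replace the in-person pickup.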
Webinar: securing public cloud infrastructures
Mark time in your calendars for a cloud security webinar co-presented by Amazon Web Services and enStratus on Wednesday October 7, 2009 at 11:30 AM – 12:15 PM Central Time US.
Public cloud computing has evolved into a mainstream approach for building out components of an IT infrastructure. Cost saving opportunities make the development of a public cloud strategy absolutely critical. Even before taking on pilot projects in the cloud, however, you should have a solid understanding of the security implications and opportunities in public cloud computing. Amazon Web Services and enStratus have teamed up for this webinar detailing how businesses moving into the cloud can understand the security issues in public cloud computing and how to secure a public cloud infrastructure.
Among the most critical components in cloud security is transparency from your cloud providers. AWS has built out an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. enStratus operates outside of the AWS cloud, watching over its operations, and keeping your authentication and encryption credentials safe outside the cloud while encrypting the data inside the cloud both in transit and at rest.
Steve Riley from AWS and George Reese from enStratus will discuss common cloud security concerns and show you how to take advantage of the security features AWS and enStratus provide you to build a secure public cloud infrastructure.
Key Learnings
- How does AWS protect its infrastructure and, by extension, your data?
- What can you do with tools like enStratus to further protect your data?
- How can you use enStratus to protect your data from third-party subpoenas or subpoenas targeted at AWS?
- How can I manage user access to my AWS infrastructure?
- What issues impact compliance with various standards/regulations in the AWS cloud?
Speakers
- George Reese, O’Reilly cloud computing author and CTO for enStratus, a leading cloud management platform
- Steve Riley, Sr. Technical Program Manager for Amazon Web Services
Will they ban food, water, and air, too?
In a lapse of common sense, the government of India is seeking to ban Internet telephony until some kind of tracing mechanism can be put in place. “Terrorism” certainly seems to be the popular excuse for eliminating pesky citizen behavior. We’ve seen attempts to ban mobile phones, attempts to ban constitutional law, attempts to subjugate with fear. Will it ever end?
Like similar attempts in other countries, India’s proposition will utterly fail. What is an Internet “phone call,” anyway? A stream of bits between applications on computers. Hm, sounds like every other kind of Internet communication. Attention, government regulators: the distinction between voice and data disappeared in the late 1990s. Banning Internet telephony is as ridiculous as all other attempts to ban ideas. Sure, you can make it difficult for people to download VoIP and messenger applications, but there’s an essentially infinite supply of distribution points for these programs. There’s also an essentially infinite supply of alternate telephony applications: people will just keep cranking out new tools that national proxy servers don’t recognize. Blocking VoIP protocols won’t work, either, because a lot of applications fall back to HTTP, the durable universal protocol. Most of them work over VPNs, too; public VPNs seem to be all over the place these days.
The article mentions that India’s government successfully lobbied RIM to modify its protocols to satisfy certain regulations. Okay. Guess what? The bad guys have done what they always do: changed tactics. They’re probably using iPhones now. Was it really worth all those endless meetings? How many non-terrorist customers might have switched platforms after this?
Banning a thing because bad guys might use it to unleash mayhem prohibits good guys from using the thing, too, even during emergencies. Which only serves to make everyone a bit more insecure.
RunAs Radio interview

Recently I was interviewed by Richard Campbell and Greg Hughes of RunAs Radio. We discussed my transition from Microsoft Trustworthy Computing to Amazon Web Services, some points to consider about cloud security, and a bit about desktop virtualization.
Voodoo security
Amazingly, even in the 21st century, people still want to cling to ancient beliefs that lack even a whisper of a shadow of evidence. Dowsing rods are back — but this time in the guise of bomb detectors. A few weeks ago NPR had a story on portable bomb detectors the Iraqis are deploying at roadside checkpoints. Turns out they’re completely fake: the units contain no electronics. They serve only one purpose: to allow an officer to search any car he wishes without needing to notice potential criminal behavior. In other words, these “detectors” are actually very handy devices for confirming baseless suspicions or disguising profiling.
While the story does indicate “U.S. military experts suspect it is nothing more than a charade” and “Many U.S. officials say the science is about as sound as searching for groundwater with a stick” and “One American expert in Baghdad compared the machine with a Ouija board,” the story spends more time quoting people who claim the devices actually work. Unfortunately, NPR is demonstrating the increasing trend among many journalistic organizations to soft-pedal the facts. These gadgets are a complete sham, and the author of the story should have said so in no uncertain terms. “Reporting the controversy” is just plain deceptive where there is actually no controversy to report. Where the reporter chickened out, the story’s comments reveal the truth, and also suggest possible real motives behind the use of the devices.
Groovy security in Windows 7
Get a full dose of great Windows 7 information and advice in the October issue of TechNet Magazine. The entire issue is dedicated to helping you learn about and deploy the newest version of Windows in your organization. Included is my article “Groovy security in Windows 7,” where I discuss my favorite new security features: DirectAccess, BitLocker and BitLocker To Go, AppLocker, and DNSSEC (yes, I’ve changed my thinking about the need for authentication and integrity in DNS), multiple firewall profiles, and the Windows Biometric Framework. Please take a look. I hope you enjoy it, and as always, I welcome your feedback.
Predicting the future

At the Get Your Head in the Cloud seminar at Iowa State University yesterday, I briefly mentioned how the future will bring about certain unavoidable disruptive discontinuities in the way traditional IT goes about its business. I mentioned several books worth reading. Many of you have asked for the list; here it is:
- The Cathedral and the Bazaar by Eric S. Raymond
- The Wisdom of Crowds by James Surowiecki
- We Are Smarter Than Me by Barry Libert, Jon Spector, Don Tapscott
- The World Is Flat by Thomas L. Friedman
- The Innovator’s Dilemma by Clayton M. Christensen
- The Long Tail by Chris Anderson
- The Speed of Trust by Stephen M. R. Covey
- What Got You Here Won’t Get You There by Marshall Goldsmith
- Outsourced (the movie)
I’m speaking at Windows Connections in November
Windows Connections is one of my favorite events. I’m returning in November, this time in my role as cloud computing evangelist for Amazon Web Services. I’m delivering a keynote and three breakout talks. While the breakouts are in the Windows track, my presentations will cover various aspects of cloud computing, including details on AWS. My keynote is also on cloud computing; it’s vendor-neutral and is designed to help you understand the drivers behind cloud computing. See below for descriptions.
If you’ve never attended a Windows Connections event, I urge you to give one a try. They’re very well run, with plenty of technical depth, relevant topics, and great speakers. Plus Minasi
If you’ve attended in the past, please come back — we’ve got all new material, and it will be good to see many of you again. The event runs 9-12 November.
More information
My talks
Fear the cloud no more
Suddenly, it seems, the simple network diagram symbol for the Internet has become a major component for providing infrastructure platforms and service offerings. Unlike the application service provider days of the late 1990s, cloud computing is here to stay. It’s already gained much traction for specialty computing purposes, yet many IT shops remain wary. Moving compute and storage out of your own data center and into someone else’s, mingled among many others, seems daunting at first. Common questions arise around security, manageability, performance, and reliability. Think about it, though–these are the same concerns you’ve always had. Nothing about the cloud requires that you jettison everything you’ve learned during your career. The cloud is a logical next step in the evolution of computing, and when integrated with corporate IT removes much of the burden and allows a business to concentrate on its core functions. Steve Riley will explore common concerns, dispel several myths, and help you learn how your business can benefit from the cloud.
Introduction to the cloud: infrastructure, platform, and software services
There have been many attempts to define and classify cloud computing. And while most providers seek ways to differentiate themselves and offer novel solutions, three general service models have arisen. Roughly following other compute and protocol stacks, the models include infrastructure as a service, platform as a service, and software as a service. Depending on your requirements, you may decide to select providers from one or more of these models. Steve Riley will explore the models and illustrate where the various components of Amazon Web Services fit.
Security and compliance in the cloud
Moving to the cloud raises lots of questions, mostly about security. Providers worthy of your business should answer them clearly and honestly. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. Steve Riley will discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.
Managing resources and performance in the cloud
Transitioning your compute processing and data storage to the cloud doesn’t mean you have to give up control. Indeed, many providers are investing in technology and adding features that can help you manage cloud resources using the same tools and procedures you already use in your existing environment. Steve Riley will illustrate capabilities in Amazon Web Services that allow you to monitor resource utilization, to dynamically add or remove resources as demand changes, and to integrate cloud resources as a logical extension of your data center.
Fixed the Passgen download
Several people have alerted me that the Passgen tool in my Box.net site was corrupt. I uploaded a new version this morning, and tested it. All’s good now, please try your download again from the widget to the right of this frame. Sorry for the troubles.
(Jesper wrote Passgen and included it in our book, Protect Your Windows Network. With this tool you can manage machine and user passwords locally and remotely across a domain. Unlike other tools, it doesn’t actually store any passwords; instead, it sets completely random passwords or passwords derived from an identifier plus a pass phrase. Check it out, it’s very handy.)
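The “identifier plus a pass phrase” idea in the note above, as an added illustration that is not Passgen’s own algorithm: the password for each machine is recomputed from the identifier and the pass phrase whenever it is needed, so no password store exists. The KDF, iteration count, output length and character set are this example’s own choices.

```python
"""Deterministic per-machine password derivation (added example).

NOT Passgen's algorithm; it demonstrates the property the post describes:
a password recomputable from identifier + pass phrase need not be stored.
Trade-off to keep in mind: whoever learns the pass phrase can derive every
password, so the phrase must be guarded at least as well as the store
it replaces.
"""
import hashlib
import secrets
import string

# Exactly 64 symbols, so byte % 64 is unbiased (256 is a multiple of 64).
CHARSET = string.ascii_letters + string.digits + "!@"
PASSWORD_LENGTH = 20
ITERATIONS = 200_000  # example value; tune for your hardware


def derive_password(identifier: str, passphrase: str,
                    length: int = PASSWORD_LENGTH) -> str:
    """Derive the password for `identifier` from the pass phrase.

    The identifier acts as the salt, lower-cased so that "HOST1" and
    "host1" (the same machine) yield the same password.
    """
    assert len(CHARSET) == 64
    key = hashlib.pbkdf2_hmac(
        "sha256",
        passphrase.encode("utf-8"),
        identifier.lower().encode("utf-8"),
        ITERATIONS,
        dklen=length,
    )
    return "".join(CHARSET[b % 64] for b in key)


def random_password(length: int = PASSWORD_LENGTH) -> str:
    """Fully random password from the OS CSPRNG; cannot be recomputed."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs.
    phrase = "correct horse battery staple"
    print("WORKSTATION-01:", derive_password("WORKSTATION-01", phrase))
    print("WORKSTATION-02:", derive_password("WORKSTATION-02", phrase))
    print("random:        ", random_password())
```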
One of the tools in the good guys’ arsenals is the fact that the bad guys haven’t been very skilled coders. Not anymore: they’re getting very, very good. 