Tuesday, June 16, 2009

Don't worry yet about the iPhone news 

What do the scary headlines about the latest iPhone security issue mean for you?

Not much.

There are several obstacles in the way of taking over an iPhone remotely. What security researchers discovered is a way past one of those obstacles, but not a way to take over an iPhone.

Right now the prudent thing to do is stay current with software updates and not worry until something else goes wrong.


Saturday, June 13, 2009

What do criminals want with your PC, anyway? 

I like Brian Krebs's security column in the Washington Post, and he wrote a good one a while back about criminal uses for a compromised home computer.

There are dozens of ways your computer could be misused, some of them quite embarrassing. For example, there's a scam in which the intruder sends email in your name to everyone in your address book claiming to be stranded overseas and in desperate need of having money wired. The criminal then collects the wired funds, and because Western Union transfers are irreversible, the money is gone for good.


I'm back! 

For a long time it seemed like there was nothing new to say, but lately I've been finding things I'd like to pass along.


Friday, January 16, 2009

How to protect your children online 

Step one is to know what the dangers are, and sensational TV shows turn out to be a bad guide.

A large government-industry-academic team has released a report on dangers to minors online and especially at social networking sites.

You can figure out just about all their conclusions in advance by just thinking about the fact that social networking sites have people on them who do people-type things.

With that thought in mind, you won't be surprised by
Bullying and harassment, most often by peers, are the most frequent threats that minors face, both online and offline.
or by
Social network sites are not the most common space for solicitation and unwanted exposure to problematic content, but are frequently used in peer-to-peer harassment, most likely because they are broadly adopted by minors and are used primarily to reinforce pre-existing social relations.
or by
Minors are not equally at risk online. Those who are most at risk often engage in risky behaviors and have difficulties in other parts of their lives. The psychosocial makeup of and family dynamics surrounding particular minors are better predictors of risk than the use of specific media or technologies.

One member of the task force maintains a database of sex offenders, and even he said "This shows that social networks are not these horribly bad neighborhoods on the Internet ... Social networks are very much like real-world communities that are comprised mostly of good people who are there for the right reasons."

So teach your children to take the same precautions they would in the offline world.


Things to know about the "Conficker" or "Downadup" worm 

The extensive publicity about this piece of malware, which has infected millions of Windows PCs, usually leaves out some things you'd want to know.

For example, you might wonder how to tell if you've been infected. Symptoms include being locked out of accounts, being unable to connect to the websites of security companies, and some more technical symptoms.

Or you might wonder what to do if you are already infected. That's a problem because the worm tries to defend itself against antivirus software. The latest edition of Microsoft's Malicious Software Removal Tool is said to be able to delete the worm.

As for protecting yourself, you're safe if you've been taking normal precautions. It won't get through a firewall that blocks Windows file sharing, and over the network it can only infect computers that aren't up to date on Microsoft's security fixes. One caveat: later versions of the worm also spread through USB drives via Windows autorun and by guessing weak passwords on shared folders (that guessing is where the account lockouts come from), so keep autorun off and don't put weak passwords on shares.

In fact, if you'll pardon me a little flame, the fact is that Microsoft released a fix that protects against this worm back in October (security bulletin MS08-067). They even made it one of their emergency unscheduled patches. When they do that they really mean it. Some companies do need to delay installing patches while they test them for compatibility, but come on, three months? And for home users I recommend turning on automatic updates.


Monday, November 24, 2008

What does the latest attack on WiFi mean to you? 

The headlines were scary, talking about WiFi security being broken. How bad is it?

Not very. The new attack, clever though it is, doesn't let someone get onto your network or recover your key. What it does is let an attacker decrypt one short packet (an ARP reply, typically) after roughly a quarter of an hour of work and then inject a handful of forged packets. It's important, because it means the TKIP security mechanisms weren't doing what they were supposed to, but it's not an operational concern yet.

If you like to stay ahead of the game, you can always poke through your wireless settings and make sure you're using WPA2 with AES (sometimes labeled CCMP) rather than "TKIP", but you'll be OK if you don't.


Reading PDFs can be dangerous 

Adobe has patched multiple problems in their software and browser plugin for reading .PDF documents. You want to be running version 9, which fixes all the problems I've heard of.

ComputerWorld article
A smaller, faster PDF reader with fewer and faster-patched security holes


Voting machines roundup 

Here are some more university studies of voting machine security. The key quote, more important than the fact that they demonstrated a virus copying itself from one voting machine to another and therefore making it possible to compromise several machines by infecting just one, is
While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny. A number of recent studies have shown that most (if not all) of the electronic voting systems being used today are fatally flawed, and that their quality does not match the importance of the task that they are supposed to carry out.

The 2008 election went mostly OK, with only scattered reports of problems. Dr. Barbara Simons, who sits on the Election Assistance Commission's Board of Advisors, still advocates manual audits, pointing to apparent problems that have come up even with optical-scan systems. Her interview is long but well worth the read. Activists worry that there were again discrepancies between exit poll results and the ballot counts, but I don't see how they can rule out bias in the exit polls (one Democratic analyst pointed out that young people are more likely to talk to exit pollers than older people are, and this time there was a big difference between the youth vote and the elderly vote).

Touch screen machines lost ground in this election, especially in the swing states of Ohio and Florida. They were still being used in West Virginia: people in multiple counties there reported their votes being flipped from the candidate they picked to the other one, but that's more likely to be the result of an out-of-alignment touch screen than anything else.


Friday, October 24, 2008

Comments on the news, this one's NOT overblown 

Run Windows Update.

Microsoft released a "Critical" security patch (MS08-067) to fix a problem in which any computer running Windows file sharing can be completely taken over across the network with no action on your part.

It's less of a worry if you're running Vista, and normal firewalling will stop the attack. But it's still a big concern.

When the news broke, I advised clients that before long there would be automated attack programs that unskilled attackers could use, and that attackers would use the new attack to spread infections after getting a toehold by other means.

Both have already happened. There's already a self-reproducing "worm" program taking advantage of the security weakness. It's being introduced behind people's firewalls by the usual sort of trickery, but then once it's on one machine it copies itself to the others on the network.

It's a little more complicated than that, but now you have the gist.

If you use a laptop on the road, make sure you've got a firewall program running on it and that it's set to block Windows file sharing (TCP ports 139 and 445), or turn off file sharing altogether in the Control Panel.


Comments on the news: this is overblown 

The headlines said that wireless networking security is now a thing of the past, due to a clever company finding a way to program graphics cards to crack security codes.

In a word, no.

What they did was speed up existing password-guessing attacks on WPA and WPA2 pre-shared keys, the kind you set on a home router, by a factor of 25-100. A 100-fold speedup is worth less than seven bits of password strength (100 is a bit less than 2 to the 7th), so if you've chosen a good password in the first place, it's not going to be so close to guessable that the speedup matters.

And you can really go to town picking a hard password for your Wi-Fi setup, because you only have to type it in when you're installing things. You can use something long and obscure. You can make it up to 63 characters long!

I recommend a passphrase, something with multiple words instead of an incomprehensible set of letters and numbers. Visit http://www.diceware.com for a system that lets you roll dice to pick short words from a big list. As long as you've chosen them randomly, each word is worth about 13 bits, so four words give about 52 bits and five about 65; at the guessing rates reported for a single machine, four words already takes centuries to search, and five or six leave a comfortable margin.
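To make that arithmetic concrete, here is an added example, my own code rather than anything from the company that did the GPU work or from the Diceware site. It derives a WPA/WPA2 pre-shared key the way a router does and computes what a word count and a guessing speedup are worth in bits. The PSK derivation is the one specified in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase and network name, 4096 iterations, 32 bytes out). The list size of 7776 is the real Diceware list size, but the tiny word list in the code is a constructed stand-in, and the guessing rate of 100,000 per second is an assumption for illustration.

```python
import hashlib
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per roll of five dice

# Constructed stand-in for the Diceware list; a real list has 7776 entries.
SAMPLE_WORDS = ["cliff", "mango", "radar", "plum", "oxen", "quilt", "vivid", "zeal"]

# Assumed guessing rate, for illustration only: 100,000 PSK guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1e5


def valid_wpa_passphrase(passphrase: str) -> bool:
    """The standard allows 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    as specified in IEEE 802.11i. The 4096 iterations are why each guess
    costs an attacker real work, GPU or not."""
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def diceware_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each randomly chosen word contributes log2(list_size) bits."""
    return words * math.log2(list_size)


def speedup_in_bits(factor: float) -> float:
    """A guessing speedup of `factor` is worth log2(factor) bits of strength."""
    return math.log2(factor)


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """On average half the space is searched before the right guess turns up."""
    seconds = 2 ** (entropy_bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def diceware_passphrase(words: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick words with the OS random source instead of physical dice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(derive_wpa_psk("password", "IEEE").hex())
    for n in (3, 4, 5, 6):
        bits = diceware_entropy_bits(n)
        years = expected_crack_years(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{n} words: {bits:.1f} bits, about {years:,.0f} years at the assumed rate")
    print(f"100x faster guessing = {speedup_in_bits(100):.2f} bits")
    print(diceware_passphrase(5))
```

The "password"/"IEEE" pair is the published 802.11i test vector, so the derivation can be checked against a router or wpa_passphrase; the years figure scales linearly with whatever guessing rate you plug in, and every doubling of that rate costs the defender exactly one bit.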


Saturday, September 06, 2008

But are voting machines really dangerous in practice? 

Spokesmen for the voting machine manufacturers like to say that the reported vulnerabilities are unrealistic in the context of an actual election, with all its tests and security procedures.

This is plausible. There are lots of cases in security work where it's OK to work around a problem with a cross-check instead of eliminating the problem altogether.

Are they right?

Rice University researcher Dan Wallach rebuts vendor claims in detail. He explains how an attacker or a corrupt official could do the same things his team did, and throw an election without getting caught.


View your online banking records without your password 

This is a good example of how a simple feature change can create a security issue, and why security features that seem unnecessary can be important in practice.

Google's Chrome browser has a feature I've dreamed of for a long time. You can search the text of pages you've visited before. If you remember that you looked at a great recipe using arugula but can't remember where you found it, you can type "arugula" into Chrome's do-everything bar and it will find the page in your history with the word "arugula" in it. Nifty. Useful.

OK, but what about your online banking activity? It turns out that if you search for words like "balance" or "Visa" you'll bring up copies of pages that your online bank showed you, with potentially sensitive information on them. Humphrey Cheung reports on Chrome indexing banking records. You can't transfer money or anything like that, but it's an information leak.

If you want your banking activity to be confidential from other users of your computer, there is an answer. Use Chrome's "incognito" window, which stops pages from being stored in your history, and clear the history that's already there. This is a good idea for any security-sensitive activity.

Also, turn off Chrome's autosuggest feature if you don't want Google to know everything you type into the do-everything bar.


Friday, September 05, 2008

Alarming security bug in Google Chrome 

Some security experts, whose names I can't find offhand, have discovered a bug in Google's new "Chrome" browser that could sidestep all of Chrome's security measures and take over your computer.

The good news is that it can only happen while you're saving a web page, there's no evidence of bad guys trying this in the wild, and it's unlikely that they will given how few Chrome installations there are.

What's alarming is that it's a kind of bug ("stack based buffer overflow") that can usually be avoided by checking a program with well-known tools, and which can usually be blocked from taking over your computer if the programmers use appropriate options (such as Microsoft's /GS stack protection) when they translate the program from a human-readable computer language into an executable program.

Without the details, it's impossible to tell whether this is just the kind of accident that could happen to anybody, or whether Google has been overlooking precautions that should be standard procedure these days. If the latter, we'll know because there will be a flood of security bug reports in short order.


Thursday, September 04, 2008

More thoughts about Google Chrome 

Chrome will save passwords for you, but unlike Firefox it doesn't let you define a master password that protects all your stored website passwords.

This could be OK. I worry about future occurrences of a problem that happened in 2006, in which malicious code could put up a login form and fool a browser into entering a saved password silently without asking you first. With a master password in place, you'd get a reminder that your browser was about to retrieve and send a password. A master password also makes password storage more secure.

I've been reluctantly coming to the conclusion that the AdBlock Firefox extension is a security measure. Bad guys have figured out that they can expose zillions of people to malicious code by putting that code into an ad. Don't expect to see anything like AdBlock for a browser that comes from an advertising company.

My other favorite way to reduce my exposure, which is to minimize the number of pages I allow to run JavaScript, isn't likely to find a home in Chrome. One of Chrome's main design goals is to have a better, stronger, faster JavaScript engine.

This could all work out OK. Google has taken steps to limit the harm that web-based malware can do to you. If Google's paid enough attention in the right places, they might be producing a browser with fewer security bugs for bad web pages to exploit.


Wednesday, September 03, 2008

Latest word about Google's "Chrome" browser 

Someone's already found the first security bug! It was a researcher named Aviv Raff, and it's not a biggy, but it sure is embarrassing. It's a bug in code that Google reused for their browser, that had already gotten fixed elsewhere. It allows a bad site to fill up your desktop with icons for potentially unwanted software.

Chrome will be both good and bad for your privacy. It has a mode where it stops logging your history on your local machine. On the other hand, and Google is commendably up-front about this, in order to generate suggested sites and searches, it's constantly sending information about every place you visit to Google. You can turn this off, but how many people will?


Monday, September 01, 2008

What you're up against 

A software developer's blog has an example of a malicious web page displaying fake buttons and controls that look like part of Windows to trick you into downloading what they claim is an antivirus program.

It all started from a legitimate web site, too, which apparently got taken over somehow by scammers.

I'm not completely happy with the suggestions the blogger and the people in the comments had to offer. They suggest changing the way your real Windows interface looks so that imitations will look strange. Instead I'd suggest NoScript, which would have halted the example attack in its tracks, and one other thing. The point of all the deception was to trick you into downloading an executable file. You get a real warning at that point, which asks if you really want to save and run a file from the Internet. Say "no" to those unless you set out to download something that you have some reason to trust.


First reaction to Google's browser announcement 

Google accidentally pre-announced a Google-brand web browser. It's not available to try out yet.

It's going to do some encouraging things about security. Google plans to "sandbox" the web applications running in their new browser, so that even if/when you browse to a malicious page it won't be able to do widespread damage to your computer. If I'm reading their claims correctly, they say they can stop keystroke loggers from working (not sure how that's possible).

Popups will be tied to the tab they came from and can't cover up other tabs.

There will be a few problems to watch out for, and things they can't possibly prevent and still be useful. The big issue is that they want their browser to be a place where sophisticated web apps can run. That means the browser has to be able to do all the sophisticated things the web app is supposed to do. Google tries to make sure the browser can't overwrite things on your hard disk, but by definition it has to be able to overwrite your Google Docs.

"Sandboxes" have been used before. What usually happens is that when they're new, clever people find a few ways that bad code can escape from them and do bad things that the sandbox was supposed to prevent. Then after a little while the holes in the sandbox get fixed and it works as designed.

Plugins are the area most likely to cause security problems for Google's browser. Plugins like Flash are designed to do a wide range of things, wider than the browser's normal security policy would permit. Plugins like Flash have had security problems time and again.


How to recognize an attack 

I ran into a suspicious web page the other day.

It opened from an unrelated search result. That's not a sign of a legitimate web page. What really gave it away was that it claimed to offer an antivirus product. Legitimate companies do legitimate advertising. If you see something unexpected suddenly offering you security software, be suspicious: it's like someone walking into your store off the street and offering you "protection".

A really good scam would have shown a web page that looked like a real business. This one didn't even have that much, not that there was any way to trust it at that point.

I looked at the page's inner workings briefly. It looked like it was set up to display all kinds of scary warnings and trick me into downloading a program from them. I didn't even see the scary fake warnings, because I'm running the NoScript extension to Firefox.


Saturday, August 30, 2008

Rent "Hacking Democracy", the 2006 HBO documentary 

It's a good introduction for a non-specialist. It leaves some things out, and I spotted one really minor error, but it's worth your time.


Friday, August 29, 2008

If you have nothing to hide, you have nothing to fear? 

A three-year-old in Dorset, England, is having trouble sleeping at night. She's afraid there's a man outside watching her.

There's a reason. Government employees were following her family to and from school for three weeks, making records such as "female and three children enter target vehicle and drive off" and "curtains open and all lights on in premises".

But, we are told, we have to trade some privacy for security. Let's take a look at the public safety implications, and see if they justify following kids to school and scaring a three-year-old.

The surveillance was to assess whether the family really lived in the coverage area of the school they applied to. (They did, by the way).

The Poole borough spying case.

Ask tough questions if your government tells you they need to invade your privacy in the name of security.


"[T]he case could be treated as terrorism" 

Gary McKinnon admits that he went into US government computers without permission.

He was sitting at home in his bathrobe looking around for evidence that the US government had secret alien technology taken from UFOs.

He got into many machines, working alone and without being particularly sophisticated. If you're a US taxpayer, take that as a sign that the computers you're paying for are being badly administered. If a computer is important enough to prosecute someone over, it's important enough to protect well enough that a random eccentric can't get in.

BBC profile of Gary McKinnon
The authorities have warned that without his co-operation and a guilty plea the case could be treated as terrorism and he could face a long jail sentence.


How are voting machines tested? 

I've written before about the limitations on the "certification" of voting machines.

There's been more talk about it recently. Wired magazine's criticism of voting machine testing notes that problems go years without being fixed, and that the testing consists of going down a checklist that often has nothing to do with reliability or security. Worse, the software running in your election may be different from the software that got certified. University of Iowa computer science professor Douglas Jones proposes testing procedures for voting machines including election-day tests aimed at catching malicious software that gives the right answers until it sees it's in a real election.

Nobody in those discussions mentions a key point. If you could make software reliable by testing it, we'd see a lot fewer bugs in our daily lives. Security is even harder to test for than reliability. A program can run just fine and be insecure.

The way to get secure software is to start at the design stage and build it from the ground up to resist or detect attack. For example, the software that adds up the vote totals from the precincts shouldn't allow the machine operator to change the totals without even creating a record of the change. One widely used design did allow that.

The next step in improving software security is to let qualified people, lots of them, look for hidden flaws. That includes cryptographers, but also the kinds of sideways-thinking people who like solving puzzles and doing things that are supposed to be impossible.


Security can backfire 

TSA inspector damages multiple aircraft.

Mechanics caught the problem in time. The part damaged was important enough that flights had to be delayed while it was fixed.

One aviation industry newsletter had a truly sulfurous comment.


Privacy and "I've got nothing to hide" 

Earlier this month, the news came out that Best Western exposed the records of 8 million customers.

The information that got out included credit card numbers, which are of obvious interest to criminals, and maybe worse, information about future bookings. That's right, it's possible that crooks now know when people are going to be out of town and where they live.

Privacy contributes to safety and the rule of law.


Voting machines! Again! 

Premier Election Solutions (formerly Diebold) machines in Ohio fail to count votes. As far as anyone knows it's just a normal bug.

Premier Election Solutions started off by blaming the problem on a conflict with anti-virus software. I was trying to find a way to explain why that sounds wrong to a security person, but someone beat me to it. My favorite nerdy cartoon about antivirus on voting machines.

It's a bad sign when a system has a bug that serious in something that mission-critical and it didn't get caught in testing. Ohio's Secretary of State is suing.


Sorry you haven't heard from me in a while 

I fell way behind on the sources I normally follow to bring you news and commentary. I'll try to do better.


Thursday, May 29, 2008

Flash, AGAIN 

Youtube videos, and a lot of those annoying flashing ads, come to you courtesy of a third-party plugin ("Flash") in your browser. Sometimes it has security vulnerabilities that let the files it shows take over your computer. It's got one now, and last I heard there was no patch available. Meantime bad guys are taking over legitimate web sites and using them to send you hostile Flash files.

You're fairly well protected if you're a Firefox user and have the NoScript extension installed.

If you run Internet Explorer, you can either temporarily disable or uninstall Flash. I recommend uninstalling it and then, if you want, reinstalling it later after there's a fix for the current problem. Here are instructions for uninstalling the Flash plugin. Youtube, a number of games, and a lot of annoying ads will stop working until you reinstall.


Monday, May 05, 2008

If you're not doing anything wrong, why worry about privacy? 

One answer to that question is that you might have just broken up with someone who has access to a government database. Information Week reports on a Federal agent indicted for stalking an ex-girlfriend using a government database.

What we have to insist on as citizens is accountability. That case could have been much worse if it had happened in secret.


Tuesday, April 29, 2008

Voting machines! Sequoia in New Jersey this time 

A Princeton professor, Ed Felten, has been unofficially studying the Sequoia voting machines used in NJ.

He's been finding problems, such as more votes being recorded in the Republican primary than were recorded for Republican turnout.

If you like details, he's got a highly readable blog. Some relevant posts in it are the ones about The first report of discrepancies, the response to Sequoia's explanation, and data that contradict Sequoia's explanation.

You don't need details to figure this one out, though. First you check whether Dr. Felten is a level-headed guy who just reports what he sees. Here's one quote:
...this doesn’t look like fraud, only error. A malicious attacker who had access to a machine would have had much more powerful, and much less detectable, options at his disposal.

Second you look at Sequoia's response. How confident do you feel with elections in the hands of a company that responds to bug reports with thinly veiled legal threats against Dr. Felten?


Thursday, April 24, 2008

Great article about malicious software 

Ars Technica explains malicious software.

This is good because it explains the "why" of software that does bad things on your computer, explains the different ways it can get installed, warns you of the bait that some of it uses to persuade you to run it, and names names.

It's almost completely nontechnical.


Friday, April 18, 2008

It's time to update Flash Player again 

See previous article about how to uninstall and update Adobe Flash Player.

A researcher found a very clever way to use a Flash vulnerability to take over a computer. Adobe's issued a fix.

To find out what version of Flash you have and what version you need, visit Adobe's Flash version check page. If you're running NoScript, choose "temporarily allow Adobe" to allow the page to work properly.


Saturday, April 12, 2008

Another scary article about attacking the power grid 

Network World says "Experts hack power grid in no time".

I've been to some talks about this issue. In some ways it's not as bad as it sounds. If you got into the control network, you'd still have to figure out what labels like "Relay 1225-A" meant. Disgruntled former insiders teamed with network intruders could be a dangerous combination, and so could infiltrators: but someone who got a job at a power company wouldn't need to break into the network.

Utilities definitely need to segregate their control networks from the wild Internet, though.


Here's how sophisticated the attacks are getting 

Business Week article alleging that attacks on government and contractors are from foreign spies.

A vice president at a defense contractor got email carefully customized to him to trick him into opening it. It seemed to come from one of his regular correspondents. It discussed a subject he was likely to be interested in. It used the jargon and acronyms that are standard in his industry. But it also contained a toxic payload, one which recorded all his keystrokes.

Business Week doesn't say whether the payload was an attachment or some kind of security exploit that depends on a bug in your system.

It's getting hard to protect yourself. Antivirus is getting less reliable over time, and if someone writes custom malware for espionage purposes then antivirus software may not recognize it. Being suspicious of attachments is still good, but that email looked exactly like expected correspondence. Patching is still a good idea and there's research that shows it's effective at least against malicious web sites.


Army tests troops with phishing email 

The US Army sent out forged email offering free event tickets if the recipients went to a fake web site that collected personal information.

There's a right way and a wrong way to do this, and the article doesn't say which it was. The right way is to use an exercise like this to measure and to educate. The wrong way is to punish people for getting fooled.

But tentatively, I say "good for them".


The criminal economy is big and sophisticated 

Attacks are big business:

Information Week article about the cybercrime economy.


Tuesday, April 08, 2008

Do you have an ATT 2Wire DSL modem ("Home Portal")? 

They have a security problem. To make a long story short, they made several mistakes and as a result someone can reprogram your modem by getting you to visit a malicious web page. In particular they can change where you go when you try to visit a particular site, for example your bank.

Worse yet, bad guys are taking advantage of this now.

I've heard conflicting stories about whether there's a fix yet. Email support@2wire.com and ask whether there's a firmware update that fixes "CVE-2007-4389".

There are ways to protect yourself in the absence of a fix, but they're too complicated for normal people.
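The modem bug's details aren't on this page, so here is an added example, my own code and not 2Wire's, of the general pattern the description matches: a cross-site request forgery, where a configuration page accepts changes from any web page the user happens to visit, shown next to a version that requires a real session, a same-origin check and a form token. Everything in it is hypothetical: the /dns/add path, the 192.168.1.254 address, the "changeme" default password and the request format are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical values for the example; a 2Wire unit's real paths and defaults are not on this page.
MODEM_ORIGIN = "http://192.168.1.254"
ATTACKER_ORIGIN = "http://evil.example"


@dataclass
class Request:
    method: str
    path: str
    params: dict
    headers: dict
    cookies: dict


@dataclass
class Modem:
    admin_password: str = "changeme"                     # assumed factory default
    dns_overrides: dict = field(default_factory=dict)    # host -> IP the modem will answer with
    sessions: dict = field(default_factory=dict)         # session id -> per-session CSRF token


def handle_vulnerable(modem: Modem, req: Request) -> int:
    """Assumed-vulnerable pattern: a configuration change on any request that
    names the path, with no login, no method check and no token. An
    <img src="http://192.168.1.254/dns/add?host=...&ip=..."> on any page the
    victim visits is enough to redirect a bank's name to an attacker's server."""
    if req.path != "/dns/add":
        return 404
    modem.dns_overrides[req.params["host"]] = req.params["ip"]
    return 200


def login(modem: Modem, password: str):
    """Returns a session id bound to a fresh CSRF token, or None on a bad password."""
    if not hmac.compare_digest(password, modem.admin_password):
        return None
    sid = secrets.token_hex(16)
    modem.sessions[sid] = secrets.token_hex(16)
    return sid


def handle_hardened(modem: Modem, req: Request) -> int:
    """State changes need POST, a logged-in session, a same-origin Origin or
    Referer header, and the session's CSRF token echoed back in the form body."""
    if req.path != "/dns/add":
        return 404
    if req.method != "POST":
        return 405
    token = modem.sessions.get(req.cookies.get("session"))
    if token is None:
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(MODEM_ORIGIN):
        return 403  # the request was launched from another site
    if not hmac.compare_digest(req.params.get("csrf", ""), token):
        return 403  # a hostile page cannot read the token out of the victim's session
    modem.dns_overrides[req.params["host"]] = req.params["ip"]
    return 200


def cross_site_image_request() -> Request:
    """What a hostile page's <img> tag produces: a GET with the Referer
    pointing at the attacker, and no cookies needed in the vulnerable design."""
    return Request("GET", "/dns/add",
                   {"host": "bank.example", "ip": "203.0.113.5"},
                   {"Referer": ATTACKER_ORIGIN + "/page.html"}, {})


def cross_site_form_request(sid: str) -> Request:
    """What an auto-submitted hidden form produces: the browser attaches the
    victim's session cookie, but the Origin is the attacker's site and the
    CSRF token is a guess."""
    return Request("POST", "/dns/add",
                   {"host": "bank.example", "ip": "203.0.113.5", "csrf": "guess"},
                   {"Origin": ATTACKER_ORIGIN}, {"session": sid})


def legitimate_request(modem: Modem, sid: str) -> Request:
    """A change made from the modem's own admin page, token and all."""
    return Request("POST", "/dns/add",
                   {"host": "printer.lan", "ip": "192.168.1.20", "csrf": modem.sessions[sid]},
                   {"Origin": MODEM_ORIGIN}, {"session": sid})
```

The hardened handler rejects a request that carries neither Origin nor Referer, which is the safe default for a device whose only legitimate client is its own admin page; the token check is what still holds if a browser or proxy strips those headers.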


Monday, April 07, 2008

How a street-smart user handles a suspicious situation 

I needed some information from my bank about an outstanding loan, clicked the relevant link, and wound up at a page telling me I needed to re-establish my online account.

This made me wonder "where am I"? I checked my anti-phishing Firefox extension and found that I was on a site I'd never been to before.

At this point, two of my suspicion flags had been triggered. First, someone was asking for credentials after I'd already logged in, second, I wasn't on my bank's web site any more.

I was at .loanadministration.com. I wondered whether that was legitimate. Some phishing sites have had names like that.

Phishing sites pop up and disappear in a matter of days, so I figured I'd check whether it had been around for a while. There are several ways to check that, but I simply Googled it and found plenty of references, including one that included a company name I recognized as my bank's outsourced loan processor.

So it was all right after all, but if you ever see a situation like that one you should check it out before you type sensitive information.


If your online banking account gets cleaned out, will your bank cover it? 

That depends on where you live. In the UK, "The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection."

I wonder if that means they require Mac users to install anti-virus software.


Voting machines again 

What makes me mad about this next story is that it's not even a security issue, it's an issue of prudent shopping. When you buy something big or important you should have the opportunity to get an independent evaluation of it.

But if you're New Jersey, and you want to use voting machines from Sequoia, Sequoia will threaten to sue if you hire an outside expert to examine their voting machines. The outside expert reported finding cases where the machines, without being hacked, were adding up votes wrong.

Meanwhile, voting machines are more expensive than advertised.


Wednesday, March 19, 2008

"And a function that tracked changes to the machines was purposely turned off." 

Ohio investigates reported voting machine irregularities.

A candidate's name was grayed out on some ballots but not on others. Local authorities had turned off the automatic logging of software changes.

This may turn out to be a legitimate error of some kind, but it's a great illustration of one of the major problems with electronic voting machines. If someone wants to tamper with them, it may not be possible to track that person or even to tell that the tampering happened.

In a discussion about this on the nerd forum Slashdot, a user called TripMasterMonkey pointed out a story about negligent exposure of voter registration records in Pennsylvania. That was the result of an elementary programming error. The important lesson there is that the people running your elections department may not be the experts you would hope for.


Tuesday, March 18, 2008

I'm really starting to like this Rich Mogull guy 

Mac users, I highly recommend this article about OS X 10.5 Leopard security features. It's clear, informed, and does well at the really hard problem of being both accurate and understandable.


And you thought zip files were boring 

.ZIP files are only one of a whole class of files used to compress and package groups of other files. Antivirus programs need to understand how to look inside such things; otherwise viruses could escape detection by hiding inside .ZIP or other files.

So far, so good.

But what if the software that looks inside those files can be crashed by badly or maliciously formed input? Remember that if you can crash a program you're only one step from taking it over. And remember that your antivirus software has lots of privileges on your computer.

Researchers in Finland wrote a program to make random changes to a wide range of packed file formats and tested several products that read the files. Quite a few crashed.

They let the software makers know. A lot of the open source products are already fixed. On the commercial side, F-Secure has already rolled out fixes and Symantec, who makes the Norton products, was already OK.

Details for your technical friends:
Test results for "fuzzing" of archive file formats.
CERT advisory on archive format vulnerabilities
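For the technical friends, here is a toy version of the researchers' approach, written for this post as an added illustration (it is not their tool and not an antivirus engine): it builds a small ZIP in memory, overwrites a few random bytes, and records whether Python's zipfile module refused each mutant cleanly or failed in some unexpected way. Which exceptions count as a clean refusal, and the 1 MiB per-member cap, are my own assumptions.

```python
import io
import random
import zipfile
import zlib

MEMBER_CAP = 1 << 20  # never inflate more than 1 MiB per member (zip-bomb guard)
GRACEFUL = (zipfile.BadZipFile, zlib.error, NotImplementedError,  # "malformed input,
            RuntimeError, EOFError, UnicodeDecodeError)           # cleanly refused"

def build_sample_zip() -> bytes:
    """Constructed sample: two harmless text members with fixed timestamps (same bytes every run)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("readme.txt", b"constructed test archive\n"),
                              ("data/notes.txt", b"second member\n" * 40)):
            info = zipfile.ZipInfo(name, date_time=(2008, 3, 18, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload)
    return buf.getvalue()

def mutate(data: bytes, rng: random.Random, max_flips: int = 8) -> bytes:
    """Mutation fuzzing: overwrite a few random bytes, leaving the rest of the file intact."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def scan_archive(data: bytes) -> int:
    """Stand-in for an antivirus engine's archive walker: read every member (capped)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                member.read(MEMBER_CAP)
        return len(zf.infolist())  # number of members read without error

def fuzz(seed: int, iterations: int) -> dict:
    """Feed mutated archives to the walker and tally how each one was handled."""
    rng, base = random.Random(seed), build_sample_zip()
    tally = {"ok": 0, "rejected": 0, "unexpected": {}}
    for _ in range(iterations):
        try:
            scan_archive(mutate(base, rng))
            tally["ok"] += 1
        except GRACEFUL:
            tally["rejected"] += 1
        except Exception as exc:  # anything else is the kind of bug fuzzing hunts for
            name = type(exc).__name__
            tally["unexpected"][name] = tally["unexpected"].get(name, 0) + 1
    return tally
```

In real use you would point scan_archive at the engine under test and keep every mutant that lands in the "unexpected" bucket as a reproducer for the vendor.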


Good advice for Mac users 

I agree with almost everything in Mac security expert Rich Mogull's article about security precautions for Mac users. I'd add being cautious about downloaded software. Also be careful with Microsoft Office documents: macro viruses will spread just fine between Mac and Windows systems.


Sunday, March 16, 2008

But don't expect too much from a fingerprint-controlled nerdstick 

Some of them will just roll over and give you access if you tickle them with a free tool. Technical details of the vulnerability of fingerprint-based USB drives.


Roundup of secure nerdsticks at Computerworld 

Summary of Computerworld's review of secure flash drives.

In real life, I'd suggest choosing on the basis of ease of use. If it's too hard to use, you won't use it, and then when you lose your tiny little nerdstick you'll lose control of all the data on it.


Friday, February 01, 2008

Would you trade privacy for increased security? 

My favorite security writer, Bruce Schneier, writes about the tradeoff between security and privacy.

A cartoon about the security and privacy tradeoff


Saturday, January 26, 2008

You can't rely on avoiding bad neighborhoods any more 

According to one security firm, Finjan, 80% of the web sites carrying malicious code are legitimate sites taken over by criminals: http://www.securityfocus.com/columnists/463/1


Tuesday, January 22, 2008

Change the password on your router 

Where your home network meets the outside network, you've got a box of some sort: a wireless access point, a cable modem, or something. It's got a little web page of its own where you can control it. Which you haven't needed to look at since you first set it up, in all probability.

It's time to go back there again, because a theoretical threat has just become a real one, and you need to change the box's password to counter the threat.

Simply by getting you to visit a maliciously coded web page, an attacker can reconfigure your router to redirect connections to your bank over to a phishing site. They have to know the password to make that work, but unless you changed it during setup it's still at a factory default that anyone can look up on the web.


Tuesday, January 15, 2008

Macs are getting targeted more and more 

One of the problems that's plagued people on Windows machines is that criminals peddle fake security software. The phony software may simply induce you to buy it by always "finding" problems when you do a "free" scan. In extreme cases it may even compromise your system.

Now that Macs are more common and are a more tempting target, that particular scourge is starting to arrive for the Mac platform. According to security firm F-Secure, a Mac spyware scanner is so bogus that if you run it on a Windows machine it reports "finding" problems in places that only exist on Macs.

Buy only from places with names you recognize, or that your technical friends or your security consultant recommends.


Friday, January 11, 2008

You keep your operating system up to date, but what about everything else? 

There have been security problems with media players, PDF readers, VOIP software, and probably some other things I've forgotten about. These programs don't necessarily have an easy way to check for updates and install them. But if you run old versions they can be a security risk.

Security firm Secunia has released a tool called the Personal Software Inspector which you can download and run to get an inventory of what software you have installed and whether it's up to date with patches. It's only licensed for use on non-business machines, so I haven't been able to test it for you.

One of the questions I would ask if I were testing it would be whether it gives false alarms. Not every old version is an insecure version.

Secunia is a reputable company, so don't be afraid of downloading software from them.


Do you watch videos with Quicktime? 

There's a new security bug in Apple's Quicktime media software which could allow your computer to get taken over. This is not the same Quicktime security bug that Apple fixed on December 13. Someone announced details of it without telling Apple first, so it will be a while before we get a fixed version of Quicktime. Meanwhile the bad guys know about it.

If I'm reading this right, all you have to do is click on a link to be affected.

If you uninstall Quicktime and reinstall it when the fix comes out, you should be OK.

UPDATE 1/15/2008:

Apple has released a fix. When Software Update offers to install it, remember that it's important and that you want it.

