Monday, May 05, 2008
If you're not doing anything wrong, why worry about privacy?
One answer to that question is that you might have just broken up with someone who has access to a government database. Information Week reports on a Federal agent indicted for stalking an ex-girlfriend using a government database.
What we have to insist on as citizens is accountability. That case could have been much worse if it had happened in secret.
Tuesday, April 29, 2008
Voting machines! Sequoia in New Jersey this time
A Princeton professor, Ed Felten, has been unofficially studying the Sequoia voting machines used in NJ.
He's been finding problems, such as more votes being recorded in the Republican primary than were recorded for Republican turnout.
If you like details, he's got a highly readable blog. Some relevant posts in it are the ones about the first report of discrepancies, the response to Sequoia's explanation, and data that contradict Sequoia's explanation.
You don't need details to figure this one out, though. First you check whether Dr. Felten is a level-headed guy who just reports what he sees. Here's one quote:
...this doesn’t look like fraud, only error. A malicious attacker who had access to a machine would have had much more powerful, and much less detectable, options at his disposal.
Second you look at Sequoia's response. How confident do you feel with elections in the hands of a company that responds to bug reports with thinly veiled legal threats against Dr. Felten?
Thursday, April 24, 2008
Great article about malicious software
Ars Technica explains malicious software.
This is good because it explains the "why" of software that does bad things on your computer, explains the different ways it can get installed, warns you of the bait that some of it uses to persuade you to run it, and names names.
It's almost completely nontechnical.
Friday, April 18, 2008
It's time to update Flash Player again
See previous article about how to uninstall and update Adobe Flash Player.
A researcher found a very clever way to use a Flash vulnerability to take over a computer. Adobe's issued a fix.
To find out what version of Flash you have and what version you need, visit Adobe's Flash version check page. If you're running NoScript, choose "temporarily allow Adobe" to allow the page to work properly.
Saturday, April 12, 2008
Another scary article about attacking the power grid
Network World says "Experts hack power grid in no time".
I've been to some talks about this issue. In some ways it's not as bad as it sounds. If you got into the control network, you'd still have to figure out what labels like "Relay 1225-A" meant. Disgruntled former insiders teamed with network intruders could be a dangerous combination, and so could infiltrators: but someone who got a job at a power company wouldn't need to break into the network.
Utilities definitely need to segregate their control networks from the wild Internet, though.
Here's how sophisticated the attacks are getting
Business Week article alleging that attacks on government and contractors are from foreign spies.
A vice president at a defense contractor got email carefully customized to him to trick him into opening it. It seemed to come from one of his regular correspondents. It discussed a subject he was likely to be interested in. It used the jargon and acronyms that are standard in his industry. But it also contained a toxic payload, one which recorded all his keystrokes.
Business Week doesn't say whether the payload was an attachment or some kind of security exploit that depends on a bug in your system.
It's getting hard to protect yourself. Antivirus is getting less reliable over time, and if someone writes custom malware for espionage purposes then antivirus software may not recognize it. Being suspicious of attachments is still good, but that email looked exactly like expected correspondence. Patching is still a good idea and there's research that shows it's effective at least against malicious web sites.
Army tests troops with phishing email
The US Army sent out forged email offering free event tickets if the recipients went to a fake web site that collected personal information.
There's a right way and a wrong way to do this, and the article doesn't say which it was. The right way is to use an exercise like this to measure and to educate. The wrong way is to punish people for getting fooled.
But tentatively, I say "good for them".
The criminal economy is big and sophisticated
Tuesday, April 08, 2008
Do you have an ATT 2Wire DSL modem ("Home Portal")?
They have a security problem. To make a long story short, they made several mistakes and as a result someone can reprogram your modem by getting you to visit a malicious web page. In particular they can change where you go when you try to visit a particular site, for example your bank.
Worse yet, bad guys are taking advantage of this now.
I've heard conflicting stories about whether there's a fix yet. Email support@2wire.com and ask whether there's a firmware update that fixes "CVE-2007-4389".
There are ways to protect yourself in the absence of a fix, but they're too complicated for normal people.
Monday, April 07, 2008
How a street-smart user handles a suspicious situation
I needed some information from my bank about an outstanding loan, clicked the relevant link, and wound up at a page telling me I needed to re-establish my online account.
This made me wonder "where am I"? I checked my anti-phishing Firefox extension and found that I was on a site I'd never been to before.
At this point, two of my suspicion flags had been triggered. First, someone was asking for credentials after I'd already logged in, second, I wasn't on my bank's web site any more.
I was at loanadministration.com. I wondered whether that was legitimate. Some phishing sites have had names like that.
Phishing sites pop up and disappear in a matter of days, so I figured I'd check whether it had been around for a while. There are several ways to check that, but I simply Googled it and found plenty of references, including one that included a company name I recognized as my bank's outsourced loan processor.
So it was all right after all, but if you ever see a situation like that one you should check it out before you type sensitive information.
If your online banking account gets cleaned out, will your bank cover it?
That depends on where you live. In the UK, "The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection."
I wonder if that means they require Mac users to install anti-virus software.
Voting machines again
What makes me mad about this next story is that it's not even a security issue, it's an issue of prudent shopping. When you buy something big or important you should have the opportunity to get an independent evaluation of it.
But if you're New Jersey, and you want to use voting machines from Sequoia, Sequoia will threaten to sue if you hire an outside expert to examine their voting machines. The outside expert reported finding cases where the machines, without being hacked, were adding up votes wrong.
Meanwhile, voting machines are more expensive than advertised.
Wednesday, March 19, 2008
"And a function that tracked changes to the machines was purposely turned off."
Ohio investigates reported voting machine irregularities.
A candidate's name was grayed out on some ballots but not on others. Local authorities had turned off the automatic logging of software changes.
This may turn out to be a legitimate error of some kind, but it's a great illustration of one of the major problems with electronic voting machines. If someone wants to tamper with them, it may not be possible to track that person or even to tell that the tampering happened.
In a discussion about this on the nerd forum Slashdot, a user called TripMasterMonkey pointed out a story about negligent exposure of voter registration records in Pennsylvania. That was the result of an elementary programming error. The important lesson there is that the people running your elections department may not be the experts you would hope for.
Tuesday, March 18, 2008
I'm really starting to like this Rich Mogull guy
Mac users, I highly recommend this article about OS X 10.5 Leopard security features. It's clear, informed, and does well at the really hard problem of being both accurate and understandable.
And you thought zip files were boring
.ZIP files are only one of a whole class of files used to compress and package groups of other files. Antivirus programs need to understand how to look inside such things, otherwise viruses could escape detection by hiding inside .ZIP or other files.
So far, so good.
But what if the software that looks inside those files can be crashed by badly or maliciously formed input? Remember that if you can crash a program you're only one step from taking it over. And remember that your antivirus software has lots of privileges on your computer.
Researchers in Finland wrote a program to make random changes to a wide range of packed file formats and tested several products that read the files. Quite a few crashed.
They let the software makers know. A lot of the open source products are already fixed. On the commercial side, F-Secure has already rolled out fixes and Symantec, who makes the Norton products, was already OK.
Details for your technical friends:
Test results for "fuzzing" of archive file formats.
CERT advisory on archive format vulnerabilities
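The researchers' fuzzer isn't on the page. As an added illustration, not from the post or from the Finnish team, here is a small Python mutation fuzzer that corrupts a constructed in-memory ZIP archive and records how the standard-library reader reacts; the sample archive contents and the list of "expected" rejection errors are my assumptions.

```python
# Added example: a minimal mutation fuzzer in the spirit of the archive-format
# testing described above. It builds a small ZIP archive in memory, corrupts
# random bytes, and feeds each corrupted copy to Python's standard-library ZIP
# reader, classifying the reaction. Illustrative code written for this page,
# not the researchers' tool or any product's test suite.
import io
import random
import zipfile
import zlib
from collections import Counter

# Constructed sample archive contents (not from the original post).
MEMBERS = {
    "readme.txt": b"hello from a constructed test archive\n",
    "data/numbers.csv": b"1,2,3\n4,5,6\n",
}


def build_sample_zip() -> bytes:
    """Return a small, valid ZIP archive built from MEMBERS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in MEMBERS.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mutate(data: bytes, rng: random.Random, max_edits: int = 8) -> bytes:
    """Return a copy of data with 1..max_edits random byte-level corruptions.

    The edits mix bit flips, random overwrites and 0xFF saturation; the last
    is useful because it pushes header length and offset fields to their
    maximum, which is where sloppy readers tend to misbehave.
    """
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_edits)):
        pos = rng.randrange(len(buf))
        roll = rng.random()
        if roll < 0.5:
            buf[pos] ^= 1 << rng.randrange(8)
        elif roll < 0.8:
            buf[pos] = rng.randrange(256)
        else:
            buf[pos] = 0xFF
    return bytes(buf)


def read_archive(data: bytes) -> int:
    """System under test: walk the central directory and decompress every
    member, as an antivirus engine must before it can scan the contents.
    Returns the total number of decompressed bytes."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += len(zf.read(info))
    return total


# Errors a reader is entitled to raise on malformed input (assumed list).
# Anything outside this set (IndexError, struct.error, MemoryError, a hang,
# an interpreter crash) is the kind of finding worth reporting to the vendor.
EXPECTED_REJECTIONS = (
    zipfile.BadZipFile,   # bad magic, bad CRC, truncated central directory
    zlib.error,           # corrupted deflate stream
    EOFError,             # stream ends before the declared size
    NotImplementedError,  # compression method changed to an unknown one
    RuntimeError,         # "encrypted" flag flipped on, password required
    OSError,              # bz2/lzma back ends report corruption this way
    ValueError,           # bad seek offsets, undecodable file names
)


def classify(data: bytes) -> str:
    """Run one input through the reader and label the outcome."""
    try:
        read_archive(data)
        return "accepted"        # parsed despite corruption
    except EXPECTED_REJECTIONS:
        return "rejected"        # clean error: the desired behaviour
    except Exception as exc:     # record everything else as a finding
        return "finding:" + type(exc).__name__


def run_campaign(iterations: int = 300, seed: int = 1) -> dict:
    """Fuzz the reader with `iterations` mutated archives and tally outcomes."""
    rng = random.Random(seed)
    seed_input = build_sample_zip()
    tally = Counter()
    for _ in range(iterations):
        tally[classify(mutate(seed_input, rng))] += 1
    return dict(tally)


if __name__ == "__main__":
    print("baseline bytes:", read_archive(build_sample_zip()))
    for outcome, count in sorted(run_campaign().items()):
        print(f"{outcome:>24}: {count}")
```

Any "finding:" line in the tally is an exception the reader's own error contract does not cover, which is exactly the class of result the researchers reported to vendors.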
Good advice for Mac users
I agree with almost everything in Mac security expert Rich Mogull's article about security precautions for Mac users. I'd add being cautious about downloaded software. Also be careful with Microsoft Office documents: macro viruses will spread just fine between Mac and Windows systems.
Sunday, March 16, 2008
But don't expect too much from a fingerprint-controlled nerdstick
Some of them will just roll over and give you access if you tickle them with a free tool. Technical details of the vulnerability of fingerprint-based USB drives.
Roundup of secure nerdsticks at Computerworld
Summary of Computerworld's review of secure flash drives.
In real life, I'd suggest choosing on the basis of ease of use. If it's too hard to use, you won't use it, and then when you lose your tiny little nerdstick you'll lose control of all the data on it.
Friday, February 01, 2008
Would you trade privacy for increased security?
My favorite security writer, Bruce Schneier, writes about the tradeoff between security and privacy.
UPDATE 2/3:
A cartoon about the security and privacy tradeoff
Saturday, January 26, 2008
You can't rely on avoiding bad neighborhoods any more
According to one security firm, Finjan, 80% of the web sites carrying malicious code are legitimate sites taken over by criminals: http://www.securityfocus.com/columnists/463/1
Tuesday, January 22, 2008
Change the password on your router
Where your home network meets the outside network, you've got a box of some sort: a wireless access point, a cable modem, or something. It's got a little web page of its own where you can control it. Which you haven't needed to look at since you first set it up, in all probability.
It's time to go back there again, because a theoretical threat has just become a real one, and you need to change the box's password to counter the threat.
Simply by getting you to visit a maliciously coded web page, an attacker can reconfigure your router to redirect connections to your bank over to a phishing site. They have to know the password to make that work, but unless you changed it during setup it's still at a factory default that anyone can look up on the web.
Tuesday, January 15, 2008
Macs are getting targeted more and more
One of the problems that's plagued people on Windows machines is that criminals peddle fake security software. The phony software may simply induce you to buy it by always "finding" problems when you do a "free" scan. In extreme cases it may even compromise your system.
Now that Macs are more common and are a more tempting target, that particular scourge is starting to arrive for the Mac platform. According to security firm F-Secure, a Mac spyware scanner is so bogus that if you run it on a Windows machine it reports "finding" problems in places that only exist on Macs.
Buy only from places with names you recognize, or that your technical friends or your security consultant recommend.
Friday, January 11, 2008
You keep your operating system up to date, but what about everything else?
There have been security problems with media players, PDF readers, VOIP software, and probably some other things I've forgotten about. These programs don't necessarily have an easy way to check for updates and install them. But if you run old versions they can be a security risk.
Security firm Secunia has released a tool called the Personal Software Inspector which you can download and run to get an inventory of what software you have installed and whether it's up to date with patches. It's only licensed for use on non-business machines, so I haven't been able to test it for you.
One of the questions I would ask if I were testing it would be whether it gives false alarms. Not every old version is an insecure version.
Secunia is a reputable company, so don't be afraid of downloading software from them.
Do you watch videos with Quicktime?
There's a new security bug in Apple's Quicktime media software which could allow your computer to get taken over. This is not the same Quicktime security bug that Apple fixed on December 13. Someone announced details of it without telling Apple first, so it will be a while before we get a fixed version of Quicktime. Meanwhile the bad guys know about it.
If I'm reading this right, all you have to do is click on a link to be affected.
If you uninstall Quicktime and reinstall it when the fix comes out, you should be OK.
UPDATE 1/15/2008:
Apple has released a fix. When Software Update offers to install it, remember that it's important and that you want it.
Thursday, January 10, 2008
SecurityFocus reports on a new thing to worry about
Digital picture frames and other devices may hold malicious software.
These days practically everything that uses electricity has a computer in it, and if not at least some memory.
I'm not sure what to tell you about protecting yourself. Anti-virus software is better than nothing.
Tuesday, January 08, 2008
Happy patchday! There's a critical one this time
Critical vulnerability in Windows networking.
This is like something from years and years ago. Someone can simply send network traffic to your computer and take it over completely.
If I'm reading right, a hardware firewall will prevent this attack, but what if you're on the road?
If you don't have automatic updates turned on, or if you're not sure, then update manually. This is one the bad guys will definitely want to take advantage of.
Another hazard of traveling with a laptop
If you cross an international border, Customs may ask to go through the contents of your laptop. Not only could that be fairly personal, it could compromise business secrets or worse. Imagine an attorney traveling with confidential client information. Or, for that matter, a security consultant like me.
You could encrypt the data, but the officer you're talking to could always demand the key. There are court cases in the US that might allow you to argue that handing over a key was self-incrimination and to refuse on that ground. Trying that at the border strikes me as a lousy idea guaranteed to raise suspicion and start a confrontation in which you'd be at a disadvantage. Not to mention being completely irrelevant in every country of the world except the US.
For now the options I see are
- Hope your confidential information doesn't get inspected
- Don't travel with your laptop, or at least remove all confidential material first (and hope you get it all)
- Hide your laptop in a bale of marijuana so it will get across the border undisturbed
Monday, January 07, 2008
Heads up for AdAware users
I've recommended LavaSoft's Ad-Aware anti-spyware program before. If you're using the free version, you need to know that there's a new version of Ad-Aware and that unless you got a paid version of the old package you'll no longer receive updates.
More information in Brian Krebs's column.
Your personal information gets compromised. Does it matter?
After the UK government lost disks with 25 million people's personal information, TV host Jeremy Clarkson raised the question of how much risk there actually was. It's a good kind of question to ask, but it's not so good to leap to conclusions, as Clarkson did when he said "Honestly, I've never known such a palaver about nothing".
He was so sure that the release of personal information couldn't make anything bad happen that, to dramatize his point, he published his bank account details.
Only one person took the bait, oddly enough, and stopped short of cleaning out the account. The thief "donated" 500 pounds from Clarkson's account to a charity.
Clarkson has admitted he was wrong.
Saturday, January 05, 2008
How to update Flash Player (you need to)
Blogger Michael Horowitz explains how to fix security problems caused by buggy versions of Adobe Flash Player, and even explains some of the Flash player update problems he had and how to fix them.
"Flash Player" is something you almost certainly have. It makes Youtube possible, but is also what enables a lot of those annoying ads. You care because it regularly has security bugs that allow a hostile web page to take over your computer, and a recent update fixes the known security bugs.
Follow Horowitz's detailed and hard-learned instructions to find out what version you have installed, how to remove it (which is more difficult than I'd expect), and if you have some reason, how to install the new improved version.
In addition, I recommend some form of blocking Flash content to protect you from the unknown security bugs (want to bet there aren't any?). My favorite Firefox extension, NoScript, does this.
Physical security: aviation
The February 2008 Consumer Reports, just mailed out to subscribers, has a disturbing article about aviation security with a really disturbing quote.
Retired TSA officer Larry Tortorich is quoted saying
There was a facade of security. There were numerous security flaws and vulnerabilities that I identified. The response was, it wasn't apparent to the public, so there would not be any corrective action.
In other words, what counts is what the public thinks, not whether flying is safe.
Another TSA officer, Bogdan Dzakovic, had this to say about reinforced cockpit doors:
People have this illusion hardened cockpit doors work, and they don't...If you want to have a secure door, you need to have a double-hulled door. El Al has double barriers to the cockpit. We don't.
Consumer Reports found lots of other breakdowns, too. People can get on airplanes with dangerous items. There aren't enough air marshals. And so on.
What is a trustworthy web site, part 3
This one is just disgusting.
In at least one case, criminals have steered traffic to a web site with malicious software by setting up a fake video memorial web site for an accident victim.
Visitors to the site were told that they needed software to view the video (alarm bells should be going off in your head at this point) and were given a link to click to download it. The software was spyware of course.
You can't ever let your guard down.
What is a trustworthy web site, part 2
Via Bruce Schneier's blog, well-known firm CA Security reports that Sears installs spyware on the machines of people who join the "Sears Community".
If the allegations are true, the tracking software
- Monitors secure sessions (websites beginning with 'https'), which may include shopping or banking sites.
The signup includes your name and email address, which means that any information collected isn't anonymous, but tied directly to you.
UPDATE: this is a separate issue from Sears disclosing your purchase history to third parties.
UPDATE 1/8:
Response from Sears
Further study from spyware researcher Ben Edelman
What is a trustworthy web site, part 1
Web browsers routinely have bugs that allow malicious web pages to take over your computer. If you fall behind on installing security patches, then you're at risk from any web page that includes evil software.
The old advice used to be to avoid porn, gambling, and pirated software web sites.
Unfortunately, criminals have figured out that they can pretend to be a legitimate company that advertises on the Web, buy ad space, put a toxic payload into their ads, and then have an ad broker display malicious content for them on zillions of legitimate web pages. Brian Krebs of the Washington Post writes that high-profile sites such as MySpace and Excite were infected by malicious advertising.
Your defenses start with keeping up with security patches. After that you might consider installing the AdBlock extension for Firefox. You can use it to block almost all online advertising if you also download a list of advertisers to block, like Filterset.G.
I've been reluctant to block all ads, since I can put up with the non-obnoxious ones and they help keep web sites I like in business. But I may soon conclude "safety first".
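To show how a blocking list like the one mentioned above actually decides what to block, here is an added example, written for this page and not code from AdBlock or the contents of Filterset.G: a small filter matcher in Python. The rule syntax is the kind those lists use (regular expressions between slashes as in Filterset.G; the `||host^`, `$third-party` and `@@` exception forms that Adblock Plus added), but the rules themselves, the host names and the page/resource pairs are constructed for the example, and the two-label domain comparison is a simplification.

```python
import re
from urllib.parse import urlparse

# Constructed rule list in the two styles ad-blocking lists use. These are
# examples, not any real list's contents, and the hosts are reserved example names.
RULES = [
    r"/\/ads?\//",                                   # regex: a path segment named "ad" or "ads"
    r"/^https?:\/\/[^\/]*\.adserver\.example\//",    # regex: any subdomain of an ad server
    "||adnetwork.example^$third-party",              # block this host only when another site embeds it
    "@@||news.example/ads/house-promo",              # exception: the newspaper's own promos stay
]


def compile_rule(text):
    """Turn one rule line into a compiled regex plus its flags."""
    exception = text.startswith("@@")
    if exception:
        text = text[2:]
    options = set()
    if text.startswith("/") and text.endswith("/") and len(text) > 2:
        pattern = re.compile(text[1:-1])             # raw regular expression rule
    else:
        if "$" in text:
            text, opts = text.rsplit("$", 1)
            options = set(opts.split(","))
        if text.startswith("||"):
            # ||host^ : any scheme, the host or any subdomain of it, ^ = separator or end
            body = re.escape(text[2:]).replace(r"\^", r"(?:[^\w.%-]|$)")
            pattern = re.compile(r"^[a-z]+://([^/]+\.)?" + body)
        else:
            pattern = re.compile(re.escape(text))    # plain substring rule
    return {"pattern": pattern, "exception": exception, "options": options}


COMPILED = [compile_rule(r) for r in RULES]


def site_of(url):
    """Registrable domain, simplified to the last two labels (real blockers use
    the Public Suffix List so names like example.co.uk are handled)."""
    return ".".join((urlparse(url).hostname or "").split(".")[-2:])


def should_block(resource_url, page_url, rules=COMPILED):
    """True if `resource_url`, requested by the page at `page_url`, is blocked.
    Exception (@@) rules win over blocking rules, as in Adblock Plus."""
    third_party = site_of(resource_url) != site_of(page_url)
    blocked = False
    for rule in rules:
        if "third-party" in rule["options"] and not third_party:
            continue
        if rule["pattern"].search(resource_url):
            if rule["exception"]:
                return False
            blocked = True
    return blocked


if __name__ == "__main__":
    page = "https://news.example/story"
    for resource in ["https://adnetwork.example/banner.js",
                     "https://cdn.example/ads/300x250.gif",
                     "https://news.example/ads/house-promo.png",
                     "https://news.example/article/adventure.html"]:
        print(f"{'BLOCK' if should_block(resource, page) else 'allow'}  {resource}")
```

The `$third-party` option is what matters for the malvertising case: the same ad host is allowed when you visit it directly but blocked when some other page embeds it, which is exactly the path a poisoned ad takes onto a legitimate site. The anchored regex in the first rule also shows why careless patterns cause trouble: it matches `/ads/` but not a story at `/adventure.html`.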
Want to read more about voting machines?
The New York Times magazine writes about touch-screen voting machines.
It's a well researched article full of facts, even if it dismisses early critics of electronic voting machines as "fringe" and "scared senseless computer geeks". Security people argue about most things but I've never seen one defend electronic voting machines in their current form.
So the article is not too concerned about security, but gives a long list of reliability problems that e-voting systems have had. I mean a long list. Notice that this is a security problem in itself: imagine a partisan election official allocating the least reliable machinery to opposition precincts.
One lesson from recent changes in Ohio is that many problems can be avoided by thoughtful, careful election administration (a "model of professionalism", the article says). Do you know who's supervising your elections? Is he or she doing a good job?
It's worth reading. Remember that being an informed citizen is good for security.
Wednesday, January 02, 2008
What kind of year will 2008 be in security?
It will be average.
You know, average. Not as good as 2007, but better than 2009.
The people I know who administer large networks are starting to base their policies on assuming they've already been broken into.
Malware is apparently running ahead of anti-virus software, and the remote control software that enslaves your PC to criminals is getting sophisticated and hard to detect.
You can keep yourself better off than others by being street smart. These days the two most important things I can recommend are to keep your software up to date and to be really really careful about what software you download.
Saturday, December 22, 2007
Upgrade Adobe Flash Player
You almost certainly have it installed as a browser plugin: it's what makes those animated ads work.
It also has serious security vulnerabilities that could allow your computer to be taken over if you visit the wrong web site (or if a legitimate web site displays the wrong ads).
See Adobe's instructions for installing the Flash patch.
Friday, December 21, 2007
The best things in life are free
My colleague Peter Gregory has a list of good free security tools. Enjoy.
Trends in the virus/antivirus arms race
Your antivirus software works two different ways. It checks things against a list of known viruses, like a police officer scanning people's faces against the wanted list. It also looks for suspicious behavior, like a police officer stopping someone who is acting strangely.
Lots of new viruses come out every day. That's why it's so important to keep up with the automatic updates for your antivirus software. That also tells you that there are always viruses that are too new for your antivirus software to know about, so it's really important that it be able to recognize virus-like behavior.
Unfortunately today's crop of viruses is pretty good at evading suspicion. A recent German study of antivirus software found that most antivirus products could detect only 20-30% of viruses not already on their watch lists. Even the most successful one, NOD32 from eSet, only caught 68%.
Your best defense is to be careful what you download.
English article about the German study
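As an added illustration of the two detection methods described above, here is a toy scanner in Python. It is example code written for this page, not from the German study or from any antivirus product: it keeps a wanted list of hashes and byte patterns, scores suspicious capabilities as a behaviour-style heuristic, and shows which kinds of new variant each method catches. The samples, signature names, weights and the one-byte XOR "packer" are all constructed; nothing here is real malware.

```python
import hashlib

# Constructed for illustration: short byte strings stand in for executables,
# and the "packer" is a one-byte XOR. None of this is real malware.
XOR_KEY = 0x5A
API_STRINGS = [b"URLDownloadToFileA", b"WriteProcessMemory", b"CreateRemoteThread"]
C2_HOST = b"c2.example.invalid"   # .invalid is a reserved top-level domain


def build_sample(order=(0, 1, 2), c2=C2_HOST, packed=False):
    """Assemble a pretend executable: a 4-byte header, then API names and a
    control-server host. `order` permutes the strings (a recompiled variant),
    `c2` changes the host, and `packed` XORs the body so the strings are not
    visible until the sample unpacks itself at run time."""
    body = b"\x00".join([API_STRINGS[i] for i in order] + [c2])
    if packed:
        body = bytes(b ^ XOR_KEY for b in body)
    return b"MZ\x90\x00" + body


# The "wanted list": the hash of the sample as first seen, plus a byte pattern
# taken from it. Daily signature updates add entries here.
KNOWN = build_sample()
HASH_SIGS = {hashlib.sha256(KNOWN).hexdigest(): "Trojan.Example.A"}
BYTE_SIGS = {b"URLDownloadToFileA\x00WriteProcessMemory": "Trojan.Example.A"}


def signature_scan(data):
    """Name of the matching signature, or None when the sample is not on the list."""
    name = HASH_SIGS.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in BYTE_SIGS.items():
        if pattern in data:
            return name
    return None


# Heuristic: each capability is common on its own, but a program that downloads
# files AND writes into other processes AND starts threads in them looks like a
# dropper. Weights and threshold are constructed for the example.
SUSPICIOUS = {b"URLDownloadToFile": 2, b"WriteProcessMemory": 3, b"CreateRemoteThread": 3}
THRESHOLD = 5


def heuristic_score(data):
    return sum(weight for marker, weight in SUSPICIOUS.items() if marker in data)


def unpack(data):
    """Stand-in for an emulator or sandbox: let the sample's own unpacking run
    (here, undo the XOR) so the strings it hid become visible."""
    return data[:4] + bytes(b ^ XOR_KEY for b in data[4:])


def scan(data, emulate=False):
    """Verdict for one sample: 'signature', 'heuristic', 'heuristic-after-unpack'
    or 'clean' (which for a packed sample means a miss)."""
    if signature_scan(data):
        return "signature"
    if heuristic_score(data) >= THRESHOLD:
        return "heuristic"
    if emulate and heuristic_score(unpack(data)) >= THRESHOLD:
        return "heuristic-after-unpack"
    return "clean"


if __name__ == "__main__":
    for label, sample in [("original", KNOWN),
                          ("new C2 host", build_sample(c2=b"other.example.invalid")),
                          ("reordered", build_sample(order=(2, 1, 0))),
                          ("packed", build_sample(packed=True))]:
        print(f"{label:12} static: {scan(sample):10} with emulation: {scan(sample, emulate=True)}")
```

Run it and the pattern is the one the study found: a byte-pattern signature survives a change of control server where a plain hash does not, the heuristic still catches a reordered rebuild, and a packed variant sails past both static checks until something actually lets it unpack. Packing is cheap for the criminals, which is why "be careful what you download" is still the first line of defense.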
The Wall Street Journal reviews small shredders
Anjali Athavaley has a review of 5 home paper shredders on page D3 of the Thursday Wall Street Journal.
The cheapest one that will eat CDs is the Royal Desktop Crosscut Shredder, $50 from royal.com. As with most of them, the opening is small enough that you have to fold paper to fit before you shred it. The cheapest that will take a full size piece of paper unfolded is the Staples Mailmate M3, for $80.
Is it pure paranoia to worry about whether someone might rifle through your recycling bins looking for sensitive information? Well, my neighborhood has been hit by mail thefts, presumably by identity thieves, and someone who steals your recyclables instead of your mail can get almost as much information without risking a Federal prosecution.
Saturday, December 15, 2007
Ohio finishes study of voting machines
“All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election,” said the study team.
Article with responses by voting machine vendors.
Text of the voting machine study.
Friday, December 14, 2007
Mac video users, an update you should get right away
Apple's Quicktime media player has some security problems. Apple's finally released a fix. You'll be asked to install it within a week anyway, but if you play lots of video from the net I'd suggest doing the upgrade right away.
Go to System Preferences, the one with the icon like a light switch. Under System, choose Software Update. Click Update Software, and Check Now. Accept the Quicktime update.
Security firm Symantec reports that bad guys are using the Quicktime vulnerabilities today.
Thursday, December 13, 2007
Good article about how to spot dangerous e-cards
http://www.csmonitor.com/2007/1213/p13s01-stct.html?page=2
Wednesday, December 12, 2007
HP laptops this time
Have you ever wondered why security people start making pained faces whenever they hear about some cool-sounding useful feature?
It's because they've seen too many things that looked good go horribly wrong.
Via The Register, there's a report that the "HP Info Center" software on HP laptops, which does several useful and powerful things, can be triggered to do them by any web page you visit, and some of those things are very useful to an attacker.
Technical details of the HP laptop vulnerability for your technical friends.
Pending a fix from HP, the best way to avoid this is not to use Internet Explorer.
Wednesday, December 05, 2007
Does it seem hard to keep your PC secure?
My favorite security writer says it's not your fault, that Computers are just too hard for normal people to use securely.
I'm not sure it's that bad. A lot of computer security is just a matter of applying your normal street smarts to your online world. You know that someone who appears out of nowhere trying to sell you drugs does not have your best interests at heart, whether he whispers out of an alley or sends you spam.
Curious about the details of password guessing programs?
This is for people who like to look under the hood.
My favorite security writer discusses how password cracking programs make their guesses and how fast they work. He uses that information to explain how to choose a good password.
This is interesting - Rohrschach passwords
Use inkblots as a password hint.
It's down as I write this, but the idea Microsoft Research came up with was to present you with a series of inkblots. What you do is think of a word for what the inkblot looks like to you, which is presumably different from what someone else would think of, and then you use the first and last letter of that word as part of a password.
So if you saw a butterfly, a train, a chimney and Madonna, you'd pick a password of "bytncyMa", but you'd be able to remember it by association with the pictures. Someone else looking at the same inkblots might see a flower, a sausage, a box and Cher, so they'd pick "frsebxCr".
It's still a research project. There are lots of open questions, and the privacy statement tells you right up front that they're recording everybody's word choices. In other words, it's not for serious passwords yet. One issue I thought of immediately is that most people aren't going to think of words outside a set of a few tens of thousands at most. Most of the words you know, for example "knowledge" or "abstraction", are not going to be words you'd use to label a picture. The password therefore won't be as strong as a truly random one, and should be made longer to compensate. At an uninformed guess I'd recommend six pictures: in a little while Microsoft Research will know for sure.
This gives me an idea: your employer may forbid you to write down your password, but I bet they don't have any rules about making cryptic doodles that look like something from your preschooler. You could use a password reminder that looks like refrigerator art and as long as you put in a number and a special character you could have a strong password without having to memorize it.
Infoworld article about inkblot passwords
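To put numbers on both of the posts above, the password-guessing one and the inkblot one, here is an added Python example, written for this page and not code from Schneier's article or from Microsoft Research. It runs a small dictionary-plus-rules guesser of the kind cracking programs use, computes the entropy of a truly random password, and works out the most an inkblot password can offer: each picture contributes only a first-and-last-letter pair, so at most 26 times 26 outcomes per picture however large your vocabulary. The word list, mangling rules and guess rate are constructed for the example.

```python
import itertools
import math

# Constructed six-word dictionary; a real cracker starts from lists of millions
# of words and applies far more mangling rules than the handful below.
WORDLIST = ["password", "butterfly", "dragon", "monkey", "letmein", "sunshine"]
LEET = str.maketrans("aeiost", "43105+")
SUFFIXES = ["!", "1", "123", "2008"]


def mangle(word):
    """Yield the guesses a rule-based cracker derives from one dictionary word,
    cheapest and most likely first: the word as-is, capitalised, upper-case,
    in leet-speak, then each of those with the suffixes people really use."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    yield from bases
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix
    for base in bases[:2]:            # two-digit years and ages: "dragon07", "Dragon99"
        for n in range(100):
            yield f"{base}{n:02d}"


def guesses_until_found(password, wordlist=WORDLIST):
    """How many guesses the dictionary-plus-rules attack needs before it hits
    `password`; None means the rules never produce it and the attacker is left
    with brute force over the whole alphabet."""
    candidates = itertools.chain.from_iterable(mangle(w) for w in wordlist)
    for count, guess in enumerate(candidates, start=1):
        if guess == password:
            return count
    return None


def brute_force_bits(length, alphabet_size):
    """Entropy of a truly random password of `length` symbols from the alphabet."""
    return length * math.log2(alphabet_size)


def inkblot_bits(pictures, case_sensitive=False):
    """Upper bound for the inkblot scheme: each picture contributes only the
    first and last letter of whatever word you thought of, so at most 26*26
    outcomes per picture no matter how large your vocabulary (many words share
    a letter pair, so the real figure is lower)."""
    letters = 52 if case_sensitive else 26
    return pictures * math.log2(letters * letters)


def pictures_needed(target_bits):
    """Fewest inkblots whose letter pairs could reach `target_bits` of entropy."""
    return math.ceil(target_bits / inkblot_bits(1))


def crack_seconds(bits, guesses_per_second):
    """Expected time to find a password with `bits` of entropy: on average the
    attacker has to try half the keyspace."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 1e9   # constructed guess rate: a billion per second
    for pw in ["password", "Butterfly1", "dragon07", "xK9#vQ2m"]:
        n = guesses_until_found(pw)
        print(f"{pw:12} {'found at guess ' + str(n) if n else 'not in rule set'}")
    random8 = brute_force_bits(8, 62)
    print(f"random 8-char alnum: {random8:.1f} bits, ~{crack_seconds(random8, rate) / 3600:.0f} h at {rate:.0e}/s")
    print(f"4 inkblots: at most {inkblot_bits(4):.1f} bits; need {pictures_needed(random8)} to match")
```

The point of the first half is that "Butterfly1" and "dragon07" fall in a few hundred guesses, which at a billion guesses a second is no time at all, while a random string is never produced by the rules and has to be brute-forced. The second half agrees with the guess in the inkblot post: four pictures cap out below 38 bits, a random 8-character alphanumeric password is about 47.6 bits, and six pictures are the fewest that could match it.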
Sunday, November 11, 2007
How not to be left holding the bag after Internet crime
What do crooks do when they steal someone's online banking password?
They don't want to transfer money to their own accounts directly and leave an arrow pointing straight at them. Instead, they launder the money through intermediaries. Sometimes they're not honest about recruiting their mules, imagine that.
The scam, a truly poisonous one, is to advertise a job handling financial transfers. The pitch is that you get money into your bank account, forward it to a Western Union destination or something of the sort, and keep a commission. The reality is that you're receiving money stolen from someone else's account, forwarding it to criminals, and profiting from the crime. This could be hard to explain to the authorities.
A fellow in the UK is making a hobby of exposing money transfer fraud. He gives many examples of the dishonest advertising and tips on avoiding it (no legitimate business wants to move its money through your personal bank account, and be realistic: you're not getting job offers in spam).
I found this link via the folks at anti-virus firm F-Secure, who have a video about recruitment of money mules.