Saturday, September 06, 2008
But are voting machines really dangerous in practice?
Spokesmen for the voting machine manufacturers like to say that the reported vulnerabilities are unrealistic in the context of an actual election, with all its tests and security procedures.
This is plausible. There are lots of cases in security work where it's OK to work around a problem with a cross-check instead of eliminating the problem altogether.
Are they right?
Princeton researcher Dan Wallach rebuts vendor claims in detail. He explains how an attacker or a corrupt official could do the same things his team did, and throw an election without getting caught.
|
This is plausible. There are lots of cases in security work where it's OK to work around a problem with a cross-check instead of eliminating the problem altogether.
Are they right?
Princeton researcher Dan Wallach rebuts vendor claims in detail. He explains how an attacker or a corrupt official could do the same things his team did, and throw an election without getting caught.
# posted by Frederick @ 4:21 PM Email to a friend:
View your online banking records without your password
This is a good example of how a simple feature change can create a security issue, and why security features that seem unnecessary can be important in practice.
Google's Chrome browser has a feature I've dreamed of for a long time. You can search the text of pages you've visited before. If you remember that you looked at a great recipe using arugula but can't remember where you found it, you can type "arugula" into Chrome's do-everything bar and it will find the page in your history with the word "arugula" in it. Nifty. Useful.
OK, but what about your online banking activity? It turns out that if you search for words like "balance" or "Visa" you'll bring up copies of pages that your online bank showed you, with potentially sensitive information on them. Humphrey Cheung reports on Chrome indexing banking records. You can't transfer money or anything like that, but it's an information leak.
If you want your banking activity to be confidential from other users of your computer, there is an answer. Use Chrome's "incognito" window, which turns off storing pages into your history. This is a good idea for any security-sensitive activity.
Also, turn off Chrome's autosuggest feature if you don't want Google to know everything you type into the do-everything bar.
|
Google's Chrome browser has a feature I've dreamed of for a long time. You can search the text of pages you've visited before. If you remember that you looked at a great recipe using arugula but can't remember where you found it, you can type "arugula" into Chrome's do-everything bar and it will find the page in your history with the word "arugula" in it. Nifty. Useful.
OK, but what about your online banking activity? It turns out that if you search for words like "balance" or "Visa" you'll bring up copies of pages that your online bank showed you, with potentially sensitive information on them. Humphrey Cheung reports on Chrome indexing banking records. You can't transfer money or anything like that, but it's an information leak.
If you want your banking activity to be confidential from other users of your computer, there is an answer. Use Chrome's "incognito" window, which turns off storing pages into your history. This is a good idea for any security-sensitive activity.
Also, turn off Chrome's autosuggest feature if you don't want Google to know everything you type into the do-everything bar.
# posted by Frederick @ 3:57 PM Email to a friend:
Friday, September 05, 2008
Alarming security bug in Google Chrome
Some security experts, whose names I can't find offhand, have discovered a bug in Google's new "Chrome" browser that could sidestep all of Chrome's security measures and take over your computer.
The good news is that it can only happen while you're saving a web page, there's no evidence of bad guys trying this in the wild, and it's unlikely that they will given how few Chrome installations there are.
What's alarming is that it's a kind of bug ("stack based buffer overflow") that can usually be avoided by checking a program with well-known tools, and which can usually be blocked from taking over your computer if the programmers use appropriate options when they translate the program from a human-readable computer language into an executable program.
Without the details, it's impossible to tell whether this is just the kind of accident that could happen to anybody, or whether Google has been overlooking precautions that should be standard procedure these days. If the latter, we'll know because there will be a flood of security bug reports in short order.
|
The good news is that it can only happen while you're saving a web page, there's no evidence of bad guys trying this in the wild, and it's unlikely that they will given how few Chrome installations there are.
What's alarming is that it's a kind of bug ("stack based buffer overflow") that can usually be avoided by checking a program with well-known tools, and which can usually be blocked from taking over your computer if the programmers use appropriate options when they translate the program from a human-readable computer language into an executable program.
Without the details, it's impossible to tell whether this is just the kind of accident that could happen to anybody, or whether Google has been overlooking precautions that should be standard procedure these days. If the latter, we'll know because there will be a flood of security bug reports in short order.
# posted by Frederick @ 5:13 PM Email to a friend:
Thursday, September 04, 2008
More thoughts about Google Chrome
Chrome will save passwords for you, but unlike Firefox it doesn't let you define a master password that protects all your stored website passwords.
This could be OK. I worry about future occurrences of a problem that happened in 2006, in which malicious code could put up a login form and fool a browser into entering a saved password silently without asking you first. With a master password in place, you'd get a reminder that your browser was about to retrieve and send a password. A master password also makes password storage more secure.
I've been reluctantly coming to the conclusion that the AdBlock Firefox extension is a security measure. Bad guys have figured out that they can expose zillions of people to malicious code by putting that code into an ad. Don't expect to see anything like AdBlock for a browser that comes from an advertising company.
My other favorite way to reduce my exposure, which is to minimize the number of pages I allow to run Javascript, isn't likely to find a home in Chrome. One of Chrome's main design goals is to have a better, stronger, faster Javascript engine.
This could all work out OK. Google has taken steps to limit the harm that web-based malware can do to you. If Google's paid enough attention in the right places, they might be producing a browser with fewer security bugs for bad web pages to exploit.
|
This could be OK. I worry about future occurrences of a problem that happened in 2006, in which malicious code could put up a login form and fool a browser into entering a saved password silently without asking you first. With a master password in place, you'd get a reminder that your browser was about to retrieve and send a password. A master password also makes password storage more secure.
I've been reluctantly coming to the conclusion that the AdBlock Firefox extension is a security measure. Bad guys have figured out that they can expose zillions of people to malicious code by putting that code into an ad. Don't expect to see anything like AdBlock for a browser that comes from an advertising company.
My other favorite way to reduce my exposure, which is to minimize the number of pages I allow to run Javascript, isn't likely to find a home in Chrome. One of Chrome's main design goals is to have a better, stronger, faster Javascript engine.
This could all work out OK. Google has taken steps to limit the harm that web-based malware can do to you. If Google's paid enough attention in the right places, they might be producing a browser with fewer security bugs for bad web pages to exploit.
# posted by Frederick @ 8:42 PM Email to a friend:
Wednesday, September 03, 2008
Latest word about Google's "Chrome" browser
Someone's already found the first security bug! It was a researcher named Aviv Raff, and it's not a biggy, but it sure is embarrassing. It's a bug in code that Google reused for their browser, that had already gotten fixed elsewhere. It allows a bad site to fill up your desktop with icons for potentially unwanted software.
Chrome will be both good and bad for your privacy. It has a mode where it stops logging your history on your local machine. On the other hand, and Google is commendably up-front about this, in order to generate suggested sites and searches, it's constantly sending information about every place you visit to Google. You can turn this off, but how many people will?
|
Chrome will be both good and bad for your privacy. It has a mode where it stops logging your history on your local machine. On the other hand, and Google is commendably up-front about this, in order to generate suggested sites and searches, it's constantly sending information about every place you visit to Google. You can turn this off, but how many people will?
# posted by Frederick @ 10:31 AM Email to a friend:
Monday, September 01, 2008
What you're up against
A software developer's blog has an example of a malicious web page displaying fake buttons and controls that look like part of Windows to trick you into downloading what they claim is an antivirus program.
It all started from a legitimate web site, too, which apparently got taken over somehow by scammers.
I'm not completely happy with the suggestions the blogger and the people in the comments had to offer. They suggest changing the way your real Windows interface looks so that imitations will look strange. Instead I'd suggest NoScript, which would have halted the example attack in its tracks, and one other thing. The point of all the deception was to trick you into downloading an executable file. You get a real warning at that point, which asks if you really want to save and run a file from the Internet. Say "no" to those unless you set out to download something that you have some reason to trust.
|
It all started from a legitimate web site, too, which apparently got taken over somehow by scammers.
I'm not completely happy with the suggestions the blogger and the people in the comments had to offer. They suggest changing the way your real Windows interface looks so that imitations will look strange. Instead I'd suggest NoScript, which would have halted the example attack in its tracks, and one other thing. The point of all the deception was to trick you into downloading an executable file. You get a real warning at that point, which asks if you really want to save and run a file from the Internet. Say "no" to those unless you set out to download something that you have some reason to trust.
# posted by Frederick @ 11:32 PM Email to a friend:
First reaction to Google's browser announcement
Google accidentally pre-announced a Google-brand web browser. It's not available to try out yet.
It's going to do some encouraging things about security. Google plans to "sandbox" the web applications running in their new browser, so that even if/when you browse to a malicious page it won't be able to do widespread damage to your computer. If I'm reading their claims correctly, they say they can stop keystroke loggers from working (not sure how that's possible).
Popups will be tied to the tab they came from and can't cover up other tabs.
There will be a few problems to watch out for, and things they can't possibly prevent and still be useful. The big issue is that they want their browser to be a place where sophisticated web apps can run. That means the browser has to be able to do all the sophisticated things the web app is supposed to do. Google tries to make sure the browser can't overwrite things on your hard disk, but by definition it has to be able to overwrite your Google Docs.
"Sandboxes" have been used before. What usually happens is that when they're new, clever people find a few ways that bad code can escape from them and do bad things that the sandbox was supposed to prevent. Then after a little while the holes in the sandbox get fixed and it works as designed.
Plugins are the area most likely to cause security problems for Google's browser. Plugins like Flash are designed to do a wide range of things, wider than the browser's normal security policy would permit. Plugins like Flash have had security problems time and again.
|
It's going to do some encouraging things about security. Google plans to "sandbox" the web applications running in their new browser, so that even if/when you browse to a malicious page it won't be able to do widespread damage to your computer. If I'm reading their claims correctly, they say they can stop keystroke loggers from working (not sure how that's possible).
Popups will be tied to the tab they came from and can't cover up other tabs.
There will be a few problems to watch out for, and things they can't possibly prevent and still be useful. The big issue is that they want their browser to be a place where sophisticated web apps can run. That means the browser has to be able to do all the sophisticated things the web app is supposed to do. Google tries to make sure the browser can't overwrite things on your hard disk, but by definition it has to be able to overwrite your Google Docs.
"Sandboxes" have been used before. What usually happens is that when they're new, clever people find a few ways that bad code can escape from them and do bad things that the sandbox was supposed to prevent. Then after a little while the holes in the sandbox get fixed and it works as designed.
Plugins are the area most likely to cause security problems for Google's browser. Plugins like Flash are designed to do a wide range of things, wider than the browser's normal security policy would permit. Plugins like Flash have had security problems time and again.
# posted by Frederick @ 11:14 PM Email to a friend:
How to recognize an attack
I ran into a suspicious web page the other day.
It opened from an unrelated search result. That's not a sign of a legitimate web page. What really gave it away was that it claimed to offer an antivirus product. Legitimate companies do legitimate advertising. If you see something unexpected suddenly offering you security software, be suspicious: it's like someone walking into your store off the street and offering you "protection".
A really good scam would have shown a web page that looked like a real business. This one didn't even have that much, not that there was any way to trust it at that point.
I looked at the page's inner workings briefly. It looked like it was set up to display all kinds of scary warnings and trick me into downloading a program from them. I didn't even see the scary fake warnings, because I'm running the NoScript extension to Firefox.
|
It opened from an unrelated search result. That's not a sign of a legitimate web page. What really gave it away was that it claimed to offer an antivirus product. Legitimate companies do legitimate advertising. If you see something unexpected suddenly offering you security software, be suspicious: it's like someone walking into your store off the street and offering you "protection".
A really good scam would have shown a web page that looked like a real business. This one didn't even have that much, not that there was any way to trust it at that point.
I looked at the page's inner workings briefly. It looked like it was set up to display all kinds of scary warnings and trick me into downloading a program from them. I didn't even see the scary fake warnings, because I'm running the NoScript extension to Firefox.
# posted by Frederick @ 10:48 PM Email to a friend:
Saturday, August 30, 2008
Rent "Hacking Democracy", the 2006 HBO documentary
It's a good introduction for a non-specialist. It leaves some things out, and I spotted one really minor error, but it's worth your time.
|
# posted by Frederick @ 11:13 PM Email to a friend:
Friday, August 29, 2008
If you have nothing to hide, you have nothing to fear?
A three-year-old in Dorset, England, is having trouble sleeping at night. She's afraid there's a man outside watching her.
There's a reason. Government employees were following her family to and from school for three weeks, making records such as "female and three children enter target vehicle and drive off" and "curtains open and all lights on in premises".
But, we are told, we have to trade some privacy for security. Let's take a look at the public safety implications, and see if they justify following kids to school and scaring a three-year-old.
The surveillance was to assess whether the family really lived in the coverage area of the school they applied to. (They did, by the way).
The Poole borough spying case.
Ask tough questions if your government tells you they need to invade your privacy in the name of security.
|
There's a reason. Government employees were following her family to and from school for three weeks, making records such as "female and three children enter target vehicle and drive off" and "curtains open and all lights on in premises".
But, we are told, we have to trade some privacy for security. Let's take a look at the public safety implications, and see if they justify following kids to school and scaring a three-year-old.
The surveillance was to assess whether the family really lived in the coverage area of the school they applied to. (They did, by the way).
The Poole borough spying case.
Ask tough questions if your government tells you they need to invade your privacy in the name of security.
# posted by Frederick @ 6:35 PM Email to a friend:
"[T]he case could be treated as terrorism"
Gary McKinnon admits that he went into US government computers without permission.
He was sitting at home in his bathrobe looking around for evidence that the US government had secret alien technology taken from UFOs.
He got into many machines, working alone and without being particularly sophisticated. If you're a US taxpayer, take that as a sign that the computers you're paying for are being badly administered. If a computer is important enough to prosecute someone over, it's important enough to protect well enough that a random eccentric can't get in.
BBC profile of Gary McKinnon
The authorities have warned that without his co-operation and a guilty plea the case could be treated as terrorism and he could face a long jail sentence. "
|
He was sitting at home in his bathrobe looking around for evidence that the US government had secret alien technology taken from UFOs.
He got into many machines, working alone and without being particularly sophisticated. If you're a US taxpayer, take that as a sign that the computers you're paying for are being badly administered. If a computer is important enough to prosecute someone over, it's important enough to protect well enough that a random eccentric can't get in.
BBC profile of Gary McKinnon
The authorities have warned that without his co-operation and a guilty plea the case could be treated as terrorism and he could face a long jail sentence. "
# posted by Frederick @ 6:12 PM Email to a friend:
How are voting machines tested?
I've written before about the limitations on the "certification" of voting machines.
There's been more talk about it recently. Wired magazine's criticism of voting machine testing notes that problems go years without being fixed, and that the testing consists of going down a checklist that often has nothing to do with reliability or security. Worse, the software running in your election may be different from the software that got certified. University of Iowa computer science professor Douglas Jones proposes testing procedures for voting machines including election-day tests aimed at catching malicious software that gives the right answers until it sees it's in a real election.
Nobody in those discussions mentions a key point. If you could make software reliable by testing it, we'd see a lot fewer bugs in our daily live. Security is even harder to test for than reliability. A program can run just fine and be insecure.
The way to get secure software is to start at the design stage and build it from the ground up to resist or detect attack. For example, the software that adds up the vote totals from the precincts shouldn't allow the machine operator to change the totals without even creating a record of the change. One widely used design did allow that.
The next step in improving software security is to let qualified people, lots of them, look for hidden flaws. That includes cryptographers, but also the kinds of sideways-thinking people who like solving puzzles and doing things that are supposed to be impossible.
|
There's been more talk about it recently. Wired magazine's criticism of voting machine testing notes that problems go years without being fixed, and that the testing consists of going down a checklist that often has nothing to do with reliability or security. Worse, the software running in your election may be different from the software that got certified. University of Iowa computer science professor Douglas Jones proposes testing procedures for voting machines including election-day tests aimed at catching malicious software that gives the right answers until it sees it's in a real election.
Nobody in those discussions mentions a key point. If you could make software reliable by testing it, we'd see a lot fewer bugs in our daily live. Security is even harder to test for than reliability. A program can run just fine and be insecure.
The way to get secure software is to start at the design stage and build it from the ground up to resist or detect attack. For example, the software that adds up the vote totals from the precincts shouldn't allow the machine operator to change the totals without even creating a record of the change. One widely used design did allow that.
The next step in improving software security is to let qualified people, lots of them, look for hidden flaws. That includes cryptographers, but also the kinds of sideways-thinking people who like solving puzzles and doing things that are supposed to be impossible.
# posted by Frederick @ 4:47 PM Email to a friend:
Security can backfire
TSA inspector damages multiple aircraft.
Mechanics caught the problem in time. The part damaged was important enough that flights had to be delayed while it was fixed.
One aviation industry newsletter had a truly sulfurous comment.
|
Mechanics caught the problem in time. The part damaged was important enough that flights had to be delayed while it was fixed.
One aviation industry newsletter had a truly sulfurous comment.
# posted by Frederick @ 12:55 AM Email to a friend:
Privacy and "I've got nothing to hide"
Earlier this month, the news came out that Best Western exposed the records of 8 million customers.
The information that got out included credit card numbers, which are of obvious interest to criminals, and maybe worse, information about future bookings. That's right, it's possible that crooks now know when people are going to be out of town and where they live.
Privacy contributes to safety and the rule of law.
|
The information that got out included credit card numbers, which are of obvious interest to criminals, and maybe worse, information about future bookings. That's right, it's possible that crooks now know when people are going to be out of town and where they live.
Privacy contributes to safety and the rule of law.
# posted by Frederick @ 12:43 AM Email to a friend:
Voting machines! Again!
Premier Election Solutions (formerly Diebold) machines in Ohio fail to count votes. As far as anyone knows it's just a normal bug.
Premier Election Solutions started off by blaming the problem on a conflict with anti-virus software. I was trying to find a way to explain why that sounds wrong to a security person, but someone beat me to it. My favorite nerdy cartoon about antivirus on voting machines.
It's a bad sign when a system has a bug that mission-critical that didn't get caught in testing. Ohio's Secretary of State is suing.
|
Premier Election Solutions started off by blaming the problem on a conflict with anti-virus software. I was trying to find a way to explain why that sounds wrong to a security person, but someone beat me to it. My favorite nerdy cartoon about antivirus on voting machines.
It's a bad sign when a system has a bug that mission-critical that didn't get caught in testing. Ohio's Secretary of State is suing.
# posted by Frederick @ 12:15 AM Email to a friend:
Sorry you haven't heard from me in a while
I fell way behind on the sources I normally follow to bring you news and commentary. I'll try to do better.
|
# posted by Frederick @ 12:13 AM Email to a friend:
Thursday, May 29, 2008
Flash, AGAIN
Youtube videos, and a lot of those annoying flashing ads, come to you courtesy of a third-party plugin ("Flash") in your browser. Sometimes it has security vulnerabilities that let the files it shows take over your computer. It's got one now, and last I heard there was no patch available. Meantime bad guys are taking over legitimate web sites and using them to send you hostile Flash files.
You're fairly well protected if you're a Firefox user and have the NoScript extension installed.
If you run Internet Explorer, you can either temporarily disable or uninstall Flash. I recommend uninstalling it and then, if you want, reinstalling it later after there's a fix for the current problem. Here are instructions for uninstalling the Flash plugin. Youtube, a number of games, and a lot of annoying ads will stop working until you reinstall.
|
You're fairly well protected if you're a Firefox user and have the NoScript extension installed.
If you run Internet Explorer, you can either temporarily disable or uninstall Flash. I recommend uninstalling it and then, if you want, reinstalling it later after there's a fix for the current problem. Here are instructions for uninstalling the Flash plugin. Youtube, a number of games, and a lot of annoying ads will stop working until you reinstall.
# posted by Frederick @ 12:21 AM Email to a friend:
Monday, May 05, 2008
If you're not doing anything wrong, why worry about privacy?
One answer to that question is that you might have just broken up with someone who has access to a government database. Information Week reports on a Federal agent indicted for stalking an ex-girlfriend using a government database.
What we have to insist on as citizens is accountability. That case could have been much worse if it had happened in secret.
|
What we have to insist on as citizens is accountability. That case could have been much worse if it had happened in secret.
# posted by Frederick @ 10:58 PM Email to a friend:
Tuesday, April 29, 2008
Voting machines! Sequoia in New Jersey this time
A Princeton professor, Ed Felten, has been unofficially studying the Sequoia voting machines used in NJ.
He's been finding problems, such as more votes being recorded in the Republican primary than were recorded for Republican turnout.
If you like details, he's got a highly readable blog. Some relevant posts in it are the ones about The first report of discrepancies, the response to Sequoia's explanation, and data that contradict Sequoia's explanation.
You don't need details to figure this one out, though. First you check whether Dr. Felten is a level-headed guy who just reports what he sees. Here's one quote:
Second you look at Sequoia's response. How confident do you feel with elections in the hands of a company that responds to bug reports with thinly veiled legal threats against Dr. Felten?
|
He's been finding problems, such as more votes being recorded in the Republican primary than were recorded for Republican turnout.
If you like details, he's got a highly readable blog. Some relevant posts in it are the ones about The first report of discrepancies, the response to Sequoia's explanation, and data that contradict Sequoia's explanation.
You don't need details to figure this one out, though. First you check whether Dr. Felten is a level-headed guy who just reports what he sees. Here's one quote:
...this doesn’t look like fraud, only error. A malicious attacker who had access to a machine would have had much more powerful, and much less detectable, options at his disposal.
Second you look at Sequoia's response. How confident do you feel with elections in the hands of a company that responds to bug reports with thinly veiled legal threats against Dr. Felten?
# posted by Frederick @ 2:45 PM Email to a friend:
Thursday, April 24, 2008
Great article about malicious software
Ars Technica explains malicious software.
This is good because it explains the "why" of software that does bad things on your computer, explains the different ways it can get installed, warns you of the bait that some of it uses to persuade you to run it, and names names.
It's almost completely nontechnical.
|
This is good because it explains the "why" of software that does bad things on your computer, explains the different ways it can get installed, warns you of the bait that some of it uses to persuade you to run it, and names names.
It's almost completely nontechnical.
# posted by Frederick @ 6:00 PM Email to a friend:
Friday, April 18, 2008
It's time to update Flash Player again
See previous article about how to uninstall and update Adobe Flash Player.
A researcher found a very clever way to use a Flash vulnerability to take over a computer. Adobe's issued a fix.
To find out what version of Flash you have and what version you need, visit Adobe's Flash version check page. If you're running NoScript, choose "temporarily allow Adobe" to allow the page to work properly.
|
A researcher found a very clever way to use a Flash vulnerability to take over a computer. Adobe's issued a fix.
To find out what version of Flash you have and what version you need, visit Adobe's Flash version check page. If you're running NoScript, choose "temporarily allow Adobe" to allow the page to work properly.
# posted by Frederick @ 4:22 PM Email to a friend:
Saturday, April 12, 2008
Another scary article about attacking the power grid
Network World says "Experts hack power grid in no time".
I've been to some talks about this issue. In some ways it's not as bad as it sounds. If you got into the control network, you'd still have to figure out what labels like "Relay 1225-A" meant. Disgruntled former insiders teamed with network intruders could be a dangerous combination, and so could infiltrators: but someone who got a job at a power company wouldn't need to break into the network.
Utilities definitely need to segregate their control networks from the wild Internet, though.
|
I've been to some talks about this issue. In some ways it's not as bad as it sounds. If you got into the control network, you'd still have to figure out what labels like "Relay 1225-A" meant. Disgruntled former insiders teamed with network intruders could be a dangerous combination, and so could infiltrators: but someone who got a job at a power company wouldn't need to break into the network.
Utilities definitely need to segregate their control networks from the wild Internet, though.
# posted by Frederick @ 10:50 AM Email to a friend:
Here's how sophisticated the attacks are getting
Business Week article alleging that attacks on government and contractors are from foreign spies.
A vice president at a defense contractor got email carefully customized to him to trick him into opening it. It seemed to come from one of his regular correpondents. It discussed a subject he was likely to be interested in. It used the jargon and acronyms that are standard in his industry. But it also contained a toxic payload, one which recorded all his keystrokes.
Business Week doesn't say whether the payload was an attachment or some kind of security exploit that depends on a bug in your system.
It's getting hard to protect yourself. Antivirus is getting less reliable over time, and if someone writes custom malware for espionage purposes then antivirus software may not recognize it. Being suspicious of attachments is still good, but that email looked exactly like expected correspondence. Patching is still a good idea and there's research that shows it's effective at least against malicious web sites.
|
A vice president at a defense contractor got email carefully customized to him to trick him into opening it. It seemed to come from one of his regular correpondents. It discussed a subject he was likely to be interested in. It used the jargon and acronyms that are standard in his industry. But it also contained a toxic payload, one which recorded all his keystrokes.
Business Week doesn't say whether the payload was an attachment or some kind of security exploit that depends on a bug in your system.
It's getting hard to protect yourself. Antivirus is getting less reliable over time, and if someone writes custom malware for espionage purposes then antivirus software may not recognize it. Being suspicious of attachments is still good, but that email looked exactly like expected correspondence. Patching is still a good idea and there's research that shows it's effective at least against malicious web sites.
# posted by Frederick @ 10:30 AM Email to a friend:
Army tests troops with phishing email
The US Army sent out forged email offering free event tickets if the recipients went to a fake web site that collected personal information
There's a right way and a wrong way to do this, and the article doesn't way which it was. The right way is to use an exercise like this to measure and to educate. The wrong way is to punish people for getting fooled.
But tentatively, I say "good for them".
|
There's a right way and a wrong way to do this, and the article doesn't way which it was. The right way is to use an exercise like this to measure and to educate. The wrong way is to punish people for getting fooled.
But tentatively, I say "good for them".
# posted by Frederick @ 10:25 AM Email to a friend:
The criminal economy is big and sophisticated
Attacks are big business:
Information Week article about the cybercrime economy.
|
Information Week article about the cybercrime economy.
# posted by Frederick @ 10:18 AM Email to a friend:
Tuesday, April 08, 2008
Do you have an ATT 2Wire DSL modem ("Home Portal")?
They have a security problem. To make a long story short, they made several mistakes and as a result someone can reprogram your modem by getting you to visit a malicious web page. In particular they can change where you go when you try to visit a particular site, for example your bank.
Worse yet, bad guys are taking advantage of this now.
I've heard conflicting stories about whether there's a fix yet. Email support@2wire.com and ask whether there's a firmware update that fixes "CVE-2007-4389".
There are ways to protect yourself in the absence of a fix, but but they're too complicated for normal people.
|
Worse yet, bad guys are taking advantage of this now.
I've heard conflicting stories about whether there's a fix yet. Email support@2wire.com and ask whether there's a firmware update that fixes "CVE-2007-4389".
There are ways to protect yourself in the absence of a fix, but but they're too complicated for normal people.
# posted by Frederick @ 3:10 PM Email to a friend:
Monday, April 07, 2008
How a street-smart user handles a suspicious situation
I needed some information from my bank about an outstanding loan, clicked the relevant link, and wound up at a page telling me I needed to re-establish my online account.
This made me wonder "where am I"? I checked my anti-phishing Firefox extension and found that I was on a site I'd never been to before.
At this point, two of my suspicion flags had been triggered. First, someone was asking for credentials after I'd already logged in, second, I wasn't on my bank's web site any more.
I was at.loanadministration.com. I wondered whether that was legitimate. Some phishing sites have had names like that.
Phishing sites pop up and disappear in a matter of days, so I figured I'd check whether it had been around for a while. There are several ways to check that, but I simply Googled it and found plenty of references, including one that included a company name I recognized as my bank's outsourced loan processor.
So it was all right after all, but if you ever see a situation like that one you should check it out before you type sensitive information.
|
This made me wonder "where am I"? I checked my anti-phishing Firefox extension and found that I was on a site I'd never been to before.
At this point, two of my suspicion flags had been triggered. First, someone was asking for credentials after I'd already logged in, second, I wasn't on my bank's web site any more.
I was at
Phishing sites pop up and disappear in a matter of days, so I figured I'd check whether it had been around for a while. There are several ways to check that, but I simply Googled it and found plenty of references, including one that included a company name I recognized as my bank's outsourced loan processor.
So it was all right after all, but if you ever see a situation like that one you should check it out before you type sensitive information.
# posted by Frederick @ 9:42 PM Email to a friend:
If your online banking account gets cleaned out, will your bank cover it?
That depends on where you live. In the UK, "The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection."
I wonder if that means they require Mac users to install anti-virus software.
|
I wonder if that means they require Mac users to install anti-virus software.
# posted by Frederick @ 9:33 PM Email to a friend:
Voting machines again
What makes me mad about this next story is that it's not even a security issue, it's an issue of prudent shopping. When you buy something big or important you should have the opportunity to get an independent evaluation of it.
But if you're New Jersey, and you want to use voting machines from Sequoia, Sequoia will threaten to sue if you hire an outside expert to examine their voting machines. The outside expert reported finding cases where the machines, without being hacked, were adding up votes wrong.
Meanwhile, voting machines are more expensive than advertised.
|
But if you're New Jersey, and you want to use voting machines from Sequoia, Sequoia will threaten to sue if you hire an outside expert to examine their voting machines. The outside expert reported finding cases where the machines, without being hacked, were adding up votes wrong.
Meanwhile, voting machines are more expensive than advertised.
# posted by Frederick @ 9:23 PM Email to a friend:
Wednesday, March 19, 2008
"And a function that tracked changes to the machines was purposely turned off."
Ohio investigates reported voting machine irregularities.
A candidate's name was grayed out on some ballots but not on others. Local authorities had turned off the automatic logging of software changes.
This may turn out to be a legitimate error of some kind, but it's a great illustration of one of the major problems with electronic voting machines. If someone wants to tamper with them, it may not be possible to track that person or even to tell that the tampering happened.
In a discussion about this on the nerd forum Slashdot, a user called TripMasterMonkey pointed out a story about negligent exposure of voter registration records in Pennsylvania. That was the result of an elementary programming error. The important lesson there is that the people running your elections department may not be the experts you would hope for.
|
A candidate's name was grayed out on some ballots but not on others. Local authorities had turned off the automatic logging of software changes.
This may turn out to be a legitimate error of some kind, but it's a great illustration of one of the major problems with electronic voting machines. If someone wants to tamper with them, it may not be possible to track that person or even to tell that the tampering happened.
In a discussion about this on the nerd forum Slashdot, a user called TripMasterMonkey pointed out a story about negligent exposure of voter registration records in Pennsylvania. That was the result of an elementary programming error. The important lesson there is that the people running your elections department may not be the experts you would hope for.
# posted by Frederick @ 11:04 PM Email to a friend:
Tuesday, March 18, 2008
I'm really starting to like this Rich Mogull guy
Mac users, I highly recommend this article about OS X 10.5 Leopard security features. It's clear, informed, and does well at the really hard problem of being both accurate and understandable.
|
# posted by Frederick @ 10:10 PM Email to a friend:
And you thought zip files were boring
.ZIP files are only one of a whole class of files used to compress and package groups of other files. Antivirus programs need to understand how to look inside such things, otherwise viruses could escape detection by hiding inside .ZIP or other files.
So far, so good.
But what if the software that looks inside those files can be crashed by badly or maliciously formed input? Remember that if you can crash a program you're only one step from taking it over. And remember that your antivirus software has lots of privileges on your computer.
Researchers in Finland wrote a program to make random changes to a wide range of packed file formats and tested several products that read the files. Quite a few crashed.
They let the software makers know. A lot of the open source products are already fixed. On the commercial side, F-Secure has already rolled out fixes and Symantec, who makes the Norton products, was already OK.
Details for your technical friends:
Test results for "fuzzing" of archive file formats.
CERT advisory on archive format vulnerabilties
|
So far, so good.
But what if the software that looks inside those files can be crashed by badly or maliciously formed input? Remember that if you can crash a program you're only one step from taking it over. And remember that your antivirus software has lots of privileges on your computer.
Researchers in Finland wrote a program to make random changes to a wide range of packed file formats and tested several products that read the files. Quite a few crashed.
They let the software makers know. A lot of the open source products are already fixed. On the commercial side, F-Secure has already rolled out fixes and Symantec, who makes the Norton products, was already OK.
Details for your technical friends:
Test results for "fuzzing" of archive file formats.
CERT advisory on archive format vulnerabilties
# posted by Frederick @ 9:41 PM Email to a friend:
Good advice for Mac users
I agree with almost everything in Mac security expert Rich Mogull's article about security precautions for Mac users. I'd add being cautious about downloaded software. Also be careful with Microsoft Office documents: macro viruses will spread just fine between Mac and Windows systems.
|
# posted by Frederick @ 8:56 PM Email to a friend:
Sunday, March 16, 2008
But don't expect too much from a fingerprint-controlled nerdstick
Some of them will just roll over and give you acess if you tickle them with a free tool. Technical details of the vulnerability of fingerprint-based USB drives.
.
|
.
# posted by Frederick @ 10:56 PM Email to a friend:
Roundup of secure nerdsticks at Computerworld
Summary of Computerworld's review of secure flash drives.
In real life, I'd suggest choosing on the basis of ease of use. If it's too hard to use, you won't use it, and then when you lose your tiny little nerdstick you'll lose control of all the data on it.
|
In real life, I'd suggest choosing on the basis of ease of use. If it's too hard to use, you won't use it, and then when you lose your tiny little nerdstick you'll lose control of all the data on it.
# posted by Frederick @ 10:49 PM Email to a friend:
Friday, February 01, 2008
Would you trade privacy for increased security?
My favorite security writer, Bruce Schneier, writes about the tradeoff between security and privacy.
UPDATE 2/3:
A cartoon about the security and privacy tradeoff
|
UPDATE 2/3:
A cartoon about the security and privacy tradeoff
# posted by Frederick @ 7:40 PM Email to a friend:
Saturday, January 26, 2008
You can't rely on avoiding bad neighborhoods any more
According to one security firm, Finjan, 80% of the web sites carrying malicious code are legitimate sites taken over by criminals: http://www.securityfocus.com/columnists/463/1
|
# posted by Frederick @ 4:19 PM Email to a friend:
Tuesday, January 22, 2008
Change the password on your router
Where your home network meets the outside network, you've got a box of some sort: a wireless access point, a cable modem, or something. It's got a little web page of its own where you can control it. Which you haven't needed to look at since you first set it up, in all probability.
It's time to go back there again, because a theoretical threat has just become a real one, and you need to change the box's password to counter the threat.
Simply by getting you to visit a maliciously coded web page, an attacker can reconfigure your router to redirect connections to your bank over to a phishing site. They have to know the password to make that work, but unless you changed it during setup it's still at a factory default that anyone can look up on the web.
|
It's time to go back there again, because a theoretical threat has just become a real one, and you need to change the box's password to counter the threat.
Simply by getting you to visit a maliciously coded web page, an attacker can reconfigure your router to redirect connections to your bank over to a phishing site. They have to know the password to make that work, but unless you changed it during setup it's still at a factory default that anyone can look up on the web.
# posted by Frederick @ 8:20 PM Email to a friend:
Tuesday, January 15, 2008
Macs are getting targeted more and more
One of the problems that's plagued people on Windows machines is that criminals peddle fake security software. The phony software may simply induce you to buy it by always "finding" problems when you do a "free" scan. In extreme cases it may even compromise your system.
Now that Macs are more common and are a more tempting target, that particular scourge is starting to arrive for the Mac platform. According to security firm F-Secure, a Mac spyware scanner is so bogus that if you run it on a Windows machine it reports "finding" problems in places that only exist on Macs.
Buy only from places with names you recognize, or that your technical friends or your security consultant recommends.
|
Now that Macs are more common and are a more tempting target, that particular scourge is starting to arrive for the Mac platform. According to security firm F-Secure, a Mac spyware scanner is so bogus that if you run it on a Windows machine it reports "finding" problems in places that only exist on Macs.
Buy only from places with names you recognize, or that your technical friends or your security consultant recommends.
# posted by Frederick @ 11:57 PM Email to a friend:
Friday, January 11, 2008
You keep your operating system up to date, but what about everything else?
There have been security problems with media players, PDF readers, VOIP software, and probably some other things I've forgotten about. These programs don't necessarily have an easy way to check for updates and install them. But if you run old versions they can be a security risk.
Security firm Secunia has released a tool called the Personal Software Inspector which you can download and run to get an inventory of what software you have installed and whether it's up to date with patches. It's only licensed for use on non-business machines, so I haven't been able to test it for you.
One of the questions I would ask if I were testing it would be whether it gives flase alarms. Not every old version is an insecure version.
Secunia is a reputable company, so don't be afraid of downloading software from them.
|
Security firm Secunia has released a tool called the Personal Software Inspector which you can download and run to get an inventory of what software you have installed and whether it's up to date with patches. It's only licensed for use on non-business machines, so I haven't been able to test it for you.
One of the questions I would ask if I were testing it would be whether it gives flase alarms. Not every old version is an insecure version.
Secunia is a reputable company, so don't be afraid of downloading software from them.
# posted by Frederick @ 8:51 PM Email to a friend:
Do you watch videos with Quicktime?
There's a new security bug in Apple's Quicktime media software which could allow your computer to get taken over. This is not the same Quicktime security bug that Apple fixed on December 13. Someone announced details of it without telling Apple first, so it will be a while before we get a fixed version of Quicktime. Meanwhile the bad guys know about it.
If I'm reading this right, all you have to do is click on a link to be affected.
If you uninstall Quicktime and reinstall it when the fix comes out, you should be OK.
UPDATE 1/15/2008:
Apple has released a fix. When Software Update offers to install it, remember that it's important and that you want it.
|
If I'm reading this right, all you have to do is click on a link to be affected.
If you uninstall Quicktime and reinstall it when the fix comes out, you should be OK.
UPDATE 1/15/2008:
Apple has released a fix. When Software Update offers to install it, remember that it's important and that you want it.
# posted by Frederick @ 12:33 AM Email to a friend:
Thursday, January 10, 2008
SecurityFocus reports on a new thing to worry about
Digital picture frames and other devices may hold malicious software.
These days practically everything that uses electricity has a computer in it, and if not at least some memory.
I'm not sure what to tell you about protecting yourself. Anti-virus software is better than nothing.
|
These days practically everything that uses electricity has a computer in it, and if not at least some memory.
I'm not sure what to tell you about protecting yourself. Anti-virus software is better than nothing.
# posted by Frederick @ 12:35 AM Email to a friend:
Tuesday, January 08, 2008
Happy patchday! There's a critical one this time
Critical vulnerability in Windows networking.
This is like something from years and years ago. Someone can simply send network traffic to your computer and take it over completely.
If I'm reading right, a hardware firewall will prevent this attack, but what if you're on the road?
If you don't have automatic updates turned on, or if you're not sure, then update manually. This is one the bad guys will definitely want to take advantage of.
|
This is like something from years and years ago. Someone can simply send network traffic to your computer and take it over completely.
If I'm reading right, a hardware firewall will prevent this attack, but what if you're on the road?
If you don't have automatic updates turned on, or if you're not sure, then update manually. This is one the bad guys will definitely want to take advantage of.
# posted by Frederick @ 8:44 PM Email to a friend:
Another hazard of traveling with a laptop
If you cross an international border, Customs may ask to go through the contents of your laptop. Not only could that be fairly personal, it could compromise business secrets or worse. Imagine an attorney traveling with confidential client information. Or, for that matter, a security consultant like me.
You could encrypt the data, but the officer you're talking to could always demand the key. There are court cases in the US that might allow you to argue that handing over a key was self-incrimination and to refuse on that ground. Trying that at the border strikes me as a lousy idea guaranteed to raise suspicion and start a confrontation in which you'd be at a disadvantage. Not to mention being completely irrelevant in every country of the world except the US.
For now the options I see are
|
You could encrypt the data, but the officer you're talking to could always demand the key. There are court cases in the US that might allow you to argue that handing over a key was self-incrimination and to refuse on that ground. Trying that at the border strikes me as a lousy idea guaranteed to raise suspicion and start a confrontation in which you'd be at a disadvantage. Not to mention being completely irrelevant in every country of the world except the US.
For now the options I see are
- Hope your confidential information doesn't get inspected
- Don't travel with your laptop, or at least remove all confidential material first (and hope you get it all)
- Hide your laptop in a bale of marijuana so it will get across the border undisturbed
# posted by Frederick @ 7:31 PM Email to a friend:
Monday, January 07, 2008
Heads up for AdAware users
I've recommended LavaSoft's Ad-Aware anti-spyware program before. If you're using the free version, you need to know that there's a new version of Ad-Aware and that unless you got a paid version of the old package you'll no longer receive updates.
More information in Brian Krebs's column.
|
More information in Brian Krebs's column.
# posted by Frederick @ 8:44 PM Email to a friend:
Your personal information gets compromised. Does it matter?
After the UK government lost disks with 25 million people's personal information, TV host Jeremy Clarkson raised the question of how much risk there actually was. It's a good kind of question to ask, but it's not so good to leap to conclusions, as Clarkson did when he said "Honestly, I've never known such a palaver about nothing".
He was so sure that the release of personal information couldn't make anything bad happen, to dramatize his point Clarkson published his bank account details.
Only one person took the bait, oddly enough, and stopped short of cleaning out the account. The thief "donated" 500 pounds from Clarkson's account to a charity.
Clarkson has admitted he was wrong.
|
He was so sure that the release of personal information couldn't make anything bad happen, to dramatize his point Clarkson published his bank account details.
Only one person took the bait, oddly enough, and stopped short of cleaning out the account. The thief "donated" 500 pounds from Clarkson's account to a charity.
Clarkson has admitted he was wrong.
# posted by Frederick @ 8:31 PM Email to a friend:
Saturday, January 05, 2008
How to update Flash Player (you need to)
Blogger Michael Horowitz explains how to fix security problems caused by buggy versions of Adobe Flash Player, and even explains some of the Flash player update problems he had and how to fix them.
"Flash Player" is something you almost certainly have. It makes Youtube possible, but is also what enables a lot of those annoying ads. You care because it regularly has security bugs that allow a hostile web page to take over your computer, and a recent update fixes the known security bugs.
Follow Horowitz's detailed and hard-learned instructions to find out what version you have installed, how to remove it (which is more difficult than I'd expect), and if you have some reason, how to install the new improved version.
In addition, I recommend some form of blocking Flash content to protect you from the unknown security bugs (want to bet there aren't any?). My favorite Firefox extension, NoScript, does this.
|
"Flash Player" is something you almost certainly have. It makes Youtube possible, but is also what enables a lot of those annoying ads. You care because it regularly has security bugs that allow a hostile web page to take over your computer, and a recent update fixes the known security bugs.
Follow Horowitz's detailed and hard-learned instructions to find out what version you have installed, how to remove it (which is more difficult than I'd expect), and if you have some reason, how to install the new improved version.
In addition, I recommend some form of blocking Flash content to protect you from the unknown security bugs (want to bet there aren't any?). My favorite Firefox extension, NoScript, does this.
# posted by Frederick @ 10:19 PM Email to a friend:
Physical security: aviation
The February 2008 Consumer Reports, just mailed out to subscribers, has a disturbing article about aviation security with a really disturbing quote.
Retired TSA officer Larry Tortorich is quoted saying
Another TSA officer, Bogdan Dzakovic, had this to say about reinforced cockpit doors:
Consumer Reports found lots of other breakdowns, too. People can get on airplanes with dangerous items. There aren't enough air marshals. And so on.
|
Retired TSA officer Larry Tortorich is quoted saying
There was a facade of security. There were numerous security flaws and vulnerabilities that I identified. The response was, it wasn't apparent to the public, so there would not be any corrective actionIn other words, what counts is what the public thinks, not whether flying is safe.
Another TSA officer, Bogdan Dzakovic, had this to say about reinforced cockpit doors:
People have this illusion hardened cockpit doors work, and they don't...If you want to have a secure door, you need to have a double-hulled doorEl Al has double barriers to the cockpit. We don't.
Consumer Reports found lots of other breakdowns, too. People can get on airplanes with dangerous items. There aren't enough air marshals. And so on.
# posted by Frederick @ 8:33 PM Email to a friend:
What is a trustworthy web site, part 3
This one is just disgusting.
In at least one case, criminals have steered traffic to a web site with malicious software by setting up a fake video memorial web site for an accident victim.
Visitors to the site were told that they needed software to view the video (alarm bells should be going off in your head at this point) and were given a link to click to download it. The software was spyware of course.
You can't ever let your guard down.
|
In at least one case, criminals have steered traffic to a web site with malicious software by setting up a fake video memorial web site for an accident victim.
Visitors to the site were told that they needed software to view the video (alarm bells should be going off in your head at this point) and were given a link to click to download it. The software was spyware of course.
You can't ever let your guard down.
# posted by Frederick @ 2:48 PM Email to a friend:
What is a trustworthy web site, part 2
Via Bruce Schneier's blog, well-known firm CA Security reports that Sears installs spyware on the machines of people who join the "Sears Community".
If the allegations are true, the tracking software
The signup includes your name and email address, which means that any information collected isn't anonymous, but tied directly to you.
UPDATE: this is a separate issue from Sears disclosing your purchase history to third parties
If the allegations are true, the tracking software
Monitors secure sessions (websites beginning with ‘https'), which may include shopping or banking sites.
The signup includes your name and email address, which means that any information collected isn't anonymous, but tied directly to you.
UPDATE: this is a separate issue from Sears disclosing your purchase history to third parties