Friday, April 30, 2004

Is your home computer for rent? 

Viruses and worms these days like to enslave your machine to whoever created the virus or worm. Widespread infections can give a bad guy control over many thousands of machines.

There are so many enslaved home computers today that the bad guys have organized entire black markets in control of infected machines. Spammers can rent wholesale blocks of machines to send out their scams. The prices even depend on how quickly the infected computers can send email.

Read more at an online paper called "The Register".


Thursday, April 29, 2004

Is your email bugged? 

Spammers can use technical tricks to tell when you've opened email from them: see this InternetWeek article.

Spammers couldn't do this back when everyone got email as just plain text. Today a lot of mail programs display mail like it was a little Web page and that opens up lots of chances for mischief. In particular spammers can put a picture in the email that gets fetched from their computer when you look at it. Then their computer records who fetched it and when.

Outlook 2003 prevents this by blocking images from showing up in your email. Most non-Microsoft email programs also let you protect yourself.


Another reason to avoid giving out personal info 

Once your info is in someone's database, crooked employees can look at it.

Wired magazine has a scary article about an AOL customer service employee who stole private data about Hollywood people and used it to make contacts for a movie deal.


Is it safe to use my credit card online? 

Do you want the short answer, or the long answer?

The short answer is yes. You can always refuse to pay a fraudulent charge. There are laws about this. A debit card may not give you the same protection. I don't use my debit card for web purchases.

The long answer is (ready for this?) "it depends". Your credit card information can indeed get stolen. The two most common ways to steal credit card information online are to break into a store's database, or to trick you into typing your credit card information someplace untrustworthy. You can do something about the second risk. Use what you already know -- only give out your card number if you started the transaction. That's the same rule you follow over the phone. So you'd type in the card number after you order something from, but you wouldn't if you get email that asks for it.

Oh, and make sure it's really you're talking to. Sleazy people regularly get domains that are misspellings of high-traffic sites. Usually the reason is to collect money from advertisers. Someday one of them might start to steal credit card numbers.

I didn't mention looking for the padlock icon at the bottom right. If you see that, then some really sophisticated technology is trying to keep your credit card number unreadable and ensure that you're really talking to the site you think you are. Unfortunately that technology only works if a bunch of people you've never heard of did their jobs right. There's no substitute for street smarts.


Tuesday, April 27, 2004

Do you use those "email a friend" links? 

You see a great online comic, you want to share it, so you click on the "email this strip to a friend" link.

Which means you just gave that web site your friend's email address.

How do you know they won't share your friend's email address with their "marketing partners"?

It's better to take a couple of extra seconds and use your own email program.


Monday, April 26, 2004

Will the market force security improvements? 

The world may change soon.

Why do software companies sell insecure software? Because people buy insecure software. Businesses and home users have been paying for convenience and features instead of reliability and security.

If WidgetCo's purchasing department tells BigSoftwareCo "You get our next $50 million order only if you fix your product", guess what will happen.

Executives in the USA are now legally compelled to make sure their computers give trustworthy financial results. Burton Group analyst Fred Cohen predicts that executives are going to demand better products starting this year. If software companies learn good habits, home users should see results in a year or two.


What firewall should you buy? 

The first question is, do you need a firewall at all. The answer is yes.

The second question is whether to get a firewall program that runs on your computer, or to get a firewall box that sits on its own. The short answer is that getting both is a good use of money, but if you get only one I recommend the firewall box.

There are three wonderful things about a firewall box (also called "firewall appliance" or "hardware firewall"):

That last sounds bad but a security consultant sees it as good. Dumb means simple, and simple means there's less to go wrong. The biggest advantage is that today's storm of viruses and spyware won't affect them.

A firewall program running on your computer shines in blocking outgoing activity. Sound strange? It's important because of spyware that tries to send data from your computer and because of worms that call home to ask their creators what they should do next. A firewall program can also do some of the work of a firewall box.

Almost all the firewall boxes are good choices. Even the cheapest "connection sharing" boxes provide important protection for basic home use.

Firewall programs are more complicated to evaluate but you can confidently pick Zone Alarm. There's splendid word of mouth in the security community about Kerio. Like Zone Alarm, Kerio has a basic version which is free for home and personal use.

You may already have a firewall program built in to your operating system. Mac OS X and Windows XP both have firewall software. Just remember to turn it on.


Spyware update: some "removal" programs are actually spyware. 

To make matters worse, some scumbags (that's a technical term, folks) have been using product names and web addresses confusingly close to those of legitimate anti-spyware products.

Legitimate products and web sites:

Ad-aware comes from

Spybot S&D is currently at I think Spybot's interface is a little quirky, so by all means check out the tutorial.

If you see an ad for some other removal product, Google for reviews and see if anyone reputable recommends it.


Sunday, April 25, 2004

Have you ever Googled for your credit card number? 

A lot of people who have web sites don't know how to run them. They accidentally publish information they didn't mean to publish.

Someone on the nerd discussion board Slashdot typed his credit card number into Google and found it. One e-commerce company had stored his credit card information in the wrong place, where it was accessible to Google. He scorched several people's ears at the responsible company.

If you want a more technical explanation, the "Joat" (Jack Of All Trades) blog has an entry with more detail.


"Am I stupid?" 

No. You are not.

I know the overworked IT person where you work grumbles about "stupid users". Don't take it personally.

You've chosen to put your attention on your job instead of on your computer. Of course your IT person knows more about computer security than you do.

I got a lesson about this recently when I talked to a really smart person who knows non-Windows computers so well she could tell you what "|IFS=' ' && p=/usr/local/bin/procmail && test -f $p && exec $p -Yf- > || exit 75 #Metropolis" means (don't ask). But she didn't know that you can get security fixes for a Windows machine by picking "Windows Update" from the Start menu. It's all a matter of where you've put your attention and what you have time for.

You can learn to keep your computer reasonably secure. Read non-technical material like this blog, or my company's online library. Follow your IT person's advice: it may sound strange but it comes from someone who's studied the security news.


Microsoft has advice for you 

Microsoft's web site has an entire section to give security advice to home users. It's worth a look.

Would you like to have better security than 2/3 of your fellow computer users? Just keep your antivirus software up to date. The Seattle Times quotes Microsoft's head lawyer, Brad Smith, as saying that 70% of the people out there have missing or outdated antivirus software.


Saturday, April 24, 2004

Street smarts: that email is probably not from your bank 

If you haven't seen this scam yet, you will soon. Somebody sends you email and forges the return address, so it looks like it came from your bank (or your broker, or eBay, or PayPal...). The mail says you need to log in to your account. Maybe it asks you to fill out a form. Often it says something alarming, like telling you there's been unauthorized access. The email contains a link you're supposed to click. The link looks like it goes to your financial institution but it really doesn't.

If you do what the email asks, you'll wind up giving your password and personal information to the con man who sent the email.

This scam happens so often today that it's got a name, "phishing", and an entire web site devoted to fighting it. If you're in a hurry, the best places on that web site are their tips on how you can recognize a scam, and their long list of scams their readers have reported.

The Beryllium SphereTM consumer tip is simply to treat email like a phone call. You already know not to give out your credit card number when a stranger calls. If the caller says they're from your bank you'll hang up and call back. Do the same with email: don't answer it, just contact your financial institution directly.


Friday, April 23, 2004

The hidden problem with getting security patches 

What if you use a modem instead of a high-speed Internet connection?

SecurityFocus columnist Scott Granneman has a hard-hitting article about trying to download vital security updates over a modem. He points out the good news that Microsoft offers a CD containing security updates, but of course by the time you get the CD in the mail there wil be new updates to install that aren't on the CD yet.


Running Norton security products from Symantec? Update now! 

Norton Internet Security 2004, Norton Internet Security 2004 Professional, and Norton Personal Firewall 2004 have some serious bugs which allow a bad guy to send toxic data to them and crash your machine or take it over.

Symantec is working on fixes. If you asked your software to get updates automatically, make sure it's actually getting them. If you update manually, then update at least daily until this clears up.

Meantime, I haven't heard of bad guys taking advantage of these bugs. Until that happens, you're better off with the Norton software than without it.


Thursday, April 22, 2004

"My computer-savvy friend muttered something about 'spyware' and walked away" 

"Why is my computer acting funny?"

These days (spring 2004) the number 1 cause of strange behavior in home PC's is "spyware", nosy software that gathers information about you and ships it off somewhere, usually to a marketing company. It comes attached to useful utilities. A program to manage your passwords or set your computer's clock may be the bait which hides the hook of spyware. It interferes with your computer by popping up ads, hijacking your Internet searches, or just simply being so poorly written it causes slowdowns and bugs.

"Why is my friend being rude?"

Don't take it personally. The reason he threw up his hands and walked away is sheer exasperation. Spyware is all over the place. Some computer people have found and removed thousands of spyware programs from a single computer. That kind of work gets old fast.

Invite your friend back, offer him some beer or some Coke, and ask him to show you that "Linux" thing he keeps talking about. He'll mellow out.

"But I don't have anything worth spying on"

Marketing companies spend millions of dollars to collect personal information about people. Your address and phone number are worth money to junk mailers and telemarketers. That's big money if they have an idea what you're likely to buy.

"Why should I care?"

Because the spyware is making your computer act strange and run slowly. You can't trust the people who tricked you into installing it -- they may be hurting your system's security. The spyware is giving away information that's worth money and could even be embarrassing.

"What should I do?"

First of all, stop installing spyware.


Don't take candy from strangers.

"And then?"

Install a program that scans for spyware and can remove it. Most antivirus software won't help. Norton Antivirus 2004 does have anti-spyware features. You can save some money by using a free program called Ad-Aware. There are lots of other good anti-spyware programs but some of them are kind of quirky. Whatever you install, update it at least once a week and keep using it to check your system.


"So what's up with this 'Internet vulnerability' that's been in the papers lately?" 

If you're in this blog's target audience of small-scale users with lives, you can ignore this one. Mostly it matters to the people who run the central plumbing of the Internet. They spent a frantic week protecting themselves against it before the problem hit the newspapers.


Wednesday, April 21, 2004

"Nobody would want to break into my computer" 

I hear this one a lot. "I don't store anything important", "I've got nothing to hide", and so on.

A criminal might steal your eight-year-old Ford to use as a getaway car for another crime. Same with your computer. Bad guys take over computers to send spam, attack other systems, and store stolen files. Your computer can attract them as long as it has an Internet connection and a disk.

Hiding in the crowd doesn't help. You'll be attacked by a computer program that automatically scans Internet addresses looking for systems to break into. If something like this were happening in the physical world, there would be swarms of robots jetting through the city twisting every doorknob until they found one unlocked.

Should you be scared? No, just be careful. I can't put it any better than the mother of a New Yorker: "Be alert, be aware, but never be afraid".


Tuesday, April 20, 2004

"Do I have a virus? I just got email that says I do." 

My wife's friends have been asking this regularly.

The short answer is "probably not", and the reason is viruses lie.

Bad people and bad programs can put a fake return address on email they send out. It's even easier than putting a fake return address on your postal mail. Today's viruses (spring 2004) usually add a fake return address when they mail out copies of themselves. They make the address look believable by grabbing an address at random from a victim's address book. If your address is on the victim's machine then the virus may pretend to be you.

Suppose Homer Simpson gets virus-laden email with an attachment, DONUTS.EXE. He says "mm, donuts!" and opens it. The virus installs itself, sends itself to Mr. Burns, and puts Lisa's address as the return address. When Mr. Burns's virus scanner detects the virus, it tries to warn the sender, but as far as it knows Lisa sent it. So the virus scanner sends email to Lisa saying "You have been infected by the DONUTS virus."

Lisa's fine, because she's kept her antivirus software up to date, doesn't open unexpected attachments, and she probably uses a Macintosh anyway. So far, virus writers haven't been targeting Macintoshes.

"But it looks so official! Why would professionally written antivirus software tell me I'm infected if it doesn't even know where the mail came from?", you ask perceptively. Two reasons. Virus writers used to be less sneaky and didn't used to forge return addresses. The other reason, cynics say, is that every warning email is free advertising for the antivirus vendor.


Monday, April 19, 2004

Security references for the mildly technical 

Browse the wealth of information about security on if you're comfortable with terms like "TCP/IP stack".


Sunday, April 18, 2004

What a firewall won't do 

I was all set to write a short article about what you can expect from firewall appliances. Then I found a nice, solid, already reviewed essay on

It explains when you need more than a firewall box. Keith Tarrant, CCP, wrote it to answer a steady stream of questions in the forums.

If the flood of marketing terminology confuses you, there's nothing wrong with you. Marketers have deliberately blurred the distinctions between some technical terms. When the linked essay says "NAT router", it means one of the cheap connection-sharing boxes from companies like SMC and NetGear. I called them "firewall appliances" earlier because sometimes the package in the store will say "firewall" on it.

You need one, whatever they're called.


Friday, April 16, 2004

Something new to worry about! Update your firewall software. 

Firewall programs like Zone Alarm and Black Ice Defender are written to meet market demands. Market demands lead to haste. Haste leads to bugs. Bugs lead to security problems. Security problems lead to .... suffering.

Black Ice made the news when one of its bugs spread the "Witty" worm. Zone Alarm had a quieter problem earlier this year which could have allowed bad people to take control of a machine running Zone Alarm.

The good news is that both vendors are responsive and responsible. Black Ice already had a fix by the time the Witty worm came out. Zone Labs fixed Zone Alarm within days after they heard about their bug.

The bad news is that you have to install the updates. Security is like staying healthy: you've got to keep working out all the time.

What about firewall appliance boxes? Well, those are just small computers running a firewall program. You need to update them every now and then. Every few months, check the manufacturer's web site for "firmware upgrades".

Don't panic, and keep running your firewall. No matter what, you're better off with it than without it.


Wednesday, April 14, 2004

It may not be your fault 

Whose fault is it when a worm spreads?

The nerds on Slashdot were discussing this recently. Is it the user's fault for opening an email attachment? I argued that it isn't.

In plain language, my argument is that people are already kind of careful about what attachments they open. Worms are only spreading by trickery. They pretend to come from someone the victim knows. They pretend to be documents instead of programs. And let's face it -- how many people could do their jobs without receiving documents in email from people they know?

What you can do to protect yourself is


Give away your old computer, not your old data 

How to throw away a computer

Before you send your old computer to a nonprofit or to a landfill, stop and think. Is there anything on the hard disk that you want to erase first?

Windows may have stored passwords for you. It certainly stored a record of what Web sites you've visited. If you don't visit embarrassing Web sites, what about your old email? Did you type any letters that included a credit card number?

People have thrown out hard disks with all sorts of sensitive information on them.

When you format a disk and Windows tells you "All information will be lost!", all Windows means is "I won't be able to find it". Running a normal format or fdisk command overwrites the system's map of the disk but doesn't overwrite your data. To keep your data safe you need to run a program that writes over every sector on the disk.

The simplest and cheapest way to write over your data is to boot with a DOS floppy and type "format /u". The "/u" flag is supposed to destroy your data. You can also download a utility that's specially built to overwrite your data. If you like doing your own research, Sarah Dean put together a review of several disk-shredding utilities. And if you like paying for software, the Norton Utilities include a program called WipeInfo which will do the job nicely.


Microsoft's Ten Immutable Laws of Security 

Microsoft hires some of the smartest people I know. Really smart people can explain technical concepts in plain language, and Microsoft’s security team did just that in a white paper called “The Ten Immutable Laws of Security”. The list came out in 2000, but the advice is timeless. The ten laws are worth remembering, and if you want help remembering them Microsoft has them in the form of a screensaver . Microsoft has some good commentary along with each of the ten laws, but there’s more to be said about each of them. Here they are, somewhat paraphrased, with my own commentary replacing Microsoft’s.
Run software from a bad guy, and you’ve given away your computer.
That’s the “don’t take candy from strangers” principle. Keep this in mind, and you can avoid a lot of trouble. On a typical desktop machine, running a program requires as much trust from you as handing over the keys to your car.
The practical problem you run into if you try to live by this principle is that it’s too hard to tell when you’re running a program. Browsing to a Web page may run Javascript code. So may reading a piece of HTML email, depending on the settings in your email program. So can previewing a piece of HTML email. Double-clicking a file either opens a document or executes a program in the file, depending on the file’s extension. Everybody knows what a .EXE is, but normal people with non-computer jobs can’t be expected to know that a .PIF or a .SCR may be a program. To make matters worse, virus authors know several tricks to keep an extension from showing up on the screen. There’s a security hole waiting to happen as long as random software is allowed complete access to the computer.
Microsoft addressed this problem starting with Windows 2000. If you run as a normal user instead of running as Administrator, and if you installed to an NTFS volume, then you can’t modify the system files and therefore any virus running on your account can’t either. On the other hand it can still send out embarrassing email or wreck your documents.
The open source world has a potentially more powerful solution. They have a program called systrace, which was originally developed for the ultraparanoid OpenBSD operating system and has been ported to Linux. You can use systrace to specify in great detail what a program is and isn’t allowed to do. For example, you could restrict your mail program so that it could only save files in certain directories, could only read certain files, and so on. Systrace can watch a program’s normal behavior and build a set of permissions that allow routine operation but nothing more.
Allow operating system changes from a bad guy, and you’ve given away your computer.
That looks redundant to the first law but it really isn’t. You can partly protect yourself from evil application software by logging in to a non-Administrator account. But you have to be logged in as an Administrator to install system software.
Use extra care to get system software from trustworthy sources. Email is not a trustworthy source; quite a few people got burned when bad guys sent around forged email that seemed to come from Microsoft and claimed to contain a “system update”. Of course the program attached to the forged email was a worm and not a system update.
Device drivers are system software. Have you seen a Blue Screen of Death recently? That’s an operating system crash. If you’re running newer versions of Windows, usually Microsoft’s code was running OK and a buggy device driver caused the blue screen.
Make sure to get device drivers and driver updates direct from the manufacturer.
Let a bad guy tinker with your computer, and you’ve given it away.
There’s no substitute for physical security. Did you know that there are free programs that allow a person to change the Administrator password of a Windows machine from a boot disk, without knowing the original password? Did you know that there are keystroke recorders that fit inside the keyboard cable, look like RF suppressors, and can log everything you type including all your passwords? Allow a stranger more than a couple of minutes alone with your computer, and you’re showing a lot of trust.
Let a bad guy put software up on your web site, and you’ve given it away.
You don’t take candy from strangers. Don’t let strangers give candy to your website visitors.
Use dumb passwords, and you’ve wiped out your security.
Password guessing programs are really good these days. They can try every word in the dictionary, make substitutions like “$” for “s’ (so “pre$ident” is a weak password), and many come equipped with lists of commonly chosen passwords. Some even have the complete text of all the Star Wars episodes. And they can try tens millions of passwords every second.
The strongest passwords that are still halfway memorable are random phrases built from a word list like the one on Diceware . You pick the words by rolling dice. A four-word phrase is all the security a normal person needs. Check first whether your operating system or application allows long passwords. Microsoft began allowing 127 characters in passwords with Windows 2000. Linux and the BSD’s allow long ones as well. Mac OS X prior to 10.3 only uses the first 8 characters in a login password.
Forget lines from songs, and things like that. They’re too easy to include in a password guessing program. Ditto keyboard patterns.
Here’s my personal heresy. If it’s too hard to remember, write it down. How much is access to your computer worth? If it’s less than a hundred dollars, just carry the password in your wallet. If you do home banking, then your passwords are worth more and you should store them wherever you keep valuables. In any event you are more at risk with a simple password than with a written password in a protected place.
At least, please, please change all the default passwords for your firewall, wireless access point and so on!
Hire the wrong administrator, and you’ve given your computers away.
That one really doesn’t apply to the home user, but give it some thought at work. An undertrained or overworked system administrator can hurt you just as much as a criminal one.
Encryption doesn’t protect your data.
Seriously. All it does, when you think about it, is change the problem from keeping your data secret to the problem of keeping your decryption key secret. That’s an easier problem but still a difficult one.
The most common mass market encryption programs protect decryption keys with a password. Pick a good one.
Encryption can actually endanger your data. What happens if the only person with the key(s) gets fired, hit by a bus, or can’t drive in to your backup site after the big earthquake? Then all your data and all your backups are useless.
Think encryption through carefully if you’re going to use it for anything important.
If you run your computer with an outdated virus scanner, you’ve given it away.
The virus you’re most likely to get is a brand new one that’s just starting to circulate. Unless you’re updating frequently, your antivirus software won’t recognize it. Some antivirus software may catch it anyway, but running software like that will waste your time with false positives.
Set your antivirus software to update automatically, pay the subscription fee to keep the updates coming, and check whether the updates are actually happening.
You’re not anonymous, no matter how hard you try.
You can make yourself harder to find, but not impossible to find. In the worst case, someone could identify you by your writing style with computerized text analysis, and all the anonymizing technology in the world wouldn’t save you.
Which brings us to Microsoft’s tenth commandment:
Technology isn’t going to save us.
Locks and alarms didn’t end crime in the physical world, and security technology won’t end crime in cyberspace. Crime is like that wrinkle in the carpet that you can shift around but never get rid of. Your mil-spec firewall doesn’t make a difference to that nice man in Nigeria who wants to wire you a few million dollars. Your street smarts and alertness will make the difference.


This page is powered by Blogger. Isn't yours?