Sunday, May 30, 2004

"Should I hire a security consultant? What's a CISSP anyway?" 

Do you need a security consultant? The wimpy answer is "it depends". The honest answer, if you're the small business or home user I'm writing for, is "probably not".

If you have a low profile, you'll only be attacked by relatively dumb automatic programs that look for common vulnerabilities. All you need to do is have a cheap firewall, updated antivirus software and a freshly patched operating system. Then you're like the hiker who put on running shoes when the bear attacked. He couldn't outrun the bear, but it was enough to outrun the other hikers. If you take basic precautions then the automatic "doorknob-twisting" attack programs will move on and infect your neighbor instead.

You may want to pay someone to help develop a disaster recovery plan for your small business. It'll have to be a cheap and basic plan, because paying for it is like paying your fire insurance premium: it doesn't help you meet payroll or serve customers. A disaster plan is a service that you should expect a security consultant to be able to provide.

Medical records, financial records and customer credit card numbers require some special care. Unless you have an IT staff with spare time to study the regulations, it makes sense to bring someone in to guide you through the statutory and technological maze.

You probably need a consultant if you have a big business partner who demands that you use some unfamiliar technology when you talk to them.

How do you pick a security consultant? First of course you'll ask around and look for referrals. Then all the candidates will start talking alphabet soup at you. Here's a quick guide to what different credentials mean.

The CISSP (Certified Information Systems Security Professional) certification is for generalists. The CISSP exam covers physical security, management procedures, and disaster recovery as well as technical expertise. A CISSP should be qualified to give you a broad security analysis. That's important and valuable: what good is your firewall if someone can get your business secrets by going through your dumpster?

The GIAC (Global Information Assurance Certification) certifications are deeper and more technical. Those are credentials to look for when you're hiring people to build secure network devices.

Vendor-specific certifications come in handy after you've decided how much security you need and how you're going to get it. Cisco's CCNA, CCIE and other credentials help protect you from paying somebody by the hour while they learn to use your equipment.

Above all look for someone willing to understand your business and make compromises between being "secure" and meeting your budget.

|

Saturday, May 29, 2004

Does your antivirus software warn you about this page? 

On May 16, a blog entry here warned about a way bad guys can disguise where a web link goes, and gave an example. The example was a link that (in some browsers) looks like it goes to coke.com, but actually goes to pepsi.com.

An alert reader (thanks, John!) wrote to say that his McAfee VirusScan complained when he visited this page. Commendably, VirusScan looks for exactly that trick and warns its users.

If you click my example, the worst that can happen is that you'll get Pepsi instead of Coke (some people think that's bad enough!).

It's good that the anti-virus software raises its hackles and barks when it sees something strange. Remember, though, that you're smarter than anti-virus software and your ultimate protection is being street-smart. If someone walks up to you on the street and says "Hey, come into the alley here" you won't do it. Same deal in cyberspace. If you get spam with a link that says "click here for free porn!", well, don't walk into that alley.

|

Easy solution for the big Mac OS X vulnerability 

Mac OS X inherits security-mindedness from Unix. OS X will confine nasty software to damaging only your home directory. The recent flap has been that nasty software could run on your machine simply because you visited a web page. That nasty software could erase all of your personal documents even though OS X would protect system files against it.

Apple's 5-24 security upgrade is good but fixes only part of the problem. An independent developer wrote a free program called "Paranoid Android" which watches where your web browser is going and warns you about suspicious content. The developer has a good reputation in the Mac community and his program should be safe to download.

Here's my workaround. Create a new user account and log in to it whenever you have a reason to browse untrustworthy web sites. If there's any damage it will be confined to that user account and won't hurt your own files.

From System Preferences, click on Accounts and click the New User... button. A wizard pops up. Answer its questions, and when you're given the chance to give the new account Administrator privileges, create it without them.

You can even copy your bookmarks over to the new account if you want.



|

Wednesday, May 26, 2004

Do you have a wireless network without knowing it? 

WiFi technology is so cheap and easy these days that you may have set up a wireless network without meaning to.

Broadband ISPs usually supply you with a box to connect your computers to the network. That box may be versatile and offer you several ways to connect. Some boxes (or "home portals") allow wireless connections but keep the antennas on the inside, like this nifty gadget which SBC is sending to customers. So just by looking you can't tell that it's a wireless networking device.

What if your installer leaves the wireless option turned on? Then you're blindly sharing your Internet connection and your home network with everyone inside radio range.

You're a neighborly person, I know, and you may decide this is just fine. On the other hand, you may not want the pervert next door surfing for who-knows-what over your connection. You may also be sharing files on your home network without wanting to share them with the neighbors.

Rumor has it that some ISPs are actually installing open wireless access points for unsuspecting customers. I haven't tracked down authoritative details, but reports are circulating that ISPs in California and New England have been leaving their customers open. One ISP, allegedly, has been installing wireless-capable access points without even the luggage-lock security of "WEP" (Wired Equivalent Privacy).

Your best move is to dig out the manual for your "portal", "cable modem", "home gateway", "DSL modem" or whatever it's called and look up how to check its settings. Usually you just type its network address into your browser, for example http://192.168.123.254. Then turn off any networking features you're sure you don't need. Which is just what you should do anyway with any piece of security-related equipment.


|

Norton Antivirus 2004: run LiveUpdate! 

Symantec just released an update which fixes another bug that could have allowed nasty people to take over your computer by subverting your firewall.

|

You can have privacy problems without computers 

If you read much security literature you quickly get tired of hearing "security is a people problem, not a technology problem".

It's true, though. Another security blog reported an ugly security breach with no computers involved. Did you ever wonder what happens to the records of your old prescriptions, including the embarrassing ones? If you bought drugs at the Walgreen's in Creve Coeur, Missouri, your records were in an unlocked filing cabinet under the paper towels in the women's restroom. Read this article for more details.

A lot of "computer breakins" happen when a company is equally careless with a computer system.

Maybe it's time to call up one of the businesses that stores your personal information and politely ask how they protect it. Don't expect a business to care about your privacy before you show them that you care.

|

Tuesday, May 25, 2004

You hardly ever hear about this powerful security technique 

Just back up your data.

Backups are a versatile security technique. In one step they can protect you against theft, fire, hardware failures, user error, and destructive viruses.

If you're running a Windows machine you're stuck with an annoying amount of work finding the data you need to back up. You'll start with the My Documents folder, of course. But then you'll discover that all your Outlook email is in a folder with a name like "C:\Documents and Settings\me\Local Settings\Application Data\Microsoft Outlook". A friend of mine who spent years as a Microsoft programmer faithfully backed up his My Documents folder but then lost years of email and his whole address book in a disk crash because he didn't know where Outlook was storing it all. Your browser bookmarks, if you're still using Internet Explorer, are in "C:\Documents and Settings\me\Favorites".

So maybe you want to copy all of "Documents and Settings" someplace to back it up, but that doesn't cover everything because some programs (Quicken, for example) like to write data into the same folder where the program is installed.

But you don't want to back up the whole computer, not very often. Most of it doesn't change and you're better off if you can fit your data backup onto a writable CD.

The best I can come up with is to make a list of the things you do every week (email, Quicken, and so on) and figure out where your computer is storing the data. Then make a routine of burning a CD with the data.
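The routine described above can be scripted. This is an added example, not something from the original post: the function names, the 700 MB CD size and the archive naming are assumptions, and the folder list at the bottom simply repeats the paths the post mentions, with "me" as the user name.

```python
import os
import zipfile
from datetime import date

CD_CAPACITY_BYTES = 700 * 1024 * 1024  # assumed capacity of one writable CD


def plan_backup(sources):
    """Walk every listed folder.

    Returns (files, total_bytes, missing) where files is a list of
    (path_on_disk, name_inside_archive) pairs and missing lists the folders
    on your list that do not exist, so a wrong guess about where a program
    keeps its data shows up before the disk crash rather than after.
    """
    files, total, missing = [], 0, []
    for index, src in enumerate(sources):
        if not os.path.isdir(src):
            missing.append(src)
            continue
        # Prefix with the list position so two folders with the same name
        # (for example two "Data" folders) cannot overwrite each other.
        top = f"{index:02d}-{os.path.basename(os.path.normpath(src))}"
        for root, _dirs, names in os.walk(src):
            for name in names:
                path = os.path.join(root, name)
                try:
                    total += os.path.getsize(path)
                except OSError:
                    continue  # file vanished or is locked; skip it
                files.append((path, os.path.join(top, os.path.relpath(path, src))))
    return files, total, missing


def write_backup(sources, dest_dir, today=None):
    """Write backup-YYYY-MM-DD.zip into dest_dir and verify it.

    Returns (archive_path, missing_folders). Raises ValueError when the data
    is too big for one CD, and OSError when the archive fails verification.
    """
    files, total, missing = plan_backup(sources)
    if total > CD_CAPACITY_BYTES:
        raise ValueError(f"{total} bytes will not fit on one CD")
    stamp = (today or date.today()).isoformat()
    archive = os.path.join(dest_dir, f"backup-{stamp}.zip")
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, arcname in files:
            zf.write(path, arcname)
    # A backup you have not read back is only a hope: re-open and check it.
    with zipfile.ZipFile(archive) as zf:
        if zf.testzip() is not None or len(zf.namelist()) != len(files):
            raise OSError("archive failed verification")
    return archive, missing


if __name__ == "__main__":
    # The folders named in the post; edit the list to match your own habits.
    my_list = [
        r"C:\Documents and Settings\me\My Documents",
        r"C:\Documents and Settings\me\Local Settings\Application Data\Microsoft Outlook",
        r"C:\Documents and Settings\me\Favorites",
    ]
    found, size, not_found = plan_backup(my_list)
    print(f"{len(found)} files, {size} bytes")
    for folder in not_found:
        print("WARNING: not found, check your list:", folder)
```
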

Backing up the operating system and the programs you use is a different kind of problem. For that I refer you to The Elder Geek, a web site full of wisdom and step-by-step instructions.


|

Sunday, May 23, 2004

How to recognize a hoax 

If you're walking down the street in the city and see someone with a sign saying "THE END OF THE WORLD IS NEAR" you know how much attention to pay.

People like the man with the sign are on the net now and starting chain letters. People believe the chain letters because they appear on a computer screen, and pass them along to you.

Linuxsecurity.com has a guide to being street-smart about online hoaxes. It even points to some web sites that investigate which rumors are true and which are bogus.

|

Another update on the Mac OS X problem 

Right now I think your best move is to download a utility called "Paranoid Android" from an independent developer. "Paranoid Android" covers some attacks that Apple's update doesn't (yet).

There's still no complete, convenient fix. It's a system-level problem, so all browsers are affected (except maybe Opera, according to one report).

|

Saturday, May 22, 2004

Have another rant! No extra charge! 

You can read more about the recent Mac OS X vulnerability at SecurityFocus. Their article is impressively accurate.

SecurityFocus quotes Apple:

In a statement issued along with the patch Friday, Apple called the hole a "theoretical vulnerability" that never placed customers at risk.

"Apple takes security very seriously and works quickly to address potential threats as we learn of them -- in this case, before there was any actual risk to our customers," said Apple's senior vice president Philip Schiller. "While no operating system can be completely immune from all security issues, Mac OS X's UNIX-based architecture has so far turned out to be much better than most."


I feel like screaming from the rooftops:

Security is not a PR problem!

"Actual risk" doesn't begin when a massive worm attack makes headlines. Apple heard about this particular vulnerability in February. Apple didn't publish a security update until someone went public with the news. For all that time the vulnerability was no more "theoretical" than a loaded pistol on the floor of a day care center. Nobody picked it up and started shooting (thank God for small favors) but that's no excuse for complacency.

Complacency trumps technology. Leaving serious bugs unfixed ruins the security advantages of OS X's Unix core.

|

Mac users, here's an update 

Apple's released a security update for the recent horrible OS X vulnerability. Run Software Update and install it. So far, the update seems to be problem-free. Try to stay calm when you notice the update is dated 5-24: as far as I know Apple hasn't invented time travel.

Some clever good guys, who know the Mac system cold, have found attacks that can still succeed after the update. Stay tuned, and now would be a good time to limit your surfing to sites run by decent people.

|

Friday, May 21, 2004

How much is your computer worth, Part 2 

Worms and viruses often enslave the computers they infect, putting the computers under the control of the virus creator. Then the virus creator may rent the infected computers to spammers or other criminals. At last report, the going rate was five cents per machine per use, which tells you that infected machines are cheap and plentiful.

Infected machines are so cheap and plentiful that one new Internet worm starts by checking whether the machine it just found is worth infecting. The "Bobax" worm runs a test to see whether it's on a machine with a high-speed Internet connection before it "phones home" to tell its creator that it's enslaved the machine.

Keep your antivirus software and system patches up to date, or your computer may not even be worth a nickel.

|

Do you like rants? Here's a rant. 

When you open your physical mail, as a rule it doesn't spring to life, take over your house, and rent it out to drug dealers.

When you open your email, it should be the same way. It should be just plain data, like the letters your mail carrier delivers. If it were just plain data, you could still follow the advice that security people gave a few years ago, when they said that simply reading email could never hurt your computer. Today your email, or the Web sites you visit, can potentially spring to life, take over your computer, and rent it out to Viagra spammers.

The reason there's a problem is that software publishers added features to provide a "rich user experience" and people bought software with the extra features. The extra features replaced "boring" text with flashy animations and gadgets. That eye candy cost us security, because it allows email and web sites to control your computer.

The latest "rich user experience" causing havoc is the Macintosh OS X vulnerability in the previous blog entry. The problem there was that web browsers on the Mac can open disks automatically over the network and run online help. Then the Mac's online help system can run programs for you. Put those "conveniences" together and any web site you visit from your Mac can run any program it wants on your Mac.

That kind of "convenience" we don't need. I don't make it "convenient" for people to walk into my house without permission.

We need software makers to build programs that don't blindly trust content on the wild Internet. Programs like email and browsers that handle material from the Internet should open it carefully and let you look at it before they do anything with it.

If you want technical detail on the Mac vulnerability, there's a confused but informative discussion on MacNN.com.

|

Thursday, May 20, 2004

Best instructions I've seen for the serious new Mac vulnerability 

You need to fix this one if you run Macintosh OS X. It allows bad web pages to run code of their choice on your computer, and reports are that bad guys have actually started using it.

Apple hasn't released a fix of their own yet. When they do, apply it. Meantime there's a workaround. The site with the workaround has careful step by step instructions and doesn't ask you to download special software.

|

Monday, May 17, 2004

Life in the big city 

Remember when all the writers were calling the Internet the "information highway"? It's not a highway, it's a city. Specifically it's a big city, and you need to follow big-city rules to be safe.

You also read how the Internet "abolishes distance", but nobody talked about how that changes your safety. You keep safe in physical space by crossing the street to avoid suspicious people and living far from bad neighborhoods. Those bad neighborhoods, when distance gets "abolished", are suddenly right next door. The Internet's red light district is pouring through your mail slot in the daily spam, and bad people are constantly "twisting the doorknob" on your firewall to see if they can get in.

Big cities pay you back for their problems by offering culture, education, and entertainment. All of those are also right next door on the Internet. MIT publishes lecture notes and homework problems for their classes, for free. Project Gutenberg offers over 10,000 books online at no charge. Google gives access to a wealth of information which would have been unimaginable to the most sophisticated mid-century city slicker.

Like a city, the Internet brings the wonderful and the horrible within reach. Unlike a city, the Internet brings them both right next to you.

I know a New Yorker whose mother taught her "be alert, be aware, but never be afraid". It's good advice on the Internet too. Take simple, common-sense precautions and get out there and enjoy the treasures.

|

Sunday, May 16, 2004

If you want much more detail on wireless security 

For this blog's intended audience of home users with better things to do, I leave out a lot of detail. If you're curious and want to know more, Tony Bradley's blog has a good article with more WiFi security tips.

Tony Bradley is a fellow CISSP who offers sound, down-to-earth advice.

|

Bad guys can easily disguise where a Web link goes 

You're used to clicking on a link and going someplace useful. After all, that's what the web is all about.

Even if the link has some useless text like "click here", you still expect that you can find out where it goes by running your mouse over it.

In some browsers, that may not work. Play with the link below. The results will depend on what browser you're running. Most versions of Microsoft Internet Explorer will be completely fooled.


Run your mouse over this. Look at the bottom of the window. Does it say Coke, or Pepsi? Now click and see where you go.


(Danish security firm secunia.com reported this problem last year).

Bad guys have been using tricks like that one to make you think you're visiting some trusted site like your bank's when you're actually going someplace controlled by the bad guys.

Internet Explorer is so vulnerable to tricks like this that Microsoft actually tells you to type in URLs instead of clicking them: http://support.microsoft.com/default.aspx?scid=kb;[ln];833786

|

Is that security bulletin really from Microsoft? 

Last fall an estimated million and a half computers were infected with a malicious program which spread by pretending to be a Microsoft security update. It was a truly nasty piece of work which tried to turn off firewall and antivirus software. It came as an attachment to email forged to look like it came from Microsoft.

Forged security bulletins from Microsoft are something you can spot and avoid. Microsoft tells you how on their web site. The simplest check you can make is to look at whether there's an attachment. Attachments will never carry security updates, Microsoft promises. The second simplest is to look at the Microsoft web site to see if the email matches a real Microsoft security bulletin.

|

A hidden Windows feature that really helps 

Suppose you've followed my advice, and you log in to your Windows system without Administrator rights.

Sooner or later, probably sooner, you'll find something that doesn't run right. When you're logged in as a normal user rather than an Administrator, all your normal activities should work in a correctly written program. There's a lot of badly written software out there. There's no excuse for a typing tutor program to need Administrator powers simply to run, but it does.

You'll appreciate shift-right-clicking when that happens. It lets you temporarily promote yourself to Administrator. If you mouse over the icon or menu item to run a program, hold down the shift key, and press the right mouse button instead of the left, you'll see a menu pop up. Near the top of the menu, there's an item called "Run As ...". Click it. You'll see a dialog with the choice "Run the program as the following user". Type in the username and password for your administrator account, and click OK. Then you're running the program you started as if you had logged in as an administrator. When you close the program, you're back to normal.



|

Friday, May 14, 2004

What to do when a virus hits your computer 

Skydivers have an all-purpose piece of advice about midair emergencies. No matter what goes wrong, their standard wisdom is "don't get there in the first place".

That's good advice for virus infections. Keep your Windows installation patched, update your antivirus software regularly, and don't run strange software. Also, look in the help for your antivirus program for how to create "rescue disks".

Once you get a virus, you're lucky if your antivirus software can remove it. Today's viruses are starting to turn off antivirus software and prevent you from getting fixes on the Web. But it's worth trying.

Plan B is to reboot your computer from the "rescue disks" you made earlier. That way the virus code doesn't get a chance to run and interfere with your fixing your computer. But you still might not get everything.

Some pessimists suggest that the only safe thing to do is to save as much data as you can, erase your hard disk, and reinstall everything. The problem is that you're almost certain to lose data. I don't want to give in to despair, but one of those pessimists is highly qualified. Microsoft's Dr. Jesper M. Johansson is a CISSP like me and argues that your only safety is to use scorched earth tactics. He makes a virus infection sound like that scene from the movie Aliens where Ripley suggests "I say we take off and nuke the entire site from orbit. That's the only way to be sure."

Software engineer Terry Gliedt also believes the nuke-it-from-orbit philosophy. I think his advice may be a little overstated but he's good at describing everything you need to do step by step.


|

Thursday, May 13, 2004

Update your Symantec firewall today. The other shoe has dropped. 

Symantec recently fixed a bug that could crash their firewall products. The security company which discovered that bug had also found another that would allow bad people to take over your firewall.

Do a Live Update today and you'll get Symantec's fix for the takeover problem.

|

Wednesday, May 12, 2004

Macintosh users need to be alert too 

There's been very little evil software attacking Macintoshes. Some writers have even said that antivirus software on a Mac is "optional".

A Mac user recently downloaded a file called "Microsoft Word 2004" from a file trading service (bad idea). It had a Microsoft icon (so what?). He ran it. It erased all his documents.

He should have remembered two of the eternal rules of security:

|

Tuesday, May 11, 2004

Why you really, really want XP Service Pack 2 

"An ounce of prevention is worth a pound of cure."

Microsoft has been sending out tons, not pounds, of cure the last few years. Megabytes of security patches every month are better than nothing, but still a royal pain to install.

Microsoft is fixing some root causes of problems in SP2. For a home user the big news is that the web browser and the email program are less promiscuous about installing programs from strangers. Under the hood they've wired in some clever prevention to stop entire classes of attacks from working. The built-in firewall is on without any work from you and is a respectable product.

What can you expect from SP2? There will still be security problems. Windows is just too big and complicated to be problem-free. You can realistically expect fewer problems and less severe ones. You'll still need to have up-to-date antivirus software. You'll have some more decisions to make: instead of installing software from Web sites behind your back, SP2 will ask you first. Say "No" unless you trust the supplier and know what the software is for.

(Disclosure: I'm a former and prospective Microsoft employee)

|

Sunday, May 09, 2004

Is Google's email service a privacy problem? 

I'm a beta tester and I'm slackjawed at the amount of nonsense out there. There's a real set of issues but sheesh, it's not the ones people are talking about.

The most common objection is that Google will show ads based on the content of the email you're reading. The ads are exactly like the ones you see when you're searching the web with the Google search engine. If you send email at all you're used to the idea that a computer can see your email. If you use a spam filter or virus filter you're already letting a computer read the content of your email.

There's a complete review with screenshots at ExtremeTech. Journalist Jim Lynch adds commentary in his blog.



Want to know what the real problem is? GMail is too powerful and convenient. With 1000 megabytes of storage and Google searching to organize it, people are going to store everything in their GMail accounts. After a few years your GMail storage will be a tempting target for scammers, snoops and divorce attorneys. Current law makes it easy for the government to look at it. Anyone who tricks you out of your GMail password can have a wonderful day romping through your data looking for words like "credit card", "prescription", or "confidential". They could do that to your Hotmail account, but Hotmail doesn't let you have enough storage to keep your whole life there. They could do it with email stored on your local machine, but that might require getting into your house first.

|

Saturday, May 08, 2004

eBay offers tips for spotting scam email 

Go to eBay's consumer tips for a list of signs that forged email is trying to trick you out of your password.

My advice is simpler -- don't give out your password unless you're the one who started the transaction. That means contacting eBay (or your bank) directly, typing in the Web address yourself. If you follow a link in email, then the email sender's the one who started the transaction, and they probably used a technical trick to make the link go to them instead of to eBay.

|

Here's more decent info on avoiding spyware 

My fellow CISSP Tony Bradley offers you down-to-earth tips on this page. He names some safe places to find free software and explains the hazards of clicking "Yes" to everything.

|

Friday, May 07, 2004

How to tell if a virus alert is a hoax 

Sad to say, some of the warnings making the rounds are bogus.

You can spot many of the hoaxes without being a computer expert. The opinionated but useful site vmyths.com has a list of warning signs. If you want a list that's longer and more boring, check out this government site.

The single biggest tipoff is if you get mail that says "please forward this to all your friends". Real alerts from antivirus companies and corporate security departments never say things like that.

|

Thursday, May 06, 2004

Should you even care about securing your home wireless network? 

OK, you're not running a business. You like your neighbors. What's the problem if someone outside your house can share your Internet connection?

Well, maybe none. You might see a slowdown when the teenager next door starts huge music downloads using your wireless network. If you're using a cable modem, the cable company might cut you off for "excessive use". Cable companies do that sometimes, but never explain what's "excessive".

It gets worse. The Recording Industry Association of America has been suing individuals lately for downloading copyrighted music. They sue the owner of the network address used for the download. That would be you, if someone connects to your wireless network and downloads Britney Spears tunes. If you get sued, there's a risk that the case will be in the newspapers and that everyone will think that you like Britney Spears.

Every now and then people on the wrong side of the law hunt for open wireless networks to use for illegal activity. Warning: don't click the following link if you're squeamish. There was a dramatic case of this in Canada last year.

Suppose you decide not to share your Internet connection. What do you do?

There are entire books about WiFi security. The basic problem is that almost all the security features available today are easy to bypass. They keep honest people and lazy people out of your network and only slow down the rest.

If you're buying all new equipment, look for the acronym "WPA". It's a little more work to set up. It's also new technology so glitches are likely. Use good passwords and you'll get good security as far as anyone knows today.

On older equipment the best you can expect without lots of effort is to persuade intruders to drive to a more vulnerable network. The easiest way to repel honest people is to rename your network. Use a name like "GOAWAY()". Wardrivers recognize the closed parentheses as a sign the network is meant to be private. Everyone else should understand "GOAWAY". But don't make the name a challenge.

Dishonest but lazy people will go away if you turn on the security features of your access point and your wireless cards. Look for the acronym "WEP" in the help files for your equipment. This is only about as secure as the lock on your bathroom door but it's more than most people do.



|

Wednesday, May 05, 2004

Hidden problems of maintaining your computer 

Everyone tells you to "patch" your computer. It's like taking your car in for a recall, only it happens more often and you can do it over the Internet.

Well, maybe you can do it over the Internet. Dialup is way too slow for the big files Microsoft sends you when you pick Windows Update from the Start menu. Last time I wrote about this, I recommended ordering patches on CD from Microsoft. The bad news is that the CD doesn't include the last six months of patches. The other bad news is that people are starting to report that it's taking three months to get the CD.

Dialup users still need the security updates. If you're on dialup my best advice is to wheel your computer into the library or into the home of your long-suffering technical friend to download patches over a broadband connection. Do this on the second Tuesday of every month, when Microsoft issues regular updates.

|

Tuesday, May 04, 2004

"Am I stupid?", Part 2. The debate continues. 

Tim Mullen argues in The Register that "The solution [to security problems] is for the end user to start caring".

He wrote the column to rebut "Stop Blaming the Victims", a Wall Street Journal column by Walter Mossberg.

Since then others have argued that Mullen was unrealistic. The "joat" (Jack Of All Trades) blog (recommend it to your technical friends) carried a stinging rebuke.

All these arguments are useless. Fixing blame is for lawyers. Winners fix problems.

You, the end user, can contribute to fixing security problems. You can substitute street smarts for technical wizardry. Your common sense will take you a long way.

|

Sunday, May 02, 2004

Whose PC is it, anyway? 

The FTC (Federal Trade Commission) held a workshop on spyware last month. They invited spyware companies to attend. Maybe they're imagining that some kind of industry self-regulation will work.

Do you think you have property rights in the PC you paid for? Spyware companies don't. The author of the Spyware Weekly Newsletter asked one of the panels about regulating obnoxious behavior like software that fights back when you try to uninstall it. He got a shocking reply.

The Software & Information Industry Association's Mark Bohannon said he didn't think you should have a specific legal right to uninstall software on your computer.

Think about that. Think about the arrogance behind an attitude like that. You need to protect yourself against people like that. So far the government isn't helping.

|

Saturday, May 01, 2004

Impersonation just got easier 

The crooks who pretend to be your bank so they can trick you into giving them your banking password now have a new weapon.

Most security advice out there says you should check whether there's a lock icon at the bottom of your browser window. Supposedly if it's there, you can be sure you're talking to the real website for your bank, and you can be sure your information is protected on its way there.

Recently I wrote:

I didn't mention looking for the padlock icon at the bottom right. If you see that, then some really sophisticated technology is trying to keep your credit card number unreadable and ensure that you're really talking to the site you think you are. Unfortunately that technology only works if a bunch of people you've never heard of did their jobs right. There's no substitute for street smarts.


Coincidentally, a bug report just surfaced on one of the security mailing lists about a bug in Internet Explorer. If the guy is right, a bad guy can trick IE into displaying a lock icon and telling you that you're talking to your bank when you're really talking to a criminal impersonator.

Protect yourself by typing security-critical addresses yourself or picking them from your own bookmarks. Don't click the link from an email that says "log in immediately to get a security fix". Even if the link looks fine it could still be a fake.

|
