Wednesday, June 30, 2004

Cockroaches in the kitchen 

Sometimes it's just no fun being right.

I've been worrying about the security of cheap networking equipment for home offices and small businesses. Writing secure software is hard and takes time. The companies that make these network appliances work hard to squeeze every dime out of their costs and they race to meet market demand. Their speed and efficiency give us a wealth of nifty affordable equipment but it's no recipe for security.

When the first security problem came up in home networking equipment I compared it to finding one cockroach in the kitchen. You have to worry that there are more cockroaches waiting in the woodwork.

Since then lots of wireless access point and firewall products have had problems discovered. Some are funny but show dangerous sloppiness, others are serious. There will be more, because when programmers are in a hurry they copy programs that already seem to work, which means they copy all the bugs and security problems too.

The Linksys WRT54G wireless access point had a security problem that sounded more alarming than it really was. The administration interface, where you set and change the security options, was exposed to the public Internet even if you told the device you didn't want remote administration. That sounds terrifying but you're safe if you turn on the firewall features, which I hope everybody has. Linksys has this fixed in the latest firmware.

The D-Link AirPlus DI-614+ and DI-704 have a serious problem, but it requires a sophisticated attack. Brace yourself for some technical language, or skip this paragraph. When the D-Link box issues an IP address via DHCP(Dynamic Host Configuration Protocol), naturally enough it logs the event. The log includes data from the computer that got the IP address. Unfortunately it doesn't adequately check that data. An attacker running a custom-built DHCP client program could insert HTML commands into the log which could reset the D-Link box or (more difficult) change the settings the next time someone looked at the log. This problem was unsolved as of 6/22.

NETGEAR's WG602 had a "backdoor" password, impossible to disable, which allowed bringing up the administration interface even if you'd changed the usual administrator password. The login was "super", and the password was the phone number of the company in Taiwan that builds the innards. The researcher who discovered the problem looked at NETGEAR's "fix" and reported that they'd just changed the login to "superman" and the password to "21241036". Yes, you can firewall off access from the Internet, but you're still vulnerable to anyone near your coffeeshop with a Pringles can.

It's not just the little guys who have hidden back doors in their products. Two Cisco enterprise products, the Wireless Lan Solution Engine and the Hosting Solution Engine had a nonremovable backdoor password. Cisco did fix this one.

If you'd like to hear about a more benign problem, the NETGEAR FVS318, Linksys BEFSR41, and Microsoft MN-500 won't let you log in to administer your box if someone else has made enough simultaneous connections to the administration web page. NETGEAR and Linksys boxes clam up after 7 connections. Microsoft's boxes, which really did offer better security, don't lock you out until there are 31 simultaneous open connections. This could be a problem if you run a public Wi-Fi hotspot and a prankster comes by.

The BT Voyager ADSL Router/Access point will simply tell you its password if asked politely via SNMP (Simple Network Management Protocol).

"Stop telling me about problems! Give me something useful to do about it!"

OK, that's fair. First, run a separate firewall even if your equipment claims firewall-like functionality. Second, check the vendor's web page every down and then for "firmware" updates. You may get a security fix, and probably some reliability improvements. Consider taking a cheap old computer and turning it into a firewall and Wi-Fi access point with free software that's already been checked for security holes.


Do you ever discuss anything confidential in email? 

Some small business owners got a rude surprise when they discovered someone was routinely reading their business email.

Bradford Councilman ran a web site for rare and used book dealers. He also offered them email service. What the dealers didn't know was that he'd installed a program to make copies of their email so he could find out what his competitors were bidding. An appeals court in Massachussets just decided that he can get away with it.

OK, you probably don't get your email through a competitor. Technical people at your email provider can still read your email. They're always far too busy and usually too ethical to snoop. But they don't have to worry about getting caught if they're in Massachussets.

What about real life? How much risk is there? Well, imagine that you're in an industry like big-city construction and you have crooked competitors. What if they bribe a technician at your Internet service provider to intercept your "sealed" bids?

You can protect yourself in only two ways. One is to follow the Klingon proverb "If you do not want something heard, do not say it". Or you can keep using email, safely, by scrambling your messages with "encryption" software. Most of it is a pain to set up even if it's fairly easy to use. Hushmail is a fun exception. It's easy to set up and works like other web-based email services. It's easy to use if you can get your correspondents on Hushmail -- otherwise you have to hassle with annoying technical stuff.


Tuesday, June 29, 2004

Latest on the sensational infection last week reports that 130 web sites are still infected, but none of them especially high profile.

What happens if you visit an infected web site today? You won't get hurt. The web site will still take over your Internet Explorer and try to install software to record what you type. Fortunately the infected web sites never had copies of the software they try to install. Instead they sent you to a server in Russia to get it. The Russian server's been shut down so the infection process can't finish.


Sunday, June 27, 2004

Good news on the problem from two days ago 

Antivirus vendors are detecting it now, the number of contagious web sites seems to have been small, and most important the Russian server that distributed the actual poisonous payload is down (nobody knows why).

The security community is still piecing together what happened. There's been a lot of confusion. I'll do some Q&A for you.

Q: I heard that eBay and PayPal were infected. Am I in trouble if I visited them?
A: Probably not (but run an updated antivirus scan anyway, of course). They seem to have escaped. The rumor probably got started because the ultimate goal of the software included stealing eBay and PayPal passwords. There were also rumors about Yahoo! and Earthlink, which couldn't have been infected because they don't run Windows servers.

Q: What web sites were affected?
A: Kelley Blue Book, BuyMicro, MinervaHealth according to reports I've seen. There must have been others but the names haven't been made public.

Q: Did the Computer Emergency Response Team (CERT) really recommend switching away from Internet Explorer in response to this problem?
A: Yes, even before bad people starting taking over web servers to take advantage of the weakness in Internet Explorer.

Q: Could this happen again?
A: Yes.

Q: Is is safe to use Internet Explorer now?
A: No. Unless you're on a Mac or running Windows XP Service Pack 2.

Q: Am I safe if I stop using Internet Explorer?
A: Safe from this particular problem but you should also look at alternatives to Outlook and Outlook Express. They use parts of Internet Explorer to display mail and might be hit by future problems.


Friday, June 25, 2004

Are you thinking about a fingerprint scanner? 

Sounds like a cool idea, right? And it seems that anything would be better than a password.

Unfortunately it's still easy to fool today's fingerprint scanners. Someone made a master's thesis out of fairly easy and cheap ways to build fake fingerprints that fooled all the fingerprint scanners at a trade show.


Today's big problem -- what you need to know 

A security geek's nightmare came true today.

Bad guys have been taking over other people's websites and defacing them with graffiti. Bad guys have been running web sites that infect people who visit with poorly written web browsers. I've been scared for years that someone would put the two together and write something that takes over web sites to install poison on them instead of just defacing them.

Now it's happening. A new piece of malicious software is taking over some high-profile web sites that run Microsoft's web server software, and installing junk on the web page that infects visitors who run Microsoft Internet Explorer (on Windows. The Mac version is unaffected). This time being street-smart won't help you. You get no warning and no choices, the junk installs silently.

As of this morning antivirus vendors were only beginning to catch up.

Folks, it's time to give up on Internet Explorer. It's easy to download and install a more capable browser that's more secure and free. IE is only safe if you're running a prerelease of XP Service Pack 2 or if you turn off Javascript (which keeps a lot of web sites from displaying right). There is no IE patch from Microsoft yet.

If you're running IE just stay off the Internet for now. Nobody's publishing a list of the infected web sites so you don't know where to stay away from.

P.S. Microsoft explains how to tell whether you're already infected. Sooner or later your antivirus vendor will release something to clean out the infection. Be careful in the meantime, 'cause rumor has it the infection records everything you type (like, say, passwords).


Thursday, June 24, 2004

What the new wireless security standard does and doesn't mean 

You may have seen a headline about a standards committee ratifying a new standard for Wi-Fi security.

The new standard is called "802.11i" and you should start seeing it in ads and on boxes soon.

It's not completely new, because equipment makers have been shipping equipment anticipating the standard. They're selling machines with some but not all of the features, under the name WPA (Wireless Protected Access). You'll probably need new hardware to get all the features.

Are your eyes glazing over yet? The timeline runs like this:
Ship first attempt at wireless security (WEP, "Wired Equivalent Privacy")
Discover that it's not very good
Discover that it's terrible
Begin arguing over a replacement
Agree on main features of a replacement
Begin shipping products before final agreement (WPA, "Wireless Protected Access")
Agree on standard (802.11i, today)

Q: Should I upgrade to WPA, wait for 802.11i, or ignore the entire mess?

A: Do you need to keep dishonest people out of your network? The old broken standard, WEP, is enough to keep honest people out. If you handle credit card information, live in a big city, or have an enviably fast Internet connection, you need security now. See if your equipment can be upgraded to WPA.
Q: I have WPA equipment. Is it obsolete?
A: It's still secure, if that's what you mean (but see below!). Do you want to know if it will keep working once you install 802.11i gear? It's supposed to. That, an hour on hold, and a hundred dollars will buy you a new unit.
Q: I heard something about WPA getting broken? Is it unsafe to use?
A: The fifth law out of Microsoft's Ten Immutable Laws of Security is "weak passwords trump strong security". Security researchers discovered that WPA is open to password-guessing attacks. When you set up security, use a strong passphrase.
Q: My company has a Radius server and --
A: Sorry, but I'm writing for small offices and home offices here. You sound like you'll need information about the Cisco vs. Microsoft split over authentication, and that really wouldn't fit here.
Q: Why is this all such a pain in the you-know-what?
A: Because when Wi-Fi was young the security designers figured that since it's easy to wiretap a wired network, there was no need to make wireless security strong. Then they made a series of well known mistakes in applying cryptography. In fairness, crypto design is harder than it looks. After that, the market was moving too fast to standardize.


Wednesday, June 23, 2004

Here's another introduction to spyware 

If you don't like my explanations, this article from CNN talks about what it can do, what the symptoms are and how to get rid of it.


Spammers have a new trick to get you to open their garbage 

Spammers have long been trying to trick you by making ads look personal. I have an old email account with a made-up name. Pretend it's "mammogram". I get spam there with subject lines like "for my old friend mammogram".

Now spam has been cross-bred with spyware and their illegitimate child sends you email customized with personal information which it steals from your computer. Email security vendor MessageLabs reports that they've seen this happening. It's just now starting to catch on.

Protect yourself from spyware by switching browsers and running AdAware and Spybot Search&Destroy. And be aware that before long you may get spam that seems to know personal details about you.


Tuesday, June 22, 2004

Anti-spyware bill out of subcommittee. Is it worth supporting? 

It's called the "Securely Protect Yourself Against Cyber Trespass Act" (SPY ACT), and it criminalizes "transmitting" a spyware program to your computer without "consent". It's on its way to the floor of the House.

The scum who install programs to record what you type, report what web sites you visit, and to pop up ads you can't close could theoretically be prosecuted by the FTC under this legislation.

Other commentators have pointed out that the bill doesn't allow you to sue on your own behalf. Besides making you wait for the government to act, it doesn't define consent. Those endless dialog boxes that say "by clicking yes you agree to..." might get the scumbags off the hook.

What do I think? It's futile. See, it would still be legal to receive the reports that come in from spyware programs. If Peoria Scumvertising wants to spy on your computer they can simply pay N cents to overseas firm Elbonia Virusmasters for every infected machine. Then when the government investigates, Peoria Scumvertising could say "but they're just an independent contractor we paid for leads. We're shocked, shocked that they did something illegal!".

You'll still need to protect yourself vigorously even if this passes.


Expect problems with XP Service Pack 2. This is a good thing. 

Microsoft has a security problem that isn't their fault. A lot of non-Microsoft programs make assumptions about what they can do that interfere with making security changes. Microsoft has had the dilemma that if they improve operating system security beyond a certain point, customers will start having problems with non-Microsoft applications.

Microsoft is biting the bullet with Service Pack 2. Techrepublic has technical details, but the bottom line is that MS says about 10% of applications will have problems and everyone else expects more than 10%.

Upgrade anyway. It'll be like getting a tooth pulled. The pain of doing it is easier to take than the pain of putting it off.


Why things are so bad, part 2 

One reason we have so many security problems is that writing software to be secure is hard work. It's related to the problem of writing bug-free software, only it's harder to do.


Stay out of bad neighborhoods 

Firewalls won't always protect you.

The latest example showed up in ZoneAlarm Professional. That's a good product but someone recently discovered a gap. ZoneAlarm Pro has a feature which (if you turn it on) is supposed to prevent Web sites from installing programs on your computer(*). The reported hole is that if you make a "secure" connection, like you do when you enter a credit card number, ZoneAlarm stops checking whether the web site is trying to install things on your computer.

Be careful of the word "secure". If the web address begins with https: instead of http, and if you see a closed padlock in the lower right corner of your browser window, that just means the connection is scrambled and that your browser thinks it's proven you're connected to the site you think you're connected to. It's not "secure" in any other way, and the scrambled connection makes it hard for security software to check what's going on.

Your best defense is probably to avoid questionable web sites. If you haven't replaced Internet Explorer yet, you can change its settings under Tools/Internet Options/Security to make it more resistant. If you've already switched to a safer browser like FireFox, that helps too (and blocks popup ads). Windows XP Service Pack 2 will be less promiscuous about running programs from the Web. But technology keeps changing and street smarts stay the same. Next year I don't know what the technology will be but porn sites will still be sleazy and many will still try to install nasty things on your computer.

(*) If you have ZoneAlarm Pro, you can find this feature in the control panel under Privacy, Main, Mobile Code Control.


Tuesday, June 15, 2004

How did it get to be this bad? 

Why do we live in a world where a new PC will catch a virus before you can finish downloading all the patches to protect it? I mean, that's like having your car blow up when you try to drive to the dealer for a recall.

The world's been changing too fast for technology to keep up. That's part of the problem. All the fundamental assumptions built into Windows are for a PC that's sitting by itself or maybe connected to a small friendly network. Your PC is like someone from a small town where nobody locks their doors, walking through bad neighborhoods in a big city. Microsoft is working on removing those assumptions, but changing your assumptions is the hardest kind of engineering work.

Windows is a big target for bad people. That's another part of the problem. Windows is big in two different ways. There are a lot of Windows machines. Microsoft points to the popularity of Windows as the reason bad guys attack it. It's also big in the sense that any Windows machine offers lots of ways to attack it.

No matter what operating system you run, there's something else going on. When computers were new, a machine less powerful than your cellphone would have had a team of experts running it. Today you've got an awesomely versatile and powerful computer on your desk and you're the only one taking care of it. Notice how the security bulletins always talk about problems with software you've never heard of? There's more running on a PC today than most people can keep track of.


Quote for the day: is it your fault? 

I wrote a little while ago about people arguing whether computer users were "stupid" for not taking necessary precautions.

Here's a great comment about that. It's from a reader of security guru Bruce Schneier's wonderful online newsletter, "Crypt-o-Gram".

From: Dan DeMaggio
Subject: Step 1: Admit you have a problem

I love your Crypto-Gram and your thoughtful analysis. But I must take you to task for linking to Tim Mullen's Security Focus article about Walter Mossberg (and implying that you agree with it).

Tim says "The solution is for the end user to start caring." But that will never happen. Only computer enthusiasts care about computers. Only car enthusiasts care about cars. Only llama enthusiasts care about llamas. The vast majority of people in the world will never care about any of them.

Let me tell you about three products I've bought:

- I bought a car. The locks are not much of a deterrent, but they have kept the car perfectly secure (even in Detroit) for more than 10 years now. I take it in for a 10-minute oil change every three months (like it says to do in the owner's manual). When it breaks down (twice in 10 years), I make a phone call and have it fixed. To me, the car is merely a means to an end. I do not care about my car.

- I bought a house. I expect the locks will keep my house reasonably secure. The complex equipment in the basement may break every few years, but a simple repairman visit will fix the problem. I care about my house more than my car, but not by much. I would not have bought my house if I expected it to be a high-maintenance source of problems.

- I got my wife a computer with Windows on it. Within minutes of plugging it in, it started getting spam pop-ups. If I mistyped a domain name, I would get a site that did so many pop-ups and re-spawns that I had to reboot the computer. Keeping up with patches would take hours per month. Even though I'm a techie, I refuse to babysit that computer. If it becomes infected, I guess I'll just wipe and re-install.

The first two examples are "whole products". (See Geoffrey A. Moore's "Crossing The Chasm".) Almost everything I was going to need came bundled. Those things that weren't bundled were things that I knew about, things that were cheap (relative to the product price), and things that do not require much time or thought.

The third product is not a whole product. I refuse to hunt down all the services I need to turn off (but I did get a firewall). I refuse to waste my time downloading multi-megabyte patches and wait for the computer to reboot multiple times. I refuse to pay $100 to protect a $500 computer, especially because no AV software protects from all new exploits. (I know because regularly get new e-mail viruses marked "certified virus free" by AV vendors.)

I refuse to do these things because I know they don't have to be done (and the public will never do them anyway). Linux doesn't require any of that. I know Linux isn't a whole product either (yet), but it's easier to add documentation and support to Linux than security to Windows. If I were really paranoid about security, I'd (easily) migrate to OpenBSD. They've had one remote hole in the default install in the last eight years, unlike Microsoft's seven exploits in one day.

Walter says "It's time somebody [shoulder the whole burden of protecting PCs]." People want computers to be as low-maintenance as a car. Microsoft created this problem because (as a monopoly), it's not profitable to fix bugs (it won't generate more sales) or make things secure (ditto). Yes, Tim, it is "wishful thinking" to expect the problem to be solved for free. But it is even more wishful thinking to expect the public to care about computers.

"OpenBSD", which he mentioned, is a free Unix operating system built with security as a top priority. The only reason I haven't recommended it is that my audience is normal people with other things to do. It's easier for a newbie to get someone to help with a Linux installation.


Tired of nosy marketers asking for your email address? 

Unless they're going to mail you a receipt or a password, they don't need it except to send you junk. But their forms always require it. My favorite solution is to fill in where they ask for my email address. If they send email there, they get back an automatic nastygram suggesting that they should offer attractive products instead of sending junk mail.

Suppose some merchant really does need to send you a receipt, or a password, or a web address where you can download their product. Suppose you don't trust them with your email address (OK, but then why are you buying from them?). An outfit called Sneakemail lets you create a new address for every place you do business with. The new address is something like, and mail sent there goes to your real email address until you want it to stop. You can cancel that one address if you start getting spam through it.

The sneakemail web site is kind of bare-bones. The real information is in their Frequently Asked Questions page. They're free for basic usage, with some extra goodies if you pay them.


Sunday, June 13, 2004

Another wireless access point has a "back door" 

This time it's the Edimax 7205APL. According to one of the mailing lists where security people hang out, even if you change all the passwords there's still one built into the device that anyone can use. After a couple of other steps a bad person can start making changes to the device's settings.

This is getting to be a trend. At least three problems like this have raised their ugly heads recently.

I recommend putting a firewall box between any wireless access point and the Internet. Then you have to hope that everyone who connects to your wireless network is friendly. The only complete solution I know of now is to use a general purpose computer as an access point, running software that people can check for back doors.


Got a business account with your ISP? Ask about their worm policy 

Suppose your computer gets infected. The bad program's first concern will be sending out copies of itself, and after that it will typically be used to send out spam. This can cause enormous amounts of traffic from your computer.

Will you get stuck with the bill for all that usage? Not everybody has an all-you-can-eat account, and not every ISP will forgive the bill.

An unnamed ISP handed Ontario businessman Isaac Liber a bill for CDN$85,000 to pay for what a worm did from Liber's machine. He's now bankrupt.

If you get billed for bandwidth it's a good idea to call your ISP and ask what they'll do if your machine gets infected and uses too much bandwidth.


Friday, June 11, 2004

Antivirus software may help with Internet Explorer problem 

McAfee, Norton, and maybe others can catch at least some forms of the problem I mentioned yesterday. In other words, up-to-date antivirus software may protect you against being taken over by a bad guy's web site.

I'm hemming and hawing because I've looked at the published examples of how bad guys can program a web page to take over your computer. It's complicated and there are lots of ways to disguise what it's doing. It's very possible that someone will find a way to slip it past antivirus software.


Thursday, June 10, 2004

Internet Explorer hole allows web sites to take over your computer 

Yep. It's really that bad.

Even if you've installed all Microsoft's security patches, going to the wrong web site can let a bad guy install and run software on your computer. When that happens, your computer becomes the bad guy's computer. You don't have to do anything, just open the web page. A firewall won't help.

Security firm Secunia rates this problem "extremely critical" and says that spyware perpetrators are using it now.

This blog is all about telling you what you can do. As usual, stay out of bad neighborhoods: clicking links blindly on sleazy sites is not smart. Secunia offers three technical solutions, two of which apply to home or small business users. They say:
Disable Active Scripting support for all but trusted web sites.

Filter "Location:" headers containing the "URL:" prefix in a proxy server.

Use another browser.

Thank you, Secunia.

"Disable Active Scripting support for all but trusted web sites" means click the Start button, move to Settings, wait for the second menu to pop up, move to "Control Panel" and click that, from the window that appears double-click "Internet Options", in the resulting dialog click the tab that says "Security", click the icon that says "Internet", click the button labeled "Custom Level...", scroll almost to the bottom where it says "Scripting" and "Active Scripting", click the radio button labeled "Disable", click OK, click OK again in the first dialog box. Some normal web sites may not work right afterward. If that bugs you, go back to the "Security" tab from the rigmarole above, click "Trusted Sites", and type in the address of the site that you're having trouble with.

The recommendation about a "proxy server" doesn't apply to you if you're a typical home or small business user.

Using another browser is really easy and improves your life anyway. Most competing web browsers block popup ads! I recommend a free one called "Firefox". You should be able to simply jump in and download it, but if you want you can read what it's about first, and maybe read a step by step introduction.


Wednesday, June 09, 2004

Yesterday was Update Day for Microsoft 

Time to run Windows Update again. Microsoft thinks some of the fixes are "critical".


Tuesday, June 08, 2004

Not a hoax this time: a virus that deletes all your files 

This one arrives in email with the subject "Re:", an empty message and an attachment. According to Symantec's report, the attachment can have several different file types. It sends itself to everyone in your address book, and four times a month it deletes everything it can.

The good news is that it's spreading slowly and hasn't gotten far. The other good news is that you're safe if you use common sense and don't open strange attachments.


Monday, June 07, 2004

Mac OS X users: you've got a new security update from Apple 

Your Mac will ask you to install it sooner or later but I recommend installing it now. Apple says this fix takes care of the major problem I mentioned earlier. Word on the street says that it really does.

This one's important.


Sunday, June 06, 2004

The luxury of having computer security problems 

This post will be off-topic.

It is good that we live in a world where we have to worry constantly about the safety of our Internet-connected PCs. It is good to live in a world where an identity theft can ruin your credit.

We have time to worry about our computers because we're not facing death squads or machine gun fire.

60 years ago more than 100,000 teenagers like the high school graduate next door ran into machine gun fire and minefields to free Europe from a vicious and dangerous tyranny. They and all their comrades didn't know how it would turn out. Western Europe, maybe even the USA, might have fallen under a regime of terror and hate to this day.

Many of those soldiers are still alive today. They deserve a thought, and our thanks.


Correction about Korgo 

Korgo is the self-spreading piece of nastiness I mentioned recently. I was wrong about it having a keystroke recorder installed. Antivirus software maker F-Secure issued a correction recently along with a good explanation of how they made the mistake. In short the keystroke recorder is like an "aftermarket option" for the worm: the same gang that released the worm installs the keylogger after a PC gets infected and gets put under their control.

What difference does it make to a home user? None. Your computer winds up in the same state either way. Please install the patch from Microsoft! Just run Windows Update from your Start menu. If you don't want to do that, go to and download the right patch for your version of Windows.

Did people at work tell you that the patch caused problems? I've seen only one problem that's at all likely to show up on a home machine. Do you telecommute? Did your employer give you "VPN" software for telecommuting? Is it from Nortel Networks? Then you should read Microsoft's advice before installing the patch.

Your firewall should protect you and probably does but there are a lot of "if"s and "but"s involved. You need to install the patch.


Friday, June 04, 2004

Tired of viruses? 

I was reading yet another virus or worm announcement, and the writer said something like "As usual, Mac and Linux systems are unaffected".

Most of the advice I've given on this blog has been about reducing the hazards of Windows systems.

You can switch to an alternative in almost all cases. Mac OS X runs Quicken, Microsoft Office, and virtually all the productivity software you could want. Linux is missing competitive personal finance and tax software but can handle your networking and general productivity needs.

Trying Linux is cheap, safe and easy. Spend $5 plus shipping at CheapBytes (*) and order a "Knoppix 3.4" CD. Or ask your local geek for a copy. Then the way cool part begins.

The only thing you need to do is reboot from the Knoppix CD. A minute later you're running Linux with no installation routine and no rearranging your hard disk. It treats your hard disk as read-only. It automatically sets up networking. The only work you may have to do is set your computer to boot from the CD drive. Usually your computer will display a message like "Press F1 to enter setup" or "Press DEL to enter setup" when it first starts. Try that if your computer doesn't boot from the CD. Then just poke around! Especially look for "Open Office".

Quietly let your local geek know that you're experimenting with Linux. You may get enthusiastic support.

(*) no financial interest, no referral fee. I'm just a customer.


Cockroaches in the kitchen: problems with network appliances 

How many computers do you own?

You own more than you think. If you have a cheap hardware firewall box or a wireless access point, those are complete computers on the inside. They probably have more power than NASA had for the moon landings.

If you're a paranoid security consultant, every computer you see makes you think "gee, could this have any security problems?". When the news broke that the Linksys® WRT54G Wi-Fi access point would let anyone on the Internet log in, change settings, and maybe even see your WEP key I thought "and so it begins".

Linksys, a responsible and reputable vendor, released a fix. That's good, but it's like seeing a cockroach in your kitchen and stomping on it. There's one less cockroach but you have the sick feeling there must be more.

There are more cockroaches. The latest bug showed up in the WG602 wireless access point from NETGEAR®. Even if you change the administrator's password (as you should), there's a secret backdoor that lets anyone log in. The password is the phone number of the Taiwanese manufacturer. There's no fix yet.

I expect more problems like these, maybe even some with firewall products. Secure computer programming is hard, even harder than writing bug-free programs. Unless manufacturers tell their programmers "take your time, do it right" (like that's going to happen), we'll get more nasty surprises.

What's a consumer to do? Keep using your hardware firewall box. It protects you against many bad things even if it has hidden security bugs. Search the manufacturer's web site for phrases like "firmware upgrade" or "firmware download", and follow their instructions to make sure your box has the latest fixes.

Consider paying a local geek to turn a cheap old computer into a firewall by installing some well-debugged free "open source" software. "Open source" means that the inner workings are available for inspection and back doors are much less likely. A 486 that you can't even give away has enough horsepower to run a firewall for a DSL line. You get better security and more features than one of the firewall appliances can provide.


Thursday, June 03, 2004

Why you absolutely need Microsoft's big April patch 

Did your Windows machine start rebooting at random recently? It could be a lot worse. For some people it already is.

There's a new worm spreading called "Korgo". It crawls through the same hole in Windows as "Sasser", which caused the random reboots. It installs by itself automatically, and doesn't depend on you opening an attachment.

Korgo is seriously dangerous because it records everything you type into Web forms. Antivirus company F-Secure believes it's designed to steal online banking passwords and credit card numbers.

In the short run a cheap firewall should protect you. Don't connect a Windows machine to the net without one. You need something above and beyond the built-in firewall in Windows XP. (Because when you start XP it turns on networking long before it turns on the firewall, so you may be wide open for ten or twenty seconds, and that's all it takes).

In the longer term you need to install Microsoft's patch. If you're on dialup, take the computer and a six-pack to the home of your tech-savvy friend with high-speed Internet access, put your computer in your friend's network and the six-pack in your friend, and run Windows Update.

If your antivirus software tells you that you got Korgo then F-Secure advises changing your online passwords and canceling any credit cards you've used online. It's that bad.


Wednesday, June 02, 2004

Setting up wireless security is hard unless you put a hex on it. 

CNN said recently that a lot of people leave their wireless networks insecure because it's the only way to get the equipment to work.

It's a real problem. The manufacturers have caused the problem with some mistakes and lack of standardization in their user interfaces. Right now there are three ways to have a fighting chance to get security working:

What's the problem, anyway?

The wireless equipment tries to keep your transmitted data secret by scrambling it with a secret "key", which has to be the same on every device that can talk to your network. The key is simply a very big number. Computers are good at handling very big numbers and humans aren't. Unfortunately the WiFi equipment manufacturers force humans to tell the equipment what key to use.
Manufacturers try to make it easier for you to enter a key by asking for a passphrase instead (it's like a password, only longer). Then the equipment does some math starting on the passphrase and creates a very big number from the passphrase you type in. Unfortunately, not every manufacturer's equipment does the math the same way. Put the same passphrase into a Linksys® device and an Apple AirPort® device and they'll compute different keys and refuse to work together.

Buying everything from the same company

Maybe you can still get some Microsoft® wireless network equipment on clearance. Microsoft, bless their hearts, turned on security by default and let you configure keys by carrying a floppy around to each device.
If you buy everything from one company, then when something doesn't work it's harder for tech support to pass the buck.

Putting a hex on it: typing things like 9E907DA0FFC30075EC61A8C3DC

The word "hex" here doesn't mean black magic, though it may certainly seem that way. It stands for "hexadecimal", a word you may see in setup dialogs and in manuals. It's simply a way of writing very big numbers. Hex is handy for computer use because every letter or number corresponds to exactly 4 bits. That ugly string above is 26 hex digits long so it could be a 26x4 or a 104-bit key. That's the length you need when you're setting up a "128-bit" key (you don't want to know why. It's like measuring a 2 by 4).
The advantage of doing something so painful is that you're typing in what the key really is. Unfortunately you're not out of the woods yet. Apple equipment thinks you're typing in a passphrase instead of a literal key unless you type "0x" or "$" in front of it. Oh, and you can't check your work either, because usually what you type shows up as "****" because it's a seekrit passwurd.

Waiting and hoping things get better

Computers enjoy very big numbers. WiFi manufacturers should let the equipment talk to its neighbors and decide what key to use. A few manufacturers are starting to do that. Maybe it'll catch on.
Buffalo Technologies has a nifty system where you press buttons on the access point and in the setup software, and the equipment sets itself up. Unfortunately it only works with Buffalo equipment. Unfortunately it only works with some Buffalo equipment.
Chip maker Broadcom builds the innards for many brands of WiFi equipment. Broadcom is trying to get WiFi manufacturers to use a technology called SecureEZSetup which also automates setting up the keys. So far Belkin has said they'll use SecureEZSetup in future products.


This page is powered by Blogger. Isn't yours?