Wednesday, August 25, 2004

Privacy: how to read the news without the personal questions 

When you look up a news story and get slapped with one of those "registration required" messages, there's a way to log in with someone else's information.

A site called BugMeNot lets you type in the Web address of some place that wants you to tell them personal information, and get back a username/password that another BugMeNot user set up.

The Mozilla browser even has an optional extension you can download that does all the work for you.

It doesn't always work: some newspapers have discovered that BugMeNot exists and they're deploying technical countermeasures.

Is it ethical, though? When you use BugMeNot, are you "protecting your privacy" or are you "stealing a free newspaper"?


Tuesday, August 24, 2004

Are voting machines honest? That's a secret. 

Imagine being audited by the IRS.

But then imagine that you could hire your own accountant to certify that your return was correct. Then imagine that you could swear your accountant to secrecy about anything s/he found.

Guess what? That's how "certification" works for electronic voting machines. This depressing article explains that voting machine vendors hire their own testing firms and that the testing firms stonewall any inquiries.

Pick up the blue pages of your phone book and look for your state's "Department of Elections", "Secretary of State", or whatever they call it. Phone or write. Let them know that you want independent certification. If you're afraid of seeming ignorant, you can read the Verified Voting website first.


Monday, August 23, 2004

Some fairly good reading about XP Service Pack 2 

ZDnet has an interesting and informative column about what Microsoft's newest Service Pack does and doesn't do.


Sunday, August 22, 2004

Yet another Internet Explorer followup 

It's fun, but scary, to read the forums where people talk about new security holes.

Someone's already improved on the latest attack against the latest Internet Explorer version. It's now possible for a nasty person to install software on your computer, to be run on the next reboot, if you do nothing but visit a website and drag the scroll bar. I am not making this up. It wasn't even difficult: the guy needed only 20 minutes to write a page demonstrating the attack. Yes, this affects Internet Explorer in XP Service Pack 2.

Details for your technical friends to look at.


Saturday, August 21, 2004

Followup from yesterday: the drag/drop IE problem 

I found the sample attack and took a look. It's kind of scary.

All you see on the screen is some red lines and a little Pac-Man(tm)-like figure (and some pointless vulgarity). As far as you can tell by looking, all you do to infect yourself is move a picture from one place on the screen to another. The attack uses features that exist only in Internet Explorer ("IE"): they let it disguise a program as a picture and disguise a folder on your computer as a blank space.

This can happen even on XP Service Pack 2, the version with all the security improvements.

Microsoft isn't very worried. They say it's a minor problem because it requires so much work by the user before a computer can be infected. At least one independent firm rates it "highly critical". I think it's grounds for worry because it's hard for a street-smart user to avoid. An attack could be disguised as an ad. You've seen the ads that say "click the monkey to win a prize"? An ad that said "Drag the monkey to the barrel and win a prize" could trick a lot of people, and it's less work for the user than some highly successful attacks have required.

The independent firm (Secunia) recommends turning off JavaScript (Tools/Internet Options/Security/Internet/Custom/Scripting/Active Scripting/Disable; I am not making that up, and if you do it a lot of web sites won't work right), or switching to another browser. Switching is painless and actually fun. There's even help about how to do it.


Friday, August 20, 2004

Does XP Service Pack 2 make Internet Explorer safe? 

Now that SP2 is trickling out to people who've turned on Automatic Updates (log in as Administrator and go to Start/Settings/Control Panel/Automatic Updates), is it safe to resume using Internet Explorer instead of Firefox?


The security firm Secunia just put out a warning about a problem that affects fully patched systems.

You may be able to protect yourself against this particular problem but there aren't enough details out yet to give you sound advice. Definitely don't drag anything from Internet Explorer to your Startup folder even (especially!) if you get email with a convincing story about why you should. But this problem doubtless has relatives.

If you don't like Firefox, try downloading Opera (free with ads, US$39 without) and looking through the tutorial.

Why do things like this keep happening? And is Internet Explorer ("IE") really worse than the others? After all, other browsers have security problems too.

Microsoft wanted IE to be a way to run programs on your computer, from your company's internal network or even from inside your computer itself. Running programs is dangerous, so Microsoft set up different rules (security "zones") for different places a page can come from: a page from the Internet gets far fewer privileges than one sitting on your own disk. Unfortunately there are zillions of places where those rules have to be checked and zillions of ways to trick them, usually by convincing IE that content from one zone really came from a more trusted one. So far even a large, motivated company like Microsoft hasn't been able to plug all the holes. Other browsers were designed just to look at Web pages, so they have fewer ways to go wrong.


Wednesday, August 18, 2004

Best advice I've seen about identity theft 

Are you tired of reading one newspaper story after another that all say that identity theft is a serious problem and that you should buy a shredder and check your credit report once a year?

William Murray of Trusecure, a fellow CISSP, wrote a bunch of really useful advice. His paper is at this link. He has advice for both consumers and for businesses that take credit cards.

The entire paper is interesting to security geeks but normal people may want to skip to "Recommendations for the Individual" and "Recommendations for Merchants". Some of the advice may surprise you. For example, he recommends online banking because you can check for suspicious activity daily and because it keeps sensitive material out of your physical mailbox. Something else you might not have thought of is to use a single-use credit card number whenever possible. Those are just excerpts, there's a lot more good advice there.


Tuesday, August 17, 2004

Technology to help protect against phishers 

The theory

Some of the best ideas are the simplest. Core Street makes a little browser add-on for Firefox and for Internet Explorer. All it does is show you what site you're actually on. (If you're rude you might ask why the browser can't tell you that on its own.) Then when a scammer tries to impersonate your bank you have a chance of seeing through the scammer's disguise.

The word on the street is that it works smoothly.

The author of the add-on (called "Spoofstick") is up-front about the add-on's limitations. It's not supposed to be a panacea.

The practice, or, street smarts beat technology

Someone who gave his name only as "John" says he found a way to fool Spoofstick into displaying the wrong location.

Jonathan Penn, an analyst specializing in messaging security at Forrester Research, points out that one scammer registered a lookalike domain. Spoofstick would report that yes, you really are on that domain, but it would have no way of knowing that it had nothing to do with Visa. Lookalike domain names are a common trick. A famous example was someone who set up a domain with a numeral one in place of the final "l" in "paypal".

My advice is to treat email like you would a phone call. If someone asks for your credit card number over the phone, you know to stop and think about whether you placed the call. Similarly, don't type in your eBay password unless you're the one who typed in eBay's web address.
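The lookalike problem above is exactly what a tool like Spoofstick cannot solve on its own: showing the real host name is only useful if something also compares it with the host you meant to visit. The script below is an added example (not part of the original post and not Spoofstick's code) showing what such a comparison has to handle: a digit one standing in for an "l", a trusted name buried inside a longer host like www.paypal.com.example.net, and the old user@host trick where the part before the "@" is not the host at all. The trusted-host list, the look-alike character table and the two-label "registrable domain" rule are assumptions made for illustration.

```python
"""Check whether the host in a URL is really the site you meant to log in to.

Added example, not part of the original post or of Spoofstick. The trusted
host list and the look-alike character table are illustrative assumptions.
"""
from urllib.parse import urlsplit

# Assumption: the handful of sites this user actually logs in to.
TRUSTED_HOSTS = {"www.paypal.com", "www.ebay.com", "signin.ebay.com"}

# Characters that look alike in common fonts (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]


def registrable(host):
    """Last two labels of a hostname: www.paypal.com -> paypal.com.

    Assumption: two-label registrable domains. A real check would consult
    the public suffix list so that www.bank.co.uk is not reduced to co.uk.
    """
    return ".".join(host.split(".")[-2:])


def fold_confusables(name):
    """Replace look-alike characters so paypa1.com compares equal to paypal.com."""
    for look, real in CONFUSABLES:
        name = name.replace(look, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance, for catching one-character typos such as paypal.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'lookalike' or 'untrusted' for the host in url."""
    # .hostname discards the scheme, the port and any user@ prefix, so
    # http://www.paypal.com@198.51.100.7/ is correctly seen as 198.51.100.7.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "untrusted"
    if host in TRUSTED_HOSTS:
        return "trusted"
    trusted_domains = {registrable(h) for h in TRUSTED_HOSTS}
    domain = registrable(host)
    if domain in trusted_domains:
        return "trusted"          # another subdomain of a site we trust
    for good in trusted_domains:
        if fold_confusables(domain) == good or edit_distance(domain, good) <= 1:
            return "lookalike"    # paypa1.com, paypal.co, ...
        if ("." + good + ".") in ("." + host):
            return "lookalike"    # www.paypal.com.example.net
    return "untrusted"


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "https://www.paypa1.com/signin",
              "https://www.paypal.com.example.net/signin",
              "http://www.paypal.com@198.51.100.7/signin"):
        print(classify(u), u)
```

Note that the user@host form comes out as "untrusted" rather than "lookalike": the real host (here an address) bears no resemblance to PayPal, which is precisely why the trick works on people who only glance at the start of the address bar.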


Monday, August 16, 2004

How XP SP2 does and doesn't protect you against downloaded files 

Service Pack 2 of Windows XP stamps an invisible warning label on files you download from the Internet. If you try to run a file, XP checks for the label and warns you that the file is from an untrusted source.

Imagine, for example, that someone tricks you into opening an attachment and it puts a file called nastyvirus.exe on your disk. If you go back the next day and double-click on nastyvirus.exe, Windows will ask whether you really want to do that.

That's a good and clever feature. How well does it work? Security researchers have been studying SP2 intently (and mostly finding good things), and Juergen Schmidt has taken a close look at the warning-label feature. He's found some ways to get around it. He can get XP to run a downloaded program without warning.

The good news is that the warning-label feature is good enough to protect against every kind of attack seen so far: nobody has seen a virus that uses the tricks Schmidt found. The bad news is that Microsoft is going to leave the door open: their response was "we don't see these issues as being in conflict with the design goals".

What does this all mean to you?

Details for technical people.


Sunday, August 15, 2004

What will your bank do if a "phisher" loots your account? 

What happens after someone tricks you into typing your online banking password into the wrong place?

Your account gets cleaned out, of course. But will your bank put the money back, like they would if your credit card got stolen?

The Boston Herald reports that some banks are starting to shift responsibility to the customer. Since tracing the scammers is almost impossible, you might never get your money back.


Friday, August 13, 2004

What XP Service Pack 2 can't do for you 

Compliments to Microsoft

If you haven't already, please go to Start/Settings/Control Panel and turn on Automatic Updates. That will get you Service Pack 2 eventually even if you use a modem. Windows Update will patiently grab one piece at a time from the huge download and fit them all together. It may take days. It's worth it. Don't wait for the CD to ship.

Security experts who've been laughing at Microsoft for years have been grudgingly admitting that Microsoft did a lot of things right. So far (August 2004) SP2 just keeps looking better and better the more people study it.

You knew I was about to say "But..."

Is a Volvo a "safe" car? It's designed to be but it's hardly safe if you drive it drunk or park it in a bad neighborhood. There's only so much that a car or an operating system can do for you.

Spyware can still get on your computer if you install it yourself. Don't install that flashy animated cursor or password manager unless you know it's from someone trustworthy.

Once the spyware is there, it can still call home and leak your personal information. The firewall that SP2 turns on only blocks connections coming in from the Internet; it does nothing about programs on your PC connecting out. You still need a third-party product like Zone Alarm to stop that from happening.

"Phishing" scams, where you get mail that looks to be from your bank, will of course continue. Don't type important passwords in unless you initiated the transaction.

Weak passwords can still undermine your security. You still need to remove personal information from your hard disk before you sell or discard your computer.


Wednesday, August 11, 2004

The next frontier: your cell phone 

Be Concerned

Your cellular phone is a computer. If it's fairly new it can send and receive data, so it's a computer on a network. Like your home PC, it requires care and street smarts now.

For one thing that means being careful about what you download. Be careful even about software from real companies. Recently there were dangerous copies of a game called Mosquito circulating. The dangerous copies would start sending out premium rate text messages and hit you with unexpected bills. At first security people suspected that someone had tampered with the game. Today antivirus firm F-Secure reports that the makers of the game put that in as a feature to deter illegal copying. Download an illegal copy, and boom.

But Don't Panic

So far almost all the infectious software for cellphones has been experiments to see if it could be done. One "virus" actually asked permission to install itself! When you read a scary article, look towards the bottom to see if it's talking about something found "in the wild".

Check your phone's security settings. Some of them ship with the security features turned off. No wonder there have been scary stories about phones being turned into bugging devices by remote control. Learn to control your phone, just like you learned to lock your car doors.


Tuesday, August 10, 2004

Taking control back from the popup plague 

This isn't exactly a security issue, but when web sites fill your screen with unwanted popup windows, they are interfering with your use of your computer.

There are hundreds of products to block popup ads. Modern browsers, like Mozilla Firefox, have protection built in. When you get XP Service Pack 2 soon, Internet Explorer will block popups.

Besides the technical solution, you can reduce the hassle by staying out of bad neighborhoods on the Web. Porn sites and sleazy get-rich-quick places are some of the worst for bombarding you with popup ads.

I suggest testing whatever popup blocker you install. One vendor has set up a test page where you can try out your popup blocker against some common tricks for making ads pop up. I haven't tried their software but I appreciate their offering a test page.

I'm not linking to the test page. It's too dangerous for someone with a standard installation of Microsoft Internet Explorer. Scroll down to where it says "popup blocker and ad killer test page" near the bottom, then click "enter" on the warning page that comes up next.


Monday, August 09, 2004

Know your enemy: your computer is worth money to them 

Network World Fusion has an interview with an antivirus vendor.

Some interesting points:


Sunday, August 08, 2004

It's NOT about the technology 

Quotes for the day

Security entrepreneur and programmer Marcus Ranum said some pithy things recently about security technology.

His main point is
Well, there are 2 ways to negate 90% of your risk:

a) do a few simple, obvious things that are not very fun
b) spend a ton of money on products and process

to which he adds the opinion

Computer security, as it's done today by most practitioners, is
fundamentally a con. It's a con the same way that most diet foods
and "lose weight fast" schemes are a con: they cost a lot and they
only work if you do something sensible that would have worked
REGARDLESS of whether you were following the rules of the
diet. Because, basically, successful diets involve taking in less
than you burn.

and challenges conventional wisdom with

9) Don't waste your time patching
a) if you're running code on an internet-facing
system that has a history of needing
patches every week, you're running
the wrong code

and tells network administrators

12) No, your users do NOT need that stupid new chat/file sharing/
net-meeting/remote-control/powerpoint sales tool/virtual FAX
garbage - it IS dangerous

The complete article including technical issues


Yes, he's blunt.

Diets are a good analogy. For normal people (the kind this blog is written for) computer security is exactly as much fun as dieting and exercising. The fun level drops even lower because whether it's weight loss or computer security you have to keep working at it forever.

Dilbert has a coworker in IT called Mordac the Preventer. Everyone thinks that Mordac is there to prevent productivity. If you think that describes your company's IT department, maybe they're just following the advice above. They may seem arbitrary when they're actually protecting the company network.

When you're back at home you're the network administrator. I'd say do "waste your time" patching but eventually replace software that's constantly requiring security fixes. Start with replacing Internet Explorer -- the alternatives are faster and more fun. And do use appropriate technology. Antivirus software can protect you against surprises, firewalls reduce your exposure, and both are cost-effective. Just don't kid yourself that they make you "secure". Your antivirus software and your pepper spray are useful tools, but both on the street and online it's your alertness that keeps you safe.


Google email "hacked", the first headline shrieks 

You should be fine if you use a good password.

Near as I can tell from the early reports, all that's going on is that someone wrote and released a program that keeps trying to log in to GMail accounts using every possible password it can think of.

Change your password if you're using one like "cookie" or "password" or "secret".


Pick up the September Consumer Reports. Clever trick in it. 

Consumer Reports for September recommends products and actions for slowing down the most common threats to a home user. They did a pretty good job, which doesn't always happen when they write about something technical.

They offer a clever trick to use if you suspect you're visiting a phony web site that impersonates eBay or PayPal to deceive you into giving them your password. Of course, I say don't go there in the first place, but if you do, try giving them the wrong password to start with. eBay knows your real password and will make you try again. A scammer is trying to find out your password and will let you in no matter what you type. If the wrong password gets you in, you're in the wrong place and should get out. (This won't always work! Some scammers have started forwarding your password to the real destination after they record it).

Check out their product ratings. Their ratings aren't too far from the general buzz on the net.

Consumer Reports did leave out any mention of the need to replace Internet Explorer, or the fact that so far malicious software mostly hasn't targeted the Macintosh or Linux operating systems.

Bad news

They did a survey and found that three percent of the people who'd gotten spam had ordered something from it. Not only did those people help keep spammers in business, they probably got taken as well. Remember, "if it's spam it's a scam". Reputable companies use more ethical forms of advertising.


Saturday, August 07, 2004

Keep yourself informed about e-voting 

PC World has a balanced article about the convenience and security of electronic voting machines. They explain the issues accurately. You'll get enough background information to understand the debate. Every citizen should know what's in that article, and I mean that with no exaggeration.

If you want a less balanced point of view, check out what gadfly Bev Harris has to say.


Friday, August 06, 2004

News from a "hacker" convention 

Roger Zelazny wrote a fantasy novel in which the magicians invite both white magicians and black magicians to a huge get-together. They meet under a flag of truce, and it's considered impolite to pay too much attention to the difference, because the reason for the confab is to exchange information and to party.

The computer security world has an annual meeting like that, in (you guessed it) Las Vegas.

The buzz there was that Windows XP Service Pack 2 is going to make Windows noticeably harder to break into.

The most quoted talk was about how to use Google to find leaked information and vulnerable computers. Try Googling for your unlisted phone number, or even your credit card -- the results may surprise you. Lots of web sites are set up with mistakes that publish more information than anyone intended. Any search engine can then point the world toward that information.

What it means for you

Upgrade your XP installation to Service Pack 2 when it comes out. Are you tired of hearing me say that?

Think twice before you send someone a sensitive file by putting it on a server.


Thursday, August 05, 2004

More evidence that Microsoft is doing the right thing 

Microsoft has told the world that the next big update to Windows XP will take security seriously.

The acid test of how serious they are is whether they'll make changes even if those changes break programs that people are using.

Microsoft announced recently that one of their own programs will stop working when you install XP Service Pack 2. If you're curious, it's the Business Solutions CRM application, and you can download a fix that will make it work again under Service Pack 2. The point is that Microsoft is biting the bullet and making security a genuine priority.


Wednesday, August 04, 2004

Keep a low profile 

You probably don't display your most expensive jewelry when you're walking down the street in the city, and you certainly don't flash big rolls of cash. Basic street smarts means you don't advertise yourself as a target.

Apply the same precautions online. High-profile targets may get personal attention from very smart attackers. A random small business will get attacked by dumb automatic programs instead, which are much cheaper and easier to defend against.

Wired magazine says that there's been a wave of breakins at computers belonging to highly publicized security workers. They got targeted because they're well known.

I recommend against bragging about your security in public, or making disparaging remarks about people in the computer underground. A few years ago one site got forced off the net by a flood of attack traffic when an underground member simply thought the site owner had insulted him.


Monday, August 02, 2004

Moving day 

All articles from August 2 onward are at


Sunday, August 01, 2004

The Security Mentor is moving tomorrow 

Please bookmark this link to the new home.


This page is powered by Blogger. Isn't yours?