Wednesday, September 29, 2004

Here's a bunch of good tips in one place 

Security consultant Loren Kohnfelder has put together a talk for home and small business users who have other things to do than study computers. His list of basic home computer security precautions is concise, to the point, and emphasizes the need for common sense and staying alert. He also has some clever ideas for creating and remembering good passwords.


Monday, September 27, 2004

It's happening: dangerous JPEGs in real life 

Someone has posted pornographic pictures on the Usenet news service which use Microsoft's latest security hole to take over your PC. The malicious software is nasty but at least it doesn't spread itself. Yet. Right now the only way to get infected is to view a tainted picture using unpatched Microsoft software.

More will follow, I'm sure.

The relevant defenses on a Windows machine (others are unaffected) are


Antivirus software works 

Vincent Gullotto, an executive at anti-virus firm McAfee, said recently that viruses are now aimed at home machines rather than corporate networks. He says that corporate security is increasingly too difficult for a virus to get through (which is oversimplified).

What's the difference? It's simply that corporate security products are kept up to date.

The software on a home computer may be months old by the time you buy it. A lot of people don't know that they need to tell their antivirus software to call home for a list of the newest viruses to check for.

It's a pain to do, but if you keep up with software updates you can make your home machine as unappealing a target as a large company's.


Saturday, September 25, 2004

More than one program vulnerable to the JPEG flaw 

Here's a tool you really want to have. The respected security organization SANS has published a program to look through your computer and find programs that need to be updated for the security problem I mentioned last time. It's not just Internet Explorer that's affected. You may need to update Microsoft Office applications. When you go to Windows Update, Microsoft gives you a scanning tool to do the same thing, but the word in the security community is that it doesn't work well.

Here's a link for the free download of the scanning tool for the JPEG vulnerability.

Meantime, a firewall won't protect you against this particular problem but freshly updated antivirus software should.


Thursday, September 23, 2004

Have you updated Internet Explorer yet? 

Microsoft published a fix a few days ago for a dangerous bug that could let someone take over your machine if Internet Explorer simply displayed an image file put together by the attacker.

The good news is that (as far as we know!) Microsoft fixed this before the bad guys found out about it.

Now, of course, the bad guys know about it. There is now a program, publicly available, that builds a JPEG picture which, if you look at it in unpatched IE, adds a new administrator account to your machine.

That's what has been made public. Likely there are worse things in the underground.

What's going to happen next is that people are going to start using these new attack tools in automatic attacks. For example, someone could infect thousands of machines by sending out spam with a picture in the message.

It's going to happen soon, too.

Remember, click the Start menu, choose Windows Update. You may need to update Office as well.


Forbes has an article about phishing. 

There's a Forbes article about Internet credit card thieves in the current print and electronic issues.

They offer the same advice I do: don't use a hyperlink from an email to go to your financial institution's web site. They mention a good idea I may not have brought up before, namely using a bookmark to go there. Bookmarks are not only more convenient than typing, they save you from the risk of spelling the name wrong. This matters because scumbags sometimes register common misspellings and put up a fake site to trick poor typers into thinking they're talking to a bank.

A sidebar mentions free Earthlink software called Scamblocker which tries to tell you if you're visiting a fake web site. I'm sure it's good, but don't expect too much: software like that is just one move in an arms race and the crooks will work hard to find ways around it.

They point out that you should watch your statements carefully. For one thing, if you don't report a problem within 60 days your bank may stick you with the bill. For another, crooks sometimes try to escape attention by making lots of small charges.

Forbes recommends that you take advantage of offers by credit card issuers to let you use an additional password for online purchases along with your credit card number. I'm not so sure. If someone tricks you into typing your credit card number they can trick you into typing the extra password. Issuers pitch the extra-password services to online merchants by saying it's harder for customers to dispute charges. Does that mean your credit card issuer eats the loss instead of the merchant, or does it mean you get stuck? Ask your credit card issuer.

Forbes also recommends firewalls, maybe by reflex. Firewalls don't help against phishing scams.


Are you still waiting for XP Service Pack 2? 

Wondering whether it's real or just one of those imaginary things that industry people talk about?

You're more likely to get it now. Microsoft has not been updating everybody all at once. They've been gradually downloading Service Pack 2 to customers who've turned on automatic updating. As of today, they're speeding up the distribution so you're more likely to see SP2 on your computer soon.

To turn on automatic updating (which I recommend for home users), go to the Start menu, click Settings, click Control Panel, click Automatic Updates and fill in the blanks.

Are you on dialup? SP2 is a huge download but you should be OK. The way it's supposed to work is that Windows can download it a little at a time and put it all together for you. You can also order an SP2 CD from Microsoft or look for a free CD in the October issue of computer magazines.


Tuesday, September 21, 2004

Good news from AOL! Something better than passwords 

Security people have spent decades studying how humans can identify themselves to computers. They've come up with lots of ideas and have reached some definite conclusions about some of them. For example, security researchers have established something about passwords.

Pardon the technical language, but passwords suck. They suck golf balls through thirty foot hoses. They suck hard-boiled eggs. Passwords are too hard to use and too insecure.

Imagine a password that you don't have to memorize. Imagine that it changes by itself every minute, so that a copy of it, or a code you were tricked into reading out to someone, is worthless a minute later (a crook would have to use it right away, before it expires). Imagine that it's unpredictable, so there's no good way to guess it.

That's what you can get from AOL now. For a small extra fee they offer a small box which displays a constantly changing 6-digit password. AOL's own computers know which 6-digit number should be up at any given time. You log in by typing the number on the screen of the "Passcode" device along with your regular password. If someone steals your password they can't get into your account without your little box to tell them the right 6-digit number. If someone steals your little Passcode box, they can't get in without your password.
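Here is how the "both sides know which number should be up" trick works, as an added example written for this post rather than anything from AOL. AOL's device is an RSA SecurID token with its own proprietary algorithm; the example uses the open time-based one-time password construction (RFC 6238, HMAC-SHA1) instead, which behaves the same way for our purposes. The account, password, token secret and timestamps are all constructed demo data, and the one-minute step is an assumption matching the description above.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumption: the code rolls over once a minute, as described above
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time code (RFC 6238 construction, HMAC-SHA1).
    The device and the server both hold `secret`; the clock is the only other input."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


class LoginServer:
    """Two-factor check: something you know (password) plus something you have (the token)."""

    def __init__(self, accounts):
        # accounts: name -> (password, token_secret); constructed demo data, not real credentials
        self.accounts = accounts
        self.accepted = set()          # (name, counter) pairs already used, so a code can't be replayed

    def login(self, name: str, password: str, code: str, now: int) -> bool:
        rec = self.accounts.get(name)
        if rec is None:
            return False
        stored_password, token_secret = rec
        password_ok = hmac.compare_digest(stored_password.encode(), password.encode())

        counter = now // STEP_SECONDS
        matched = None
        # accept the current step and the previous one, to tolerate a little clock drift
        for c in (counter, counter - 1):
            expected = totp(token_secret, c * STEP_SECONDS)
            if hmac.compare_digest(expected, code) and (name, c) not in self.accepted:
                matched = c
                break

        if not (password_ok and matched is not None):
            return False
        self.accepted.add((name, matched))  # burn the code: the same number won't work twice
        return True


if __name__ == "__main__":
    SECRET = b"constructed-demo-token-secret"
    server = LoginServer({"alice": ("correct horse", SECRET)})
    t = 1_700_000_000
    code = totp(SECRET, t)
    print(server.login("alice", "correct horse", code, t))                     # password + live code
    print(server.login("alice", "correct horse", code, t))                     # same code replayed
    print(server.login("alice", "guessed wrong", totp(SECRET, t + 60), t + 60))  # token but no password
    print(server.login("alice", "correct horse", code, t + 180))               # code copied minutes ago
```

Two design points worth noticing: the server remembers which time step each accepted code came from, so even someone who watches you type the number can't reuse it within the same minute; and it still only tolerates one step of clock drift, so a code phished three minutes ago is dead on arrival.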

AOL's nullified a whole range of threats with this move. I hope a lot of others follow their example.


Spam is now using unpatched Internet Explorer hole 

Antivirus firm F-Secure reports that there's a piece of spam going around that is dangerous even with a fully updated copy of Internet Explorer.

The spam will install a "backdoor" program to allow bad guys remote control of your machine if you make three mistakes:

You can protect yourself with normal prudence. Don't follow links from evil sources. It's like letting a scumbag on the street beckon you into an alley. And of course use an alternative web browser.


Sunday, September 19, 2004

What to do with new hardware/software when you get it home 

You've just unpacked or downloaded a shiny new widget. It promises to give you an "out of box experience", which means you can just plug it in and start using it.

These days, it probably has a computer inside and probably connects to a network. Security will be an issue. If it's like most widgets it comes out of the box with bad security settings.

Here are some things you should do soon, if not right away:

Why this matters

Let's look at a typical example, wireless access points. They're great -- plug them in and they Just Work. Unfortunately most of them come out of the box set to shout "I am here! Connect to me!" to every wireless card within range, and all the access points from one manufacturer start out with the same administrative password. You'd better believe bad guys know all those passwords. (Nothing new there: one locksmith got a reputation as a genius safecracker just by memorizing the factory-set combinations for several models, because nobody ever changed the combination.) Until you change it, you'll be wide open to hostile users.

But if you change the password and turn on the security features you'll be much safer.


Thursday, September 16, 2004

Anybody can get a virus 

You've noticed that every time there's a news report of a computer breakin at a government facility, they always say "no classified information was stolen"?

Ever wondered how they could be so sure? It's because the government takes an unimaginative but effective security measure: computers with classified information aren't connected to the Internet. Period. Spies, weapons contractors and others talk to each other over a completely separate network called SIPRNET.

Unfortunately someone got the idea that since their computers were off the public Internet they didn't need antivirus software. Security guru Bruce Schneier pointed out an article about a virus infection on the super-secure black network. At least they detected it and unplugged the infected machines.

The lesson for everyone is, simply, don't get complacent. Don't relax just because you have a piece of security technology installed. Be ready to detect problems and fix them.


Wednesday, September 15, 2004

There's a critical Mozilla and Firefox update today 

Yep -- a high risk security problem in the alternatives to Microsoft Internet Explorer.

Unfortunately they're harder to upgrade than IE. Check first whether you need to. From the Help menu, choose About. For Mozilla, you're safe if the version number shown is 1.7.3. For Firefox, look for 1.0PR. If it's anything else, you need to upgrade.

Here's the unpleasant part. The authors recommend uninstalling first and then installing fresh. I've gotten away with reinstalling over an existing installation but that's not supposed to work.

So download the installer for the new version (from the Mozilla page or the Firefox page), quit the browser, go to Start/Settings/Control Panel/Add/remove Programs, select the entry for your browser, click Remove. Then run the installer from wherever you downloaded it to.

Your bookmarks and saved passwords should survive this process. You may want to check the help files for how to back them up. You'll have to reinstall any extensions you added.

The changes fix several problems. The most dangerous was just like the recent Internet Explorer problem where viewing a maliciously built image file could take over your computer. Others involved email: a specially built "vcard" business card attachment could cause damage, as could some kinds of toxic email. Dragging links from one location to another could bypass security (just like another recent Internet Explorer problem). Another bug allowed a hostile program to change the contents of a security warning dialog.

If you can't upgrade immediately, the short-term and inadequate defenses are

It's getting to the point that I and other security professionals are tempted to recommend having two computers, one for important work and another disposable one for web surfing and email, and not networking the two.


Tuesday, September 14, 2004

There's a critical Microsoft patch today 

This fixes a pretty serious problem, though I haven't heard of bad guys taking advantage of the problem yet.

Microsoft Internet Explorer has a bug in the way it displays pictures (the type of picture with ".jpg" or ".jpeg" in the name). The flawed code is actually in a Windows component called GDI+ that Internet Explorer uses to decode the picture. The bug is so serious that a bad guy could put together a picture file which would derail Internet Explorer and take over your computer.

You need this update even if you've stopped browsing with Internet Explorer (tell me you've stopped. Please tell me you've stopped). That's because the flawed picture-decoding component is shared by a lot of other programs in Windows, including Microsoft Office, not just the browser. You could be vulnerable without ever clicking on the blue "E".
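The publicly described cause of the bug (Microsoft bulletin MS04-028) is a JPEG segment whose two-byte length field holds a value less than 2, even though the field counts its own two bytes; a decoder that subtracts 2 before copying ends up with a huge copy size. Here is an added example, written for this post and not the SANS scanner or any antivirus signature, that walks the segments at the front of a JPEG and flags that condition along with lengths that run past the end of the file. The sample headers are constructed here, not taken from the pictures going around.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# markers that carry no length field: SOI, EOI, TEM, RST0..RST7
NO_LENGTH = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes):
    """Walk the marker segments at the front of a JPEG and return a list of
    (offset, marker, declared_length, problem) tuples. An empty list means the
    segment lengths are at least self-consistent; it is a structure check, not a
    virus signature."""
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        return [(0, None, None, "no SOI marker: not a JPEG")]
    findings = []
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected a marker (0xFF) here"))
            break
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in NO_LENGTH:
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            findings.append((pos, marker, None, "file ends inside the length field"))
            break
        length = struct.unpack(">H", data[pos:pos + 2])[0]   # big-endian, counts its own 2 bytes
        if length < 2:
            findings.append((pos - 2, marker, length,
                             "length smaller than the length field itself; a decoder "
                             "computing length-2 underflows to a huge copy size"))
            break
        if pos + length > len(data):
            findings.append((pos - 2, marker, length, "segment runs past end of file"))
            break
        if marker == SOS:
            break     # entropy-coded image data follows; nothing more to check up front
        pos += length
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_jpeg(data))


# Constructed samples for this example (not real files from the incident).
def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


JFIF_APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_HEADER = b"\xff\xd8" + _segment(0xE0, JFIF_APP0) + _segment(COM, b"hello") + b"\xff\xd9"
# same structure, but the comment segment claims a length of 1 byte
BAD_HEADER = b"\xff\xd8" + _segment(0xE0, JFIF_APP0) + b"\xff\xfe\x00\x01" + b"hello" + b"\xff\xd9"

if __name__ == "__main__":
    print("good header:", scan_jpeg(GOOD_HEADER))
    print("bad header: ", scan_jpeg(BAD_HEADER))
```

A check like this is cheap to run on mail attachments at a gateway, but it only catches this family of malformed files; the patch is what actually removes the hole.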

I've been afraid of something like this happening because it's so hard to defend against.

Today, log in to your Administrator account (you shouldn't be using it routinely) and go to the Start menu, choose Windows Update, and follow the instructions.

How do you protect yourself from problems like this? There was a similar problem in the competing Mozilla browser recently, so you're at risk with any software. Keeping your software up to date helps, but only if the good guys fix the problem before the bad guys start exploiting it. Keeping backups will help you recover from a problem, antivirus software may alert you if something tries to turn your machine into a zombie, but really the best I can offer is stay out of bad neighborhoods. Legitimate web sites aren't likely to try hijacking your computer. Web sites that engage in illegal activity are often unethical as well.


Monday, September 13, 2004

E-voting: why election officials push for it 

All over the US, the public servants who run elections are eager to install computerized voting machines. Sometimes it seems like only a small minority of computer geeks and professors is worried.

Are computerized elections like water fluoridation, a good idea that only crackpots oppose?

Let's take a look at why election officials like e-voting machines. You can apply common sense to their reasons without needing to be a certified security consultant.

One reason to like e-voting machines is that they can make elections easier. You can redo a ballot at the last minute if one candidate dies in a plane crash. You can accommodate the handicapped better. You can eliminate the whole hanging chad debacle.

The other reason you might like e-voting machines is if you get paid to like them. The New York Times today has an editorial which points out that California's secretary of state and his assistant both went to work for an e-voting vendor. Florida and Georgia both had secretaries of state get jobs as lobbyists for e-voting companies. While still in office, election officials benefit from vendor donations to their professional organizations and there are even reports of individual officials being offered dinners and limo rides.


Saturday, September 11, 2004

There's more than one kind of security 

If you're one of my American readers, you too felt the need to do something, anything, to respond to the shock and horror of September 11.

I'd like to offer two ideas, one conventional and one quirky. Both involve some work.

Set aside some time today to dust off your tire gauge and check the air in your tires. When you discover that they're underinflated, head to the gas station and fill them up to the pressure listed on the plate on the driver's side door jamb.

That will add several miles per gallon without replacing your vehicle. The money you don't spend on gas is money that doesn't go to "religious" schools that teach bigotry and hate. It's money that doesn't go to allow sick societies to put off reforms.

When you get home from that, read about the election. You get to choose who will command American power for the next four years. That's a huge responsibility which you cannot exercise wisely by trusting campaign ads, Michael Moore, or Fox News. All of those are trying to manipulate your emotions. Hit the library or the bookstore and get facts for yourself. Read Woodward's book. Compare General Franks's book with Richard Clarke's, make up your own mind about who's right. Research what anti-terrorism experts have to say about how the current Administration is doing.

Does that seem dull? Hitting tire gauges and books while soldiers are taking hostile fire? Both are ways of fighting terrorism, using the American strengths of individual responsibility and democracy. If you wait until you can make a dramatic contribution, like running into a collapsing building to save lives, then it's too late.


Here's a document worth sharing with your family 

My fellow CISSP M. Kabay put together a readable and informative 82-page booklet about staying safe on the Internet.

Dr. Kabay writes clearly and plainly about specific threats to your wallet, your peace of mind, and the welfare of your children. He gives sound advice and a treasury of informative links for followup reading.

He covers everything from online hate groups to gambling sites, concentrating on common-sense non-technical solutions (like talking to your kids) and ethics. Yes, ethics. There's a lot of truth to "You can't cheat an honest man". Con games typically involve the victim in some apparently illegal scheme.

I was delighted by how balanced the advice is. For example, the section on pornography puts a spotlight on the malfunctions of "filtering" software.

I wish he said more about phishing scams, but it looks like he wrote before they caught on bigtime.

Don't worry about the length of the document. You can read each section on its own.


Thursday, September 09, 2004

It doesn't have to be this way! 

Deb Naylor, a Buffalo city planner, installed some malicious program on her PC. It started sending out spam, and AOL shut down her account to stop the spam.

She said to the press "It's all part of the price you pay to be online".

No! We don't have to accept having our computers stolen out from under us. We mustn't accept it. The price of being online is taking a few precautions and staying alert. Every city dweller knows what that's like in real life.

Best of all, you already know enough to protect yourself against many online scams. You learned as a kid not to be trusting when another kid said "Open your mouth and close your eyes, and I'll give you a nice surprise". The grownup versions are "run this viewer program for FREE HOT COEDS" or "send your bank account number and we'll transfer a few million dollars".

You can stop most technical attacks in their tracks by doing a few simple things:


Wednesday, September 08, 2004

It's patching time today. Mac users too! 

Microsoft has released their monthly patches. From the Start menu, click Windows Update and follow the directions. If it says something about your computer's clock being wrong, ignore it and try again.

Apple just released security fixes for OS X. From System Preferences, choose Software Update. This one matters. Even though most of the fixes won't matter to a home user, there are a couple of repairs to problems that could let someone take over your computer if you just visit the wrong Web page. Don't put this off if you use the Safari browser.


Tuesday, September 07, 2004

Are you scared by news reports about SP2? 

There have been some scare headlines lately about "security holes".

The first question to ask about XP Service Pack 2 is, "Am I better off with it or without it?". If you're in my audience of home and small business users, you're better off with it. You can figure that out on your own by noticing that SP2 solves more problems than it causes.

The second question to ask about the press reports is "How much do the reported problems really matter?". You need to ask somebody technical (like me) to get a good answer. The answer is "Well, not really".

I'm not the only person thinking this way. Columnist Tim Mullen has some colorful comments about the press coverage. He gets the technical issues right! Some good quotes from his column:

If arbitrary code has been run on your computer, then it's not your computer anymore.

He's talking about one of the "holes", which is that bad software can turn off the firewall and make you think the firewall is still on. A detailed analysis of this "vulnerability", in technical terms, is Well Duh. A program running on your computer can do what you can. Operating systems that can defend you against software running on your own machine are rare and specialized.

That quote, by the way, is the same thought as Microsoft's First Immutable Law of Security: if you let a bad guy run a program on your computer, from then on it's his computer instead.

Another Mullen quote, about the problem where picking up an image and moving it could secretly install a program:

Even "http-equiv," the one who released proof of concept code for the "drag-and-drop" vulnerability in IE, still recommended that people install XP SP2, even as he described one of the few real issues that were found in the service pack (it was actually an IE problem that worked with SP1 as well).

There's plenty of real stuff to be, not scared, but aware about. SP2 isn't one of the things to be concerned about -- just install it. There are too many people willing to scare you into handing over your money. One service I'm proud to provide is sorting out significant threats from the exaggerated ones.


Sunday, September 05, 2004

What others are saying about SP2 

You've seen my advice about XP Service Pack 2 for home and small businesses, which is Turn On Automatic Updates And Let It Install Itself.

For big companies it's more complicated. Often they've paid for custom software that stops working because of SP2's security features. If you work for a big company don't install SP2 on your work machine until they tell you to.

If you have some time, and you'd like to know more about the effects of SP2, the folks at Network Computing have pulled together real-world news about SP2.


Here's a disaster recovery trick 

Security is more than playing cops and robbers (if you're doing it right). Protecting your data includes protecting it against sprinkler malfunctions, accidents, and software bugs.

One common disaster is saving a document in Microsoft Office and then not being able to open it again. Office has some recovery features, but you can also try to fix the document by opening it in a free software package called OpenOffice.

OpenOffice is a work-alike for Microsoft Office that Small Business Computing listed in the top 10 small business software packages of 2003. Anita Campbell of Small Business Trends points out OpenOffice is also good for home users and maybe for big companies. You can often use OpenOffice to read an Office document when Office can't read it. Then re-save the document and it's fixed.

You can read more about OpenOffice and download a copy from the project web site.


Review of Microsoft's security advice for small business 

Microsoft has published a 50-page guide to computer security for small businesses.

They wrote it for the same kind of people that The Security Mentor is meant to serve. The guide is not particularly technical and explains almost all the technical terms it uses.

The guide covers several useful subjects:

Most of the advice applies no matter where you get your software. Every now and then they write as though Microsoft were the only software in the world -- for example, one question is whether you're running the most recent version of Microsoft Internet Explorer. They also recommend looking for a consultant with some certifications specific to Microsoft products. I recommend looking for a consultant who can point you to best-of-breed solutions regardless of whether they're from Microsoft.

There are some strange omissions. Two of the biggest threats to your information security are the telephone and the trash can. The guide doesn't even have the word "shredder" in it, and doesn't cover training your staff about what information to give out over the phone.

It's worth reading. You'll find out things you wouldn't have thought of, and you'll be in a better position to communicate with a security consultant or to try doing it yourself.


Thursday, September 02, 2004

Want to learn lots and lots about spyware? 

Spyware is those icky programs that change the page your web browser shows when it starts, or show popup ads even when you're not surfing, or even steal personal information and send it back to the authors.

Some really good programs will help you detect, prevent and remove spyware installations. Unfortunately there are also a lot of deceptively advertised "anti-spyware" programs.

How do you sort out claims and counter-claims? You could spend hours researching, or get a few tips from back issues of The Security Mentor, but your best move is to visit David Piscitello's Anti-spyware Resource Page. Someone reliable recommended it to me and everything I looked at checks out OK. What he's got is a list of good anti-spyware software, bad anti-spyware software, and lots of pointers to honest information.


How do you decide whether to type in your Visa #? 

A firm called ClearCommerce ran a survey recently which concluded that 71% of online shoppers can't tell if the site they're visiting is "secure".

What they mean is that the people they surveyed didn't check for the icon of a padlock, usually at the bottom right of your browser window (look for it now. It should show an open padlock at the moment). Also, about half their respondents don't check their credit card activity in between monthly statements and therefore can't detect fraud quickly.

Don't worry too much if you're one of the 71%. There are quite a few limits to the protection you get when your browser shows a closed padlock.

Your credit card number will be "encrypted" (scrambled) in transmission so eavesdroppers can't steal it. Better than nothing, but it's easier for bad guys to steal your credit card number from the merchant's computers after it arrives. It's even easier to be a crooked merchant. It's easier yet to be a crooked employee at a merchant.

Theoretically, if the padlock is closed, you've got mathematical proof that you're really talking to the same site whose address you asked for. Practically, a lot of things can and do go wrong. Use an up-to-date web browser and common sense: if you followed a link from scam email, it probably didn't go to your bank, padlock or no padlock. And use bookmarks for sites you visit often. Sleazy people have been known to take names like "" and waylay poor typers. Once you're there, a padlock would only prove that you're really at
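To make the bookmark advice (here and in the Forbes post above) concrete, here is an added example, written for this post rather than any browser or bank software, that works out which host a link really goes to and compares it with a list of sites you bookmarked yourself. The bookmark list, the bank names and the sample links are constructed; 203.0.113.5 is a documentation address. It also flags a name that is within a couple of typos of a bookmark, which is the misspelling trick described above.

```python
from urllib.parse import urlsplit

# Constructed bookmark list standing in for the sites you actually bank with.
BOOKMARKED_HOSTS = {"www.examplebank.com", "online.examplebank.com"}


def connected_host(url: str) -> str:
    """The host a browser will actually connect to. urlsplit() already drops any
    'user:pass@' prefix before the real host and lowercases the name; strip a
    trailing dot as well."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_bookmarked_site(url: str, bookmarks=BOOKMARKED_HOSTS) -> bool:
    """True only if the link goes exactly to a host you bookmarked yourself."""
    return connected_host(url) in bookmarks


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(url: str, bookmarks=BOOKMARKED_HOSTS, max_edits: int = 2):
    """If the host is not a bookmark but is within a couple of typos of one,
    return the bookmark it imitates; otherwise None."""
    host = connected_host(url)
    if not host or host in bookmarks:
        return None
    for real in sorted(bookmarks):
        if edit_distance(host, real) <= max_edits:
            return real
    return None


if __name__ == "__main__":
    # Constructed links of the kinds that turn up in scam email.
    for link in ["https://www.examplebank.com/login",
                 "http://www.examplebank.com@203.0.113.5/login",   # bank name before '@' is decoration
                 "http://www.examplebank.com.evil.example/",       # bank name is just a subdomain
                 "https://www.examp1ebank.com/"]:                  # digit one for letter l
        print(link, "->", connected_host(link), is_bookmarked_site(link), lookalike_of(link))
```

The point of the padlock paragraph shows up in the second and fourth links: a closed padlock on either of them would honestly certify that you reached 203.0.113.5 or www.examp1ebank.com, which is not where you meant to go.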

So, what to do?

Some people in the ClearCommerce survey said they only do business with well-known online merchants. That makes some sense -- such merchants are either reasonably careful with credit card numbers or they cease to be major merchants -- but those people deprive themselves of the glory of the Internet, the chance to find obscure items at small sellers.

I recommend the same precautions you use in the physical world. Read the fine print from your bank and make sure that they, not you, eat the losses if someone steals your credit card number. You might not have this protection on a debit card.

By all means sign up for online banking and check your account regularly. ClearCommerce advises that small charges you don't recognize can be a warning that a crook is testing your card number.

