Sunday, October 31, 2004

More than one kind of security: informed voting 

For my US readers, there are some independent web sites that investigate the truth of campaign statements and summarize the voting records of candidates. Both are good tools for a citizen deciding who will govern a superpower.

Feel like complaining that you have to choose the lesser of two evils? Celebrate! Imagine how much better off people there would be if they'd had that choice for the last 40 years in Iraq.

Dislike both? Remember that one purpose of a democracy is to let you throw out bad rulers peacefully.

Read, think, and vote.


The bad news about Internet Explorer 

Yesterday I told you about some independent testing on several web browsers. It showed that Microsoft did a good job handling simple bogus input, on the tactical level.

How about the strategic level? What if the input looks right, but is actually malicious in some sophisticated way?

Yet another sophisticated attack on Internet Explorer showed up recently. It's a variation on a previous problem where a bad guy could trick you into installing a nasty program when all you thought you were doing was dragging a picture from one place to another. This latest bug was yet another strategic problem.

Microsoft keeps making fixes, and the attacks have to get more complicated in order to succeed. Microsoft is making progress. Security people in general think Microsoft will never entirely succeed because the problems are with the fundamental design of Internet Explorer. It's designed to run your computer. A browser like Firefox is designed to look at web pages, period. As long as IE has that much power, and as long as it's complicated, people will find complicated ways to trick it into doing bad things.


Saturday, October 30, 2004

e-voting: You can NOT make this stuff up 

If you'd like a brief and entertaining look at electronic voting, check out this article about Professor Avi Rubin and the Diebold voting machines.

In other news, some students have calculated that an error of one vote per voting machine could have changed the outcome of the 2000 election. Any programmer could make an error like that look like an accidental bug.


Good news about Internet Explorer 

Microsoft apparently put their resources to work on some useful testing and debugging.

Security researcher Michal Zalewski put together an automated test that bombards a web browser with nonsense input to see if it crashes. That gives you an idea of how good the browser's tactical programming is, and the results are even relevant to security. If bad input can derail a program, then malicious input may be able to hijack it.

He tried this test on several popular browsers and made an interesting discovery. Microsoft Internet Explorer held up best. It would keep running, maybe throwing up an error message, while the alternative browsers crashed.

My guess, as a programmer, is that Microsoft must have built a testing tool like Zalewski's and then paid attention to the results.

So am I changing my advice to switch away from Internet Explorer? Stay tuned.


Friday, October 29, 2004

There's more than one kind of security 

My US readers, no matter who wins the election, should be thinking about the system of checks and balances built into the Constitution. That system directly supports national security. It protects us against bad governments, a very real threat that wrecked many nations in the 20th century.

Security author Bruce Schneier points out in his blog that checks and balances are weakening.

He explains "This is not a partisan issue; I don't believe that John Kerry, if elected, would willingly lessen his own power any more than second-term President Bush would. What the US needs is a strong Congress and a strong court system to balance the presidency, not weak ones ceding ever more power to the presidency".


Electronic voting: the professionals speak 

Companies that make electronic voting machines have tried to paint their critics as paranoids, eccentrics, or a minority.

The ACM (Association for Computing Machinery) is one of the oldest and most prestigious professional societies in the world of computing. They're solidly in favor of requiring paper records of each vote. Their policy statement says in part "...it is important that physical records (e.g., paper) are maintained to ensure that a vote has been cast accurately and that a meaningful physical record of a vote exists."

95% of the 4,600 members surveyed agreed with that statement.


Low-tech security: laptop locks 

A bad guy can read all your confidential information, deprive you of the use of your computer, and cost you one or two thousand dollars by simply picking up your laptop and walking away with it.

But, of course, you lock your laptop, right?

If you're a paranoid security person, you start wondering how good the laptop locks are. The paranoid security people at anti-virus firm F-Secure had a slow day for viruses and started yanking on laptop locks.

Turns out you can open cheap laptop locks with pliers. The expensive ones are a little better. Sometimes the lock holds up and the laptop case breaks. They have photos of simulated laptop theft. If a thief has a bit more finesse, it's possible to open several popular laptop locks with a Bic pen.


Dangerous video 2: Real Player 

NGS Software, the folks who discovered the security bug in QuickTime for Windows, also turned up a security bug in many video players from Real Networks. Details are scarce, but it seems to have something to do with downloading a "skin" for the player. RealPlayer 10 and 10.5 are said to be affected, as are versions 1 and 2 of RealOne.

Download the Real Player patch or think twice about what you open in Real Player.

UPDATE 10/30: this is more dangerous than the QuickTime bug, because someone's proven that it's possible to use this bug to take over your computer.


Dangerous video 1: QuickTime for Windows 

Now it's watching a video that can get you in trouble.

If you have Apple's QuickTime for Windows, and if you ever download videos from untrustworthy sources, you should download Apple's patch for QuickTime for Windows.

We keep getting hit by problems like this because it's really tough for programmers to handle everything that can go wrong when a program reads complex data. Keep your software up to date to guard against problems like this one, but also be careful what data you feed your computer.


Antivirus reviews: what happens when you call for help? 

Apparently PCs are so complicated now that the tech support staff at antivirus companies won't always give the right answer. Consultant and writer Ed Skoudis wrote a review of antivirus technical support in which he found some outright bad or dangerous advice from phone support.

The most helpful support was from Sophos, which only sells to businesses. Computer Associates, the runner-up, has an antivirus product for home users.


Thursday, October 28, 2004

Are things about to get better? 

Companies ship insecure products and run insecure computers because they can. Until there's some kind of accountability this will never change. My favorite security author has written that software should be covered by product liability laws.

Yesterday I heard something encouraging at a security conference (believe me, that's rare; if you want to hear encouraging things, don't go to security conferences). Visa has started writing security requirements into its contracts with merchants. Merchants faced with losing the ability to take Visa payments suddenly become religious about security audits, it turns out.

A purchasing manager at the same conference described postponing a seven-figure order until the vendor could prove they met some security requirements. He got results.

People like Visa's executives and that purchasing manager are now putting money behind demands for better security practices. If you make a demand with money behind it in a market economy, you get results. You get those results faster than liability lawyers or government regulators can possibly move.

Now if only we had some way to measure security...


Do you use Outlook Express? 

A lot of security problems these days make you say "so what!" at first glance. But put them together with other problems and things get really bad.

Outlook Express just turned up with one of those problems that sounds like a non-issue. It turns out that someone can send you mail with a picture that gets shown even if you don't want it to be shown.

By itself that's not a big deal, and there isn't a fix yet anyway. But this does mean you should make sure you've run Windows Update recently, because of the other bug that allowed a maliciously built image file to take over your computer when you viewed it.


Do you trust caller ID? 

It's long been an open secret in the security world that a bad or just plain mischievous person can make whatever they want appear on your caller ID display when they call you. The last few years, it's been getting even easier than it used to be.

Today it's really easy. Anyone can fake their caller ID information now for a small fee. There's a website (excuse me if I don't give you the address) where an attacker can type in the phone number he wants to call, the number he wants to pretend the call is from, his real phone number and some payment information. When he submits the data, his phone rings and when he picks up he'll hear the bogus call going through.

The moral is that all caller ID is good for is deciding whether to pick up the phone. You can't make important decisions based on what caller ID tells you.


Things nobody's telling computer users about 

AOL and the National Cyber Security Alliance just ran a security survey of a few hundred home computer users. They said the state of home computer security is bad. I say that computer owners aren't getting the information they need.

First, the scary stuff. Eighty percent of the computers had spyware on them, with 93 pieces of spyware on the average infected computer.

Ninety percent of the infected people didn't know they were infected. That tells anyone willing to listen that the industry's falling down on the job of telling its customers how to use their computers safely. Two thirds of the people surveyed didn't have a firewall, two thirds didn't have up-to-date antivirus software, and a seventh had no antivirus software at all. Sixty percent thought they were safe.

What else has the industry failed to explain? Well, three out of five people surveyed didn't know the difference between an antivirus program and a firewall.

Here's what you need to know if you're a normal person running a Windows machine and exploring the riches of the Internet. A firewall limits what can happen over the network: it prevents problems like people reading your shared files. Antivirus programs try to stop bad programs from running: they defend you against things the firewall allowed because it "thought" you wanted them. You need both. You also need at least one good anti-spyware program like SpyBot Search&Destroy or AdAware (AdAware's web site is down right now).


Unfamiliar with new voting machines? This guide will help 

A set of volunteers have put together a voter's guide to electronic voting. It's in plain English and includes information about what kind of voting machines are in your area, online demos of voting machines that you'll use, where to report problems, and even information for poll workers.

Check it out. This will be a close election and you want to make sure your vote doesn't get lost to confusion.


Wednesday, October 20, 2004

A travel tip from a science fiction author 

"The best 'self-defense means' when you are surrounded by a hundred million people of some other culture is to avoid dangerous places and figure out some way to get along with the folks around you."

That's from writer Neal Stephenson, in an interview where someone asked what he carries for self-defense when he travels.

I've never seen Internet security explained better.


Monday, October 18, 2004

Here's another resource for your small business 

Author James Gaskin has a stimulating and opinionated column of security advice for small and medium business. He does legwork, which makes him more useful than a lot of the computer industry press.


Sunday, October 17, 2004

Buying a firewall for your small business 

Wayne Rash has a short but useful article about what to buy when you've outgrown the cheap firewall box from Circuit City.

Small business firewall advice.


Tuesday, October 12, 2004

XP Service Pack 2: it was done right 

If you look at the fine print for Microsoft's latest announcement, most of the problems do not affect XP Service Pack 2.

That tells us something important: Microsoft got ahead of the game and prevented these problems from happening in SP2.

Unfortunately, the flaws in Internet Explorer also affect XP SP2. If you don't install the fixes then bad guys can take over your computer if you continue using Internet Explorer.

If you won't take my advice about using a different browser, then consider this quote from security industry leader Bruce Schneier in SearchSecurity magazine:

I think it's foolish to use Internet Explorer. It's filled with security holes, and it's too hard to configure it to have decent security. Basically, it seems to be written in the best interests of Microsoft and not in the best interests of the customer. I have used the Opera browser for years, and I am very happy with it. It's much better designed, and I never have to worry about Explorer-based attacks.


Bumper crop of Microsoft patches 

If you haven't turned on automatic updates (Start/Settings/Control Panel/Automatic Updates) then run Windows Update today. Now that the fixes are published, the bad guys can work out what the problems were and use that knowledge to take over unpatched systems.


Saturday, October 09, 2004

Oh, before you install XP Service Pack 2 

Service Pack 2 helps prevent spyware from installing itself on your computer. Unfortunately some spyware prevents Service Pack 2 from installing itself on your computer.

The SP2 installation advice on Microsoft's website suggests cleaning spyware out of your computer first.

You may be able to get spyware removal and professional SP2 installation at your local CompUSA or Microcenter.


Friday, October 08, 2004

Why are things so bad? 

Why are some of the brightest programmers working at the richest companies producing programs that can't last 20 minutes exposed to Internet traffic?

Part of the answer is in an old Amway story. Supposedly someone asked the founder why he did something as unprestigious as selling soap. He said "People buy soap". Why did Detroit spend decades selling cars without seat belts? Because people bought cars without seat belts. Why do companies sell insecure software? Because people buy insecure software.

Today, car buyers want safety features and pay for them. Car companies respond by offering more safety features than the law requires. When software companies watch customers walk away over security issues, that day the software companies will begin shipping more secure products.

How do you buy software? Do you look for the equivalent of crumple zones and airbags, or do you look for the equivalent of tail fins?


It's getting to where you can't even look at things 

Simply opening a Microsoft Word document which has been put together by a bad guy can allegedly take over your computer. The advisory about the Word bug from security firm Secunia says that it's been proven possible to crash Word, but that they haven't seen proof yet that you can take over a system.

Unfortunately, the person who found this bug published it yesterday without letting Microsoft know first. So the bad guys have a head start and there's no patch available yet. Microsoft needs to study the problem and test a fix before they can release a patch. On the bright side the bad guys haven't started using it yet.

Protect yourself by not opening .DOC files unless you have some reason to trust the sender. You don't eat apples from wicked witches, and you shouldn't feed Word documents to your computer if they might come from malicious people.


Security updates: Apple, Firefox 

This one's not an emergency, but when it's convenient I recommend installing the patch to prevent others from deleting files from Firefox's downloads folder.

Apple's got a set of security fixes which includes some relatively obscure things and one serious problem.


Dangerous pictures: antivirus may not be enough 

According to a Cambridge University security researcher I talked to, and according to CNet, it's possible for an unpatched Microsoft system to get taken over by a tainted picture before the antivirus software has had a chance to check it.

Windows Update is the best line of defense, and it's important to update now that bad guys are trying this attack in real life. The latest I heard of was on instant messaging, where a message saying "check out my profile!" went to a picture with a virus payload. That particular attack reportedly failed but it's only going to get worse.

