Tuesday, November 30, 2004

"Optimize your Internet connection"? 

There's a service called MarketScore that promises to speed up your web browsing. It comes bundled with file sharing software from iMesh. They offer to store popular web pages on their own computers which then pass the popular pages along to you. They do this without your knowing about it: you just type in the same web address you always use, and they make it go to their computer instead of going straight to the one you had in mind.

So far, so good. That kind of service is called a "proxy", and you may be using one already without knowing it. There are some mild privacy implications, if you don't want the proxy operator to know that you visited asiangirlsincombatboots.com.

MarketScore is doing something unusual, though. They're also sitting in the middle of "secure" transactions (like sending your credit card number) and are able to see the contents. You can check that the little padlock appears at the bottom right of your browser window, you can double-check that the Web address begins with "https" instead of "http", but you can still be exposing your credit card number to a stranger.

How's that possible? Your credit card number is supposed to be electronically scrambled ("encrypted") so that eavesdroppers can't get it before it gets to where it's going. And it is, but there's one more step to keeping your credit card number out of unfriendly hands. You have to be sure you're really talking to the online store and not somebody else. Otherwise that somebody else will get your credit card number securely transmitted to them. That's what MarketScore is doing. Then they pass the information along to the real merchant, you get what you ordered and all is well. In theory.

MarketScore is doing something that should be technically impossible. If you want to impress your friends, call it an "SSL Man in the Middle Attack". Part of what makes a transaction "secure" is that the web site you're talking to has to prove who they are. Unfortunately the software which checks who you're talking to isn't what it should be. It can be fooled easily by a simple change to your browser settings, a change which MarketScore makes.

As far as I know MarketScore is perfectly honest. I'm not accusing them of peddling spyware. But how secure are their computers? Amazon.com has a good track record handling our credit card numbers, but how do we know MarketScore won't get compromised?


Monday, November 29, 2004

A couple more ways to create good passwords 

There's a web site that will generate strong random passwords for you. If you have a healthy amount of paranoia and don't want your passwords to come from someone else's computer, you can install a Firefox extension for creating strong passwords.


Why you should patch your system before you visit the first web site 

Someone named Ben Edelman installed a fresh copy of Windows XP on a computer, and just to see what would happen he went to a web site before installing any of the available security fixes.

After he used Internet Explorer to look at a single web site he counted sixteen pieces of spyware which had gotten installed on his computer without his permission as a result of visiting that one web site.

He made a movie of the experience. The movie is a big download but watching it is educational. The first thing to notice is how his system goes out of control with random popups and error messages. Remember what that looks like. If it ever happens to you, react as though a large person walked up to you on the street and said "You're in the wrong neighborhood". Leave. Then run your anti-spyware software.

After the first few minutes the movie is all about the new junkware that got installed, and home users can skip that part of the movie without missing anything vital.

What's scary is that the spyware problem is even worse than what he shows. He said "No" to everything that asked permission. If you get tricked into allowing things to install themselves you can wind up even worse off than he was.

You have to prevent things like this from happening. Letting them happen and trying to fix them just doesn't make sense. If he'd run Windows Update first to get his security fixes from Microsoft, and if he'd used Firefox to look at the web site, then the movie would have been much duller.


Sunday, November 28, 2004

Important tip for Windows and Linux users 

I already mentioned that you need to install a new version of the "Java runtime environment" if you're running Linux or some Windows systems.

The official advisories seem to be leaving out an important detail. You have to uninstall the old version or you could still be vulnerable. In Windows, you go to the Start menu, click Settings, click Control Panel, choose Add/Remove Programs, and look for something like "Java 2 Runtime Environment SE, v1.4.2_03". If you've got something like that, click Remove.


Mac users, you seem to be safe from the Java bug 

I wrote about a security problem that affects both Windows and Linux on November 24. The problem affects both operating systems because it's related to a computer language called Java which is designed to run on everything from desktop computers to cellphones.

I had to dig to find this out, but people have tested a couple of versions of Mac OS X to see if it has the underlying problem that makes the security hole possible. So far it still looks like OS X is safe from this particular security bug.


Friday, November 26, 2004

Computer running slowly? Anti-spyware reviews. 

A web site called Ars Technica has a review of anti-spyware software by Adam Baratz which points out the quirks in each program, points out that there's no good reason to pay since there's so much good free anti-spyware software, and recommends Ad-Aware. They also have an important page about how to prevent installing malicious software. It's worth your time to read what they have to say.

Eric Howes has a thorough review and test of many anti-spyware programs which takes a while to read. No need to go through the whole thing unless you're a security consultant like me. One highlight is that Pest Patrol turned in a stellar performance.

You can also get some honest advice and reviews at spywareinfo.com.

I was going to wrap this up with some general advice (like "watch out for crooked 'anti-spyware' vendors" and "don't take candy from strangers") but I can't put it any better than Eric Howes did with the spyware prevention advice in his conclusions.


Thursday, November 25, 2004

Who are you, to your computer? 

When you installed XP, you had the chance to create one or more separate login accounts for yourself and your family members. Somewhere in there the system asked you to decide whether each new account would be an "administrator". Just what does that choice mean?

Being an Administrator means having complete control over the computer. It's what you need for installing software, doing some kinds of regular maintenance, and also what you need if you want to cause major damage. You're safer not to be an Administrator unless you need to be. If you're not installing software or making system changes, then logging in to an account that's not an Administrator is like having a safety catch on. It's much harder to make dangerous changes when you're logged in to a non-Administrator account.

You want that kind of protection because there are so many ways for bad guys to trick you into running programs they wrote. When you run those programs you're giving them power of attorney. The programs can do anything that you can. If you're an Administrator, they can make your life really difficult.

Sometimes you need to do some administrative work temporarily and then go back to being a "Limited User" for your regular work. There are several ways to do that and there's a guy named Aaron Margosis who has an entire blog about how to make them work. I found one post of his that's non-technical enough to share with normal people. When you read it, remember that "LUA" stands for "Limited User Account", "RunAs" is the Windows feature that lets you run a program as if you were somebody else, and it's safe to ignore the geeky comments at the bottom. Here's a link to the Aaron Margosis HOWTO on running XP at home as a Limited User.


Do you ever check email at a coffee shop? 

Did you know that the coffee shop's wireless network is like a party line, and anyone else on the network can see what's going over it including your email password?

There are plenty of technical fixes for this but not many people understand the problem. Author Glenn Fleishman just listed some email providers who offer secure solutions in his non-technical guide to secure use of email on a Wi-Fi network.


Wednesday, November 24, 2004

Followup on today's multi-platform security hole 

The Mac, running OS X 10.3, seems to be unaffected. I tried to run the demonstration program on a browser on my Mac and nothing happened.

The official word on whether this affects the Mac is "we don't know". The silicon.com article about the Java vulnerability says in part:
"The advisories from Sun, Secunia and Pynnonen do not address whether the problem could affect Apple's Mac OS X operating system, which is based on a Unix-like core of code, similar to Linux. The Sun representative said that the Mac issue is being investigated.

Apple was not immediately available for comment."


This underreported problem affects every browser and operating system 

There's a computer language called Java which, among other things, lets Web developers write programs that can run (theoretically) safely on your computer.

There's a bug that takes away the "safely" part and makes it possible for nasty web sites to send you a Java program that can do much more to your computer than it should be able to. The important part is that this is a problem in any web browser, not just Internet Explorer. Firefox users are at risk. Even Linux systems are affected.

The good news is that so far it appears the bad guys aren't using this security problem to do bad things.

There are two ways to protect yourself. Well, three ways, counting "stay out of bad neighborhoods".

The easy way

You may not really need to run Java programs. Only a few web sites depend on sending them to you. You can tell your web browser never to run Java programs. In Firefox, go to the Tools menu and choose "Options...". In the dialog box that comes up, click the icon labeled "Web Features" on the left. On the right there will be a checkbox labeled "Enable Java". If it's checked, then uncheck it.

If you were still looking at the Internet through Internet Explorer, you'd go to Tools/Internet Options/Security/Internet/Custom Level/Microsoft VM/Disable Java (but I might be wrong here).

The hard way

If you use a web site that requires you to run Java, like my favorite secure email service, then you need to figure out whether you're affected and then install a fix if you need to.

The first question is what version of Java you have and where you got it. Sun and Microsoft both make the part that lives on your computer. This time the Microsoft version is the safe one and it's the competitor which has the bug. You might have either one depending on when and where you bought your computer.

Open a command prompt (in XP, go to Start/Programs and look for a black icon) and type "java -version" without the quotes and hit Enter. If it says something like "version 1.4.2_03" then you need to upgrade. If you're using the "Microsoft VM" then none of this applies to you. Visit http://java.sun.com/j2se/1.4.2/download.html and follow the links and instructions for the "Java Runtime Environment" (JRE).


Tuesday, November 23, 2004

This virus deletes data 

Antivirus firm Panda reports a Spanish-language email virus which goes beyond the usual mischief and destroys data files. It chooses different subjects and messages when it mails out fresh copies of itself, but apparently always arrives in a .ZIP file.

A .ZIP file can contain anything. Don't open one unless you are expecting one and know what's in it.

The big US antivirus companies aren't yet mentioning this one on their web sites, at least not under the same name Panda uses for it. What that means to you is that your antivirus software may not yet know to look out for it.

Now I have a good excuse to remind you to back up your data.


Humor: a "Dear John" letter to Internet Explorer 

CNET reviewer Robert Vamosi has a funny breakup letter to Internet Explorer.


Monday, November 22, 2004

Speaking of ad blocking, here's news for Zone Alarm users 

Zone Alarm is a popular firewall program. One of its features lets you block popup and popunder ads, or even (at its strictest setting) banner ads.

Now that bad guys are using banner ads to spread infections, blocking ads is a security feature and not just a convenience feature.

Unfortunately Zone Alarm has a bug. If you turn on ad blocking (it's off to start with), you open yourself to a bug in which your computer can lock up if Zone Alarm tries to read certain kinds of web content.

For now your best move is to check regularly for the upcoming fix. Open Zone Alarm, go to the Overview section's "Preferences" tab and hit the "Check for Update" button. If you're running Firefox or any other alternative to Internet Explorer, you're safe from getting an infection from a banner ad and you could safely turn off ad blocking altogether if you want to.


Need any more reason to hate online ads? Now they're dangerous. 

If you view the wrong web content in Microsoft Internet Explorer, you can lose control of your computer. It used to be that you only ran into malicious content like that at, um, questionable web sites.

Sunday, the news broke that banner ads from more than one advertising company have been taking advantage of the Internet Explorer bugs to install unwanted software on people's computers. So far the unwanted software has simply displayed more advertising but there's nothing to stop something worse from happening. In fact, according to author Conrad Longmore, banner ads have dropped some truly nasty software onto victims' machines.

Here are some things you can do that partially help:

There's also a complete solution:


Sunday, November 21, 2004

Good news for AOL subscribers 

AOL 9.0 Security Edition is likely to be worth getting if you're an AOL user. What they've done is to put together virus protection, spyware protection, and several other security must-haves in one convenient package that's automatically kept up to date.

Use keyword "upgrade" to get it.


Saturday, November 20, 2004

More advice about avoiding "phishing" scams 

"Phishing" is when a crook sends you email that looks like it came from your bank (or PayPal, or eBay) and tricks you into typing your password and account information into a computer the bad guy controls.

Security firm Sophos is one of many places with good advice on protection against phishing scams. I prefer to suggest the non-technical approach. Do the same thing you'd do if it were a phone call instead of a message on your computer. If you didn't place the call, you don't give out your credit card number.


Friday, November 19, 2004

Internet Explorer bug helps trick you into downloading nasty files 

Two bugs, actually.

Internet Explorer ("IE") is supposed to show you a warning if you try to run a program you found on the web. One bug allows bad guys to send you a file that won't set off the warning. You shouldn't have been depending on getting a warning message, though. Ideally you'd just be careful what you download.

The other bug lets a bad guy fool you about what type of file you're downloading. You could think something was a picture and actually be getting a computer program instead.

Things that don't help:

Things that help:


Thursday, November 18, 2004

Watch out for ".EMF" files 

It's a kind of picture file for Windows, and there's lots of legitimate artwork published that way (Microsoft has published clip art in .EMF files).

Unfortunately .EMF files can also be a way of spreading viruses.

Unfortunately the bad guys know this and are doing it today. There's mail going around with pictures from the Arafat news which spreads a virus.

You can sleep easy if you've kept your system up to date. Microsoft fixed this bug earlier this year, and Service Pack 2 is immune.


Wednesday, November 17, 2004

The ad promises to protect you from spyware. Do you believe it? 

Andrew Brandt of PC World has a review of commercial anti-spyware programs. PC World did their own tests, and looked at spywarewarrior.com.

Stick with the free programs, they advise. The heavily advertised programs make misleading claims and sometimes even install new spyware.

I'll repeat my recommendation: AdAware and Spybot Search&Destroy. Spybot hasn't been updated in a while. It never hurts to run more than one anti-spyware program, because often one program will find something that another one missed.


Tuesday, November 16, 2004

How hard is it to steal an election? 

Suppose all the voting machines are secure and work perfectly. Have you ever wondered who adds up the counts from each machine?

One of my security colleagues downloaded Diebold's vote counting software and ran an imaginary election on his home machine. Check out his report on the security of Diebold vote counting software.

Sample quote: "There were no passwords to crack, and all I had to do was figure out the way things were stored in an unprotected, clear text Access database".

Folks, this is not a partisan issue. If your candidate won, don't you want him or her to have the moral authority that comes from a clean election? Don't you want to be sure the other side can't steal the next election?


Monday, November 15, 2004

Bad ideas about passwords 

I read a lot about security. I see a lot of bad advice.

I won't name the poor guy, because he means well, but someone I just read suggested starting with English words and adding numbers or special characters.

The password guessing programs the bad guys use know all about both techniques.

People who deface web pages sometimes brag about what they've done. One in particular made fun of the webmaster who'd used "heavymetal1980" as a password. The intruder figured that English plus numbers was stupidly easy to guess. That was six years ago. Password guessing programs are smarter now and run on faster computers. One system administrator found a password of "pre$ident" with a program and computer from 1993 (don't try this yourself -- he didn't get permission first and now has three felony convictions).

Some better ideas would be to take some catchphrase that only your family uses and use the first letter of every word, or to use the serial number of a fifty dollar bill in your wallet. You already have a system for protecting your wallet.
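
Here is a small check for the two habits described above (English words with numbers tacked on, and English words with look-alike symbols swapped in). It is an added example, not something from the sites or people mentioned in this post. The word list, the substitution table, the function names and the two-word limit are all assumptions made for illustration; a real check would load a full dictionary.

```python
import re

# Constructed mini dictionary, for illustration only.
WORDS = frozenset({"heavy", "metal", "president", "password", "dragon", "summer"})

# Look-alike substitutions that get undone before the dictionary lookup.
SUBSTITUTIONS = str.maketrans(
    {"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "!": "i"}
)

# Digits and punctuation glued to the front or back of a password.
EDGE_DECORATION = re.compile(r"^[^a-z]+|[^a-z]+$")


def split_words(text, words, max_words):
    """Split text into at most max_words dictionary words, or return None."""
    if text == "":
        return []
    if max_words == 0:
        return None
    # Try the longest prefix first, then recurse on what is left over.
    for end in range(len(text), 0, -1):
        if text[:end] in words:
            rest = split_words(text[end:], words, max_words - 1)
            if rest is not None:
                return [text[:end]] + rest
    return None


def guessable_pattern(password, words=WORDS, max_words=2):
    """Name the easy-to-guess pattern a password follows, or return None."""
    lowered = password.lower()

    # Pattern 1: one or two dictionary words, maybe with "1980" or "!" added.
    core = EDGE_DECORATION.sub("", lowered)
    if core and split_words(core, words, max_words) is not None:
        if core == lowered:
            return "plain dictionary words"
        return "dictionary words plus digits or symbols"

    # Pattern 2: dictionary words with look-alike characters swapped in.
    undone = EDGE_DECORATION.sub("", lowered.translate(SUBSTITUTIONS))
    if undone and split_words(undone, words, max_words) is not None:
        return "dictionary words with character substitutions"

    return None


if __name__ == "__main__":
    for candidate in ("heavymetal1980", "pre$ident", "f$i^(A;Q"):
        print(candidate, "->", guessable_pattern(candidate))
```
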


What's a "passphrase", and is it better than a password? 

A couple of Microsoft's security people, in their personal blogs, suggest that people should start using more than one word when we choose a password. For example, you might log in with "squeamish vultures swing dishwashers" instead of "f$i^(A;Q".

Why? It's easier to remember a nonsense sentence, easier to type one, and it may be harder for the bad guys to guess with their password-guessing programs.

Most modern operating systems let you use 127 characters or more in a password and some of them can be spaces. You can log in to your Windows machine with an entire sentence where it asks for a password. Some web sites, though, may not let you type in something that long.

You still need to be careful because longer is not always better. For example, you can see that "Once upon a time" is actually easier to guess than "Once upon a". So don't pick a common phrase like "to be or not to be". Use something you just made up and pick the words as randomly as you can. Depending on how much time you have and how much security you need you can

Then, after you've gone to all that trouble, maybe you can't use the result because the computers at work demand that you include numbers and special characters. Grumble briefly to yourself and then do something like putting an exclamation point at the end or replacing the letter "a" with "@". For example, if you aren't allowed to use "quarterbacks fry fuchsia philosophies" because it's "too simple", you could change it to "2 Quarterbacks fry fuchsi@ philosophies!" and get it accepted.
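
For readers who want to see the idea in code, here is an added example (mine for illustration, not taken from the Microsoft blogs mentioned above). It picks words at random, estimates how many guesses the result resists, and applies the same "make the computer at work accept it" tweak shown in the paragraph above. The short word list, the function names, the 7776-word list size and the 94-character alphabet are assumptions.

```python
import math
import secrets

# Constructed sample list. In practice use a list of several thousand words;
# with only a dozen words the result is far too easy to guess.
WORDLIST = [
    "squeamish", "vultures", "swing", "dishwashers",
    "quarterbacks", "fry", "fuchsia", "philosophies",
    "lantern", "gravel", "otter", "biscuit",
]


def generate_passphrase(n_words=4, wordlist=WORDLIST):
    """Pick n_words independently and uniformly with a secure random source."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_symbols, alphabet_size):
    """Bits of randomness in n_symbols uniform picks from alphabet_size choices."""
    return n_symbols * math.log2(alphabet_size)


def decorate_for_policy(phrase):
    """Apply the fixed tweak from the text: leading "2 ", capital first letter,
    the last "a" turned into "@", and "!" at the end. Because the tweak is the
    same every time, it adds nothing to the randomness of the phrase."""
    head, found, tail = phrase.rpartition("a")
    if found:
        phrase = head + "@" + tail
    return "2 " + phrase[0].upper() + phrase[1:] + "!"


if __name__ == "__main__":
    phrase = generate_passphrase()
    print("passphrase:         ", phrase)
    print("policy-friendly:    ", decorate_for_policy(phrase))
    # Assumed sizes: a 7776-word list, and 94 printable keyboard characters.
    print("4 random words:      %.1f bits" % entropy_bits(4, 7776))
    print("8 random characters: %.1f bits" % entropy_bits(8, 94))
    print("this sample list:    %.1f bits" % entropy_bits(4, len(WORDLIST)))
```
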


Antivirus may not help with "Bofra". Here's what will. 

One of the latest viruses propagates itself unusually. It's not an attachment. It uses a toxic link, but it cleverly links to a previously infected machine.

Antivirus programs can't catch it by scanning attachments 'cause it's not in an attachment. Security people can't stop the spread by shutting down the virus writer's link targets because new ones are coming up all the time.

Unless your antivirus program scans web pages before you see them, it won't protect you from the "Bofra" virus.

You can defend yourself by doing any or all of:


Saturday, November 13, 2004

Firefox hits the mainstream press 

I keep talking about the security advantages of looking at the web with Firefox instead of Microsoft Internet Explorer. Rob Pegoraro at the Washington Post reviews the features of Firefox.


Friday, November 12, 2004

We trust computers with our money. Why not our votes? 

Defenders of today's electronic voting machines raise that question. They also point out that there were a lot of problems with the old systems (remember Florida in 2000?) and that computers could make things better.

My favorite security writer answers these questions in a blog article about requirements for electronic voting machines. In a nutshell, imagine how hard it would be to have a safe ATM network if your withdrawals had to be as anonymous as your vote. But he has a lot more to say. It's all well thought out, it's all good, and it is important.


Thursday, November 11, 2004

Does XP Service Pack 2 really have ten major holes? 

A security firm called Finjan says they've reported a bunch of security problems to Microsoft that affect new, security-improved Service Pack 2.

Unfortunately, they refuse to release details about what the problems are. A couple of things they mention look to me like rediscoveries.

Without details, there's no way to tell you exactly how to protect yourself. As near as I can tell, everything they've announced is covered by the two rules of Don't Take Candy From Strangers, and Don't Run Internet Explorer.


So what do you do if you catch a virus in spite of everything? 

Your antivirus software may try to remove the virus. Doing that right gets harder all the time. Getting a cleverly written virus off your system for good can challenge the best antivirus software.

My recommendation would be to copy all your important personal data and then erase the machine and start over. Writer John Leyden at The Register takes a more optimistic view in his article about how to detect and remove a virus or worm. He also has some good tips about staying out of trouble in the first place.


A look over at the world of banking 

We're not the only ones who have computer security problems. Banks have been installing Windows XP computers to run cash machines. In August 2003 a bunch were knocked out of service by a worm program. They were supposed to be isolated from the Internet, but all it takes is one mistake ...

Just this fall their trade association released massive documentation about how best to secure ATMs from cradle to grave. Now if we could just get that kind of standard for voting machines.


Firefox has bugs too 

Security firm Secunia reported a couple of bugs in Firefox yesterday. The bugs are much less serious than the recent Internet Explorer bug. One bug could let an attacker with a malicious web page read local files on your machine. Another might allow tricking you into thinking a downloaded file is some safe kind when it really isn't.

The good news is that they're already fixed. The official release version of Firefox includes the fixes. By all means upgrade. The easy way is to go to the Tools menu in Firefox, click Options, click the Advanced icon, look for the Software Update section on the right, and click the Check Now button.

Interestingly, I'm not hearing these kinds of bug reports about the Opera web browser. Either it's more secure or fewer people are paying attention to it.


Norton Antivirus alleged to miss things 

There's some controversy going on, and until it's settled you might want to consider picking up a competing antivirus program if it's on sale.


The bad guys are using the latest Internet Explorer bug 

Antivirus firm Sophos reports a new infection called "Bofra" which spreads via email. The email has subject lines like "Confirmation", "Hello", or "Funny photos :)" and tries to trick you into clicking a link which it promises will take you to free pornography or to an explanation of why your PayPal account got charged $175. The link goes to a web site that triggers last week's Internet Explorer bug and takes over your computer.

This is a lot better than it might have been. You can avoid this one by taking a "Just Say No" policy toward unexpected links. You're safe if you use XP Service Pack 2 or a non-Microsoft web browser.


Look at the wrong web page, give away your computer 

Last week featured yet another bug in Internet Explorer that allows bad people to write a Web page that will take over your computer if you use Internet Explorer to surf there.

You're still at risk even if you've followed my advice (and the Department of Homeland Security's advice) and switched to an alternative web browser such as Firefox. You see, Outlook and other programs that show "HTML" text (text formatted for the web) will have the same problem.

I haven't found a patch at Microsoft's web site.

The two best defenses are

Your firewall won't help with this because this is an attack that happens inside data you asked for. Your antivirus software may or may not help.

You still can't get infected by anything by just looking at plain old text, like you would have gotten from an old-fashioned typewriter. You can add a lot of protection by giving up on the display of fancy text in programs you use. Microsoft has instructions about how to do that in several of their programs:

Things you can do to make attacks harder to perform or less damaging:


Wednesday, November 03, 2004

Installing Service Pack 2 without going crazy 

I've already mentioned removing spyware before you start. Columnist David Pogue has a list of steps to prepare for an XP SP2 installation which include backing up your data, uninstalling your old antivirus and firewall programs, logging off other users and so on. Everything he recommends is logical.


Tuesday, November 02, 2004

e-voting: Paper receipts have been proven practical 

Nevada's done it for real in an actual election. Another New York Times editorial about paper voting records looks at the objections to trying the same thing elsewhere, and why it could work even with longer ballots.


Monday, November 01, 2004

e-voting: But don't the election officials say it's OK? 

The professional organizations that election officials belong to keep endorsing the current generation of electronic voting machines. Some election officials have said that paper records are impractical, and others have said that the only problem is that critics are undermining confidence in the system.

Check out the second page of this New York Times editorial about voting issues. It explains some of the reasons you're seeing election officials disagreeing with computer experts.


The bad news about Firefox

I wrote recently about a test program that uncovered a lot of bugs in the Firefox web browser, the kind of bugs that might lead to security problems.

They're also, fortunately, the kind of bugs that are (relatively) easy to fix. I expect them to get fixed quickly. You may be surprised, but the volunteer labor behind Firefox often turns around fixes faster than the paid experts of the commercial world.

Meantime there may be security problems which could show up if you browse to the wrong web page.

That's not the only threat out there. Trojan Horse programs can scramble themselves to fool antivirus programs, then unscramble themselves and work their evil upon you.

What's a non-expert to do in order to stay safe? Do the same thing that martial artists and firearms experts tell you to do in the physical world. Stay out of bad neighborhoods (on the web, that's porn and illegally copied software sites). Don't follow strangers into alleys (on the web, that means don't click on links unless you're sure where they go). Keep your eyes on the situation and leave if you feel uncomfortable.

