Monday, February 28, 2005

Do you get a Blue Screen of Death when you install antivirus software? 

If so, you're not alone and Microsoft already has a fix for you to download. As usual, pick Windows Update from the Start menu.

|

Sunday, February 27, 2005

Beginner's guide to reading web addresses 

"Hey, Mister, come into the alley with me!"

That would send you running in real life. Can you spot the equivalent on the web? Bad guys on the web try to trick you into clicking links that go to bad places. Phishing is only one example. If you were still running Microsoft Internet Explorer, malicious links could take you to pages full of popups and spyware installations.

So can you tell whether a link is safe to follow? Common sense helps. If it's in email from a deposed African dictator, I'd suggest not clicking it. Can you look at it and tell where it will go?

Scott Pinzon of Watchguard Security wrote a brief lesson in reading Web addresses. It's worth reading just to make yourself a little more street smart. His advice is for nontechnical people (you know, the kind with actual lives) so there are some tricks he doesn't cover. In other words don't get overconfident: if you're getting a bad feeling about a link but you don't see anything wrong with it, go with your gut feeling.

|

How to read security news 

Network World Fusion just ran two opinion pieces. A person we'll call Hatfield says, in the first one, that intruders from the outside aren't the real threat to businesses, who should instead worry about insiders and crooked or careless employees. Hatfield cites statistics to prove this.

A person we'll call McCoy says in the second opinion piece that insiders are overrated as a security threat and that businesses should concentrate on defending against outsiders.

Are you throwing up your hands in confusion? Or are you cynically wondering whether Hatfield is from a company that sells protection against insiders and McCoy is from a company that sells protection against outsiders? Are you wondering whether the statistics in Hatfield's article come from his own company? Then you're street smart, not cynical, because that's exactly what happened.

We have too few hard facts about security threats, and far too many of the numbers in the press are made up. Always look for conflicts of interest. Does a news article quote "experts" saying that a virus cost $11 billion worldwide? Check whether the "experts" are from an antivirus company.

|

Saturday, February 26, 2005

wireless security: hotspotvpn.com review 

Your grandparents or great-grandparents may have gotten their phone service on a "party line", in which everyone in the neighborhood was an extension on a single phone line. Anyone could pick up the phone and hear anyone else's conversation.

Wi-Fi hotspots have the same problem. Everyone's on the same radio channel. Clever electronics keep people from interfering with each other, but anyone who wants to can hear everything that's going over the air.

How often do people eavesdrop? Nobody knows in general. At security conferences it's all but guaranteed. Anywhere else, well, the tools to eavesdrop are free.

Someone who can read your data won't get anywhere if the data are electronically scrambled, "encrypted" with a secret code. Your credit card transactions are protected this way (look for a lock icon at the bottom right of your browser window). Your logins to web-based email systems are often encrypted: Google's mail service, gmail, is one that does this right.

You may be exposed when you read your email. Most web-based email services don't offer encrypted links for reading your mail. Again, gmail is an honorable exception: just change "http" to "https" in the address and you're protected.

Even worse, the vast majority of non-Web based email servers make you send your password in the clear. There's no excuse for that any more. Email programs today know ways to log in that protect the password from snoopers. ISPs simply don't bother supporting the option. One game played at one security conference was to post email passwords of Wi-Fi users on a bulletin board.

So, how do you protect yourself?

Well, inevitably there's an acronym involved, which is "VPN". It stands for "Virtual Private Network". Your computer joins a local area network somewhere away from the Wi-Fi hotspot, as if your computer were physically there. What makes it "private" is that all the communication between your computer and that other network is encrypted. Someone listening in at the hotspot only sees gibberish.

You can rent a connection to a VPN. I just tested a commercial VPN service to protect your privacy at hotspots. They're called hotspotvpn.com, and I found the setup painless (on Windows) until it got into a fight with Zone Alarm, which I was able to fix on my own. It worked reliably. I thought the sales pitch on their home page was a bit over the top, but their support forum (still getting fleshed out) has useful and honest information. I was impressed when gtaylor, their support guy, correctly explained the security tradeoffs of the security protocol they use!

I meant to try it under Linux, OpenBSD and Mac OS X but my subscription to their service expired before the antibiotics made it possible to work again. One customer in the support forum said he's gotten it working with Linux. My research makes it look like setting up a connection from Linux is Not For Normal People.

Yes, you can also use their service to secure Internet traffic from your home wireless network, if for some reason you can't get security working on your own.

|

Thursday, February 24, 2005

Industrial espionage by computer -- is it real? 

Scary headlines warn that "hackers" may steal your company's business secrets. Is this another scare tactic to sell newspapers and security products, or is something real happening?

Several real-life people have been hauled into court for trespassing on competitors' computers. Baseline Magazine lists several recent incidents of computer-based industrial espionage.

"Yes, but how big a problem is it really?", a healthy skeptic would ask. Nobody knows. Police don't have statistics, and a lot of incidents are never reported (let's face it, a lot are never detected).

I suspect exaggeration though. Ambitious prosecutors can get their names in the paper by tackling a glamorous "computer crime". And not all business secrets are really vital: do you think Coca-Cola would go out of business if someone learned to make something that tasted the same?

|

Wednesday, February 23, 2005

Before you hook your computer to the Internet 

I've written about this before, but just ran into some really detailed instructions that explain what buttons to push and so on. http://www.us-cert.gov/reading_room/before_you_plug_in.html gives accurate advice and I think it's readable by normal people.

The Computer Emergency Response Team offers some other bits of advice for non-technical users. They're not all equally good. I like their advice about how to avoid phishing, their password advice is not bad, their "Understanding Firewalls" article packs good information into a quick read, but I'm not sure what else I'd recommend.

|

Tuesday, February 22, 2005

Security insights you can keep on your iPod 

Which is more dangerous, pigs or sharks?

That's one of the questions on this audio interview with security guru Bruce Schneier. Schneier is one of the people I really admire for a rare combination of technical depth and plain common sense. Listen to the interview for a clear look at which security measures really help and which are nonsense.

|

Monday, February 21, 2005

Thinking "I've got nothing to hide"? Privacy matters. 

Does it ever seem like privacy advocates are raving loons?

It doesn't help that some of them are fanatics who will reply to "But I have nothing to hide" with "So why do you use a shower curtain?" It's not a helpful answer and doesn't say anything about businesses collecting apparently harmless information. Like your grocery store purchases, for example.

Your Safeway discount card that gives you lower prices in return for tracking what you buy seems perfectly safe, doesn't it? The problem is that almost any fact can be used against you. That's why attorneys tell even innocent people not to talk to the police. The perfect example of why privacy is important is firefighter Philip Lyons from Tukwila, Washington. His house caught fire. Investigators found a camping fire starter at the scene. His Safeway card revealed that he'd bought one of the same kind so he was arrested, charged with arson, and put on administrative leave from his job. By pure random good luck someone else came forward and confessed. Otherwise he could have lost his career and gone to prison for a long time with everyone thinking he'd torched his house with his family inside.

Don't give out personal information unless you've got a really good reason.

|

Sunday, February 20, 2005

What to do after an identity theft (US only) 

All these places have detailed, step by step instructions about how to contain the damage:
The Federal Trade Commission
The Department of Justice
Privacy Rights Clearinghouse

After reading those you'll feel motivated to prevent the problem. A lot of identity theft happens in the physical world. Use a shredder, sadly give up the convenience of an unlocked mailbox, don't give any sensitive information to someone who says "You may already be a Winner!"

In fact you may already be a victim. A data warehouse company named Choicepoint leaked hundreds of thousands of identifying records recently. Watch your accounts for strange activity and consider ordering a copy of your credit report to see if someone's taking out new loans in your name.

|

Saturday, February 19, 2005

Bipartisan voting machine legislation 

For my US readers:

Republican Senator John Ensign of Nevada introduced a bill called the Voting Integrity and Verification Act. His bill would require electronic voting machines to produce paper trails. Three Republicans and four Democrats are co-sponsors.

By all means, write to your Senators and ask them to support this. Don't know who your senators are? You're about average. The front page of the Senate web site lets you pick your state and find out who represents you. You'll end up at a page with the address, phone number, email and home page for your senators. The home page may include a contact form.

|

"Surviving the first day" -- a review 

A volunteer-based security education organization wrote instructions for what to do with a new XP system.

How good is it?

I think it helps you solve the wrong problem. Their detailed, easy-to-follow instructions are for how to set up a machine relatively safely when you don't have a firewall. There's just no point. You can buy a firewall box from your favorite office supply store for $30-50.

They talk about how to download all the vital security updates. They wrote this before Microsoft began to publish security updates on free CDs. I'd recommend ordering a security update CD weeks before you order your computer.

|

Thursday, February 17, 2005

Found some good and not obvious advice for XP home users 

What do you do after the obvious things that everyone tells you to do, like firewalls and antivirus programs?

My fellow CISSP Tony Bradley lists intermediate-level security advice for Windows XP Home Edition. Things have changed a little since he wrote it. For example he says the Windows firewall is off by default, something Microsoft fixed last year in Service Pack 2. The advice is still good, and includes some tips I haven't seen elsewhere. You'll get the most benefit from his fourth point, which is to run as much as possible from "limited" accounts which can't change the system too much even when a virus takes them over. This is the same idea as my tiresomely repeated advice "don't run as an Administrator".

|

Wednesday, February 16, 2005

The US government's advice on securing computers 

The National Institute of Standards and Technology came up with a set of computer security guidelines for government agencies.

Mostly it's about how to generate organizational structures and paperwork. They did have some ideas relevant to a small business, maybe even to a home.

Got an inventory?

If you're recovering from a disaster then your insurance company will want to know what equipment you had. If you order a security survey then your security consultant will want to start with a list of what you've got. Do you know what software you have installed? Where are the original disks?

You'll benefit by taking an inventory of your data as well as your hardware. Think about what you can't do without. Accounts receivable records? Tax data? Take those thoughts and re-do your backup procedures.

How's your physical security?


My doctor had to add a lock to his computer room door so he could meet the security requirements of US privacy law. Computers get stolen from offices all the time. Have you done something to prevent that?

Can your employees install software?

If you're a home user, imagine that I said "children" instead of "employees". The safest answer is "no". Give as few people as possible "administrator" access, especially to important computers.

Clean off disks before you sell them or throw them out

And of course shred your paper. Would you like to get paranoid and have bragging rights? You could buy a shredder from the National Security Agency list of approved crosscut shredders.

|

Tuesday, February 15, 2005

Windows hygiene actually works 

I just read an interesting forum post by a guy who builds custom computers.

He puts them together just like I would recommend. He does the setup from behind a firewall so the machine is protected while he installs the security fixes. He installs all the security fixes, plus antivirus, plus a personal firewall program, and perhaps most important he makes sure that the usual login doesn't have dangerous Administrator-level privileges, so that if something does go wrong the damage will be limited.

He was complaining that after six months a "non-trivial number" of the machines he sells get infested with something or other. ("The glass is partly empty").

Why is that good news? Because he didn't say "most". The glass is mostly full. The flip side of what he's saying is that the majority of properly set up Windows machines are still alive after six months. Compare that to this column describing a four-minute survival time for a Windows PC which didn't have the same careful setup.

|

Monday, February 14, 2005

How to stop sharing your hard disk 

My other entry today talks about the Windows firewall, and when it does and doesn't prevent people from seeing folders you've chosen to share.

What if you simply never share any folders? Are you safe then?

No. Administrators, in Windows, can see and use special names to get access to the entire disk of any Windows machine on the local network. If your machine is named "Gardenia", for example, someone with the right password can connect to "\\Gardenia\C$" and read or write your entire C: drive.

Isn't it amazing what Windows does for you?

That is a convenient feature. If you're security-minded, it's the kind of feature you don't want to have unless you really need it.

That much I knew before today. Today I learned that you can turn that feature off. I spent over a decade programming for Windows and it's not every day someone can teach me something I don't already know.

Security writer Tony Bradley (good guy BTW) has a short piece about how to turn off administrative shares on WindowsNetworking.com. If you're comfortable editing the Registry it's easy and quick.

Windowsnetworking.com is packed to bursting with useful and high quality information. It's on the technical side, better suited for the person stuck with running an organization's network than for the average home user. (Disclosure section: my business relationship with them is that they offered me a link).

|

When the Windows firewall won't protect you 

Windows has a reasonable basic firewall in XP Service Pack 2. It has the same limitations as other firewalls, of course. Today I'll be talking about how it balances usefulness against paranoia.

The firewall controls who can see your shared files. After all you don't want random strangers on the Internet writing over your shared files. More subtly, every time someone finds a security bug in Microsoft's file and print sharing programs they can write a new virus or worm that spreads to every machine which makes those services visible.

But you do want to share the printer with the machine in the basement and to be able to swap files back and forth. That's why you have a network in the first place.

So the built-in Windows firewall hides file and print sharing from the Internet at large but makes them completely available to your local area network. That way you can share a printer with your wife but keep your files safe(r) from strangers on the Internet.

Q: You're about to point out a catch, aren't you?

Yes.

What happens when you're at a coffee shop?

The whole coffee shop is one local area network. The firewall is going to assume that since all the other customers are on the same local network that it can trust them.

Try a quick experiment. Browse the "Network Neighborhood" at Starbucks or at the library. Don't actually open anything you see, that would be unethical, but take home the insight that if you can see them then they can see you.

Other firewall programs like Zone Alarm will stop you and ask whether you want to trust each network you connect to. If you're at a wireless hotspot, just say no.

|

Sunday, February 13, 2005

Sorry for the blackout, folks 

I just spent about a week negotiating with a virus (the biological kind). We reached a compromise that allowed me to feed the cat and go to the bathroom as long as I spent several hours saving up the energy to do it.

I should be publishing on a more regular schedule now.

|

Voting machine news 

Toasters don't set your house on fire because the industry has a set of standards and a testing body, Underwriters Laboratories, to run the tests.

Shouldn't we be equally careful about the machines that count our votes?

The good news is that people are already putting together standards and tests for electronic voting machines. All the right people are involved. Reputable voting machine suppliers, advocates for the disabled, and some of the top security researchers are working together to write standards for voting equipment.

You might want to write to your legislators and suggest that your state should only buy equipment that gets a good rating on the new tests.

|

A glimpse of the black market 

Have you ever wondered what happens to security problems between the time they're discovered and the time they're fixed?

If we're lucky, someone ethical finds the problem, they quietly notify the people who maintain the flawed product, and in due course a fix comes out. For example, Core Security Technologies discovered a severe problem in MSN Messenger, told Microsoft about it last August, and Microsoft released a fix this month.

What happens if a bad guy finds a security problem before it gets fixed? Security researcher Mark Loveless has some numbers about that. Infoworld quotes Loveless as saying that bad guys can sell the news of an unknown security hole (and a program to exploit it) for a few thousand dollars.

Who spends money buying attack tools, and why? Governments buy them (use your imagination). Organized crime can use the attack tools to take over computers and sell access to them. Zombified computers sell for 3 to 10 cents (US) each in lots of 5000.

Once you own someone else's computer you can send spam or simply display ads to the victim. Spyware and adware firms aren't illegal yet so we have firm numbers from them. Security Focus reports that spyware brings in around 3 dollars per infected machine per year.

Stolen credit card numbers, depending on how fresh they are, can range from 50 cents to 5 dollars each in lots of 1000. That seemed high to me: Loveless explains that the price has gone up since the US Secret Service shut down some suppliers.

Security's in terrible shape when security flaws and compromised machines are so plentiful that they sell so cheap.

|

What you need to do SOON after Windows Update 

First things first

First, if you haven't already downloaded Microsoft's security fixes from last Tuesday, do it now. Go to the Start menu and click Windows Update. If you get an error message about your computer's clock being wrong, ignore it and try again. If you're logged in without Administrator privileges, which is a good idea, then instead of clicking on Windows Update hold down the shift key and right-click on it, then log in as Administrator in the resulting dialog box.

The fixes are for important problems. There's also one confusing problem, having to do with instant messaging programs.

What you need to know

"Windows Messenger" is not the same program as "MSN Messenger". The names are confusingly similar, they both send instant messages, and they both had the same critical security problem but you have to fix the two of them separately.

The big difference is that Windows Messenger is "part of Windows" and MSN Messenger is not. When you run Windows Update it will install fixes for Windows Messenger but will leave MSN Messenger with the same critical security vulnerabilities. You need to make a separate visit to the MSN Messenger web site to download the security fix for MSN Messenger.

How serious is this, really?


It's one step short of an emergency and could turn into one overnight. There's a four-step process that happens with security bugs:
1. Someone finds a bug that might be a security bug.
2. Someone writes a program that demonstrates breaching security using the bug. They do that to prove the problem is real and so everyone can test a security fix.
3. Someone changes that demonstration program to do unkind things.
4. Someone turns the bad program loose, perhaps making copies of itself.

Step 3's already happened. Microsoft says step 4 hasn't happened yet. There's absolutely nothing to stop it, though, and anti-virus firm Symantec says they've seen an attack in the wild.

Anyway, you may not have a choice. Microsoft's announced plans to deny logins from anyone who's still running a vulnerable version.

|

Thursday, February 10, 2005

Which antivirus product to buy? 

Well, you might want to look at a review of antivirus customer service from Information Security Magazine first. Sophos, Computer Associates, and Trend Micro did especially well.

|

Wednesday, February 09, 2005

Update your Norton Antivirus: high risk problem 

Symantec, makers of Norton Antivirus and many other security products, issued a warning about a security vulnerability in Norton Antivirus and other Symantec products. This is one of the really bad problems where all the bad guy has to do is give some poisonous input to a program in order to take over your computer. And of course, antivirus programs run automatically on all your incoming email and other untrusted input. You can't stop this from happening.

(Well, you could, by installing yet another security program to protect your antivirus program. I don't recommend it. First it's ridiculous. Second, the company offering the protective product once had an equally bad security hole in their firewall product, which allowed a destructive worm to spread.)

Symantec has released updates already for some affected products. Check the link above to see if your version is at risk. Meantime, leave your virus checker running. You're still safer with it than without it, because there are thousands of viruses circulating now that it can stop and the bad guys haven't (yet) started broadcasting something that takes advantage of the Symantec flaw.

|

Tuesday, February 08, 2005

How to get spyware even if you use Firefox 

Nothing's perfect. The Firefox web browser will improve your life by preventing a lot of the security problems Microsoft Internet Explorer causes but Firefox isn't magic. It can't know what software is good and what's bad so it can't always protect you.

Here are some things that can go wrong. The first two are kind of obvious, but the next ones are recent discoveries.

The easiest way to hurt yourself works with any web browser. If you download the wrong program you'll regret it, no matter how you downloaded it. Be suspicious of "viewer" programs for pictures and anything that comes from a shady web site. Take your business elsewhere if a web site demands that you install something you've never heard of unless you're very sure they're reputable.

You can add new features to Firefox by installing "extensions". Installing a malicious extension could damage you just as badly as installing any other malicious software. You can find good safe ones on mozdev.org. Stay in charge of your own computer -- install extensions only when you've read about them and want the features, not when some random web site suddenly shows you a dialog box asking you to install one. If that happens, just say no.

Then watch out for any web site that tries to trick you into doing something unusual. Here are some examples of activities that can hurt you in version 1.0 of Firefox, but which version 1.01 will prevent(*):
Dragging something from a web page to your desktop: this is a way of downloading software. See above, and remember the rule about software on the net: if it were meat, would you feed it to your cat? You don't feed your cat meat from strangers on the street and you don't want to feed your computer any software from random strangers on the web.
Dragging something from a web page onto an open tab: that would really be "something unusual". If you do that you could let a bad web site pretend to be a good web site. You'd be risking having passwords stolen at the very least.
Double-clicking places on a web site: this may be the most likely. The effect would be to trick you into accidentally changing your browser preferences while you thought you were doing something else. You could be tricked into turning off your popup blocking or you could have your start page hijacked to point to ads.

(*) Which reminds me of the real security advantage of Firefox. It's built by people even more passionate and enthusiastic than the programmers at Microsoft. Bugs can get fixed really fast.

|

Monday, February 07, 2005

Phishing is getting more tricky and insidious 

"Phishing" scams, you'll remember, are when someone sets up a fake web site pretending to be your bank or something else so they can trick you into typing in your banking password. Then they can use the password to loot your account.

Security people used to recommend, back in the good old days a few months ago, that you type in your bank's web address yourself or choose it from a bookmark. The crooks have already found a way around that precaution. If they can get one of their programs running on your computer they can reprogram your computer to intercept requests for the real bank's address and send them to the crook's web page instead. In other words, you can type the right address and your computer will go to the wrong one anyway.

Can you tell whether you've been sent to the wrong web site? Maybe, maybe not. There's an arms race going on between phishers and web browser developers where the browser developers program in new ways to show where you really are on the web, and the phishers invent new ways to trick the browser into displaying the wrong location.

Right now the crooks are ahead. There is a new and better version of an old trick where they'd put their crooked web site at a name subtly different from that of a real web site. For example, they'd replace the lowercase letter L in the real site's name with a numeral one, so they might put their password stealer at "chemica1bank.com" and try to trick you into clicking on a link to there. The new way is to use a feature of modern browsers that lets them display web site addresses from multiple human languages.

Some languages, it turns out, have letters that look like they're part of the English alphabet but really aren't. Here's a safe example. Take a look at these links which are not Paypal. Hover over them, paste them into another program, or even follow them (they go to a page that says "meow"). If you follow the second link, see what happens when you click the padlock icon at the bottom right of your browser window.

The padlock icon is supposed to ensure that you're really talking to the website you think you're talking to. It doesn't help you against this scam: it sits there and solemnly says, in effect, "I've just used sophisticated mathematics to prove for sure that this web site isn't paypal but has a name that looks the same". Gee thanks.

(Skip this paragraph unless you're the type who likes to look under the hood of a car. There's still a way you can find out you're being scammed. Click on the padlock icon and look for something with a name like "view certificate" or "certificate details". It will show a name for the site you're looking at. The name will begin with "xn-" if there are non-English characters in the name. But that doesn't prove you're being scammed, because a legitimate Swiss bank or French eBay subsidiary might put non-English characters into their name.)
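The under-the-hood check above, and the older digit-for-letter trick, can be automated. The following is an added example, not part of the original post: the function names, the small look-alike table and the sample hostnames are constructed for illustration, and it relies on the fact that encoded labels carry the full prefix "xn--".

```python
import unicodedata

ACE_PREFIX = "xn--"  # how a label with non-ASCII characters looks once encoded

# Constructed sample table: look-alike character -> the ASCII letter it imitates.
# A production check would load the full Unicode confusables data instead.
LOOKALIKES = str.maketrans({
    "1": "l", "0": "o",                           # digit swaps ("chemica1bank")
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic letters shaped like a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",  # ... like p, c, y
    "\u0445": "x", "\u0456": "i",                 # ... like x, i
})


def decode_label(label):
    """Turn an xn-- label back into the characters a browser would display."""
    if label.startswith(ACE_PREFIX):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed encoding: keep the raw text
    return label


def encode_label(label):
    """Return the ASCII form that appears in DNS and in the certificate."""
    try:
        return label.encode("idna").decode("ascii")
    except UnicodeError:
        return label


def scripts_in(label):
    """Writing systems used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    found = set()
    for ch in label:
        if ch in "0123456789-":
            continue
        name = unicodedata.name(ch, "")
        found.add(name.split(" ")[0] if name else "UNKNOWN")
    return found


def inspect_host(host, protected=()):
    """Check each dot-separated label; `protected` holds names worth guarding."""
    shown, wire, findings = [], [], []
    for raw in host.strip().lower().rstrip(".").split("."):
        label = decode_label(raw)
        ascii_form = encode_label(label)
        shown.append(label)
        wire.append(ascii_form)

        # 1. Non-ASCII label: worth a look, but legitimate for non-English names.
        if ascii_form.startswith(ACE_PREFIX):
            findings.append(("idn", ascii_form))

        # 2. Latin letters mixed with another alphabet inside one label.
        scripts = scripts_in(label)
        if "LATIN" in scripts and len(scripts) > 1:
            findings.append(("mixed-script", "+".join(sorted(scripts))))

        # 3. Label that collapses onto a protected name after un-swapping
        #    look-alikes, without being that name.
        skeleton = label.translate(LOOKALIKES)
        if skeleton != label and skeleton in protected:
            findings.append(("lookalike", skeleton))
    return {"display": ".".join(shown), "ascii": ".".join(wire), "findings": findings}


if __name__ == "__main__":
    # Constructed sample hostnames; the second contains Cyrillic U+0430.
    watch = {"paypal", "chemicalbank"}
    for h in ["paypal.com", "p\u0430ypal.com", "chemica1bank.com", "b\u00fccher.example"]:
        result = inspect_host(h, watch)
        print(result["ascii"], result["findings"])
```

A name written entirely in one non-Latin alphabet passes the mixed-script test, which is why the look-alike comparison against a watch list is kept as a separate check.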

Want a chuckle? There's only one web browser where this new scam doesn't work. It's Microsoft Internet Explorer. It's so far out of date it doesn't even have the feature this scam takes advantage of.

All these scams will work against Mac and Linux users too.


What can you do?



|

Sunday, February 06, 2005

How to lose ninety thousand dollars 

You'll find an article in the archives here which raises the question of whether banks will refuse to reimburse customers for online fraud.

Banks are already starting to balk. Miami businessman Joe Lopez checked his online banking account last April and felt horror when he found an unauthorized $90,000 wire transfer to Latvia. Bank of America has said they did everything right and he's just stuck. The Latvian bank still has $70,000 of the money but they've frozen it. Bank of America won't intervene with Latvia because, they say, they didn't lose any money.

Lopez runs a 5-person company. That's a lot of money. He's had to take out a home equity loan to keep the business going.

So, what can you do?

You're still prudent if you keep your online banking account. Online banking has some real security advantages. You can check activity daily and spot fraud faster and you get less sensitive material in your physical mailbox. Nobody knows how this particular security breach happened but I'll bet it was something routine. Practice good hygiene and swing your business to a bank that has a policy of covering fraud losses and/or has advanced security like one-shot passwords.

|

Saturday, February 05, 2005

Nontechnical threats 

Your Internet connection exposes you to bad guys all over the world, but after that you're in the most danger from the trash can and the phone.

The Internet's uniquely dangerous because attacks are automated and hundreds of millions of people can attack you. That's why you're a target of Internet attacks even if nobody's personally out to get you. Attackers can just twist every virtual doorknob in the virtual city.

Someone attacking you personally is less likely but you can't overlook it. Ex-spouses? Stalkers? Investigators from a lawsuit? If you draw hostile attention from an actual human instead of from a computer program, that human's likely to try "social engineering".

"Social engineering" basically means taking advantage of people's trust. People trust that nobody will go through their trash cans looking for sensitive data. People trust that people on the phone are on the level. Con men violate both kinds of trust.

Feeling a little at sea? Here are some real life examples of "social engineering" attacks, or you could rent the movie "Catch Me If You Can" about scamster Frank Abagnale. There's also a chilling but funny story about a loss prevention expert who showed a store manager that he could walk out with five computers he hadn't paid for and get the store personnel to help.

Kevin Mitnick, the well-known computer intruder, testified to the Senate that conning people worked so well he rarely had to resort to a technical attack. Mitnick's book, "The Art of Deception", gives many chilling accounts of plausible-sounding phone calls leading people to disastrous actions.

So, what can you do?

Keep a low enough profile that nobody takes a particular interest in you.

Buy a shredder. Use it for bank statements, phone lists, phone logs, or any information that could help someone bluff his way in.

Stay small enough that everyone in your company knows everyone else. If you get bigger than that, hire someone to train your people about resisting con jobs.

|

Friday, February 04, 2005

Keep Tuesday morning clear for updating Windows 

Microsoft says one of the updates you'll get is "critical". That usually means someone can take over your computer. Even if the bad guys aren't using this security flaw now, they will once they see what Microsoft fixed. Then they'll know where the problem was, and they'll attack people who haven't installed the fix.

As usual, run as Administrator and pick Windows Update from the Start menu.

|

Thursday, February 03, 2005

Media files. AGAIN. 

This time it's a little complicated, and the good news is that bad guys aren't taking advantage of it yet.

Real Media files (like movies or sound clips) have a feature that is OK by itself but that allows some attacks on Internet Explorer to be more dangerous. It's like glycerine -- harmless, but if someone comes along with nitric acid they can make nitroglycerine with it.

Here's the What Does It Mean For You section.

|

Wednesday, February 02, 2005

"...the best computer they've looked at." 

If you follow just a few of my top-priority recommendations, how well off are you?

You'd be running Service Pack 2 of Windows XP. You'd surf the web with Firefox. You'd have some anti-spyware programs installed.

Another writer (who mostly reports on Voice over IP) set up a computer for his wife's parents just like that, and wrote:

Today, the cable company showed up at my in-laws' place to install their new spiffy broadband connection with the cable company. Apparently, the tech who was there to check their computer to make sure it "met the requirements" was rather pleased with how the computer was set up. It had XP SP2, Spybot, Ad-aware, Mozilla Firefox as the default browser, and they couldn't find IE (it's there, just not the default browser). To quote them, it was the best computer they've looked at.


Make a few simple changes and you, too, can own the best computer a professional technician has ever seen. And sometimes all you need is to be better protected than the other targets.

|

Tuesday, February 01, 2005

More tips for home users, especially with new computers 

I wrote a short list of advice in an earlier article about security for new computers. Randy Nash has a longer and more technical Home User Security Guide out today.

He's got good advice including the names of a couple of free antivirus programs with good reputations. I'd add Microsoft's antispyware program to his list of recommendations, because it catches things that Ad-Aware and Spybot miss.

My only reservation is where he recommends you protect yourself against phishing by installing a browser toolbar from Netcraft. First off, if you're doing things right you can't even install the Netcraft toolbar. It doesn't work with the web browser you should be using, Firefox. It only works with Microsoft Internet Explorer. Even I don't know of enough security tools to make Internet Explorer safe to use on the open web. Second, read the Netcraft privacy policy and see if you can live with it.

|
