Saturday, March 26, 2005

So which web browser is more secure, anyway? 

The more you think about that question the more you realize it's meaningless. But you still have to make a decision about what program you use to poke around the web.

A Belgian security firm called ScanIt has tried measuring browser security. They took several browser programs and counted how many days of the year each one had publicly known vulnerabilities without a patch available.
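
The counting method described above can be sketched in a few lines. This is an added example, not ScanIt's code or data: the advisory dates are constructed, and treating a bug as open from its disclosure day up to (not including) the patch day is an assumption.

```python
from datetime import date

# Constructed sample: (publicly disclosed, patch released or None if unpatched).
SAMPLE = [
    (date(2003, 12, 20), date(2004, 1, 10)),  # carried over from the prior year
    (date(2004, 3, 1), date(2004, 3, 15)),
    (date(2004, 3, 10), date(2004, 3, 20)),   # overlaps the previous bug
    (date(2004, 12, 25), None),               # still unpatched at year end
]

def vulnerable_days(advisories, year):
    """Days in `year` with at least one publicly known, unpatched bug."""
    start, end = date(year, 1, 1), date(year + 1, 1, 1)
    # Clip every exposure window to the year; drop windows that miss it.
    spans = []
    for disclosed, patched in advisories:
        lo = max(disclosed, start)
        hi = min(patched or end, end)
        if lo < hi:
            spans.append((lo, hi))
    # Merge overlapping windows so a day with two open bugs counts once.
    spans.sort()
    total = 0
    cur_lo = cur_hi = None
    for lo, hi in spans:
        if cur_hi is None or lo > cur_hi:
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days
    return total

def exposure_percent(advisories, year):
    """Share of the year spent inside a window of vulnerability."""
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    return 100.0 * vulnerable_days(advisories, year) / days_in_year

if __name__ == "__main__":
    print(vulnerable_days(SAMPLE, 2004), "days,",
          round(exposure_percent(SAMPLE, 2004), 1), "% of 2004")
```

Adding up each bug's open days separately would give 40 for this sample; merging the overlapping March windows gives the 35 distinct days the metric is after.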

I compliment their work, but keep in mind that it's not the last word. For one thing, bad guys may know about a vulnerability before the public does. They only counted bugs that allow taking over your computer. Also, not all browsers are equally likely to get attacked on days when they are (known to be) vulnerable. You'd call ScanIt's work "a metric", "approximate", "debatable", or "lame" depending on what your job is and how old you are.

I'm sorry. That paragraph was too abstract. All it means is Your Mileage May Vary. ScanIt's numbers, like mileage numbers, are useful but you need to remember their limits.

The envelope please

The numbers are dramatic compared to gas mileage numbers. Microsoft Internet Explorer was "vulnerable", by their definition, for 98% of the year 2004. There was only a single week, in mid-October, when a fully patched IE installation could stand up to publicly known attacks.

The Mozilla/Firefox family was vulnerable for "only" 15% of the year. To do even that well you'd have to install every patch the day it came out.

The sleeper was a small, fast, feature-rich web browser called Opera. Opera had a "window of vulnerability" for 17% of the year but nobody spotted any malicious software to attack it. The total number of problems was much lower than for the other two, but maybe that's because fewer people were looking.

Here are the ScanIt browser vulnerability study results. Just skim over the parts you don't understand: it's clearly written but assumes that you read all the security news.

ScanIt also offers an online browser vulnerability test you can take to see if you're at risk now.


Friday, March 25, 2005

Firefox has a "critical" vulnerability 

This could let your computer be taken over if you view a .GIF image file that a bad guy specially prepared to take advantage of the bug.

This is pretty serious, but last I heard there weren't actual attacks in the wild yet. What makes this bad is that it could happen without any action on your part other than visiting the wrong web page, or even simply visiting a good web page that has the wrong ad on it.

Upgrading is easy and you can do it inside Firefox. Go to the Tools menu, click Options, click Advanced at the bottom left of the dialog that comes up, scroll down to "Software Update" on the right side of the dialog, click the Check Now button and follow instructions.

All the browsers I know of have had some kind of vulnerability show up recently in how they handle images. So why am I recommending Firefox over other browsers? Part of the answer is in this sentence from the article: "The flaw came to light after work done by security researchers at Internet Security Systems but was fixed before they published their report." The Firefox team can move much faster than a large company to fix a problem.


What do you look for in a security consultant? 

Infoworld has a good recent article about how to hire a security consultant.


Tuesday, March 22, 2005

Wow. ANOTHER insecure consumer networking device 

According to someone named Donnie Werner of, one model of DSL modem from Samsung has some embarrassing security problems.

I don't have one to test, so I can't vouch for any of this. Like most things these days, the modem is actually a small computer. By its nature it has to be directly connected to the net, so firewalls can't help it. So how secure is it? According to Werner, the unit's master password is "root" and it accepts logins from the outside network. In other words anybody with net access can take complete control over it.

I don't know whether any bad guys will try to take advantage of this. There are so many insecure Windows machines to take over that bad guys might not bother taking over modems. If they do, the most likely uses would be to store illegal files and to hide the source of Internet connections. Attacking the rest of your computers is less likely, though it would be easy for a bad guy to install a program to spy on your Internet traffic and steal passwords.

I can't think of a way for normal people to protect themselves against problems like this. In a normal market you're fairly safe buying from established suppliers, but some of the biggest names have had back doors built into their products. Over time, maybe loud protests will discourage vendors from putting their customers at risk like this.


Monday, March 21, 2005

How to read security news, part 3 

Who is the news from?
Does it include specifics?
Do the facts support the headline?
Are there quotes from independent sources?
Does the article answer logical questions?

Here's an example to practice on: a report about Macintoshes vulnerable to viruses.

Who is it from? The "news" is from Symantec. Symantec makes antivirus software.

Does it include specifics? It doesn't mention a single virus that infects Mac OS X.

Do the facts support the headline? You can't tell. They talk about vulnerabilities discovered in OS X without saying whether the vulnerabilities would allow spreading viruses.

Are there quotes from independent sources? No. Just something from another anti-virus vendor. Nothing from Apple, nothing from security researchers, nothing from virus writers.

Does the article answer logical questions? The first logical question is, how many viruses in circulation affect Mac OS X? There is no answer.

You're going to hear the article's central argument a lot, so it's important to understand the facts behind it. Symantec says that the only reason so many viruses attack Windows is that Windows has more market share. OK, let's take a look at some place where Microsoft has a minority of the market and see if they're going unmolested there. Over 60% of the web sites out there are powered by a non-Microsoft package called Apache. Most of the defacements and takeovers have hit Microsoft's web server software despite its smaller market share.

The strange thing is that someone could make an honest case for worrying about Mac OS X. Computers do what you tell them -- if you tell it to install a program that turns out to be spyware, then you'll have spyware. If you run Microsoft Office, you can catch viruses that live in Office documents and reproduce with the Office macro language. Mac users still need to practice good hygiene.


Fax machines. Who would've thought of fax machines? 

I'm not talking about wrong numbers, though some businesses have embarrassed themselves by faxing sensitive information to the wrong person. That's easy to avoid. Double-check phone numbers before you use them, and follow a procedure for responding when someone tells you you're faxing them someone else's medical history.

This post is about a different problem with fax machines.

You already know, if you're security-aware, that you need to run special software to erase hard drives on old computers before you sell or dispose of them. Writer Judy Monchuk points out When the leasing company gets the machine back they may sell it into the secondhand market, so your old faxes could wind up anywhere.

The lowest-tech defense is to insist on buying the hard disk at the end of the lease.

How can you avoid getting caught by surprise by issues like this? Hire a security consultant who has a set of checklists and a knack for lateral thinking.


Sunday, March 20, 2005

CNN discovers caller ID spoofing 

CNN reports that crooks can fake caller ID information.

I reported on this last October ("Do you trust caller ID?") and before that in July when I wrote about the privacy implications of caller ID spoofing.

Maybe I should have put this in the "How to read security news" section. The CNN article is a good example of scare tactics that don't really make sense. For example, they say that someone who steals your credit card can send cash via Western Union by pretending to call Western Union from your home phone number. This doesn't make sense -- wouldn't you expect Western Union to call back, like the pizza delivery place does? I heard from a WU customer who says that they do call back. In other words CNN was reporting a non-issue.


Saturday, March 19, 2005

Hepatitis is more successful than Ebola 

Biological viruses can stay dormant for years. They survive better that way. A showy virus like Ebola will find itself without any living, vulnerable hosts in a matter of weeks. Viruses are better off hibernating, not causing symptoms, until the host immune system weakens or something else triggers them.

Will computer viruses follow the same path? Will they spread slowly and concentrate on hiding from antivirus programs? Mikko Hypponen of antivirus firm F-Secure says stealthy viruses are here now. Designed to make money by stealing information or allowing remote control of a computer, these viruses aren't about to clog the network they depend on by spreading too fast.

If you've seen my articles on how to read security news, you'll wonder whether maybe F-Secure has a product for detecting stealthy viruses. They do but I'm inclined to believe them. It's a logical development.

You can use the same hygiene measures to protect against stealthy viruses as you do against others. I run antivirus software but it seldom has anything to do because I only open things from trustworthy sources. More importantly I use a sane web browser program that doesn't automatically run unknown software.


Thursday, March 17, 2005

What happens to stolen credit card numbers? 

The US Secret Service, which investigates financial crimes, says the crooks have highly organized black markets including quality control, online auctions for bundles of stolen credit cards, and specialists in money laundering.

Deborah Gage and John McCormick report on organized on-line crime.

Does this mean the government needs more surveillance powers? Probably not. The article describes how the government took down a ring of crooks who used sophisticated privacy technology. The investigators used an ancient technique, recruiting an informant.


Wednesday, March 16, 2005

How to read security news, part 2 

Or, how to make it as a lazy security writer.

A lazy travel writer, an old joke says, can always start an article by saying "Mumblestan is a land of contradictions". That always works because everyplace is a "land of contradictions".

A lazy security writer can always say "Mumblesoft will not solve your security problems". Nothing will ever "solve" your security problems. All you can do with security problems is manage them.

Lately there have been articles pointing out that Firefox has (gasp!) security problems. Those articles are answering the wrong question. The question you need to ask is whether Firefox will give you a better experience than Internet Explorer. (The answer is "%$@^#!!, YES!").


Monday, March 14, 2005

Tone down the rhetoric already 

Exaggerating security problems is bad for the public.

People need to fix and focus on the real problems. One real problem is that if you attach any Windows system other than XP SP2 to the Internet without a firewall then it will be taken over in minutes. Someone who's trying to fix that should not be distracted with cries of "Wolf!".

Someone shouted "Wolf!" about something Microsoft does. They're supposedly giving the government early warning about security problems. This is a bad idea. As soon as the black-hat crowd finds out about a security problem they invent new attacks that use it. The closest thing to safety is to tell all the defenders at the same time. Otherwise you've got the risk of some blackhat stealing security information from the government and attacking the unprepared public.

It's a bad idea, yes, but this is what hit the press:
'Peiter "Mudge" Zatko, a security expert who has worked for both the Clinton and Bush administrations, said the risk from Microsoft's effort was "the worst possible thing for national security." '

Cut the crap.

The worst possible thing for national security is North Korea releasing smallpox. The second worst is an unpaid Russian worker selling a suitcase nuke to Al Qaeda. The chance of yet another widespread attack on Microsoft software isn't even on the map.

Mudge has done important and insightful work. I hope the quote was out of context.


"Just say no" 

You're surfing along. A web site suddenly asks if you want to run a "signed Java applet". What do you do?

Well, were you expecting it? Legitimate sites sometimes need to install Java programs on your computer. Useful ones, like Hushmail, and fun ones, like the slide rule simulator, depend on software running on your side of the connection and they use Java to do it.

If you're not expecting it, say no. Someone with more time than ethics put together an adware installer that ties your machine in knots if you just click "Yes" to let it install.

The details are interesting but not important. This particular piece of poison infects Microsoft Internet Explorer even when Internet Explorer isn't running. Firefox doesn't protect you. Antispyware software may catch this one soon (UPDATE: F-Secure's antivirus program detects it now), but may not catch the next variation.

The important point here is not to let people install software on your computer unless you've got a good reason.


Saturday, March 12, 2005

Living without secrets 

This isn't about Choicepoint or Bank of America.

Careless companies are routinely putting things on their web servers that really shouldn't be published. Security enthusiasts recently demonstrated how easy it is to Google for information that can be used for ID theft.

Maybe the problem is incurable and the best we can do is to demand the same transparency from government and businesses that we're subject to ourselves.


Non-technical threats, or How to Take Over a Casino 

Casinos handle buckets of money. They have cameras everywhere. You'd expect their computer security to be good, wouldn't you?

Here's a story about a security consultant who did a "penetration test" on a Las Vegas casino. He did some of the con-man tricks of walking in and acting like he belonged there. According to his account he could have done immense damage if he'd been a criminal.

Of course we've only heard one side of this, and he's not somebody I know so I can't estimate how reliable the story is. But it is completely plausible.

Humans aren't computers. We make snap judgments. We assume someone wearing a suit is an executive and that someone with a belt full of phone equipment is there to fix the phones.

You're still at risk even if you're a small enough company that everyone knows everyone else. Will your staff do the right thing if someone calls and pretends to be a new paralegal at your lawyer's office?


Friday, March 11, 2005

The state of the art in phishing scams 

Scammers who impersonate banks to trick you into giving them your banking password have some new tricks.

They've found a way to show you a link that starts with the real name of the bank they're impersonating. The link goes to the scammers' machine. It gets worse from there. They show you a copy of the real bank's web page and use a popup window to do their password stealing.

You won't see anything obviously wrong in your browser.

The single best defense is to ignore email that claims to be from your bank asking you to log in. Real banks know better than to send things like that, or at least they should. Stay out of the technological arms race and use the same common sense you would if it were a phone call instead of email. You'd hang up on anyone who called and said they were from your bank and could they please have your credit card number and expiration date. Do the same for email.

The second best is to install software that tries to tell you whether links are legitimate. Spoofstick is a well-regarded Firefox extension that tries to warn you if someone's sending you to a fake web site. If you were still running Internet Explorer, I think there's a version that works with it too. I don't like this approach even though it usually works. The problem is that next week the scammers will think up a way to fool Spoofstick. Your best bet is to avoid the whole problem by not trusting a link you get in email.

Here are technical details for your technically oriented friends.


Wednesday, March 09, 2005

Read my lips: no new patches 

You can skip the usual monthly ritual of installing security updates from Microsoft. They didn't release any this month. They did, however, update their tool for removing some common viruses. It's a free tool that does part of the job of an antivirus program.


Tuesday, March 08, 2005

McAfee will check your wireless network for you 

Antivirus firm McAfee offers an online test of WiFi network security. You'll have to dig up your copy of Internet Explorer to use it, because the test requires installing software on your machine and most web browsers prevent that. You may have to go to Tools/Internet Options/Security/Trusted Sites and add in order to allow the download.

Or you can just look at the settings on your equipment. You'll see a lot of alphabet soup. You want to see a mention of "WPA", "WPA2", or "802.11i". Older base stations and cards (from before about fall 2004) won't have those without an update. Be careful making security changes so you don't lock yourself out: it's best to make changes from a computer with a wired connection to your access point.


Monday, March 07, 2005

Two dollars for antivirus and firewall if you can get the rebate

is offering Trend Micro's PC-cillin security suite for $1.99 after rebate.

Rumor has it the rebate is hard to get and that online registration is having problems right now. Check the return policy.

The product itself is a reasonable choice. Trend Micro's anti-virus software has earned a solid reputation over the years. The most useful feature in my professional opinion is that it checks your system for newly discovered vulnerabilities and sends you to Windows Update if necessary. Home PCs are a lot less insecure if you keep up on administration, so anything that helps is a Good Idea.

A few other features sound nifty but aren't as good as they sound. Trend included anti-spyware software but, like all antispyware, it doesn't catch everything. There's a feature to protect you from phishing scams. The threat's real enough, but the way it works has limits. All the feature does is block access to known web sites that scammers have set up. Unfortunately the scammers set up new web sites all the time and each one only stays up for a few hours, days at most. The list of web sites to block will always be out of date. There's a feature to detect intruders on your wireless network, but first of all, what would you do if it finds one? Second, why didn't you turn on the security feature of your wireless network to begin with? Third, it won't catch eavesdroppers who don't try to join your network.


Saturday, March 05, 2005

Think you have a good password? Here's what you're up against. 

An intruder who can't simply guess your password will likely start a computer program to guess it. The intruder has to get a break to make this work, because any sane login system will get suspicious after a few wrong passwords. But that kind of break happens all the time and intruders can then test millions of possible passwords per second.

You've heard that you should never use a word in a dictionary. There's more to it than that. Password-guessing programs use word lists that include foreign words, names of fictional characters, and Bible verses. You need to avoid all of those.

Here are excerpts from one such word list. If you picked any of these for a password and thought it was too obscure to guess, you'd be wrong and a password-guessing program would get it in less than a second.

Good passwords look random.
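
Here is a check you could run on a password before you start using it, to see whether it is really just a word-list entry in disguise. This is an added example, not from any tool mentioned in this post: the tiny word list, the substitution table and the guessing rate are constructed assumptions.

```python
import re
import secrets
import string

# Constructed sample; real guessing lists hold hundreds of thousands of
# entries, including foreign words, fictional characters and Bible verses.
WORDLIST = {"password", "gandalf", "bonjour", "john316", "dragon"}

# Common character substitutions, mapped back to the letters they replace.
LEET = str.maketrans("0134578@$!", "oieastbasi")

def base_forms(password):
    """Undo the usual disguises: capitals, digits or symbols tacked on
    the front or back, and look-alike character swaps."""
    lowered = password.lower()
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms = {lowered, stripped}
    return forms | {f.translate(LEET) for f in forms}

def is_guessable(password, wordlist=WORDLIST):
    """True if the password reduces to an entry in the word list."""
    return any(form in wordlist for form in base_forms(password))

def random_password(length=16):
    """A password that looks random because it is random."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def seconds_to_try_all(candidates, guesses_per_second=1_000_000):
    """Time to try every candidate at an assumed guessing rate."""
    return candidates / guesses_per_second

if __name__ == "__main__":
    for pw in ["Gandalf2005", "P@ssw0rd!", "john316", random_password()]:
        print(pw, "-> guessable" if is_guessable(pw) else "-> not in list")
    # A 500,000-entry word list versus ten random letters and digits.
    print("word list:", seconds_to_try_all(500_000), "seconds")
    years = seconds_to_try_all(62 ** 10) / (365 * 24 * 3600)
    print("random, 10 characters:", round(years), "years")
```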


Friday, March 04, 2005

Windows Media files still potentially dangerous 

eWeek magazine reports that Microsoft's patch to Windows Media Player doesn't work.

Bad guys can build a video which will make a web page come up. Even if you've installed a safer browser, the web page will come up in Internet Explorer. At that point the bad guys can use any of Internet Explorer's security holes to do bad things to your computer.

Your best moves are to keep Internet Explorer up to date even though you don't use it, and to be careful about who sends you media files.


Thursday, March 03, 2005

Things to learn from the T-Mobile security breaches 

The mainstream media haven't been very helpful in explaining what went wrong at T-Mobile to cause the security breach which had the tragic result of giving more publicity to Paris Hilton.

One problem was largely her fault. She set up one of those "secret questions" to use in case she forgot her password. You need to pick those carefully because anyone can start the procedure for a forgotten password. She picked something like "What is your pet's name?" If you're Jane Average, that question will keep out anyone except nosy co-workers, ex-husbands, ex-husbands' lawyers, and stalkers. If you're a celebrity it won't keep out anybody.

The other problem was T-Mobile's fault, though some blame should stick to their software supplier. T-Mobile's web-based management software has had one security bug after another for years. In 2003 it let you upload and download files from the server without a password. A later bug let anyone with web access run some administrative commands without a password. T-Mobile could have installed a patch to fix that but didn't. An intruder had the run of T-Mobile's network for months as a result and even read the email of Secret Service agents who were investigating him. At least that's one theory: they have so many security bugs it's hard to say for sure which one got used. Details for your technical friends on the T-Mobile compromise.

So how can you protect yourself? It's not like you can audit every piece of software your phone company uses. The closest thing to an answer is not to store anything with a third party unless you're willing to see it in the newspaper.


Wednesday, March 02, 2005

Not again! Media files are dangerous. Upgrade Real Player 

If you have Real Player installed on your machine then a bad guy can put together a .WAV or .SMIL file which will take over your computer if you open it. According to the Real Networks security announcement, Mac and Linux systems are affected too. Follow that link to get the updated versions with the security hole fixed.

The good news is that as far as we know the bad guys aren't using this security hole yet. The bad news is that Internet Explorer can open at least one of those file types automatically when you simply visit a web page.

Update right away if you frequent multimedia web sites, otherwise you can schedule the update for whenever it's convenient.


Tuesday, March 01, 2005

Tales from the dark side: screen shots of a spamming tool 

Spammers use custom software these days to send out their trash and cover their tracks. I have no idea what kind of programmer would willingly write something like that, but it does exist.

Anti-virus firm F-Secure has been studying one such tool. They just published recent news and comment about the "Send-Safe" spam program. They have screen shots showing how a crook can set the program to use infected home computers to send out spam.

