Thursday, April 28, 2005

Guide to Windows security, all in one place 

Respected Wall Street Journal columnist Walter Mossberg just published a list of recommended Windows security products.

It's a good list. I would add Microsoft's antispyware program to his list. It's free (so far anyway) and catches a lot of spyware. The user interface is annoying right now but the functionality is there.

I'd drop Norton Antivirus from the list, based on the complaints I've been hearing about viruses it doesn't catch. I and other security professionals are running "Nod32". Trend Micro's products are easier to use than Nod32 and are also well regarded. Whatever you use, subscribe to the periodic updates!

He adds lots of sound advice, including the radical "consider dumping Windows altogether and switching to Apple's Macintosh".


Wednesday, April 27, 2005

Put in something about dialup firewalls 

Do you still get on the Internet with a dialup modem? Do you feel like you've been forgotten by the entire computer industry?

For example, the little firewall boxes that I keep recommending always seem to be designed for broadband connections.

The good news is that there are a few firewall boxes that work with modem connections: the SMC Barricade, and maybe you can find a used Asante F3004-series box.


Blog without getting fired, for abnormal people 

There's software out there to let you publish with serious protection of your identity. It's meant for people who might face torture if their governments found out what they were writing. Some of it is really hard to use, badly documented, and unreliable. One person evaluated the software and hated it. He decided he might prefer the torture.

Anyway, if you're writing the Latveria Human Rights Watch newsletter, here are some places to look:


Blog without getting fired, for normal people 

Some companies are so twitchy about controlling their public relations that they've fired employees for writing about them in public, even harmlessly.

The Electronic Frontier Foundation has put together some common-sense advice about blogging anonymously. Besides the obvious tips about not mentioning your birthday or describing your work too clearly there are some less obvious ideas like staying out of Google and limiting your audience.


Small business computer security advice 

I wish I'd spotted this myself. Dana Epp discovered that the US Chamber of Commerce teamed up with Microsoft to write a security guide for small business. It's long and Microsoft-centric but full of good advice.

The Chamber of Commerce has a whole page of small business security resources. Nothing new, but maybe some good stuff to show your employees.


Emerging fraud with US postal money orders 

You start an online romance, and your new girlfriend in Nigeria says it's hard to buy a laptop there, so could you please buy one and mail it to her. She sends money orders.

What can possibly go wrong?

The money orders can be counterfeit and increasingly they are. Most people don't know all the security features of a genuine US postal money order, so counterfeiters can get away with a sloppy job.

The good news is that a post office money order is one of the hardest documents to forge properly. There's a watermarked picture of Ben Franklin that shows if you hold a money order up to a light, and a microfiber strip next to that.

The US Postal Service has an illustrated guide to telling genuine money orders from counterfeit money orders.


How to set your firewall, and troubleshoot a cable modem 

Fair warning, this is pretty technical reading, but if you've already studied networking or if you're willing to blip over acronyms you don't know, Robin Walker has an interesting page about common problems with cable modems and whether "stealth mode" firewalls are really a good idea.


How safe is your personal information in corporate hands? 

Not very.

Consultant Scott Bradner reports on yet another data theft scandal. Polo Ralph Lauren had a security breach that allowed 180,000 credit card numbers to be stolen. They didn't bother notifying the victims.

That's just the latest in a long string of recent scandals.

What can you do to protect yourself?

Not very much. Keeping a close eye on your credit report and credit card statements helps a little. The big problem though is that your information is outside of your control.

We may need legislation. Governments aren't exactly famous for getting technology legislation right but we may be out of alternatives. Conference-goers at Infosec Europe agreed that security is now less a technical problem than a law enforcement problem.


Thursday, April 21, 2005

Questions to ask about a security risk 

Do you ever get the feeling that everything gives you cancer? Newspaper headlines are good at telling you that things are dangerous but they suck at telling you how dangerous.

Do you ever get the feeling that computer security threats are showing up every day? It's the exact same problem. You're more in danger from some things than from others. I see dozens of security vulnerability reports every day and try to pass along only the most dangerous ones that affect the most people.

If you run a computer you have to assess risks and decide what's worth protecting against. You can leave that decision to Microsoft and rely on their updates to fix the most important things. You can run away from the Internet altogether, like some of my relatives -- but then you miss a fantastic wealth of resources. You can trust everybody, in which case your computer will be wrecked quickly. You can get a custom-made risk assessment for your specific needs from an expensive consultant. Or you can ask yourself a few simple questions.

Does this even affect my environment?

Let's start with an example. Microsoft has a bug in which previewing a file might take over your computer. But the report says it affects Windows 2000. If you run XP, you may be able to ignore that bug report (unless more news comes out).

Is this problem "local" or "remote"?

Want to turn a room full of security people into a passionate argument? Ask them to define the difference between a "local" attack and a "remote" one. It's close enough to say that you want to know whether a stranger on the Internet can attack your computer. The previewing vulnerability is more local than remote. The mischief only happens when you do something on your computer, even if the nasty file did come from a stranger on the Internet.

Will my existing precautions prevent harm from this new threat?

If you only download files from trustworthy sources then the previewing vulnerability shouldn't affect you.

Is there a workaround?

In other words, can you make a change that will prevent harm until an official security patch comes out? In this case, yes. Security firm Watchguard quoted the discoverer of the problem as saying you can go to Tools/Folder Options and choose "Use Windows Classic Folders".

So there you are. Unless you collect photographs from the web you're at low risk and if you do you can still protect yourself.

The previewing vulnerability is an example of the kind of thing I normally don't write about, but it made a good example of how to do a risk assessment.


Upgrade Real Player if you use it 

It has a nasty bug which would allow a bad guy to take over your computer by getting you to play a boobytrapped .RAM file.

Real Networks has already fixed it. Get the Real Player security update from their website.


Should you worry about cell phone viruses? 

In my opinion, not yet. They exist but they spread slowly and are easy to dodge if you follow the "don't take candy from strangers" rule.

Here's a longer article about mobile phone viruses.


Sunday, April 17, 2005

A look at Friday's Apple security updates 

Do you run a computer lab, or some other environment where people you don't trust are using your Macs? Then you need to install the latest security update really soon. Otherwise you can wait a few days.

Apple fixed some problems that could have allowed someone to crash the machine, or could have allowed someone who was already logged in to exceed their privileges. These bugs are a step away from being a screaming emergency. You still need to fix them, because an attacker could add other ingredients and make a dangerous attack. Fortunately it's not happening yet.

If you're in a hurry, run Software Update from System Preferences.


This time it's Firefox 

The Firefox web browser had a couple of the worst sort of security bugs, the kind that could let bad guys take over your computer if you just go to the wrong web site.

The version you need to have to be safe from this particular problem is 1.0.3. You can download that from In the meantime, you're also safe if you turn off Javascript, but at the cost of breaking a lot of useful web sites such as gmail.


Friday, April 15, 2005

Security company says nice things about Microsoft 

Michael Sutton of iDefense Labs says Microsoft security practices are improving.

He's talking specifically about how Microsoft reacts when someone reports a security bug. They're acknowledging problems and giving credit to the people who report the problems. Giving credit is important because so many people who dig for security bugs are doing it to build a reputation. Thanking them in public is like paying them.

He also said something worth thinking about:
"Microsoft needs to shorten the patch time frame. It's now at about 145 days from when something is brought to their attention to when a patch is released. That's nearly five months, and that's probably too long"


How to read security news, again 

Even the BBC picked up the story that blogs are dangerous.

Here are the questions you'd ask as a critical reader, and the answers.

How widespread is this problem supposed to be?

There are reported to be 200 blogs containing dangerous material.
That's out of how many blogs total?
Eight million.
How does that compare with other web sites?
Nobody really knows but judging from the number of spyware infections there are a lot of non-blog websites with malicious content.
Are we talking about new attacks or about delivery systems for old attacks?
Old attacks, such as trojan horses and attacks on Internet Explorer security bugs.
If I have my security straight, is there any extra risk to reading blogs?
No. Everything mentioned in the story is covered by the two rules of security, Don't Take Candy From Strangers and Run Firefox.
Who's the source for this story?
What does WebSense do?
They sell "filtering" software to block people from going to pornographic or dangerous web sites.
You mean ... ?


Thursday, April 14, 2005

For the next month or so avoid strange .MDB files 

Of course, you should always be careful about files you're not expecting. But right now there's a chance of malicious software hiding in Microsoft Access database files, which have the extension ".MDB".

I don't think this will be a huge problem. For one thing, people don't normally pass around databases like they do pictures. For another, Microsoft already knows about the problem and is presumably working on a fix. Best of all, I haven't heard of any real-world attacks yet. Unfortunately this could change tomorrow since someone has published an example attack program.

Up to date antivirus might protect you. Install Microsoft's fix as soon as it comes out, and in the meantime don't take candy from strangers.


Tuesday's MS patches, and the life cycle of a security bug 

One of the security bugs Microsoft fixed in Windows Update on April 12 now has an example program showing how to take advantage of it. You're not instantly at risk, but probably will be soon.

I should explain what that means, so you can make more sense of the endless stream of jargon coming at you in the news these days.

Someone discovers the bug, first of all. There are people who spend their time looking for security holes. They need a rare set of skills and turn of mind to do that kind of work. Sometimes they want to build a reputation that they can cash in on with consulting contracts, and sometimes they're just turned on by the challenge, like any kind of puzzle enthusiast.

Security people call the bug a "vulnerability" at this point. They start wondering "Can this really be used to take over or to crash a machine?", "How can I tell whether I'm affected?", and "Once I install a 'fix', how can I be sure it really fixes the problem?". This is where the discoverer, or somebody else, writes a "proof of concept" program that is harmless but proves that attackers could use the vulnerability. Usually the writer publishes the program so as to answer all the questions above. Sometimes they'll only send it to the vendor of the vulnerable software or equipment.

So far there are good, ethical reasons for everything that everyone's done. People argue passionately about the ethics of finding and disclosing security problems but nothing I've mentioned yet is definitely "black hat" activity.

Microsoft's software is at this point today -- there's a publicly available "proof of concept" for one of their bugs.

The next step is that someone, somewhere, "weaponizes" the proof of concept by changing it to do something destructive and maybe making it easier to run. This is where the risk to you skyrockets. After the weaponized "exploit code" hits the streets, unskilled attackers can run automated attacks against millions of computers including yours. As soon as an attack starts spreading, the antivirus and antispyware companies call it "in the wild". The weaponizing step can take less than a day.

In other words, run Windows Update if you haven't already.


The Mac security debate: quote of the day 

Sometimes someone boils an issue down so well that I can't do better than quoting them.

This is from Jason Miller, who works for security and utilities firm Symantec:
Although OS X users shouldn't live in fear of attack due to new security threats, unlike their Windows counterparts, they also shouldn't make the mistake of believing that they're immune to them either.


"You've just got to trust us" 

That's a real quote (see below).

Marketers pay big money to track what you do on the Web. It's a little creepy anytime but especially creepy if you do your taxes online. David Lazarus in the San Francisco Chronicle has an article about web bugs in tax preparation services. Lazarus quotes people from the tax preparation firm and their marketing partners admitting that they could collect confidential information. Since that's not the business they're in, they don't have much reason to, and spokeswoman Julie Miller from the tax preparation company said "if we didn't uphold our privacy commitment, we wouldn't be here."

Oh-kay ... but is everyone who works for the marketing affiliates, their outsourced vendors, and so on honest? And are their computer systems secure? And has any company ever really been put out of business for violating its customers' privacy?

Meanwhile you can protect your privacy on the technical front. The people trackers use a simple but clever technology called a "Web beacon" or "web bug" which is nothing more than an invisible image from the marketing firm's computer on the page of the company you're patronizing. The trick is that the marketing company keeps notes every time your web browser fetches that image. Firefox lets you avoid the entire situation. Go to the Tools menu, choose Options, choose Web Features, and click the checkbox for Load Images From the Originating Web Site Only. That's all. You may miss out on a little bit of content. You can always make exceptions for legitimate images.


Saturday, April 09, 2005

Laptop theft 

185,000 people exposed to identity theft or worse when laptops were stolen from the San Jose Medical Group. Supposedly the laptops didn't have actual medical histories but did have "billing codes", and I haven't seen an explanation of what that means.

This was a regular burglary as opposed to a snatch-and-grab at the coffee shop. Even so, laptops are easier for a burglar to pack and run away with.

If you have sensitive information on your laptop then for heaven's sake think about its physical security.

First, don't trust the average cable lock. With a little practice most people can open one popular brand with a Bic pen in place of the key. Go to a locksmith shop, ask if they know which ones are good, and when you find one who says "yes" get your laptop lock from them.

Second, back up your data. What could you not afford to lose? Email? Bookmarks? Irreplaceable photos?

Third, if something's really a secret, do what I do with client data on my laptop. Encrypt it. I use the well-regarded but sometimes intimidating PGP. There are also products, none of which I've been brave enough to try, that encrypt your entire disk. Study reviews of these carefully. The clueful Fred Avolio has reported problems with disk encryption programs.

And you know, common sense helps too. Do you really need to put 185,000 of your customers' Social Security numbers on a laptop?


I was afraid of this. Watch for fake Windows updates. 

The old quote is
Some people look at things as they are and ask "Why?". I look at things as they might be and ask "Why not?".

I'm a security consultant. I look at things and ask "what could go wrong?".

Bazillions of people visit the Windows Update web site and trust it to change system files on their computer. It was only a matter of time until bad guys made it a target.

The actual Microsoft web site is just fine, don't worry, but always go there yourself and don't trust anyone else to take you there.

Long ago, spam went around that pretended to be from Microsoft with a "security update" attached. Microsoft does not send people programs in attachments. The spam that went around recently, which I'm sure will attract copycats, is more subtle. It pretends to be from Microsoft and gives you a link to follow to get the "security update". The link looks like it goes to Microsoft but doesn't.

What is safe, until the next refinement by the bad guys, is to do your updating by clicking the Start button and choosing Windows Update. Also, be suspicious of updates that don't happen on the second Tuesday of the month. The rare emergencies when Microsoft releases an unscheduled security update will be mentioned in the press.


Thursday, April 07, 2005

Now we have to look out for bogus Web ads 

The always-interesting Techdirt has a story about a new phishing scam.

This one tricks you into giving out your credit card number by placing a normal banner ad for discount airline tickets.

You can catch the current generation of the scam because they get too greedy. After stealing your credit card number, they put up an error message and tell you to send them a money order. If you see that happen, call your bank and cancel the charge.


Wednesday, April 06, 2005

I may have to give a Medal of Cluefulness to Microsoft 

If they go through with something they're discussing, Microsoft will be provably clued in.

Ever wonder why malicious software can do so much damage? It's because it's allowed to do anything you can do. Your best option now is to log in as a user without Administrator privileges except when you really need them. Unfortunately a lot of common operations require Administrator privileges, so many people stay logged in as an administrator all the time. That's like carrying a loaded gun with the safety off.

Microsoft hasn't committed to anything yet but they're talking about some really good ideas for the next major version of Windows, "Longhorn". They've sent up trial balloons about something called a "least-privileged user account" or "LUA". They are considering changes to let ordinary users do day to day work without having to risk their systems by running as Administrator. Even better, they're talking about a system where your IT department can set limits on what a program can do, separate from what you're allowed to do. In other words, you'll finally be able to run a program without giving it full power of attorney. Theoretically you could run a web browser but deny it permission to install spyware.

If they go through with this a lot of existing software may need upgrades. It will be worth the hassle.

None of these ideas are new, but I've long thought they're exactly what Microsoft needs in order to make solid improvements to Windows security.


Tuesday, April 05, 2005

Do you still have a modem? 

Here's something I should have thought of.

One online threat that can cost you money out of pocket is sites that trick you into installing software that dials international phone numbers on your modem. The numbers go to some tiny country that is desperate for the money. The scammers get a cut of the long distance charges. Your phone company may not reverse the charge, because they're out real money for the call.

Of course the usual anti-spyware, anti-virus and other precautions will help.

There's a more elegant and complete answer. Put your modem on a second phone line and ask the phone company to block international calls from that line. End of problem.


If you're running Windows 2003 

then you're wondering whether to install Service Pack 1 for it.

On SecurityFocus, Mark Burnett reviews Windows Server 2003 Service Pack 1 favorably.

My review of his review is that he's looking at the right issues and being impressed by the right things.

It's too soon for anyone to answer the question he leaves open, which is, what's going to break unexpectedly when you install the service pack? If you're a big company you have a test lab where you can check these things before deployment. If you're a small business, schedule the work for a slow time.


Monday, April 04, 2005

Protecting confidential email: some of the contenders 

The mainstream email programs have allowed you to electronically scramble ("encrypt") your email for years. It's never caught on because the process was always too involved and too error-prone.

The new trend is for computers to encrypt and decrypt the email without involving you.

MessageLabs has a product designed for exchanging email between your company and a few known partners. Inside your firewall or your business associates' firewalls, the email is readable, but whenever the MessageLabs software sees email leaving your network destined for a domain it knows about, it encrypts the transfer using some respected industry-standard techniques.

That makes sense if you're more worried about wiretapping than you are about losing control of your email once it's sitting on your network.

PGP Universal is the grand old man of this industry. The company has over a decade of experience with email security.

Ciphire, if I understand their web site correctly, catches your email on its way to the mail server and encrypts it before it ever hits the wire. That's good security. I worry about reliability. Ciphire was clueful enough to pay for a security review by respected expert Bruce Schneier, who found some ways that Ciphire employees might eavesdrop on your email if they were to turn dishonest but concluded that it was reasonably secure against the rest of the world.


Mozilla and Firefox seem to have a serious problem 

This isn't, directly, a "take over your computer" kind of problem but it could contribute to one. Secunia has found a problem that lets a malicious web page read big chunks of your computer's memory. I've run their online demo. It showed me leftovers from my surfing and email history. These could easily have contained passwords.

There's no fix yet (UPDATE: the developers have successfully tested a fix which will be in the next release), and the workaround really hurts functionality. The really lazy approach would be to ignore the problem and hope a patch comes out before bad guys start using the vulnerability. That might actually work. The next hardest approach is to install a browser extension like Pref Buttons or Preferences Toolbar and add a checkbox to your info bar to turn "Javascript" on and off. Leave it off except for trustworthy sites that need it, like GMail for example.


Why haven't you installed XP Service Pack 2? 

According to PC inventory management company Assetmetrix, reported in The Register, 75% of the Windows PCs in business haven't installed XP Service Pack 2. SP2 came out last August. Are people afraid of incompatibilities? Assetmetrix also reported that about 10% of SP2 upgrades have problems. If you have a problem, it's most likely with some poorly written custom application which you should get fixed anyway.

That number means that 90% of SP2 upgrades go off without a hitch. Those odds are much, much better than running an unpatched computer. Go for it.


Phishing keeps getting worse 

There's yet another new wrinkle on the "phishing" scams that try to trick you into typing sensitive information into a rogue web site.

The first phishing scams ("phrauds"?) sent you email with a link to click and a scary message that said you needed to log in to your bank or eBay account right away. You could defend yourself by starting sensitive transactions yourself, from a bookmark or by typing the address.

More recently the crooks have been trying to reprogram your computer to send you to a different web address even if you type in the correct address. You could defend yourself, sort of, by running antivirus and antispyware software and practicing good hygiene to keep crooks from installing nasty software on your computer.

The current generation is really scary. The crooks are reportedly subverting the Internet's directory service that looks up how to reach a web site based on its name. It's as if someone reprogrammed the telephone network to send calls meant for one place to a different phone number. (Which has happened: see this amusing story).

I can't think of a really good way to protect yourself. You could try bookmarking or memorizing the actual address of your bank, which is a string of four numbers with periods in between them. But that's not a good idea because your bank might need to change addresses while keeping the same name.

There's a trick that I wish I had come up with. Enter a bogus password the first time you try to log in. The bad guys are trying to steal your real password, so they don't know what it is, so they can't tell it's bad and they have to let you in. Your bank will say no and ask you to try again. That trick will work until the bad guys start forwarding everything you type to your real bank. Next time you're in a "secure" session, right-click on the padlock icon at the bottom right of your browser window and just browse. Ignore most of the information you see, which won't make sense to you anyway. Look for the date the certificate was created, and the exact name to which it was issued. Be suspicious if it says something like "Freindly Bank" or "Payp@l". The ultimate check is too much work for normal people -- that would be making a note of the long string of letters and numbers called the "thumbprint" and getting suspicious if it ever changes.

You could also get used to reading the "certificates" that are supposed to identify the web site you're sending your credit card to.


Speaking of hardware, a nifty undermarketed gadget

They sell a tamper-resistant pocket-sized gizmo for storing passwords. The coolest feature in my opinion is that it can create a really strong password for you if you ask it to. It has a long list of certifications and can help you reach buzzword compliance if you are in, for example, an environment regulated by HIPAA.

The company calls it "inexpensive". They're used to selling to the government. A starter kit of two gizmos costs US$269. Strike 1.

It only stores 50 passwords. That's not enough for an individual web surfer. It's enough for a normal worker in a small to medium business. It might not be enough for a system administrator. Strike 2.

It limits the length of passwords. It will only store 14 characters. I wonder if that's a limit of how much will fit on the display. It's a well chosen number in a way: old Windows NT systems resist attack best when passwords come in multiples of 7 characters and those systems have a maximum password length of 14 characters. 14 characters of truly random text is strong enough to stop a password-guessing program. Still, the gizmo is preventing you from taking full advantage of modern computer systems that allow long readable passphrases. Strike 2.5.

Worth looking at, especially if you need the administration software that comes with it. But I hope something better comes along.


Will hardware security devices save us? 

If you've been reading my rants for a while you can guess my answer ("No. Duh!").

A writer named John Leyden has a perceptive critique of hardware security devices. He points out that a lot of them are poorly designed. He actually understates the problem of deliberately inserted back doors -- engineers like to have those while they're debugging a gadget and they don't always get removed.

I'd add to his critique that it's hard to find pure "hardware" any more. Your little DNetLinkGearSys firewall box is actually a small computer running software which screens your network traffic.

What I like about having dedicated hardware devices in your security system is that it's (relatively) hard to change the software they're running, and they tend to be a lot simpler than your PC. Simplicity means there are fewer things to go wrong and fewer openings for bad guys to attack. And from a security point of view it's way too easy to change software on your PC, as witness the current epidemic of spyware. Single-purpose hardware has the advantage for reliability, other things being equal.


Web browser security 

Security firm eEye says they've discovered yet another vulnerability in Microsoft Internet Explorer. Are you safe with the latest patches? They say not. How serious? eEye says the problem allows bad guys to take over your computer. It's not completely automatic. They say the attack requires "minimal human interaction" but don't explain what you should avoid doing.

Outlook, they say, is vulnerable to the same attack. That's a little bit worse since you have more control over what web sites you visit than you do over what email you receive.

Just knowing what's affected gives us a hint about what's going on. If my guess is right then you can protect yourself by telling Outlook to display incoming email as plain text instead of making it look like a web page. This is a vital security step you should take anyway. It's also amazingly difficult in most versions of Outlook. Outlook 2003 gives you an option to read your email as plain text under Tools/Options/Preferences/Email Options. Before Outlook 2003 you had to run a third-party program. The good folks at have instructions about how to make Outlook safer.

After you do that, sit back and wait for Microsoft to release a fix, and hope the bad guys don't discover the same problem.

What happens if a hacker finds a problem like this in Firefox? Rumor has it that the black-market price for information about a security hole is $500-1000. Last week a German security researcher got a $2,500 reward for reporting security problems from the foundation that manages Firefox.

