Sunday, May 29, 2005

Here's another treasure trove of useful advice 

Security firm Watchguard has some beautifully written semi-technical security advice on their web site.

Some of it is pitched to normal home users and some of it is better for network administrators. You can tell from the titles which is which.


I've been afraid this would catch on 

Israeli police report that companies there have been bugging competitors' computers.

It was easy. They sent booby-trapped email that took advantage of security holes, or sent a CD with a business proposal and some spy software that installed itself automatically.

The people who do mass-market spying are easy to catch because they try to infect millions of computers so they can show a few dollars worth of ads on each one. Antispyware software is less likely to recognize a custom-written spy program that a dishonest private investigator plants on a few chosen computers.

There could be big money in this kind of spying. It's a safe bet that most of it is never detected, which means there's a lot more of it going on.

You can defend yourself by making it harder to install software on your computers. If you have an IT department they're probably already trying and everyone thinks they're obstructionist.

Second best is to use software like Zone Alarm that (tries to) warn you when software unexpectedly tries to send information out from your computer.


Thursday, May 26, 2005

Mac OS 10.3.9, you've probably already updated 

If you've run Software Update since May 3, and your computer should have asked you to, then you're covered.

Apple fixed a bucket of problems, the most serious of which would have allowed bad guys to take over your computer if you had your computer look at a cleverly constructed picture in any of several formats.

If you're feeling deja vu, it's because so many security problems fall into this same category. Data formats are complicated, programs that read data have bugs, and if a bug is bad enough to make your computer jump off the tracks then someone may be able to steer it the wrong way instead of just making it crash.

How do you protect yourself? Backups are good. Updating your software before exploits hit the net is good but not always possible. I have a slightly paranoid friend who is going to dedicate one computer to web surfing and email, but do all his bookkeeping and writing on a separate machine that will never be attached to a network. His approach looks less extreme every day.


Apple Macintosh bug that worries me 

Apple's already fixed this in OS X version 10.4.1 but it leaves me with a bad feeling.

The bug was in the new Dashboard feature. You can download new widgets to include on your Dashboard, and Apple's web browser Safari could be tricked into installing one behind your back if you had an option turned on called "Open Safe Files". Then the widget could do things on your computer. If the widget only does good things you'll be OK but I do not recommend, on today's Internet, that you rely on the kindness of strangers.

For now, if you're running Tiger, make sure you run Software Update and get version 10.4.1. In Safari, turn off "Open safe files after downloading". But there may be more problems later.

I fear more problems because Apple made a bunch of design decisions that don't look security-minded.
  • They made it easy to install software without the usual safeguards
  • They let the web browser believe that a program can be "safe"
  • They gave the downloaded programs too much freedom. There are restrictions but some Dashboard widgets are considered trusted and allowed to run free.

I hope I'm wrong about something on that list because those are exactly the decisions Microsoft made with Internet Explorer that have been causing havoc for years.

    Here's the official advisory for the Dashboard auto-install issue.


    Wednesday, May 25, 2005

    The good news corner: a clever idea from Microsoft 

    Have you ever wondered how anti-virus companies get hold of viruses so they can write software to detect them?

    That question has led to a lot of defamatory conspiracy theories.

    Microsoft is trolling the bad neighborhoods of the Internet to detect new kinds of attacks against Windows machines. They've set a small army of closely monitored XP systems to crawl automatically through questionable web sites. As soon as one machine gets infected they can take it offline and check whether it's a known attack or a new one. If it's a new one they can get to work on fixing the underlying bug.

    I can think of at least two ways for the bad guys to avoid getting caught by this but it's still a good idea and Yi-Ming Wang, the researcher who headed the project, deserves a compliment.
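
The triage step described above, sketched in Python as an added example (it is not Microsoft's code and not from the original post). It assumes an infection shows up as a new or changed executable or autostart registry entry between a "before" and an "after" snapshot of the crawler machine; the snapshot format, function names, paths, URLs and hash values are all constructed for illustration.

```python
import hashlib

# Assumption: "infected" means the visit left behind a new or altered executable
# or an autostart registry entry. Cache files, cookies and the like are ignored.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")
AUTOSTART_PREFIX = r"hklm\software\microsoft\windows\currentversion\run"

def suspicious_changes(before, after):
    """Entries added or modified by the visit that could survive a reboot."""
    changed = {k: v for k, v in after.items() if before.get(k) != v}
    return {k: v for k, v in changed.items()
            if k.lower().endswith(EXECUTABLE_SUFFIXES)
            or k.lower().startswith(AUTOSTART_PREFIX)}

def fingerprint(changes):
    """Order-independent digest of the dropped content, not of the file names."""
    digest = hashlib.sha256()
    for value in sorted(changes.values()):
        digest.update(value.encode() + b"\n")
    return digest.hexdigest()

def triage(url, before, after, known):
    """Classify one crawl: clean, known attack, or new attack."""
    changes = suspicious_changes(before, after)
    if not changes:
        return {"url": url, "verdict": "clean", "changes": []}
    fp = fingerprint(changes)
    verdict = "known attack" if fp in known else "new attack"
    return {"url": url, "verdict": verdict, "changes": sorted(changes), "fingerprint": fp}

# Constructed sample snapshots: path or registry value -> content hash or data.
COOKIES = r"C:\Documents and Settings\lab\Cookies\index.dat"
BASELINE = {r"C:\WINDOWS\system32\kernel32.dll": "aa11", COOKIES: "c0"}
AFTER_CLEAN = {**BASELINE, COOKIES: "c1"}  # only browsing residue changed
AFTER_DROP = {**AFTER_CLEAN,
              r"C:\WINDOWS\system32\helper32.exe": "bb22",
              r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\helper": "helper32.exe"}

if __name__ == "__main__":
    known = set()
    for url, after in [("http://site-a.example/", AFTER_CLEAN),
                       ("http://site-b.example/", AFTER_DROP),
                       ("http://site-c.example/", AFTER_DROP)]:
        result = triage(url, BASELINE, after, known)
        print(result["url"], result["verdict"], result["changes"])
        if result["verdict"] == "new attack":
            known.add(result["fingerprint"])  # later hits are "known"
```

Deleted entries are not reported here; a fuller monitor would also track removals and running processes.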


    Internet Explorer is vulnerable again (still?) 

    Security company eEye (yes, they really spell it that way) reports a critical vulnerability in Microsoft Internet Explorer. But they're holding back the details until Microsoft releases a fix, so we don't know how the problem gets triggered or how to avoid it.

    I'll give you some educated guesses.

    First, eEye says the bug won't bite if all you do is look at the wrong web page. They say it requires "minimal user interaction". Don't let yourself get talked into doing anything unusual.

    Stay away from porn, gambling, and pirated software sites if you're running Internet Explorer. They're notorious for having booby traps. Sometimes online ads on reputable sites contain something dangerous to IE, so an ad blocker is a security measure.

    Most important, turn off Javascript, which Microsoft calls "Active Scripting", unless you absolutely need it. Virtually every browser security problem I've seen depended on using Javascript. Go to Tools/Internet Options/Security/Internet/Custom Level/Scripting (it's near the end of the list)/Active Scripting and choose "Disable" or "Prompt". Unfortunately a lot of useful sites like GMail depend on Javascript.

    If you're still using IE because your employer won't allow you to install anything else, try getting a USB drive ("nerdstick") and put Portable Firefox on it.


    Yet another hardware box with a security bug 

    This time it's DSL routers from D-Link. The problem is a little esoteric. Like everything these days, the boxes from D-Link that plug into your phone line for DSL are little computers. Naturally enough, there's a way to reprogram them to add features or fix bugs. Unfortunately, for the D-Link boxes, it's possible to reprogram them over the Internet without the owner's permission. Oops.

    The D-Link bug is rated as a low risk because it would take a lot of know-how to change how the box behaves. It might be possible to trash the box and make it useless but these days the bad guys are in it for money and not for pointless destruction.

    None of your usual security measures will help because all of them are on the other side of the D-Link box from where the attacks might happen. D-Link told the guy who discovered the problem that they released a fix; he says the fix doesn't work.

    This problem, you can probably live with. Just stay alert to the fact that any of those "appliance" boxes may need to be updated or replaced someday.


    More than one kind of security: why "civic duty" matters 

    Entrepreneur Tom Evslin offers a deep insight into community obligations in his blog.


    Zone Alarm news 

    First off, none of this affects you if you just have the Zone Alarm firewall.

    If you have their antivirus product, which is part of the Zone Alarm Security Suite, then you need to upgrade. Here's what the Zone Labs security team said:
    ZoneAlarm Anti-virus and ZoneAlarm Security Suite users should
    upgrade the anti-virus engine to version 11.9.1 or later.

    To update your ZoneAlarm Anti-virus or Security Suite product:

    1. Select Antivirus

    2. In the Status area, choose the Update Now option

    3. Select Overview | Product Info and verify that the Antivirus
    Vet engine version is 11.9.1 or higher

    I haven't heard of any real-world attacks (yet).

    If you don't have the Zone Alarm Security Suite, has a bucket of rebates which could get you a free copy if you switch from a competitor. I don't know how good their antivirus software is. Their firewall software has a good record overall, but be sure to keep an old working version around in case an update doesn't work.


    Thursday, May 12, 2005

    Mac users, upgrade soon 

    Apple has a security update waiting for you that fixes iTunes. Right now, it's possible for a bad guy to feed you a toxic media file in "MPEG-4" format which could take over your computer.

    Go to System Preferences, which is the item on the Dock that looks like a light switch, and ask for a software update. Or, if your computer asks you for permission to update, at least say yes to the iTunes change.


    Wednesday, May 11, 2005

    When good security software goes bad 

    One popular personal firewall program had a bug once. Someone wrote a worm which took advantage of the bug to install itself on every accessible computer running the buggy version. It did a lot of damage.

    Security software has a problem. By definition it has to handle untrustworthy data. It's also a prime target for intruders.

    Right now, according to Computerworld, almost all the popular antivirus software needs updates to cure vulnerabilities that would allow intruders to poison them or to turn them against you.

    Worse, you likely won't get these updates automatically. Those automatic updates only bring you new data about what viruses to look for. Usually they don't update the program that does the looking.

    Computerworld lists the following pages for more information and for updates:
    Trend Micro


    Tuesday, May 10, 2005

    Test your street smarts again

    just put out a new version of their online quiz where you can check your ability to detect phishing scam emails. They have real-life email messages for you to evaluate. I scored only 80% because I was over-suspicious of some of them.


    Identity theft may require government regulation 

    Speaking as a
    victim of identity theft, there is absolutely nothing that an individual
    can do to effectively protect themselves against identity theft.

    Do you know what your identity is worth? Mine cost $200. That's what a
    criminal paid on a street corner in Los Angeles. Add in $75 for a
    low-grade forgery of a driver's license, and he was in business. To this
    day, I have been unable to discover how my personal information ended up on
    that street corner. I own and religiously use a high-quality confetti-cut
    paper shredder. I have never received sensitive financial correspondence
    at the unsecured mailbox at my home, instead renting a locked post office
    box. I have made a policy of not disclosing my social security number
    whenever possible. My SSN has never been on my driver's license. It has
    never been printed on my checks. I do not carry my social security card in
    my wallet, nor any other document bearing my SSN.

    In spite of all this, my identity was stolen, and used to open a half-dozen
    credit accounts in my name, which were then used to obtain almost $20,000
    in merchandise. If the thief had just been a little smarter, he would have
    doubled that figure.

    What made all this possible? A credit industry that refuses to do even the
    most basic of checks when someone walks into a retail establishment and
    asks to open a credit account.

    That's a quote from a victim named Tom Goltz, who makes a convincing case that self-defense is not enough.

    He's right. Our personal information is in the hands of zillions of businesses with uncertain levels of computer security, personnel screening, and even basic honesty.


    Security software versus security 

    If you live in Florida, you can keep yourself safer by signing up with the government to get emergency alert email about events like hurricanes.

    Unless you're on AOL. AOL blocks those messages as spam.

    A while back I wrote about, a company that provides a way to keep your data safe at wireless hotspots and other networks that you don't control. Unfortunately, if you're using their service AOL blocks you from sending email to any of their customers, according to a report from Techdirt.

    There's no good answer to problems like these. Your best bet is to swing your business to companies that fix problems quickly when you complain.


    Happy Microsoft Patch Tuesday! 

    There's only one major security patch this month and you only need it if you run Windows 2000. And it's not very serious.

    Upgrade, but don't drop everything in a panic for this one.

    UPDATE, May 11: Microsoft says it's "Important".


    Can your car catch a virus from your phone? 

    This is too funny. The techies at antivirus firm F-Secure borrowed a Toyota Prius (same phone interface as the Lexus) and tried to infect it with a mobile phone virus.

    All they really needed to do for security was to drive out in the country, but in a fit of showmanship they put the Prius in an underground bunker for the virus testing. They have a picture at their site.

    Oh, you want to know the results? The Prius computers shrugged off everything the phone sent. Everyone expected that from first principles but it was impressive how well the Prius handled unusual input.


    Is antivirus software good or bad? 

    On a Windows machine, of course you're better off with antivirus software than without it. The software can cause problems, and bad ones -- I've lost one disk to buggy antivirus software -- but it's much better than letting viruses run free.

    On a Macintosh, right now (May 2005) I'd actually recommend against installing antivirus software. Until virus writers invent and share a working Mac OS X virus, the risk from a virus is lower than the risk of antivirus software destabilizing your computer.

    I could change that advice tomorrow. The Mac has some advantages in virus resistance but it doesn't have magic immunity.


    Sunday, May 08, 2005

    Bad news about Firefox 

    UPDATE May 11: you can get the fixed version of Firefox at or at

    There's a security hole in Firefox that allows bad guys to take over your computer if you do nothing but visit a web page they control. The Firefox developers are working on a fix but they haven't finished it.

    For now the only workaround that anyone's sure about is to turn off "Javascript", a programming language that allows web sites to do (hopefully safe) things on your computer. You can do that by going to Tools/Options/Web Features and unchecking the checkbox next to "Enable Javascript". Unfortunately you'd need to keep turning it back on for some useful and legitimate web sites. My favorite way to handle this problem is to install the Preferences toolbar extension so that a single click will turn Javascript on and off.

    There have been too many problems like this lately. I hope the Firefox developers take a step back to see if the security problems have anything in common and to see whether they could make a design change to prevent future problems.


    Saturday, May 07, 2005

    Mac OS X users: get the latest Software Update now 

    Apple released a bunch of security fixes. One of them's really important. Without the fix, you could lose control of your machine just by opening a TIFF graphics file from the wrong source.

    The only way this could be worse would be if there were bad guys using it to take over computers. I haven't heard of any. Yet.

    Go to System Preferences, the item on the Dock that looks like a light switch, and ask for a software update. Your system will remind you soon anyway but I wouldn't wait if I were you.

