Wednesday, June 29, 2005

Only for Veritas Backup Exec users 

Grab patches from Veritas, soonest.

There's a security flaw that allows outsiders to take over your computer(s) completely if they're running Backup Exec Remote Agent. There's also a problem with their server software.

What makes this so urgent is that the Computer Emergency Response Team reports that bad guys are breaking into systems now through this security hole.


How to buy a security product 

I just read some security product purchasing advice. It was all common sense business practice that you could apply to any situation where you deal with vendors.

I'd add some points to it. For one thing, don't trust any vendor who promises a complete solution to your security problems. Honest ones will talk in terms of risk management and explain what subset of security threats they mitigate.

Check whether they offer an easy way for outsiders to report security problems. It's disgusting how often I see people having to ask "I just found a security flaw in ___, does anyone know of a security contact at the company?". How on earth is the maker of ___ supposed to keep it secure if they can't even find out what the problems are?

Think about whether you can get hold of the expertise to keep their gadget running. You can't beat the price, performance and flexibility of an OpenBSD firewall with pf, but it's not much good if you have to bring in a consultant from two states away to make changes.


Windows 2000 users, you have a "rollup" today 

Microsoft says they will continue publishing security patches through 2010.


Sunday, June 26, 2005

"Abstract and obscure"? No, vital. 

When you set up an account on your Windows machine you have a choice about whether to make it an "Administrator" account. An Administrator account has total control over your computer and so does every program you run when you're logged in to that account. Running a program while logged in as an Administrator is like handing your entire key ring to a valet parker.

It's safer to do your day to day work in a more limited user account. If you accidentally run some vicious program then Windows will limit the damage that program can do as long as you're in a non-Administrator account.

Not many people take advantage of this built-in Windows security measure. One problem is the many widely used defective programs that don't have a legitimate need for Administrator privileges but refuse to run without them. Another reason is that Windows doesn't warn you when you're running with more privileges than you need. Microsoft is trying to spread the word now but their security program manager Michael Howard says "To the average user, the notion of non-admin is abstract and obscure". It shouldn't be.

Michael Howard wrote a program to make things easier. You can run in an Administrator account, but before you do something dangerous like surfing the Web you can run his program to temporarily give up the most dangerous privileges. The program is called Drop My Rights, and running it is like taking your house and safe deposit keys off the keyring before you hand it to a valet parker.

That may be easier than running full-time in a limited account, which can confront you with really technical issues.


Thursday, June 23, 2005

Movie files are hazardous again 

This time it's Real Player that's vulnerable. If a bad guy feeds your copy of Real Player a booby-trapped file of type AVI then he can take over your computer.

Fortunately there's a fix from Real Networks already.


Wednesday, June 22, 2005

If a box pops up and asks for a password, think twice 

I'm not sure how real a problem this is, but one browser vendor thought it was worth fixing.

Suppose you're looking through the web and have more than one web site open. Either of them can ask you for information by popping up a dialog box. The problem is that your web browser doesn't tell you which one the dialog box comes from.

Suppose one of those sites is run by a shady person, and you're looking at it for entertainment while you have another tab open to your bank. Now the shady operator pops up a dialog box that says "Your online banking session has expired. Please re-enter your password.", the dialog box appears over your banking session, and the answer you type in goes to the shady operator.

Except, this isn't news. That dialog box is always going to have a title like "Javascript" or "Javascript application", precisely because the people who build web browsers were worried that something like this would happen and made sure that the dialog box title was impossible for web sites to change. They were afraid someone might pop up fake dialog boxes.

The makers of Opera were sufficiently afraid people might get fooled anyway that they stuck in something to identify who popped up the dialog.

One good way to protect yourself against problems like this is to close all your other windows and tabs when you're doing something sensitive. And of course it improves your security to avoid sleazy sites about porcupines in Fort Lauderdale.


Microsoft's update may be even more important

One of Microsoft's fixes on Patch Tuesday fixed a problem that could allow someone to take over your computer completely from outside. Bad guys can look at the fix and work out what the problem was (if they didn't already know). Then they can build an attack. If they move fast they can take over lots of machines before the owners install the fix from Microsoft.

That's the theory. It may be happening for real this month. The Gartner Group says there are network probes going on that look like reconnaissance for an attack using the Windows vulnerability that Microsoft just fixed.

Remember, it's only fixed if you install the update! Start menu, Windows Update, follow the directions.


Friday, June 17, 2005

Now that you've been through another Microsoft Patch Tuesday 

Does it feel like you never get to use your computer, in between spyware scans, antivirus updates, and operating system patches?

If so, you're probably doing it right.

On my own computers I find that the overhead of keeping them protected is a pain.

There's no good answer, not for a general-purpose computer. Right now it's less work to keep a Mac secure than to protect a Windows machine. But there's nothing in the Mac to protect you against spyware that you install yourself, after being fooled by a misleading "license agreement". So far the spyware scum haven't discovered the Mac market. When they do things will get worse.


Thursday, June 16, 2005

I can't figure out how to make this simple 

To start with, click the Edit/Preferences or Tools/Internet Options menu in your web browser, go through the options until you find something related to "Java" (not Javascript), and turn it off. You probably don't need it, and if you do need it you need to fix a security problem before you use it again.

Java is a computer language. Web sites sometimes use it to run small programs on your machine. In theory this is safe because the Java system allows for confining a program to a small set of activities so the program can't install spyware, erase files, or generally vandalize your machine.

Every now and then someone finds a way for a Java program to sneak around those limits. Once that's possible, a web site could take over your machine as soon as you visit, by downloading a hostile Java program to you. Java's supposed to be safe so your browser probably runs it without asking you first.

Now things really start to suck.

There are two different flavors of Java in wide use. One's from Microsoft, one's from Sun. The recently discovered Java bug only affects Java installations from Sun. You might have either one.

Nobody's automatic updates will help. Microsoft had a bitter legal battle with Sun over Java and I don't expect them to help you upgrade a competing product. Browser makers might conceivably help but right now none of them mention the problem on their home pages. You're going to have to install the update yourself.

So how do you tell whether you're affected? This is where it starts to suck like one of those truck-mounted vacuum cleaners that cleans ductwork. Brace yourself:
If you then you should be safe.

You could also try Watchguard's instructions for identifying your Java version. If you're comfortable at a command prompt, Sun suggests typing "java -fullversion", which gives you the same kind of version information as "java -version" but less of it. Here things start to suck like the inside of a tornado, because Sun has at least two version numbering systems for Java: the "J2SE 5.0" of the marketing material is what the command line reports as "1.5.0". If you get one or more numbers back, look at the number that begins with "1.5", "1.4" or maybe "1.3". There are two fixed versions, one for each line: 1.4.2_08 for the 1.4 line, and J2SE 5.0 Update 2 (which the command reports as 1.5.0_02) for the 5.0 line. If you don't get any response typing the command "java" you may be safe, since Java is probably not installed.
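Because there are two numbering systems, the comparison is easy to get wrong by eye. Here is a small script, added to this post and not from Sun or Watchguard, that reads the banner "java -fullversion" prints and says whether you are on a fixed release. The two fixed versions (1.4.2_08 and J2SE 5.0 Update 2, which the command line calls 1.5.0_02) are the ones named above; the sample banner strings are constructed for the demonstration, not captured from a real machine, and the "unknown line" answer is what you get for any version line this post doesn't cover.

```python
"""Classify "java -fullversion" output against Sun's fixed releases.

Added example, not code from the original post. The fixed versions are the
two named in the post; the sample banners at the bottom are constructed.
"""
import re
import subprocess

# Sun's two numbering systems meet here: "J2SE 5.0 Update N" is reported by
# the java command as "1.5.0_0N". Keyed by (major, minor) line.
FIXED = {
    (1, 4): (1, 4, 2, 8),   # 1.4.2_08
    (1, 5): (1, 5, 0, 2),   # J2SE 5.0 Update 2 == 1.5.0_02
}

# Matches the quoted version in both `java -version` and `java -fullversion`
# banners, e.g. "1.4.2_08-b03". The _NN update number is optional.
_VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_version(text):
    """Return (major, minor, micro, update) or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro = (int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0
    return (major, minor, micro, update)


def marketing_name(version):
    """Sun's user-facing name for a command-line version tuple."""
    major, minor, micro, update = version
    if (major, minor) == (1, 5):
        return "J2SE 5.0 Update %d" % update
    return "J2SE %d.%d.%d_%02d" % version


def classify(text):
    """Return 'not installed', 'fixed', 'vulnerable' or 'unknown line'."""
    v = parse_version(text)
    if v is None:
        return "not installed"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown line"
    # Tuple comparison orders 1.4.2_05 before 1.4.2_08 correctly.
    return "fixed" if v >= fixed else "vulnerable"


def check_local_java():
    """Run the real command. java prints its version banner on stderr."""
    try:
        proc = subprocess.run(["java", "-fullversion"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return "not installed"
    return classify(proc.stderr + proc.stdout)


if __name__ == "__main__":
    samples = [  # constructed banners, one per case
        'java full version "1.4.2_05-b04"',
        'java full version "1.4.2_08-b03"',
        'java full version "1.5.0_01-b08"',
        'java full version "1.5.0_02-b09"',
        "'java' is not recognized as an internal or external command",
    ]
    for s in samples:
        print("%-62s -> %s" % (s, classify(s)))
    print("this machine:", check_local_java())
```

Run it as-is to see the four sample verdicts and then the verdict for the Java on your own machine. A result of "unknown line" means you have a version line (1.3, for instance) that this post says nothing about; go back to Sun's advisory rather than assuming you're safe.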

Head hurting yet?

By the way, this affects every operating system, not just Windows. Linux users are at risk too.

Sun recommends downloading this version of Java to fix the problem. Security firm Secunia suggests you could also get another version from Sun. I don't know which you should prefer.

Angry? I think you're entitled to be. This is a case of the industry installing a vulnerable technology without a clear way to alert users to hazards or to provide updates.

Scared? Well, the Internet is worth quite a bit of risk. I'll quote another Star Trek character, the superbeing called Q:
"If you can't take a little bloody nose, maybe you should crawl back under your bed. The universe isn't safe, it's wondrous, with wonders to satisfy appetites both subtle and gross, but it's not for the timid."


Monday, June 13, 2005

There's more than one kind of security 

"Freedom of the press is a security measure."

That's from security guru Bruce Schneier.

Think about it. Is it safer to live in countries with a free press, or countries without?


New newsletter, for your geeky friends 

I've launched an unabashedly technical newsletter called The Security Nerd. It usually won't help or interest a normal home/small business user.

Although, anyone with a dash of curiosity might enjoy the book I just reviewed there.

Silence on the Wire, by Michal Zalewski, is a manageably short (268 pp not counting index) book that starts by explaining the basics of how networks and computers operate and goes on to show zillions of ways information can waft out of your computer. You could learn why a "switch" is better than a "hub" in your network and why a switch still doesn't prevent eavesdropping. It's a book about technically beautiful attacks, so it doesn't cover the ugly ones like spyware that are the everyday threats.

Zalewski's writing style is clear and personable. He's obviously one of those people who loves his subject so much that he wants to share it and wants you to understand what he's writing. His book should be accessible to any teenager and to any adult who likes learning new things.


Friday, June 10, 2005

Medal of Cluefulness: Fidelity gives good security advice to customers 

More financial institutions should educate their customers (heck, more should educate themselves, but that's another story).

Fidelity's web site has good security advice, kind of a condensed version of what I try to provide here. Some of it's oversimplified but not in ways that would hurt you.


Apple's latest fix -- I think you want it 

Software Update will soon be offering you a security upgrade if you're running Jaguar or Tiger. This fixes several things, most of which could wait. But it's worth installing just for some fixes that constrain malicious Dashboard widgets from taking over your system.


Why it's hard to get a straight answer from a security consultant 

Why do you hear about "risk management" and "tradeoffs" when you're shelling out big bucks for the simple task of keeping bad guys out of your network?

The reason you get complicated answers to simple questions is that there's some risk in taking security measures. After all, every security product you install makes things more complicated and is one more thing to go wrong.

There were a couple of good examples earlier this year when anti-virus products went bad and brought systems down.

That's why I'm not recommending anti-virus software on Macintoshes (yet). This could change tomorrow, but right now the virus threat is so low that anti-virus software doesn't seem to be worth the hazards.


Is it really antivirus software? 

If you step back and get some perspective it's kind of strange that you need anti-virus software for a telephone.

When you do install anti-virus software on your phone, make sure you know where it's coming from. There's a destructive Trojan Horse program that pretends to be F-Secure Mobile Anti-Virus. You're safe if you download directly from F-Secure.


Twilight for Windows 2000 

Not sunset yet, but if I understand Microsoft's Windows 2000 update announcement correctly, Microsoft is beginning the official phase-out of Windows 2000. Mainstream support for Windows 2000 will reportedly end June 30, and Microsoft has announced that the next version of Internet Explorer will only run on XP and later systems. If you can't use a more secure browser you should definitely upgrade to XP when IE 7.0 comes out.


Are you considering switching from Windows? 

If you're curious about Linux but you're confused by the number of choices out there, you're normal. Someone's put together a wizard for choosing Linux distributions which is pretty reasonable. Check it out: it asks a few questions about your needs and narrows the hundreds of choices down to a few of the most appropriate.


Betrayed by your own boxes 

I've written about this before but it just keeps happening. Those little networking "appliances" are small computers with software written in a hurry by companies that are not always security conscious.

One recent example is a wireless router, the Acrowave AAP-3100AR. It is reported to have a bug allowing anyone to administer it from the Internet. Presumably this would allow turning off firewall features.

D-Link provided another recent example with a DSL modem/router that can be reprogrammed over the net by anybody.

I'm not sure what to suggest for protection except maybe to do belt-and-suspenders engineering with software like Zone Alarm on each machine behind your hardware firewall. The good news is that all these pieces of equipment are cheap enough to throw away. The bad news is that the manufacturers don't always make fixes available. All the big-name vendors have had egg on their faces, so it's not like there's some brand you can buy with a great security record.

If you don't mind the noise and the electric bills you could set up a spare computer with two network cards and some well-tested software and build your own firewall.


Here's an accurate, practical, up-to-date WiFi security article 

Brian Livingston writes about what works, what doesn't, what you should throw away, and gets it all right (!) in his recent article about WiFi wireless network security. I wish I'd written it.

He's got wonderful links, including a strong password generator, lists of hardware certified to work with the new security standards, and even a link to a white paper about how to set up enterprise-wide wireless security. It's all in a clear conversational style.

This is the best material I've seen on the subject. Check it out.


Thursday, June 09, 2005

Who you gonna trust? 

Security people have a funny reaction to the word "trusted". Their hackles go up, they arch their backs, and their tails puff out.

"Trusted", you see, doesn't mean "trustworthy". When you see the word "trusted" in security literature it means "something you have to trust because you don't have any choice".

The Netscape web browser comes with what sounds like a nifty feature. They rate web sites and change security settings based on the trustworthiness rating. The theory is that if you wind up at a site that installs spyware, and if the site is a known one, your browser will put its deflector shields up.

How do they decide what sites are safe and which aren't? They get a list from their "trusted security partners". There's that word, "trusted". How good a job do the "trusted security partners" do?

Spyware Warrior sharply questioned the Netscape trusted sites list. Many sites on the list are known sources of spyware/adware/whateveryoucallitthesedaysware. (via Broadbandreports).

It's a funny world when you get better advice from fictional characters than from a commercial product that you pay for, but here's some good advice about trust:
"Trust is earned. Not given away!" -- Lt. Worf, The Wounded
"Trust requires time and experience" -- Capt. Picard, First Contact


You know something other people don't 

A Harris poll this year found that about half of surfers don't know that some web browsers are more vulnerable to viruses and spyware. (49% give or take a 5% margin of error).

Your first question, of course, should be "who paid for the survey"? It was Opera, which makes a web browser with a pretty good security record and would doubtless like to sell more.

Only 11% of the people surveyed had, as I have, switched browsers for security reasons.


Is Firefox really a more secure browser? 

That's the question people were asking after the latest embarrassing Firefox security bug. Check your Firefox version (Help menu, "About Firefox" item). You should be at version 1.0.4. Earlier versions have some known security problems.

The flip answer is that nothing is secure. There's a deeper answer, though.

Security doesn't come from using the right product any more than health comes from using the right pill. No matter what software you use, if it takes input from the Internet you'd better be checking regularly for security updates. It's a boring and annoying job, but then so is flossing your teeth.

Here are some places where you can safely test your web browser for known security problems. and (for Internet Explorer only) offer safe checks for recently reported problems.

Firefox really is more secure than Internet Explorer today other things being equal. Other things are never equal. Let's be careful out there.


More than one kind of security: voting machines, AGAIN 

Optical scan voting machines take a form that's just like those tests you took in school where you fill in an oval with a dark pen or pencil. They have a counter you can see, so you know right away whether your ballot was readable. There's a piece of paper available for auditing and for recounts if necessary. A simple, clean system which should be easy to do right.

Diebold didn't do optical scan voting machines right, according to the folks at Black Box Voting.

The scanning machine stores its count of votes on a removable memory card. That card should be as simple as a floppy disk or a USB thumb drive.

For some reason known only to Diebold, those cards can have programs on them. The program inside the scanning machine starts the program on the card. What can the program on the card do? Well, among other things, it can rewrite the results.

You think that's bad? It's a bad design but the risk it causes could be controlled. All the software is supposed to be certified, so the voting machine should check the authenticity of the software in the card.

It doesn't. It doesn't check the right way, it doesn't check the stupid way, it doesn't check at all. Any of millions of computer programmers could write a vote-changing program and stick it on one of the memory cards, and the ballot results would go into the system undetectably changed.
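To make "it doesn't check at all" concrete, here is what even the "stupid way" of checking would look like. This is an added illustration, not Diebold's code: the card layout (a header, the program, then the results block) is invented for the example, the CERTIFIED set stands in for the list of approved software builds the machine is supposed to know about, and the two sample programs are constructed. The "right way" would be a digital signature from the certifying body; a hash allow-list is the simplest thing that still stops an arbitrary program on the card from being run.

```python
"""Refuse to run a memory-card program unless its hash is on a certified list.

Added example, not code from the original post or from Diebold. The card
format and the sample programs are invented for illustration.
"""
import hashlib
import struct

MAGIC = b"CARD"  # hypothetical card header, assumed for the example


def build_card(program: bytes, results: bytes) -> bytes:
    """Constructed card image: MAGIC, 4-byte program length, program, results."""
    return MAGIC + struct.pack(">I", len(program)) + program + results


def split_card(image: bytes):
    """Separate the program blob from the results block, or reject the image."""
    if image[:4] != MAGIC or len(image) < 8:
        raise ValueError("not a card image")
    (plen,) = struct.unpack(">I", image[4:8])
    program = image[8:8 + plen]
    if len(program) != plen:
        raise ValueError("truncated program")
    return program, image[8 + plen:]


def program_digest(program: bytes) -> str:
    return hashlib.sha256(program).hexdigest()


def load_card(image: bytes, certified: set):
    """Return (program, results) only if the program hash is certified.

    The list of certified hashes lives in the machine, not on the card, so
    someone who can write to a card still cannot get their program accepted.
    """
    program, results = split_card(image)
    digest = program_digest(program)
    if digest not in certified:
        raise PermissionError("uncertified program on card: sha256 %s" % digest)
    return program, results


# Constructed samples: the "certified" build and a tampered one that differs
# by a few bytes, standing in for a vote-rewriting change.
CERTIFIED_PROGRAM = b"tally: count ovals, write results\n"
TAMPERED_PROGRAM = b"tally: count ovals, swap results\n"
CERTIFIED = {program_digest(CERTIFIED_PROGRAM)}


def demo() -> dict:
    """Try both cards; returns which ones the machine would accept."""
    results = b"A=120,B=98"
    accepted = {}
    for name, prog in (("certified", CERTIFIED_PROGRAM),
                       ("tampered", TAMPERED_PROGRAM)):
        try:
            load_card(build_card(prog, results), CERTIFIED)
            accepted[name] = True
        except PermissionError:
            accepted[name] = False
    return accepted


if __name__ == "__main__":
    print(demo())
```

The point of the example is the shape of the check, not the hash function: the machine decides what it will run by comparing against a list it controls, and anything else on the card is refused before it executes. Note that a hash list only protects you if the list itself can't be changed from the card, which is why a signature from the certifier is the better design.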

Now you could control even that risk with good physical security on the memory cards. But the Black Box Voting report says
these cards were seen scattered on tables in King County, piled in baskets accessible to the public in Georgia, and jumbled on desktops in Volusia county

Read the report at the link above. It's non-technical, and there's lots more information there. Yes, it's actually even worse than my description. I'm a software engineer and a security consultant and can say with confidence that this system is bad. Not just Detroit-car bad. Not screen-door-on-a-submarine bad. This is pile-of-oily-rags-up-against-the-kindling bad.

Too many of us have died for the right to vote to take this sitting down.


Trends in computer attacks 

Computer intrusion
has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money
according to security industry heavyweight Bruce Schneier.

He predicts more targeted attacks, aimed both at the most vulnerable targets and at the highest profile ones. He also expects more viruses spreading over file sharing networks.


Securing your wireless network: the hard way made easy 

The latest alphabet soup in wireless security standards includes gibberish like "802.1x" and "RADIUS".

The big change in the newest security standards is that they go beyond just scrambling the network traffic to deter eavesdroppers. They also force anyone joining the network to provide some kind of login information. It's as though you needed a password to use an Ethernet jack.

This is a good thing, really, but the standard way to set it up involves having a server just to handle network logins. At this point any small businessperson is likely to run away, envisioning four-figure bills and hours on hold with technical support.

Fortunately these are problems you can outsource. There are companies that will take a monthly fee and provide and maintain the back end for you. I can't possibly give you a better rundown of the offerings than this Glenn Fleishmann article about outsourced "WPA Enterprise" solutions.


Yet another way to prevent eavesdropping on WiFi 

Glenn Fleishmann's wonderful Wi-Fi Networking News mentioned another service to protect your data when you're at a coffee shop., like competitor, offers a virtual private network for rent. Your Internet traffic goes to their machines on a scrambled connection, then they descramble it and send it on to wherever it was going. They charge $6/month or $60/year.

They have instructions for setting up both Windows machines and Macintoshes. Theoretically other operating systems should work but they don't give detailed support.


Good news from Microsoft 

eWeek reports that Microsoft will ship Internet Explorer 7.0 in a restricted configuration.

What that means is that (hopefully) future security bugs in IE won't be able to take over your entire computer, because IE won't have all the privileges that you do.

Some web sites may stop working. That will be good.

