Wednesday, July 20, 2005

Good for Visa and American Express! 

After payment processor Cardsystems leaked forty million account numbers, Visa and American Express took decisive action. They announced that they won't do business with Cardsystems any more. Mastercard is giving them another chance for some reason. If and when Mastercard follows suit, it will be close to a corporate death penalty.

Visa and American Express are right, and their action will wake up some of the hundreds of other payment processors. Cardsystems, you see, wasn't even supposed to be storing those account numbers! The card networks' rules forbid a processor from keeping full card data after a transaction has been approved. They said they were keeping them for "research", which is about as credible as the man who says he has a kilogram of cocaine for "personal use".


Sunday, July 17, 2005

When should you hire someone like me? 

This is about hiring a consultant in general, not specifically about hiring a security consultant, but it has good advice about how to check for conflicts of interest and what benefits you get for your money:
Why Your Business Needs an IT Consultant

Even if you have enough expertise in house to keep your system secure from day to day, it can make sense to hire an outsider periodically to give you a checkup. Another good reason would be installing new and unfamiliar equipment, or spinning up new Internet services. You might also want a security consultant if you are getting hit by new government regulations and need someone to translate them into concrete actions.


How and why people get spyware 

Sometimes someone says things so well I just have to quote them. The quote below came from a forum for nerds, so let me start by defining some of the jargon:

Claria: a company that sues people who call its products spyware
drive-by download: software that installs itself without asking or notifying you, usually through a security flaw in Microsoft Internet Explorer
EULA: End User License Agreement, the text to which you click "I agree"
NTP client: a program that sets your computer's clock accurately from a reference on the net
Spynet: Microsoft's collection of reports from Microsoft Anti-spyware users.

Re:Sadly, no surprise.
by bhtooefr (649901) on Thursday July 07, @07:05AM

Typical infection process of a Claria app, if it's downloaded legitimately (I don't recall Claria's stuff doing drive-by downloads):

1. User sees "Free password manager", "Free calendar thingy", or "Keep your computer clock up to date" (on the last one, not knowing that their XP box has a built-in NTP client, and easy to set up, too)
2. User downloads, and installs, not reading the EULA (as they've been taught - it's all legalese BS, after all, but there's often a string of legalese in the EULAs of these apps that boils down to "this is spyware")
3. User wonders why computer is running so slow, so he/she calls a friend over to remove the spyware. Said friend mentions something about "Claria junk", and removes it.
4. User sees that their little clock thingy isn't working right, and redownloads it.
5. User again realizes that their computer is running slow, but hears about this "Microsoft AntiSpyware" thingy that helps it go faster, so they download it.
6. On the first scan, it says "OMG! There's Claria on here!" (not really, but that'd be the general gist of the screen to a user). The user remembers that when the friend cleaned stuff off, Claria was the thing that when removed, broke the clock thingy, so he/she tells it not to erase. Default behavior is to send the actions to SpyNet, so it went to SpyNet that he/she chose to keep it.

Does that sufficiently explain it?


Friday, July 15, 2005

Something is up with Windows Remote Desktop (maybe) 

Remote Desktop listens for connections from the network (TCP port 3389), and people routinely open their firewalls for it so they can reach their PCs from elsewhere, so it could be pretty dangerous if something were to go wrong with it.

Someone using an automatic tool that throws malformed inputs at programs until they crash (a "fuzzer") managed to make Windows crash.

Right now everything is rumors and speculation so I can't give any solid advice. But it looks like the Windows component that crashed is the one that makes Remote Desktop work. It also looks like the kind of crash that could signal the existence of a security hole.
UPDATE 7-16: eWeek magazine says Microsoft will patch the vulnerability
UPDATE 7-18: no more "maybe" about it, Computerworld says Microsoft confirms a Remote Desktop flaw and recommends disabling the service.

The facts should be in within a few days. Meantime, if you can disable Remote Desktop when you're not using it, that couldn't hurt. It's off by default on XP, so if you have never switched it on under Control Panel, System, Remote tab, you are already fine.
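For the IT person, here is how to check and switch off Remote Desktop from a command prompt on XP or Windows 2003 while waiting for the fix. This is an added example, not part of the original post. It assumes an XP SP2 machine with the built-in Windows Firewall enabled; the registry value it changes is the same one the "Remote" tab of System Properties toggles.

```batch
@echo off
rem Added example (not from the original post): check whether Remote Desktop
rem is enabled and turn it off until Microsoft's fix is installed.
rem Run from an Administrator command prompt on XP SP2 / Windows 2003.

set TSKEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

echo Current setting (fDenyTSConnections 0 = Remote Desktop on, 1 = off):
reg query "%TSKEY%" /v fDenyTSConnections

echo Anything listening on the Remote Desktop port (TCP 3389)?
netstat -an | findstr ":3389"

echo Turning Remote Desktop off...
reg add "%TSKEY%" /v fDenyTSConnections /t REG_DWORD /d 1 /f

rem Belt and braces: also close the port in the XP SP2 Windows Firewall,
rem so nothing reaches the service even if the setting gets flipped back.
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE

echo Re-check: the value should now read 0x1 and 3389 should not be listening.
reg query "%TSKEY%" /v fDenyTSConnections
netstat -an | findstr ":3389"
```

Do not try to stop the "Terminal Services" service itself on XP: Fast User Switching and Remote Assistance depend on it, and the service does not accept a stop request. Turning Remote Desktop off and closing the port is enough. When the patch is installed and you want Remote Desktop back, set the value to 0 and re-enable the firewall exception with mode=ENABLE.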

If you mention this to your IT person, pass along the following frustratingly incomplete links:
Incomplete SecurityFocus vulnerability report
Speculation about where the problem is
Screen shot of the crash but it's still not clear whether someone can take over your machine.


Fast User Switching is a security measure 

I wish I could take credit for this idea. In fact, I wish I could even remember who came up with it so that I could give him/her credit.

Most people don't take full advantage of being able to create multiple login accounts on XP. They're handy for letting more than one person use the computer with minimum interference but you may also want to have more than one login account for a given person.

Why would you do something as strange as giving one person multiple accounts? Because different accounts can have different privileges. The first and simplest thing to do is to create one account that's allowed to administer the computer (XP's User Accounts control panel calls this a "Computer administrator" account) and another that isn't (a "Limited" account). If you do your daily work on the non-Administrator account then XP's security mechanisms will limit the damage from any nasty software you download by accident: it can't install itself system-wide or change settings that belong to the Administrator.

Now comes the fun part that makes this all convenient. With Fast User Switching you can be logged in to both accounts at once. Use the non-Administrator account for web surfing and other potentially dangerous activities. Then when you need to install software, defragment the disk, or do anything else that's limited to Administrators, just switch over to the other login session (Start, Log Off, Switch User, or press the Windows key together with L). One caveat: Fast User Switching is not available on a computer that belongs to a company domain, so at work you may have to log off and back on instead.
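Here is the setup done from a command prompt, as an added example that is not from the original post. The account name "daily" is a placeholder; the script assumes you run it once from your existing Computer administrator account.

```batch
@echo off
rem Added example (not from the original post): create a second, Limited
rem account for daily use and confirm it is NOT an Administrator.
rem Run once from an account that is a Computer administrator.
rem "daily" is a placeholder name; pick your own.

set ACCT=daily

rem Create the account. The * makes "net user" prompt for the password
rem instead of leaving it in your command history. New accounts land in
rem the "Users" group, which is what the control panel calls "Limited".
net user %ACCT% * /add /comment:"Non-administrator account for web and e-mail"

rem Check: %ACCT% must NOT appear in this list...
echo Members of Administrators:
net localgroup Administrators

rem ...and must appear in this one.
echo Members of Users:
net localgroup Users

rem From then on, do daily work as %ACCT% and switch sessions
rem (Windows key + L) when you need the Administrator account.
rem For a single admin chore you can also stay in the Limited session and
rem run just that one program as the administrator, e.g. Add/Remove Programs:
rem   runas /user:%COMPUTERNAME%\Administrator "control appwiz.cpl"
```

If an account ever does show up under Administrators by mistake, "net localgroup Administrators daily /delete" takes it back out; the account keeps its files and settings, it just loses the extra power.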


The future of antivirus; expect more false alarms 

Antivirus programs have two ways to detect malicious software. One way is to look inside a downloaded program to see if it matches a known virus, kind of like a police officer comparing a face against a Wanted list.

The other way is to watch what the downloaded program does and stop it if it does anything "suspicious", like a police officer detaining someone for acting strangely.

The first way requires you to download new antivirus signatures every time a new virus comes out. The second way is prone to false alarms: police officers and antivirus programs can make mistakes.

Virus writers over the last few months have started releasing new versions of their pests every few hours, each one slightly changed to avoid detection by antivirus software. A few hours later, when the antivirus vendors catch up, the crooks make another change. If this keeps up then we may have to give up on looking at the bits inside a program to identify viruses.

If we can't count on catching a virus by recognizing its bits ("signature-based detection") then we'll have to depend more on watching for virus-like activity ("behavioral analysis"). Innocent programs will be blocked by antivirus software occasionally, just like innocent people in bad neighborhoods sometimes get stopped and questioned by the police. (Yes, the Internet is a bad neighborhood.)

Is there any hope for a long term cure? My personal opinion is that operating systems need to change how they assign permissions. HP Labs has done some fascinating research about this. If you have a technical friend you can point them to my unabashedly technical security newsletter for a discussion of what HP has.


Tuesday, July 12, 2005

If your copy of Zone Alarm suddenly crashes 

it might be a bug -- for some reason the latest versions have had a lot of reports of reliability problems. It might also be an attack. Details are maddeningly scarce but there's allegedly a way for a bad guy on the network to send your Zone Alarm firewall something that will make it crash.

If everything's running then there's no compelling reason to do anything. If you do have problems, though, don't simply uninstall Zone Alarm. Be sure to run something else in its place. There's another well regarded personal firewall product from Kerio. I haven't used it but the buzz about it is good.


Happy Patch Tuesday! 

Don't waste any time getting Microsoft's newest security fixes. It's "Windows Update" on the Start menu. Today's set is important because Microsoft reportedly has evidence that bad guys are attacking through one of the flaws that Microsoft fixed.

In the meantime, you're at risk from the problems these patches fix. It's the last of them that bad guys are exploiting now.
UPDATE 7-13: Microsoft now says that both of the Windows problems are in use in the wild for real attacks. For the Word problem, Windows Update doesn't help; you need to update Office separately through Microsoft's Office Update site. Once you get the updates, you'll discover that they won't install unless you put in your original Office CD (or reconnect to the network location where your company put it). This doesn't apply to you if you're at a large company, which will have a way of managing installations that avoids the problem of needing the original installation source.

This isn't the kind of problem that firewalls help with, and even if your antivirus software begins looking for attacks on these weak points, by the time it does that you should already have updated Windows.


Wednesday, July 06, 2005

At last, some relief for the latest IE vulnerability 

Once again, Microsoft Internet Explorer (the "blue E") has a problem that allows bad guys to take over your computer.

Microsoft suggests workarounds in their security bulletin. They're pretty technical but the bulletin describes them in enough detail for anyone to follow.

I'm still trying to find out how serious this problem is. Bad guys aren't using it for break-ins, at least not on a large scale. The first accounts make it sound like the problem only comes up if you're allowing "ActiveX" to run from untrusted web sites. Never mind the technical details: if your computer is working well enough that you can read this, you probably haven't been letting random web sites run ActiveX.

On the other hand, I need to find out whether this affects all the zillions of other places in Windows that use components from Internet Explorer.

