Friday, September 23, 2005

Mobile phone viruses: time to worry yet? 

Antivirus firms are arguing in the industry press about whether mobile phone viruses are a security threat or just hype. If you're a cynic you might wonder whether you could guess the firms' positions based on whether they offer mobile phone antivirus products. You could.

The truth seems to be that both sides are right. Today's mobile phone malware is scattered, mostly harmless and spreads slowly. This will get worse as virus writers trade techniques and as smart phones become more common. Things will really get bad when organized crime figures out a way to profit from mobile phone malware.

What should you do now? There are two or three things to consider before you resort to antivirus software on your phone. One is to wander through the settings on your phone and turn off any file-transfer or program-download features you don't need. Another is to turn off any Bluetooth features that you don't need.

By the time mobile phone viruses catch on, one phone operating system may have emerged as more virus-resistant. Research that before you buy.

The other thing is to consider getting a dumb phone. An anonymous post on a bulletin board for geeks said
Just buy a damn PHONE. You know. Those things that used to just go ring-ring, and you pick it up and talk on it and maybe keep an address book on?


Sunday, September 18, 2005

Microsoft Internet Explorer, again 

eEye Security reports another unpatched bug in IE. This is about the second-worst kind of bug. It can take over your computer but it can't do it without some action on your part (kind of like a vampire who can't come into your home unless invited).

What kind of action should you avoid taking? Nobody's talking yet.

While we wait for Microsoft's fix, the best moves for anyone who's compelled to use IE are to stick to reputable web sites and block ads, turn off "Active Scripting" if the loss of functionality is tolerable, and maybe use a separate account or a separate computer for web surfing.


Saturday, September 17, 2005

Manage multiple computers? Worried about managing Firefox? 

Your life will be simplified by the .msi installer for Firefox, one of the many goodies being produced by the Firefox community. You can push it out to multiple machines via SMS.


Friday, September 09, 2005

Don't click strange links, especially until Firefox gets fixed 

It's a good policy in general, and right now it's important because someone found a simple way to crash Firefox. If you try to follow a link that begins with "host:" and continues with a long string of dashes, boom.

The guy who discovered the problem thinks a bad guy could use it to take over your machine. Nobody's proven it and others are skeptical. The bug does belong to a class of bugs that are pretty dangerous to security.

Keep an eye out for the next Firefox version, and in the meantime continue with good hygiene. You wouldn't follow a stranger into an alley, so don't follow strangers into unknown places on the web.
UPDATE 9/10: the Firefox team has a patch and workaround already.
UPDATE 9/17: rumor has it that people have figured out how to take over a machine by triggering this flaw.
UPDATE 9/23: it's more than rumor. Any interested bad guy can now get ready-made programming to take over your machine if you visit their web site. Upgrade if you haven't already.


Mac users, don't be too smug 

Just stay at the right level of smugness :-)

One Australian computer security manager discovered that many Mac users think they're immune to viruses, spyware and other plagues.

OS X avoided many of the security-related mistakes in Windows but it's had its own security problems, and no operating system in common use will protect you if you take candy from strangers.


Tuesday, September 06, 2005

Quote for the day about buying technology 

This applies to security technology as well as other information technology. Can you believe the claims for Return On Investment?

Bob Dust, quoted in Infoworld, says "If I could really achieve the ROIs that are promised, I would shut down the business and just buy technology all day long."


Monday, September 05, 2005

Ever wonder what "spyware" is? 

Last month someone did a survey and discovered that 68% of adults didn't know what spyware was. Those people are probably walking around afraid to ask, because they're sure everyone else knows.

It's unwanted software, which shady web sites put on your computer by tricking you or by using a security breach, that usually displays ads based on monitoring your web activity.


Followup on the cookie wars 

There was a splash of news last spring about the next generation of cookies. Did you ever wonder what happened?

Cookies, you remember, are the little files that a web site can write to and read from your disk. Legitimate web sites store your shopping cart, identification, preferences and so on in cookies to make your life easier. Many places misuse cookies to create records of your travels through the web. Much security software now blocks or deletes these "tracking cookies".

So you'd expect advertisers to look for a way to store cookies that won't get deleted. Last spring's news was about a company that announced a way to store cookie-like information in "local shared object" files used by Flash, the program that runs all those obnoxious animated ads.

Is this evil, is it a threat, has it caught on, and is there anything you can do about it?

Certainly not evil per se. There are plenty of legitimate uses that benefit you, ask your permission and explain what's happening on your computer. A threat? Potentially. You may not want a record on your computer that you visited You may not want to know that you previously visited

Has it caught on? Not that I can tell. I installed the Firefox extension for viewing and deleting Flash cookies and found very few things, all of them safe and boring.

What can you do? Ignoring the whole issue seems to be safe for now. If you make a hobby out of privacy or just want to stay ahead of the game, you can follow the advice from Macromedia, who make Flash. They've been responsible citizens about the whole business, they don't want advertisers to misuse their technology, and their web site even explains how to turn off Flash cookies.
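If you'd rather look at the "local shared object" files yourself than install an extension, here is a small inventory script, added as an example and not part of the original post. The storage folders and the `<profile>/<site>/...` layout it walks are assumed Flash Player defaults; the post itself does not name them.

```python
import os
from collections import defaultdict
from pathlib import Path

# Assumed default Flash Player storage roots (not given in the post).
CANDIDATE_ROOTS = [
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # Mac OS X
]
if os.environ.get("APPDATA"):                                                    # Windows
    CANDIDATE_ROOTS.append(
        Path(os.environ["APPDATA"]) / "Macromedia/Flash Player/#SharedObjects")


def inventory(root):
    """Group .sol files under one #SharedObjects root by the site that wrote them.

    Assumed layout: <root>/<random profile dir>/<site domain>/.../<name>.sol
    Returns {domain: {"files": count, "bytes": total_size}}.
    """
    root = Path(root)
    sites = defaultdict(lambda: {"files": 0, "bytes": 0})
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # not in <profile>/<domain>/... form, skip it
            continue
        entry = sites[parts[1]]
        entry["files"] += 1
        entry["bytes"] += sol.stat().st_size
    return dict(sites)


def report(roots=None):
    """Return one printable line per site, across every root that exists."""
    roots = CANDIDATE_ROOTS if roots is None else roots
    lines = []
    for root in roots:
        if not Path(root).is_dir():
            continue
        for domain, e in sorted(inventory(root).items()):
            lines.append(f"{domain}\t{e['files']} file(s)\t{e['bytes']} bytes")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no Flash local shared objects found")
```

A site you don't recognize with files here is the Flash equivalent of a tracking cookie that your browser's cookie cleanup did not touch.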


"Analogies are like goldfish" 

That's what a guy I know likes to say. Goldfish, you see, don't help you understand your problems, so goldfish are like many analogies.

I thought of that when I saw what was actually a good article in Usable Security about controlling malicious software. The article explains why many security professionals (me included) believe computers should resist malware better than they do.

But talk about analogies breaking down, take a look at the comments. The typical comment could be paraphrased as "no, it's not like a butler with a gun, it's more like building a bridge". Ouch. The comments are insightful, though. Be warned that some require a technical background.

The point of the article was the same one I've made before. It's dangerous to have any software you run be able to do anything that you're able to do.


Secure your business by doing dull things first 

The four-color brochures are mouthwatering, the salespeople are persuasive, and the press tells you that you need more security gadgets and software.

Odds are that you'll get more value from boring operational changes.

That's the message (and I agree with it) of this Infoworld column by Roger Grimes. Some of his advice is too vague ("review e-mail security policy") but most of it is as practical, cost-effective, accurate (and tedious) as telling you to floss your teeth every day. You should start with testing that your backups are working and with his suggested inventory of installed software.


Sunday, September 04, 2005

Poor security at your business? You're not alone 

This article about small and medium business computer security concludes that most SMBs are missing key pieces.

If you run an SME and if you can't afford to hire someone like me, please just do one thing. Back up your important information offsite. Not just offsite, but outside the area if you're subject to region-wide disasters. Backing up to DVD is probably the most reliable of the cheap ways to do it.


Friday, September 02, 2005

More than one kind of security: Katrina response matches up people who have spare bedrooms with refugees.

Money is the best thing to donate to a relief agency. Volunteers can help by answering the phones and taking donations: the Red Cross is being overwhelmed by contributors (now that is the America I know). If you have interviewing or HR skills then ask your local Red Cross chapter if they need someone to help with volunteer intake.

Wherever you live, you're subject to natural disasters too. Do something today so you won't be part of the problem later. Run your car on the top half of the gas tank, put extra canned food and bottled water on your grocery list, take a first aid class.

