Thursday, January 12, 2006

Norton pulls a Sony. Kinda-sorta 

Norton SystemWorks has been hooking Windows so that Windows itself cannot see one of the SystemWorks directories, the same cloaking technique a rootkit uses. Symantec's intentions seem to have been good: the feature was aimed at keeping anyone and anything from accidentally modifying the directory. It was still a bad idea, because anything that can write into a directory Windows cannot see (malware included, and the antivirus scanner along with everyone else) gets to hide under the same cloak of invisibility.

Publisher Symantec has already released a change that removes this misfeature.

The security researcher who unearthed the Sony scandal, Mark Russinovich, found this one too. He looked at it and concluded it's nowhere near as bad:
"In Sony's case, it was meant as a benefit to Sony. In Symantec's case, they really believed it was a benefit to the consumer. I don't see the benefit but I think they had good intentions. They did the right thing by making this change."

Install the update.


Wednesday, January 11, 2006

Here's something new to worry about 

What if you get malware from something you buy at the store?

It happened last year in Japan when I-O Data shipped infected external hard drives to its Japanese customers. The payload was a program that lets the bad guys control the victim's computer remotely.

Which could be just a freak accident. But put these facts together: and you have a recipe for something scary happening, at least at the cheap end of the market.


Look for the picture of a lock at the bottom right? 

For about ten years everyone's been telling you to check the bottom of your web browser window for a picture of a padlock before you type anything sensitive like a banking password.

That's still a good thing to do, but it's getting more complicated. Security firm Netcraft has a new semi-technical paper about trends in phishing which mentions that scammers are now coming up with attacks that do turn on the padlock icon. The padlock only means that the connection to whatever site you are on is encrypted; it says nothing about whether that site is the one you meant to visit, and a scammer can get a certificate for a look-alike name as easily as anyone else.

Some very bright people are having really intricate arguments about what's wrong and how to fix it. For now, the best a normal person can do is to avoid giving away information if the browser warns you about something wrong with the "certificate", and to keep a close eye on whether you landed at the site you meant to go to (as opposed to one with a similar name, say).
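What "keeping a close eye on the name" actually means, as an added example (not from the original post and not Netcraft's code): pull the host out of the address the way a browser does and compare it, exactly, against the site you intended. The sample addresses and the hypothetical bank name `bank.example` are constructed for the demonstration; the two tricks it catches are the real bank's name stuffed in front of an unrelated domain, and the real bank's name placed before an `@`, where it is a username rather than a host. IPv6 literal hosts in brackets are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post: extract the host part of a URL
 * and check it against the site the user meant to reach.  URLs and the
 * "bank.example" name are constructed samples. */

/* Copy the host of url into host (hostsz bytes), lowercased.
 * Returns 0 on success, -1 if no host can be found. */
static int url_host(const char *url, char *host, size_t hostsz)
{
    const char *p = strstr(url, "://");
    if (!p) return -1;
    p += 3;

    /* The authority section ends at the first '/', '?' or '#'. */
    size_t alen = strcspn(p, "/?#");

    /* Anything before an '@' is userinfo, not the host.  Classic trick:
     * https://www.bank.example@evil.example/ shows the bank's name first. */
    const char *at = memchr(p, '@', alen);
    if (at) {
        alen -= (size_t)(at + 1 - p);
        p = at + 1;
    }

    /* Drop a trailing :port (assumption: no bracketed IPv6 literals). */
    size_t hlen = 0;
    while (hlen < alen && p[hlen] != ':') hlen++;
    if (hlen == 0 || hlen >= hostsz) return -1;

    for (size_t i = 0; i < hlen; i++)
        host[i] = (char)tolower((unsigned char)p[i]);
    host[hlen] = '\0';
    return 0;
}

/* 1 if url's host is exactly `expected` or a subdomain of it, else 0.
 * "Looks similar" does not count; the padlock is meaningless when the
 * host is wrong. */
static int is_intended_site(const char *url, const char *expected)
{
    char host[256];
    if (url_host(url, host, sizeof host) != 0) return 0;

    size_t hl = strlen(host), el = strlen(expected);
    if (hl == el) return strcmp(host, expected) == 0;
    /* subdomain: host must end in ".expected" */
    return hl > el && host[hl - el - 1] == '.' &&
           strcmp(host + hl - el, expected) == 0;
}

int main(void)
{
    /* Constructed sample addresses, all of which could show a padlock. */
    const char *samples[] = {
        "https://www.bank.example/login",
        "https://WWW.BANK.EXAMPLE:443/login",
        "https://www.bank.example.secure-login.example/",
        "https://www.bank.example@evil.example/",
        "https://www.bank-example.net/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-50s %s\n", samples[i],
               is_intended_site(samples[i], "bank.example") ? "ok" : "WRONG SITE");
    return 0;
}
```

Only the first two addresses pass; the other three are the kinds of look-alike a padlock does nothing to warn you about.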


Just when you thought it was safe to go back in the water 

There's a newly discovered Windows bug in the handling of .WMF image files. This is different from the critical WMF bug earlier this year, which was different from the WMF bug last fall.

The new one allows a bad guy to crash your computer if you look at a booby-trapped picture file. Attacks should work in all web browsers, since it's Windows, not the browser, that decodes the picture.

Microsoft and the discoverer say that this bug can only cause crashes and not machine takeovers. I haven't seen enough evidence to convince me. In general a programming error that lets a bad guy run a program off the rails far enough to crash will also let the bad guy steer it where he wants.

Sigh. Best you can do for now is run an ad blocker and stick to reputable web sites. Antivirus firms may add checks for booby-trapped .WMF files.
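Why a "crash only" bug deserves suspicion, as an added example (this is not the WMF code and not Microsoft's; the record layout and the sample files are constructed for the demonstration). The toy parser below copies a picture record into a buffer, trusting the length byte in the file. Feed it junk and the length overruns the buffer into a neighbouring callback pointer, which ends up full of 'A's: a crash. Feed it the same oversized length with chosen bytes instead of junk and the very same bug now points the callback wherever the attacker likes. The hardened parser rejects both because it checks the length against the buffer it lands in.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Microsoft's WMF code.  The record layout (a 16-byte
 * payload buffer sitting directly in front of a callback pointer) is a
 * constructed assumption so the overwrite is easy to see. */

#define DATA_SIZE 16

struct record {
    unsigned char data[DATA_SIZE];  /* payload copied from the "file" */
    void (*on_done)(void);          /* callback run after parsing */
};

static int benign_runs, attacker_runs;
static void benign_done(void)   { benign_runs++; }
static void attacker_done(void) { attacker_runs++; }  /* stands in for shellcode */

/* File format: byte 0 = payload length, followed by that many bytes. */

/* Vulnerable: checks the file is long enough, never checks the destination. */
static int parse_vulnerable(struct record *r, const unsigned char *f, size_t n)
{
    if (n < 1 || n < 1 + (size_t)f[0]) return -1;   /* truncated file */
    memcpy((unsigned char *)r, f + 1, f[0]);       /* runs past data[] */
    return 0;
}

/* Fixed: the length must also fit the buffer it is copied into. */
static int parse_fixed(struct record *r, const unsigned char *f, size_t n)
{
    if (n < 1 || n < 1 + (size_t)f[0]) return -1;
    if (f[0] > DATA_SIZE) return -1;               /* oversized payload: reject */
    memcpy(r->data, f + 1, f[0]);
    return 0;
}

enum sample  { SAMPLE_GOOD, SAMPLE_FUZZ, SAMPLE_EXPLOIT };
enum outcome { OUT_REJECTED, OUT_INTACT, OUT_GARBAGE, OUT_HIJACKED };

/* Constructed sample files.  The two bad ones use the same oversized
 * length (kept within sizeof(struct record) so the demo is deterministic);
 * they differ only in which bytes land on the callback pointer. */
static size_t make_sample(enum sample s, unsigned char *out)
{
    size_t overflow_len = DATA_SIZE + sizeof(void (*)(void));
    switch (s) {
    case SAMPLE_GOOD:
        out[0] = 8;
        memset(out + 1, 0x7f, 8);
        return 9;
    case SAMPLE_FUZZ:                  /* junk: callback becomes 0x4141... */
        out[0] = (unsigned char)overflow_len;
        memset(out + 1, 'A', overflow_len);
        return 1 + overflow_len;
    case SAMPLE_EXPLOIT: {             /* same bug, chosen bytes: control */
        void (*target)(void) = attacker_done;
        out[0] = (unsigned char)overflow_len;
        memset(out + 1, 'A', DATA_SIZE);
        memcpy(out + 1 + DATA_SIZE, &target, sizeof target);
        return 1 + overflow_len;
    }
    }
    return 0;
}

/* Parse one sample and report what happened to the callback pointer.  The
 * callback is only invoked when it still points at a known function, so the
 * GARBAGE case reports the would-be crash instead of faulting. */
static enum outcome feed(enum sample s, int hardened)
{
    unsigned char file[64];
    size_t n = make_sample(s, file);
    struct record r;
    memset(&r, 0, sizeof r);
    r.on_done = benign_done;

    int rc = hardened ? parse_fixed(&r, file, n) : parse_vulnerable(&r, file, n);
    if (rc != 0) return OUT_REJECTED;
    if (r.on_done == benign_done)   { r.on_done(); return OUT_INTACT; }
    if (r.on_done == attacker_done) { r.on_done(); return OUT_HIJACKED; }
    return OUT_GARBAGE;   /* calling it here would fault: the "crash only" view */
}

int main(void)
{
    static const char *names[] = { "rejected", "intact", "garbage (crash)", "hijacked" };
    printf("vulnerable: fuzz=%s exploit=%s\n",
           names[feed(SAMPLE_FUZZ, 0)], names[feed(SAMPLE_EXPLOIT, 0)]);
    printf("fixed:      fuzz=%s exploit=%s good=%s\n",
           names[feed(SAMPLE_FUZZ, 1)], names[feed(SAMPLE_EXPLOIT, 1)],
           names[feed(SAMPLE_GOOD, 1)]);
    return 0;
}
```

The fuzzed file and the crafted file are the same length and trip the same missing check; the only difference is who chose the bytes. That is why a vendor saying "it only crashes" usually means "nobody has bothered to choose the bytes yet".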


Tuesday, January 10, 2006

Interesting article, but is it right? 

Professor Adam L. Penenberg has an article in Slate which argues that Microsoft products are just as insecure today as they were when Bill Gates announced the Trustworthy Computing Initiative.

Is it really that bad?

No. The easiest example to notice is in operating systems. Take an unpatched Windows XP from before Service Pack 2 (or anything older), connect it to the net without a firewall, and it will be taken over within minutes by worms such as Blaster and Sasser, which walk in through network services that are listening by default. XP Service Pack 2 will survive, because it switches the built-in firewall on by default and those services are no longer reachable from the outside.

Microsoft's latest software for running web sites (IIS 6) has been downright boring from a security point of view.

I don't think it's a coincidence that the latest critical Windows security problem showed up in a very old part of Windows: the WMF picture format dates from 16-bit Windows. If that corner of Windows were human it would be old enough to vote. New code from Microsoft is better than old code for security.

What about the details of Professor Penenberg's arguments? He points out some widely damaging incidents. They happened in the first year or two after the "Trustworthy Computing Initiative". That's only to be expected. Imagine that Microsoft suddenly began shipping perfect products. The world would continue having incidents with older products for many years.

More seriously, what he says about software development at MS is just plain under-researched. For example, speaking about a common kind of security vulnerability called "buffer overflows", he says
The technique has been known for decades, yet Microsoft still hasn't come up with a way to defend against it
That's wrong twice over. The programmers at Microsoft use tools to check for buffer overflow risks before they ship the products (the compiler's /GS stack checks and static analysis), and once the products are running in the field they're defended by a clever (but admittedly incomplete) system, Data Execution Prevention, which tries to stop the computer from running code out of memory that's meant only to hold data rather than part of an expected program.

Worse yet, he brings up Trojan Horse programs as a problem with Windows. They can happen just about anywhere. Only a few really specialized (and unusable) systems can defend against them. Everybody in the real world is at risk: don't run programs from random strangers and think you'll get away with it just because you're on a Mac.

So, where is Microsoft in their security campaign? Can you relax now if you're a Microsoft customer? Heck no. In particular you have just got to get rid of the Internet Explorer web browser.


Friday, January 06, 2006

Who's reading your cell phone records? 

There's a company that will sell you anyone's cell phone calling records, for a little over a hundred dollars.

That's bad if you're a businessperson negotiating a merger. It's really bad if you're a journalist with anonymous sources. It's life-threatening if you're an undercover police officer.

It's not clear how the company is getting hold of the information. They might be impersonating their victims, they might be "encouraging" phone company insiders to help, or they might even be getting the info legitimately from the cell phone companies. Incredibly, the phone companies are allowed to sell data about who you called and when to advertisers.

How to protect yourself? Don't expect help from your phone company, they are likely to react with incomprehension. There's a web page which supposedly explains how to opt out of having your call information sold but first, it's not clear that's how the information is leaking, and second, the page has incorrect information for my cell carrier.

If you're blowing the whistle on your employer or doing something even more sensitive, use a pay phone if you can still find one.


Thursday, January 05, 2006

Update Windows. Today. Now. 

Microsoft just released a patch for the critically dangerous problem that could allow a bad guy to take over your machine by getting you to look at an image file, or in some cases even if you never look at it.

Pick Windows Update from the Start menu. If you use Firefox, which can't run Windows Update, follow the link to the official patch for the WMF vulnerability and look for the download that matches your version of Windows.

I recommend uninstalling the unofficial patch. I recommend doing that first, and not leaving any time between that uninstall and running Windows Update. Keep the unofficial patch around just in case. (It looks like they do the same job in slightly different ways. I'm recommending the official Microsoft patch over the unofficial patch because Microsoft can afford to do more testing than an individual can, and because you have a better chance of getting support if you haven't installed unapproved parts in the guts of your Windows installation.)

