Sunday, February 26, 2006

Should you worry about your kid and MySpace?

If you're a parent you're going to worry no matter what -- it's your job. There's always the question, though, of how much to worry and what action to take.

The latest media frenzy is about a blogging site called MySpace where teenagers post online diaries, optionally with pictures. The reason there's a media frenzy is that predators have figured out that this is a gold mine of information, there have been some awful incidents, and the press can't resist a true crime article where they can use the word "Internet".

How to protect your kids without overreacting?

I can't do better than to point you to the advice of Microsoft senior product manager for child safety(*) Linda Criddle, quoted in the Seattle Times. Some of the best points:

(*) Does that mean that child safety is a Microsoft product?

UPDATE 3/12/2006:
... some Internet safety experts say that a fear of networking sites has grown disproportionately to actual demonstrated threats, and that there is an unjustified paranoia about the sites.

So says the New York Times, in an article that quotes a 14-year-old explaining (doubtless while rolling his eyes exasperatedly) that most teenagers know perfectly well that posting personal information is as dumb as getting in a car with a stranger.

The rest of the article also helps keep things in perspective.


via surveillance technology 

Get a text message on your phone, delete it, and a jealous spouse can still read it:
- Read all available files on a SIM card and store in an archive file
- Analyze and interpret content of files including text messages and stored numbers
- Recover deleted text messages stored on the card but not readable on phones

The company asks you to send in your story about using their product and says "confidentiality guaranteed".

London prepaid transit passes are also a privacy risk.


Saturday, February 25, 2006

More than one kind of security: voting machines 

Either you can trust the records from a voting machine or you can't.

The activists at Black Box Voting took a look at the logs of some Florida voting machines from 2004. You might think they could have done this earlier. You might think these were public records that the public should have prompt access to. That's what the judge thought who ordered Florida to turn over the records after two years of stonewalling.

If the logs are correct then someone added votes to several of the machines with time stamps in October.

I can think of two or three ways that could be an innocent screwup. None of them leave me any confidence in the administration of the machines or in the audit trail they produce.

Florida's election officials have said that the records in the logs are wrong. Here's the central logical problem: if we can't trust the audit records how the hell can we trust the same machines to report election results?


Monday, February 20, 2006

Mac users, this one's for you 

Do you ever use the Safari web browser? Go to preferences, and turn off "Open safe files after downloading". The Mac turns out to have a dangerously unclear idea of what a "safe" file is.

The result is a recently discovered bug which lets a bad guy's web site take over your computer just because you visited there. That's right, just as if you were a Windows user.

The good news is that last I heard the bad guys weren't yet taking advantage of this bug. Of course you should still change your Safari preferences. Or use Camino or Firefox instead of Safari.

The respected Eric Rescorla discusses the "open safe files" bug and has an insightful comment from developer Peter da Silva.

UPDATE 2/21:

Reportedly the same thing can happen in Changing Safari's preferences of course won't help but it may work to move the Terminal application to a different folder (don't ask).

Credit to Michael Lehn for the discovery.

UPDATE 2/25:

Usually the press exaggerates security problems. This time there are columnists in the Mac trade press saying this isn't a big deal, common sense will prevent it, no need to change anything.
See for yourself. Try Secunia's vulnerability demonstration page and imagine whether you could protect yourself if it were a malicious web page. Show a trusted technical advisor the Internet Storm Center's detailed report.

UPDATE 6/22/2007:

Removed the link to's test for whether you're affected: McAfee Site Advisor thought it was malicious.


Saturday, February 18, 2006

Bank employees install software from strangers 

A security trainer carried out a publicity event: he gave away CDs on the street in London's financial district.

Bank and insurance company employees ran the CDs in their work computers. We know this because the CDs ran a program that did the network equivalent of phoning home to say "guess where I am?"

The closest analogy I can think of would be finding a sandwich on the street, taking it to work, and putting it behind the glass at the company cafeteria.


Physical security: side effects of VOIP 

Everyone's heard way too much about whether their home VOIP service from Vonage or Packet8 or whoever will work right with 911. This article is about something different.

What about your burglar alarm system?

It uses the phone line to talk to the alarm company (I've met an alarm salesperson who didn't know that, by the way). It talks to the alarm company using Very Old techniques. Will those work with your VOIP service? Check with your alarm company or better yet run a test.

Erika Smith has an article at with more information about using monitored home security systems with VOIP.
And some alternatives that are designed to work over an Internet connection:


How important is privacy? 

Privacy advocates usually do a bad job explaining their case. Canada's Privacy Commissioner is an exception.
...privacy - the right to control access to ourselves and to personal information about us - is at the very core of our lives. It is a fundamental human right precisely because it is an innate human need, an essential condition of our freedom, our dignity and our sense of well-being.

If someone intrudes on our privacy - by peering into our home, going through the personal things in our office desk, reading over our shoulder on a bus or airplane, or eavesdropping on our conversation - we feel uncomfortable, even violated.

Imagine, then, how we will feel if it becomes routine for bureaucrats, police officers and other agents of the state to paw through all the details of our lives: where and when we travel, and with whom; who are the friends and acquaintances with whom we have telephone conversations or e-mail correspondence; what we are interested in reading or researching; where we like to go and what we like to do.

Anyone who has lived in a totalitarian society can attest that what often felt most oppressive was precisely the lack of privacy.

But there also will be tangible, specific harm.

The more information government compiles about us, the more of it will be wrong. That's simply a fact of life.

Several years ago, after the existence of Human Resources Development Canada's "Longitudinal Labour Force File" was brought to light by my predecessor, many people demanded to see the information that had been held about them. They were astonished by the number of factual errors.

which leads to
If information that is actually about someone else is wrongly applied to us, if wrong facts make it appear that we've done things we haven't, if perfectly innocent behavior is misinterpreted as suspicious because authorities don't know our reasons or our circumstances, we will be at risk of finding ourselves in trouble in a society where everyone is regarded as a suspect. By the time we clear our names and establish our innocence, we may have suffered irreparable financial or social harm.

but it is this paragraph that truly drives it home:
The bottom line is this: If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free.


Here's what you're up against 

What does all that talk from me about "spyware", "remote control", etc. actually mean? Does it affect real people? What does it really do? How bad is it?

The mainstream media prove they still have a place with this Washington Post article about someone who breaks into computers and installs spyware to build a "botnet". It's vivid, and as far as I can tell it's accurate and thorough.

If you read to the end, there's mention of what one piece of nasty software that's out on the street can do:
the bot program also contained more than 30 other features, including the ability to capture all of the victim's Web traffic and keystrokes, as well as a program that looks for PayPal user names and passwords. Other programs installed by the bot allowed the attackers to peek through a user's webcam.


How secure will the next version of Windows be? 

We don't know yet, of course. It's not finished. Microsoft could change features before it actually ships. But there are some encouraging signs in the sneak previews.

Michael Desmond writes in PC World about important features of Vista.

The top item as I see it is one that may sound obscure at first. It's called User Account Protection, and it means that you're not always running with the ability to screw up your entire computer. If bad software gets installed it will be easier to clean it up. Some old programs will stop working until they're rewritten, but that's a good thing.

Microsoft has improved their backup software to match today's world of huge cheap hard disks. Yes, backups are a security measure.

You'll be able to install security updates without having to use Internet Explorer! This is supposed to make the experience smoother and faster. It also allows you to run a tighter security policy.


Friday, February 17, 2006

More than one kind of security 

From Techdirt, I find an interesting story: the police chief in Houston spoke in favor of legally requiring TV cameras in apartment complexes and private homes. Oh, yes, of course he remembered to say "I know a lot of people are concerned about Big Brother, but my response to that is, if you are not doing anything wrong, why should you worry about it?"

I have an answer to that. You should worry about Mark Summerton and Kevin Judge, and all the others like them who haven't gotten caught. They operated a surveillance camera in Merseyside, in the UK. They aimed it to look into the window of a woman's flat. The BBC reports
Over several hours, she was filmed cuddling her boyfriend before undressing, using the toilet, having a bath and watching television dressed only in a towel.

The next time someone wants to strip away your privacy, at the very least make them give you a straight answer about exactly how it's supposed to improve security. If they can't explain that much, they're not your friends.


Thursday, February 16, 2006

Mac users, don't panic, but heads up 

People are calling it the "first Mac OS X virus", then collapsing into arguments about whether it's actually a "Trojan", and then getting really confused.

Here's what happened.

Someone posted a file to a forum, which he claimed was screenshots of the next OS X release. It was a .tgz file, which is sort of the Unix equivalent of StuffIt. You could have downloaded it and unpacked it safely. But then the next step would have been dangerous, because (and here's the important part): it unpacked into a file that had the same ICON as a JPEG image but which was actually a program. If you had double-clicked the phony JPEG icon in the hope of seeing the future, you would have started that program and it would have made a buggy attempt to insert itself into other programs on your computer (breaking them all in the process) and then sent copies of itself to your buddies on iChat. But, and here's another important thing, first it would have asked for your Administrator password.

Things to do

If you get that popup asking for your Administrator password, stop and think. Are you installing software? From someone you've got a reason to trust? Are you making a change to how the system works? If not, say "no". That dialog is a security feature, not a video game to train you to enter a password as fast as possible. No way would it be legitimate for opening a picture.

Be a little more suspicious, sadly, of files from people you don't know.

Be a little more suspicious, sadly, of files from people you do know. That file from your iChat buddy could in theory be a file from a virus on your iChat buddy's computer.

Check whether that so-called picture has a preview. This piece of malware pretended to be a JPEG but didn't have a preview icon. That was a clue that it was a wolf in sheep's clothing.

Technical article by Andrew Welch about the "Oompa-Loompa" (aka "OSX/Oomp-A") virus or Trojan for your technical friends.
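
For the technical friends: the icon and the file name are whatever the sender wants them to be, but the first few bytes of the file are harder to fake. The sketch below is an added example, not part of the original post or of Andrew Welch's article; it reads a .tgz in place, without unpacking it, and reports members whose leading bytes mark them as programs. The archive contents and member names are constructed for the demonstration.

```python
import io
import tarfile

# Leading bytes that identify executable content, whatever the name or icon says.
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary (or Java class)",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}
JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG starts with these three bytes


def classify(head: bytes) -> str:
    """Classify a file by its first bytes only."""
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return "executable: " + label
    return "other"


def audit_tgz(data: bytes) -> list:
    """Return (name, classification, has_exec_bit) for each regular file.

    Members are read from the archive stream; nothing is written to disk.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(8)
            findings.append((member.name, classify(head), bool(member.mode & 0o111)))
    return findings


def suspicious(findings: list) -> list:
    """Names of members that are programs according to their content."""
    return [name for name, kind, _ in findings if kind.startswith("executable")]


def build_sample_tgz() -> bytes:
    """Constructed archive: one real JPEG header, one program posing as a picture."""
    members = [
        ("pics/real_photo.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 32, 0o644),
        ("pics/next_release_screenshot", b"\xfe\xed\xfa\xce" + b"\x00" * 32, 0o755),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content, mode in members:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, exec_bit in audit_tgz(build_sample_tgz()):
        print(f"{name:32} {kind:40} exec-bit={exec_bit}")
```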


Monday, February 13, 2006

Happy Valentine's Day from Microsoft 

Your present from Redmond is a set of Windows security patches, some of them critical. Upgrade ASAP unless you have automatic updates turned on. Start menu, Windows Update.


Internet Explorer: a new drag and drop pitfall 

Under certain circumstances, if a clever attacker with an intricately crafted web site can trick you into picking something up with the mouse and moving it, he can install unwanted software on your machine.

In real life the scenario would be something like you visit an untrustworthy web site, it has a banner or a game like "move the monkey into the barrel and win $25!", you fall for the trick, and you get a piece of spyware or something nastier on your computer.

Microsoft does not see this as a big deal and doesn't have a patch available now or soon.

If you are forced to use Internet Explorer, stay out of bad neighborhoods, don't let yourself be inveigled into playing interactive games, hope the bad guys don't booby-trap the advertising that you see on legitimate web sites, and ask your technical adviser whether you should try the recommendations in this technical article about the Internet Explorer drag and drop vulnerability. All those recommendations will cost you functionality. Understand well what you're giving up.


Sunday, February 12, 2006

How much should Mac users worry? 

Apple made some good security decisions but OS X is, of course, not perfect.

There's a good, levelheaded, informed discussion in a recent Rebecca Freed article about OS X security. It's good enough that I can't think of much to add to it.


Saturday, February 11, 2006

Where does spyware come from and how does it infect? 

People like me have been publishing general impressions. A research team has turned a program loose to search the web for spyware and report back solid facts. They looked at tens of thousands of sites and have published a paper about spyware sources and distribution. I was surprised at some of their findings.

For example, I've been warning people against visiting the web's red light districts, or online neighborhoods where people in trenchcoats try to sell you Rolexes or cheap software. The researchers found another category that's really dangerous to visit: games sites! I hadn't heard of that being a problem, but my business partner points out that games are good bait, maybe even better than "adult entertainment". The study found spyware on one out of four games sites, making it the single most dangerous category.

"Just say No"

Spyware gets on your computer two different ways. One way is invisible to you. That's the so-called "drive-by download", that installs itself by using a security problem when you do nothing but visit a web site. The University of Washington study experimented with using both Internet Explorer and Firefox to visit spyware sources. IE infected the test computers with hundreds of drive-by downloads. Firefox was immune to them all.

Much more common, though, were spyware infections that are like vampires -- they can't come in unless you invite them. The study tried two different programs, one that said "yes" when asked to install things, the other of which always said "no". There was a huge difference in infection rates. Some of the spyware was riding inside otherwise legitimate software, and some was pretending to be something it wasn't. Don't install cute cursors or other tools unless you know the reputation of the program (kind of like not eating sandwiches you find on the street).

How big a problem is this? How likely are you to be attacked?

"1 in 67 Web pages that we examined contained malicious content targeting browser flaws."

In other words, if you travel widely on the web, you're going to hit a web page that will try to trick your web browser program into doing something bad. You need to be able to trust your browser. Firefox has a good record. Hardly anyone's found flaws in Opera, though that makes me wonder whether anyone's looking.

80% of people have spyware infections according to a study a couple of years ago.

What else to do?

Anti-spyware programs are good but they don't catch everything. There are tools out there that keep a list of bad places on the web and block them from showing up -- the researchers found that those tools don't really work.


Tuesday, February 07, 2006

The whole spyware problem explained in a sentence 

A computer repairman kept trying to explain to customers why their machines were running slowly, popping up random ads all the time, and not going where they were supposed to on the web.

He kept having trouble explaining. That happens with technical people. And nobody likes to be told that it's their fault that their computer got infested.

He finally found the right way to explain why it's unsafe to take all the "free" goodies that are in your face on the web. He now says something to the effect of "There's no free lunch on the net and there are plenty of businesses that can make money taking over your computer". He says that intelligent but non-technical people positively glow with insight when he explains it that way.

Yes, there's good free stuff. But you usually can't trust someone who stops you on the street to give you the good free stuff.


Coming soon, I hope 

A startup called SiteAdvisor is planning to have programs crawl the Web looking for spyware distributors and other toxic web sites. Then they'll assign ratings and presumably sell access to the ratings.

This could be super-useful. I hope they have good lawyers, though.


Saturday, February 04, 2006

Do you use "WinAmp" v5.12? You're at risk. 

This is yet another case where bad guys supply poisoned input to a program and get control over your computer.

In this case, the program's weakness shows up when it opens playlist files. The poison consists of putting in a preposterously long file name.

Unfortunately you can't just decide not to open playlists from strangers. There are some tricks that will make WinAmp open a playlist just because you looked at the wrong web page.

Your firewall won't help, because firewalls don't know about this kind of thing. Antivirus might help someday. Anyway, your best move is to upgrade. You're supposed to get a popup inviting you to upgrade; just say yes when you see it. You're also safe if you uninstall the program and switch to a different media player, or, if you like popping the hood, you can prevent automatic playing of poisoned content by following the advice of Kaspersky Anti-virus and going to the Windows Folder Options menu, picking .pls under file types, and turning on "Confirm open after download".

This sort of thing is the reason lean systems with minimal software are safest.
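
For anyone who does like popping the hood: a .pls playlist is a plain text file of `File1=`, `Title1=` lines, so the "preposterously long file name" is easy to spot before a player ever opens the file. The checker below is an added example, not from the original post or from any vendor; the 260-character limit (Windows MAX_PATH) is an assumption chosen for illustration, and both sample playlists are constructed.

```python
import re

# Assumption: 260 is Windows MAX_PATH; no legitimate local file name needs more.
MAX_NAME_LEN = 260

# Entries that carry names: File1=, File2=, Title1=, ...
ENTRY = re.compile(r"^(File|Title)(\d+)=(.*)$", re.IGNORECASE)


def check_pls(text: str, max_len: int = MAX_NAME_LEN) -> list:
    """Return a list of (line_number, key, problem) for a .pls playlist."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip().lower() != "[playlist]":
        problems.append((1, "header", "missing [playlist] header"))
    for lineno, line in enumerate(lines, start=1):
        match = ENTRY.match(line.strip())
        if not match:
            continue
        key = match.group(1) + match.group(2)
        value = match.group(3)
        if len(value) > max_len:
            problems.append(
                (lineno, key, f"value is {len(value)} characters (limit {max_len})")
            )
        if any(ord(ch) < 32 for ch in value):
            problems.append((lineno, key, "value contains control characters"))
    return problems


# Constructed sample: an ordinary two-track playlist.
GOOD_PLS = "\n".join([
    "[playlist]",
    "NumberOfEntries=2",
    "File1=C:\\Music\\track01.mp3",
    "Title1=Track One",
    "File2=C:\\Music\\track02.mp3",
    "Title2=Track Two",
    "Version=2",
])

# Constructed sample: the second entry has an absurdly long name.
BAD_PLS = "\n".join([
    "[playlist]",
    "NumberOfEntries=2",
    "File1=C:\\Music\\track01.mp3",
    "File2=" + "x" * 4000 + ".mp3",
    "Version=2",
])

if __name__ == "__main__":
    for label, sample in (("good", GOOD_PLS), ("bad", BAD_PLS)):
        findings = check_pls(sample)
        print(label, "->", findings if findings else "no problems found")
```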


Thursday, February 02, 2006

Why people complain about Microsoft 

Well, of course some people just like to complain. Some people just overlook Microsoft's successes at security. Some people think Microsoft's progress isn't fast enough, completely ignoring the reality of how hard it is to turn a supertanker around.

But then there are the real problems.

It was May of 2005. The prosecution had just rested in the Michael Jackson trial. Security firm eEye reported a serious security problem to Microsoft. It was a problem in the Internet Explorer browser that could allow bad guys to take over a computer.

Microsoft hasn't fixed it yet, according to eEye. eEye isn't talking about the details of the IE vulnerability. Maybe there's some reason it's less of a threat than it sounds like and Microsoft is justified in taking their time. But it sure doesn't leave a good taste in anyone's mouth to know that they've been at risk for eight months.


What's this "Kama Sutra" thing anyway? 

It's a malicious program that installs itself when you open an email attachment. It turns off your anti-virus software and on the 3rd of every month (starting tomorrow) it scans your computer and attached devices for document files and overwrites them.

So, if it turns off anti-virus software, how do you know whether you've got it? There's a removal tool from Microsoft you can use.

Back up your data anyway, to CD or DVD or to rewritable storage that you then unplug.


Internet Explorer 7: cautious optimism 

Microsoft is letting people use a test version of the next Internet Explorer web browser. So far it's already had a serious security bug. Is it going to be as bad as previous versions?

It may well be much better. Microsoft has been striking at the roots of the previous security problems. They've gotten rid of the idea that some web pages should be trusted to act like locally installed programs (I'm oversimplifying a lot, sorry). They're tightening up the security level all around, and they're making it harder for visiting a web page to install software. These changes should put a dent in the spyware problem.

Don't rush to download it, though, unless you have a test machine. There's a reason it's pre-release.


Have you ever wished someone would explain "phishing"?

has a nifty phishing tutorial with examples, explanations, advice, and even an online quiz if you want to challenge yourself. I got 90%, missing one question because I was too suspicious of a legitimate email.

They have real good nuts-and-bolts advice about what to look for and how to protect yourself.


Good reading for Windows administrators 

The Watchguard blog pointed me to Mitch Tulloch's security tips for Windows networks. It's semi-technical, aimed at the person taking care of dozens of Windows servers. His advice is sound. He's really fond of a book on the same subject, Protect Your Windows Network: From Perimeter to Data.


What does a security consultant do for self-defense? 

First, there's a hardware firewall to intercept many attacks from the Internet.

By the time you get to my PC, the defenses include

I was still vulnerable, after all those precautions, to the recent WMF problem. Not even someone who does security for a living can keep a Windows box 100% secure.

For a more normal person who doesn't need to do as much online research as I do, I'd add one more recommendation. Limit your web connections to a few trusted partners.


Bad guys were using the WMF attack before the announcement 

Earlier this month Microsoft released an emergency patch for a problem which allowed bad guys to take over your computer by sending you a picture with type .WMF. This was a scary problem because you could lose control of your computer without doing anything stupid. In fact, you didn't need to open the image at all to be infected.

The scary part is that the bad guys found out about the vulnerability before the good guys did. News of the WMF attack was sold on the black market in mid-December. Reportedly, bad guys were taking over machines in quiet, targeted attacks for almost a month.

How many more problems like this are there, that bad guys are using and good guys don't know about?

