Sunday, April 30, 2006

More than one kind of security: cargo ports 

The government keeps proposing and implementing drastic measures in the name of keeping us safe. Everyone weighs the supposed tradeoffs between liberty and national security, because everyone takes for granted that the government's actions are aimed at national security.

For example, you'd figure by 2002 it would be impossible to ship a slug of uranium inside a steel pipe (on X-rays that would look like a crude bomb) in a cargo container from Europe to the US. But ABC News did just that, a year to the day after September 11.

You'd figure that the government, concerned for our safety, would immediately close that security gap. But a year later, September 11 2003, ABC News shipped a similar package from al-Qaeda-infested Indonesia to LA. Nobody detected it.

Next question: did the government, concerned with our safety, fix the problem and thank ABC for reporting it? Or did they try to file criminal charges against ABC for performing a safety test?

But that was then, this is 2006. By now the government, working for our safety, will at least have issued ID cards for the people with access to our ports. Right? Not yet, though they were supposed to be available in 2004. Meantime, the government has promised that Real Soon Now they will check port workers' names against lists of suspected terrorists. And we're supposed to have 98% checking of incoming containers for nuclear material -- by late 2007.

We're told that we may have to trade some freedom for safety. Until that safety shows up I think I'll hold on to my freedom.


Here are some quick street smarts 

There's an AARP survey of computer security awareness in Washington State which says that even people in the country's second most computer-literate state are missing key information to protect themselves.

Do follow the link, I'm only going to hit the high points.

Half the respondents didn't know that banks (sane ones anyway) are not going to send you email asking you to click a link to confirm your account information. That's the signature of a phishing scam. If you get email like that and think it might be legitimate, phone the bank.

Three quarters didn't know that Web site owners can share information about you even though they have a privacy policy. First, a lot of those policies simply describe how little privacy you have. Second, companies violate their own policies all the time. Third, once the company goes bankrupt, your personal information is a company asset that goes wherever the bankruptcy judge says it should go.

The Seattle Times article about this mentioned a computer user who got an unexpected popup warning her that her computer was infected with spyware (scam!) but that it could be fixed if she'd download a free program from a strange site and run it (deadly scam!). Of course her computer stopped running, except to display one popup after another offering to disinfect it for $20/month (extortion scam!). Not even the blindest, greediest legitimate antispyware vendors do business this way.

She did the right thing: she took the computer to a local repair shop. It works now. It cost her $100: removing spyware is as much fun as clearing clogged drains and the people who do it charge accordingly. If she'd sent money to the scammers the problems would never have ended: she'd simply have gotten herself on a sucker list.


Saturday, April 29, 2006

Often it boils down to street smarts 

Recently McAfee put up an online quiz where you can test yourself on your ability to spot a web site that will infect you with spyware.

Eventually this came to the attention of a geek discussion forum. The survey's design was harshly criticized, with some reason. What I thought was interesting was the degree of background knowledge that geeks take for granted.

One user, by the handle "fafalone", listed some of the clues he considered unquestionably obvious:
Page 2: Left option explicitly states it shows popups in the fine print. Also, rushing EULA acceptance. Open and shut case.

Page 3: The overemphasis of the word "free" on the left page should immediately arouse the suspicions of an experienced user. The left page just exudes cheapness. The right page looks more professional, better games typically are less likely to contain malware, and there's a forums and contact option. Overwhelming odds that the left page is more likely to contain malware, no contest
Page 5/#1: "FREE Sponsored Version"? If you need technical info to guess if a p2p program saying this contains adware, you're a fool.

#4: "Unlimited free online calls", "Promote your blog", virus protection... in a P2P program? Dead giveaway even if you've never heard of Kazaa.
and if you haven't figured out what his expectations are,
There are ways to tell which of those pages are legit, it was based largely on inferring it from the text on the page. If you didn't get at least 6/8 (2 questions are invalid, see below), then you MISSED SOMETHING that indicated spyware. It was there, on the image, no outside information whatsoever was needed, sorry if it hurts your pride.

Enough of the mealy mouthed euphemisms, tell us what you really think.

I guess a lot of lifetime city dwellers would be equally condescending to a visitor who walked into an urban scam. It's the same kind of situation -- going into a hostile environment without experience.

Let me try to translate what the guy said above into tips you can use, without the namecalling. There are two kinds of free software out there. There are programs written as a hobby by decent people, who often share things they've written for their own use because it doesn't cost them anything. This kind of free software is good and I couldn't do my job without it. Linux is an example.

Then there's the stuff that's "free" to you because it lets someone take over your computer. That's why the word "sponsored" was such a red flag. So is aggressive advertising.


How worried should Mac users be? 

There's a lot of drivel about OS X security in the press. I did find one column that's mostly right. Scott Bradner, writing in Network World, argues that concerns are overblown. He concludes "That does not mean OS X users can ignore security - at the very least, enable the built-in personal firewall - but it does mean you should not stay with Windows because you think it will be safer".

I would add "keep up with updates" and "don't download software from random strangers".

I don't completely agree with his analysis. He points out, correctly, that some inner vital organs of OS X are descended from programs that have survived trial by fire. On the other hand the corresponding parts of Windows have been solid for the last few years. No really clear advantage there.

I predict a rising tide of OS X security flaws and reports thereof, meaning Mac owners will be forced to pay attention to security but will still have a better experience than Windows users.


Friday, April 28, 2006

The debate is over. Users are not stupid. 

Security companies can't (well, don't) get security right.

From the Be Careful Out There security blog, I find that at a recent information security trade show the vendors of security products were setting up wireless networks with no security and were spreading viruses.

Sometimes security people argue about whether most security problems are caused by non-specialists being stupid. Now it is time to bury that idea unless they're willing to say the specialists are being stupid.

The good news is that you can outperform the security companies with a moderate amount of non-wizardly work. Keep backups. Use Firefox or Opera. At work, follow the advice and orders of the IT people. At home, if you want a high-risk technology like a wireless network, stuff some pizza into the teenager next door and let him or her set it up.


Tuesday, April 25, 2006

Is it the users' fault? Another round of the debate. 

Information Security Magazine had a Point/Counterpoint about whether user security education works. Could have been an interesting debate between two highly qualified and experienced people, except both of them agreed. They think user education is futile.

Fortunately, you can find a contrasting opinion from Scott Pinzon, editor of Watchguard Wire. (Disclosure: they paid me for an article once). He puts it more politely, but suggests that maybe security education has been failing because computer geeks have been the ones doing it.

None of them mentioned that some contractual and even legal security requirements call for a security awareness program. If user education doesn't work, then a lot of people are being compelled to waste money.

I'll step back from the debate and point out that if user education doesn't work then nothing else will work. Technology can't overcome the force of people trying to get their jobs done in spite of security hassles. If user education is hopeless, then security is hopeless (and consultants like me have work for life).


Monday, April 24, 2006

Today's reported bug is in Firefox 

Not much detail and I didn't recognize the name of the discoverer, but there's supposed to be a Firefox vulnerability that lets bad guys take over your computer remotely.

It looks like you can minimize your risk by controlling Javascript execution with the wonderful, damn near indispensable, Noscript extension.


Sunday, April 23, 2006

Microsoft will check your password for you 

Someone else has done a good enough review of Microsoft's online password quality checker that I can't think of much to add.


Friday, April 21, 2006

Have you been having problems since Patch Tuesday? 

One of Microsoft's security fixes causes problems with video cards from NVidia, with software that HP used to ship with scanners, and with the well-regarded Kerio personal firewall.

If you've been getting new crashes since the latest security updates, be sure to download the fixed patch, due out next Tuesday.


Thursday, April 20, 2006

More than one kind of security tradeoff 

A strong password helps security but it's a pain to remember. Antivirus software protects your computer but may destabilize it. Internet access educates you in protecting yourself but also exposes you to more threats.

Computer security is a profession that's about tradeoffs.

Lately we've been hearing a lot about another kind of tradeoff, in the world of physical security. We're told over and over that there's a tension between civil liberties and safety. Government officials say we may need to give up some privacy to prevent attacks by terrorists who are willing and able to kill thousands at a time.

One example of this tradeoff came in 2004, when the military turned its surveillance on a Quaker meeting house in Lake Worth, Florida. The Quakers were planning to protest military recruitment at high schools. I would have thought that was Constitutionally protected free speech, but the military said it was a "threat", and they're here to protect us.

There's the tradeoff in a nutshell. We may not have our civil liberties about speaking out without fear of the military, but in exchange we are safe from Quakers.


Small web browsing security tip 

It's a pain and usually not necessary, but you can prevent a whole family of attacks by closing all other windows and tabs when you're doing something sensitive like typing your credit card number.


Wednesday, April 19, 2006

Antivirus helps but only if you update regularly 

"The poll results show that only 24% of users update their [antivirus] solution at least once a day." That's from a report by antivirus firm Kaspersky Labs.

New viruses come out frequently. There's a profit motive behind them now. Old viruses that are already blocked don't make as much money. Bad guys are pressured financially to write new viruses all the time in the hope that they can stay ahead of antivirus firms.

Did you get a free antivirus product with your computer? It probably came with only 30 days of free updates. You need to get online and pay for an update subscription.


Tuesday, April 18, 2006

how voting machines SHOULD be regulated 

A crooked slot machine can only steal money, not democracy. Yet gambling machines are better regulated than voting machines.


Update Firefox. Also Thunderbird if you use it. 

You should be on version 1.5.02 of Firefox. Previous ones had bugs that could let bad guys take over your machine by feeding it a poisoned web page. Follow the update link that Firefox puts up for you.


Monday, April 17, 2006

How strong is your password? Eye-opening article. 

Does it seem like your company's IT department makes up password rules just to make life difficult?

Ever wonder how much difference all those irritating rules make in real life?

There's a fun web page with estimates of how long it would take to use brute force trial and error to guess different kinds of passwords. Don't take the exact numbers too seriously, and focus your attention on the columns labeled "Class D" and "Class E", which are the most likely for a real attacker.

Dictionary words are hopeless. A well equipped attacker can try a hundred million passwords per second and there are only a few hundred thousand words in the dictionary.
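To show why the dictionary is hopeless and what the character-class rules buy you, here is a small calculator. It is an added example, not code from the original post or from the linked web page. It uses the post's guess rate of a hundred million tries per second; the 300,000-word dictionary is a constructed round number standing in for "a few hundred thousand words", and the character classes are my own assumptions, not the linked page's "Class D" and "Class E". It also goes one step beyond the post by pricing out a passphrase made of three random dictionary words.

```python
"""Brute-force time estimates for different kinds of passwords.

Added example, not from the original post or the page it links to. The
guess rate is the post's figure; the dictionary size is a constructed
round number; the character classes are assumptions of this example and
are not the linked page's "Class D" and "Class E".
"""

GUESSES_PER_SECOND = 100_000_000   # the post's figure for a well equipped attacker
DICTIONARY_WORDS = 300_000         # constructed: "a few hundred thousand words"

# Assumed alphabet sizes for some common password rules.
ALPHABETS = {
    "lowercase letters only": 26,
    "upper and lower case letters": 52,
    "letters and digits": 62,
    "letters, digits and punctuation": 95,
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols from an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(search_space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second.
    On average the attacker succeeds in about half this time."""
    return search_space / rate


def human_duration(seconds):
    """Render a number of seconds in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def estimate_table(length=8):
    """Worst-case exhaustion times for: one dictionary word, fixed-length
    passwords from each alphabet, and a passphrase of three dictionary words."""
    rows = [("single dictionary word", seconds_to_exhaust(DICTIONARY_WORDS))]
    for label, size in ALPHABETS.items():
        rows.append((f"{length} chars, {label}",
                     seconds_to_exhaust(keyspace(size, length))))
    rows.append(("three random dictionary words",
                 seconds_to_exhaust(keyspace(DICTIONARY_WORDS, 3))))
    return rows


if __name__ == "__main__":
    for label, secs in estimate_table():
        print(f"{label:40s} {human_duration(secs)}")
```

The numbers are only as good as the assumed guess rate, which is exactly the post's caveat: what matters is the ratio between rows, not the absolute figures. A single dictionary word falls in milliseconds, eight lowercase letters in under an hour, and three random words from the same dictionary take years, which is why the size of the search space, not the obscurity of the rule, is what counts.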

That page is part of a site which is a security resource for home users, not unlike The Security Mentor. It seems to be a bit more technical, so check it out if you want more depth than this newsletter but not as much as The Security Nerd.


Sunday, April 16, 2006

What if you can't just delete a suspicious file? 

You can scan it with your antivirus software, and you should, but any one antivirus program might miss something.

Most of the time, the right thing to do is to follow the wisdom you learned as a child about funny-smelling items from the fridge -- "when in doubt, throw it out".

If that's not an option or if you're just curious, and if the file is not confidential, there's a website that will scan your file with about a dozen antivirus engines. Too much trouble for regular use, but it's a good resource to know about.


Saturday, April 15, 2006

If you want something done right do it yourself 

There have been way too many incidents like this.

Netgear makes a box for plugging into a DSL line which shares your connection among multiple computers, and which also shares it over a wireless network. They make lots of boxes like that, but the one we're talking about today is the NETGEAR WGT624 Wireless DSL router.

Someone who goes by the handle "Tranceformer" just discovered that no matter what password you set to secure the WGT624, there's still something in the device's configuration that looks like this:

People on the hostile side of your firewall can use this to log in and change settings.

In any normal industry you'd get a recall notice.

If there's a manufacturer of cheap firewall appliances who gives a *&(&^%! about security, I wish they'd advertise it. Meantime I'm stuck trying to figure out what to recommend. There have been a lot of problems just like this one and they've shown up in multiple brands.

Maybe the only hope is to take a spare computer, put in a second network card, and install some respectable free firewall and security software.


Friday, April 14, 2006

What's the most secure way to surf the Web? 

That headline asks a meaningless question. If you ask a question about Firefox versus Internet Explorer (the "blue E") and if the question is specific enough to answer, you can get any answer you want just by changing how you ask the question (but I still recommend Firefox!).

It's only one of the questions you could ask, but "which of the two fixes security bugs faster?" is a useful question. It doesn't tell you which browser is "more secure" but it's a good thing to think about.

The Firefox team fixes security vulnerabilities six times faster than Microsoft does, according to Brian Krebs at the Washington Post.


Thursday, April 13, 2006

"There oughta be a law!" But read its fine print first 

Oklahoma is considering anti-spyware legislation. This sounds good -- spyware is a huge problem in real life and good laws could help protect the public.

It sounds good, that is, until you get to the fine print. For example, there's some language that sounds like it's supposed to let anti-spyware products erase spyware or report it. But that's not what it says. It's not limited to anti-spyware products and it's not limited to removing spyware. After you click "Accept" to an incomprehensible "license agreement", that software is allowed to search for and erase anything "illegal". That could cause problems given that everything is illegal. The bill has anti-spying provisions but exempts any “telecommunications carrier, cable operator, computer hardware or software provider or provider of information service” (emphasis added).


Wednesday, April 12, 2006

Social Security Numbers on the web -- why policy matters 

Your bank account information, driver's license details, and social security number may be posted on the web if you live in Broward County, Florida.

It's not an external security breach, either. The county is doing it on purpose. They're following a public records disclosure law.

Here's where policy comes in. Most small organizations have an unwritten policy of "do what makes sense". If you grow to be big and/or hire dumb people, you have to write down a policy that gives people permission to do the right thing. Otherwise you wind up like Broward County, where your personnel are saying things like "recorders have no statutory authority to automatically remove Social Security, bank account and driver's license numbers".


Tuesday, April 11, 2006

Patch Windows today! 

Go to the Start menu, choose "Windows Update", follow instructions. If nothing happens, it's probably because your computer updated itself automatically, so don't worry.

Microsoft has more than one fix in this batch that you need to install right away. There are serious security problems that bad guys are already using to take over people's computers. This patch batch fixes them.

UPDATE 4/11:

Looks like Microsoft has changed some things. I had to turn off Zone Alarm to get update to work, and that's never happened before. Also, if it gets stuck where it says it's scanning your machine but never does anything else, try editing the address bar in Internet Explorer to say "" instead of "". Keep trying: these patches are important and worth the hassle.


Monday, April 10, 2006

Your computer is now worth a quarter of a cent 

"Why would anyone want to take over my computer", you could logically ask, "when I'm not the FBI or CIA or even rich?"

Today's criminals may not care about anything on your computer other than its network connection. They'll take it over so they can use it to send spam, or use it along with thousands of others to flood some victim's website with so much traffic that legitimate customers can't get through. They do that because of the extortion possibilities ("Nice web site ya got here. Sure would be a shame if ten thousand computers tried to connect to it at once next Tuesday").

There's a black market now in the use of armies of infected computers. Crooks will rent anyone interested the use of 10,000 home machines for $25. If that price comes from supply and demand, then things are getting worse: the rental fees used to be higher. Of course it's also possible that the mobsters buying the access are, ahh, better negotiators than the geeks selling the access.


Sunday, April 09, 2006

Mac OS X users, more reasons to stay alert 

A poker-into-things named Tom Ferris has been writing automatic tools that throw nonsensical input at Mac OS X programs until they break. This is important because bad guys can do the same thing, and may figure out a way to take over a program instead of just breaking it.

One early finding is that Firefox is more solid than Safari under this kind of attack. Consider switching, though there's nothing compelling yet.

He's finding too many problems for real comfort. I can't help thinking Apple should have done this kind of testing in the first place.
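To show what "throwing nonsensical input at a program until it breaks" looks like in practice, and why a vendor can run the same test on its own code before shipping, here is a toy mutation fuzzer. It is an added example, not the original post's content and not Tom Ferris's tools; the record format, the fragile and hardened parsers, and the mutation strategy are all constructed for illustration.

```python
"""Minimal mutation fuzzer against a deliberately fragile toy parser.

Added example, not from the original post and not Tom Ferris's tooling.
The record format, both parsers and the mutation strategy are constructed
for illustration.
"""
import random


# Constructed format: [tag byte][length byte][payload bytes][checksum byte]
def make_record(tag, payload):
    """Build a well-formed record (payload must be shorter than 256 bytes)."""
    return bytes([ord(tag), len(payload)]) + payload + bytes([sum(payload) % 256])


def parse_record(data):
    """Fragile parser: trusts the length byte and never checks how much
    input it actually has, so short or truncated input raises IndexError."""
    tag = data[0]
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]          # may be past the end of the input
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return chr(tag), bytes(payload)


def parse_record_safe(data):
    """Hardened parser: validates the total length before indexing, so every
    malformed input is rejected with ValueError instead of crashing."""
    if len(data) < 3:
        raise ValueError("record too short")
    length = data[1]
    if len(data) != 3 + length:
        raise ValueError("length byte does not match input size")
    payload = data[2:2 + length]
    if sum(payload) % 256 != data[2 + length]:
        raise ValueError("bad checksum")
    return chr(data[0]), bytes(payload)


def mutate(seed, rng):
    """One random edit of the seed: overwrite a byte, truncate, or insert a byte."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:
        del data[rng.randrange(len(data)):]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target, seed, iterations=2000, rng_seed=1):
    """Feed mutated inputs to `target`. A ValueError is a clean rejection and
    is fine; any other exception is a bug, recorded with the triggering input."""
    rng = random.Random(rng_seed)       # fixed seed so runs are reproducible
    crashes = []
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((candidate, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    seed = make_record("A", b"hello")
    print("fragile parser:", len(fuzz(parse_record, seed)), "crashes")
    print("hardened parser:", len(fuzz(parse_record_safe, seed)), "crashes")
```

The point of the two parsers is the post's point: the fragile one handles every well-formed record correctly and only falls over on garbage, which is exactly the input a developer never types by hand and a fuzzer produces by the thousand. Each recorded crash comes with the input that caused it, so the bug can be reproduced and fixed; the hardened version checks lengths before indexing and turns every one of those crashes into an ordinary rejection.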

The best advice I can think of is to use a firewall and keep your ear to the ground for real-life problems.


Saturday, April 08, 2006

Did Microsoft save us? 

There's been a(nother) string of scary vulnerabilities in Internet Explorer, the browser program with the blue E. These security flaws made it possible for bad guys to set up web sites that would take over your computer if you just visited them (with Internet Explorer).

The security products industry warned of widespread mayhem. So did people like me who weren't trying to sell products. And yet computer users escaped obvious catastrophe.

Via Rootsecure, Infoworld columnist Roger Grimes (I respect him) suggests that Microsoft's investigative and legal efforts prevented a wide outbreak. Microsoft set up a team to search for those booby-trapped web sites and to pressure ISPs to shut them down. Not really Microsoft's job, but in their interests.

My pessimistic side suggests that since today's computer criminals are after money and not notoriety, we may have had a catastrophe that hasn't hit the headlines because it's quietly stealing credit card numbers. My cynical side wonders if so many home computers are infected already that nobody noticed a few million more.


Comments on the NSA/ATT wiretapping case 

In case you missed it, ATT let the National Security Agency read all of the network traffic flowing over ATT's Internet hardware, which is most if not all of the Internet.

First of all this is not good national security. Spying on millions of people who aren't dangerous wastes time and manpower. Even the few thousand illegal phone taps that just came to light, which supposedly were targeted, had the FBI complaining about having to investigate thousands of dead ends.

Then, there's a lot of confidential information going over the Internet. Business negotiations and trade secrets are just the start -- a few years ago, the American Bar Association told its members that email was secure enough to use for discussing cases with clients. Oops.

Assuming the NSA is noble, trustworthy, and will resist all orders to abuse its powers, what happens if they hire a crook? In all their history, for all their precautions, they haven't been able to keep outright traitors out of their organization. What happens when an NSA employee with access to all Internet traffic is a stalker?

Finally, not that anyone cares about such things any more, the whole program is thoroughly, inarguably, flatly illegal.


Friday, April 07, 2006

A phone call scrambler of your very own 

Skype encrypts phone calls, but nobody really knows how good a job they do.

If you talk about mergers or medical data on the phone, if you live in a country where citizens are spied on by their own government, or if you just want a cool toy, check out Zfone. It's a program for making secure computer-to-computer phone calls that follows industry standards so well that it can talk (insecurely) with other computer-to-computer voice chat programs.


Thursday, April 06, 2006

PC infected? MS says euthanize it. 

"I say we take off and nuke the entire site from orbit. It's the only way to be sure. "
-Ripley, _Aliens_, 1986

The nasty programs from bad guys have been getting worse for quite a while now. They try to turn off antivirus software. They come in multiple pieces, where one piece will fight you if you try to delete a different piece. Some change the operating system so that it won't let you see the infective software.

Things are now so bad that Microsoft recommends that you wipe infected machines and restore from backup. I believe that Microsoft Consulting has been telling clients the same thing for a while, but now the advice is public.

Of course this only works if you have backups...


More than one kind of security: dirty bombs 

Could someone smuggle dangerous amounts of radioactive material into the country?
Undercover Congressional investigators successfully smuggled into the United States enough radioactive material to make two dirty bombs, even after it set off alarms on radiation detectors installed at border checkpoints, a new report says.
according to a New York Times article, via Bruce Schneier's blog.


Wednesday, April 05, 2006

Is your vote secure? It's not just Diebold machines 

Sequoia is scrambling to patch severe problems in Allegheny County voting machines.

From the article,
[Carnegie Mellon University professor] Dr. Shamos encountered yesterday's problem during a test for vote tampering. In an instant, he said, he was able to transform a handful of votes into thousands.


Easy wireless security for small/medium businesses 

Long ago, I passed on Glenn Fleishman's (remember the name, he's good) recommendation for LucidLink. They're out of business but he's reviewed some new affordable and easy to use WiFi security products for the SMB (small to medium business) market. His review even makes a noble attempt at explaining the pathological alphabet soup of wireless security jargon.

He recommends Boxedwireless and witopia in particular if you can't afford to run your own authentication server, Elektron for flexibility and low price, and Radiator for brave technically inclined people.


Monday, April 03, 2006

More than one kind of security: airports 

83-year-old invalid abusively searched

Don't yawn and say "Oh, another of those". It will keep happening unless we stay outraged and do something.

Bogart had breast cancer surgery in 1997, a total hip replacement after a fall in 1999, a major stroke in 2004 that caused dementia, and is hard of hearing

The TSA screener ordered her to stand up from her wheelchair, against medical advice:
Fearing another hip-shattering fall, Moon instinctively reached out for her mother.

"Don't touch her!" Moon says the screener barked.

But surely, if the situation were explained to the screener?
Moon said she continued to tell the screener that her mother was not to stand without her four-wheeled walker.

"You'd better change your attitude," Moon recalls the screener saying. "Or do you want me to make it so you don't fly today?"

But surely the TSA works for us and they're accountable?
She demanded the name of the young screener in her mid-to-late 20s with darkish hair pulled back in a bun.

A TSA manager refused to give her the screener's name

If you live in Colorado write to your Congressperson and demand that he/she pressure the TSA until they do a real investigation.
or just type in your zip code at


Misleading headline: Antivirus firm hit by virus 

Trend Micro, a respected antivirus firm, had some of their internal documents show up on a file sharing network because of a virus that does things like that. So say the headlines, which hint that we should all point and giggle.

Here's the fine print, which tells you not to trust headlines:


Sunday, April 02, 2006

Will you find out if someone steals your credit card number? 

via the fascinating Emergent Chaos blog:

27 states do not require merchants to let you know if they store your credit card number and someone steals it.

Are you covered in the 23 that do require notification? No, because careless merchants can weasel out of disclosure by saying it would interfere with the police investigation.

There's a company for everything, and there's a company (CardCorps) that tracks data thefts. Dan Clements, their CEO, says
"Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise ... Most want to sweep the hack under the rug. Their motivation is clear; they don't want to lose their customers' trust."

About all you can do is to use a credit card instead of a debit card, check your account regularly for suspicious charges, and write to your Congressman about the pending Federal legislation that would roll back state disclosure laws.


Saturday, April 01, 2006

Truly evil scam: fake IRS email 

"Bottom Line" publications reports that some scum have been sending email, apparently from the IRS, accusing people of having underpaid their taxes by some small amount, typically in two figures. The fake email gives an address where you're supposed to mail your payment.

Most people will pay up rather than fight over a small amount.

Then comes the really evil part. The scum have your bank name, your account number, your name, and a sample of your signature (not that anyone checks signatures). Then, on top of that, what does the IRS tell you to put in the memo field of every check you write to them? Bingo. Your Social Security Number.

Don't fall for this one, it'll really hurt.

